Unspoken Security

True Stories from the Dark Web

AJ Nash and Roman Sannikov Season 1 Episode 10

In this episode of Unspoken Security, AJ Nash is joined by Roman Sannikov, the President of Constellation Cyber LLC. Before his current efforts conducting research and delivering Intelligence reports for various clients, Roman has led multiple teams focused on combatting threats in the Deep and Dark Web.

Roman and AJ give a brief overview of what we all mean when we say "Deep Web" or "Dark Web" to ensure we're all speaking the same language and then discuss the subcultures and self-regulation within some of the busiest criminal marketplaces. Roman provided insights into things that have changed over the last couple of decades (and what has remained the same) as cybercriminals have become more structured and professionalized.

The discussion turned to an exploration of things people often misunderstand when it comes to cybercriminal marketplaces and how easily people can go wrong in their choices for how to combat these threats. From there, the show focused on some of the myths and true stories from Roman's long and storied career as a resident within the cybercriminal underground, including some fascinating stories about his work on behalf of the FBI.

As always, the show wraps up with our guest revealing something that had, to this point, gone "unspoken." While I don't want to give too much away, Roman didn't disappoint when he revealed his "unspoken" truth.

Send us a text

Support the show

Unspoken Security Ep 10: True Stories from the Dark Web

roman_y. sannikov: [00:00:00] [00:01:00] [00:02:00] AJ, thank you so much for having me. This is great. So my goal for today is to find a topic that we vehemently disagree on so can have actual argument. And, uh, and to get that going, I actually had, you know, three or four, uh, beers before this. So that, you the spirit of that, uh, happy hour after, uh, you know, after DEF CON meetings and stuff like that.

So I really got into, into the mood here and, uh, yeah. find a heated. topic that we disagree on. It's probably it's unlikely because I know we've we've spent time chatting and unfortunately we pretty much agree on on most anything but uh maybe if we have time maybe we get into some sort of a sports [00:03:00] disagreement or something at uh at the end or 

aj_nash: so [00:04:00] 

roman_y. sannikov: Sure. Before I say that, gave me the subtitle from the book I'm going to write. So the title was going to be How Dark is the Dark Web? And the subtitle is going to be True Tales from the Dark Web. Um, 

thank you. 

aj_nash: know don't what it is 

roman_y. sannikov: so, so, yeah, so it's actually a great question.

And part of the problem is something that we might actually talk about later is that a lot of times these terms are used partly as marketing. Um, so everybody has their own. Way to describe it. And I know some organizations actually, uh, vehemently disagree about what to call this. Essentially, what we're talking about is a, um, an area of the web [00:05:00] of the Internet that is difficult

to access so that has barriers to access. So typically the way we used to define it is it's something that, you know, Google isn't going to, uh, analyze isn't going to scrape. Although even that's not necessarily the case. You know, I've seen, uh, posts from, uh, from exploit and from other major forums, uh, commented, uh, or reflected on Google searches and things like that.

Uh, but essentially we're talking about is an area of. The Internet, an area where individuals communicate relatively openly because there is a barrier to entry, so the barrier could be either financial, meaning you have to pay, or it could be reputational. You have to be vouched in by someone. You have to know someone to gain access to this platform, or in a lot of times, in a lot of cases, both you have to both know someone and you have to pay.

Um, so, but [00:06:00] essentially that's, uh, kind of what we're talking about. It's something that, um, barrier to entry.

could. It could also just be things that are proprietary things that are part of a corporation, a part of some sort of network that again is somehow closed off. Uh, and, uh, and things like that. So, the dark web typically is what we talk about when we're talking about [00:07:00] malicious activity. It's something that The reason I think we call it dark is because it's hiding in the shadows.

It specifically wants us as researchers, as law enforcement, as other individuals to not be able to see what they're doing. So I think that's the easiest way to kind of look at it is really something that is purposely hidden from view.[00:08:00] 

So I'm going to switch that question around a little bit. I think I'm going to haven't changed.

it. Don't get offended. I'm just all. I'll 

Um, so I'm going to focus on what hasn't changed because I that's kind of fundamental to what's the purpose of the dark web is of, um, this underground, let me just call it that so we offend any companies about the So is the reason you [00:09:00] have this area is because you have essentially when you're talking about cybercrime, you're talking about individuals conducting business. People who don't know each other, people who have never seen each other. Most of the time, people have very little kind of control over each other and each other's actions.

And at the same time, they have to trust individuals who are criminals, who are inherently not very trustworthy. Uh, that's why there's that saying, you know, no honor among thieves, uh, is, uh. They're not very trustworthy. Uh, they will rip you off if they can. Um, and essentially the underground provides a some sort of community that allows these, uh, threat actors, these individuals, these criminals, uh, to have some sort of recourse.

So if you're in a community, like a forum, like a telegram channel, like a discord channel where there's, uh, Other individuals, if you do [00:10:00] something illicit, if you rip somebody off, if you do something that will, that has the potential of ruining your reputation with others. So then you will have a harder time conducting business with other individuals, be it selling it, buying it, et cetera.

So essentially, I know, I think sometimes for sales purposes, companies will say, you know, Forums are dead, or this or chat is dead, or this and that is dead. Um, and I disagree. I think there's always going to be a need for some sort of place. Yes. Threat actors may eventually. Go to private messaging, but there's a need for this initial area where individuals who don't know each other, who haven't worked together can come together and have some level of comfort in giving money to someone who's a criminal and think that you're going to get [00:11:00] something back from them that somehow resembles what you want.

Um, and forums in these places, um, channels and et cetera. Uh, they've created things like escrow services, similar to when you're buying a house or something like that. There's reputational damage. There's all sorts of ways that they've worked out over the years to create that level of, um, trust so that they can work together.

Um, Obviously, they're working together for a bad cause, but still, you have to look at it from just the operational needs and operational necessities. Um, so I think that's something that's stayed even when people have. When again, the threat actors, the bad guys, the criminals have moved from be it from forum to forum, from forum to shop, uh, from shop to telegram channel, to discord, to Jabber, [00:12:00] to whatever it may be.

The idea behind all of this has been the same, that there has to be some way to communicate, to conduct transactions, uh, when you're not. Being able to like literally hand somebody a, uh, suitcase or a duffel bag full of cash, uh, and receive some, some drugs, uh, right there on the spot in return. Um, so I think that's something that's, that's maintained.

Um,[00:13:00] [00:14:00] 

Just to follow up on what you said, I agree completely with what you said. It kind of makes me think of those T shirts that you see, the Anti Social Social Club. I see those, that's what I think of is these dark web forums and channels and exactly. But for those who may not No, um, things like escrow services are literally where you have a trusted individual [00:15:00] on a platform like a forum, uh, and, uh, you go to them and you say, okay, I'm going to conduct the transaction.

I'm going to sell a bunch of credit cards, stolen credit cards to someone else. Uh, you know, uh, once they send you the agreed upon amount, you tell me that you have the money. I send the cards to that individual, uh, and then. Once that individual confirms that they have the cards, uh, they'll let you know you released the money to me.

That's how it works again. Very similar to when you're buying a house or something like that. And I know that the mechanics are different between things like telegram channels and discord channels like that. But I think that's more important for, um, the threat Intel providers, uh, because of how they collect the information, how they scrape the information, how they get access to this information.

But for real Intel, I don't think it matters that much. I think these are all still that dark web platforms where the communication happens. Um, [00:16:00] getting back to your question, um, how things have changed is, I think that when this started out, um, the idea behind a lot of these was privacy. Um, a lot of these, uh, platforms had very high level of privacy.

It was very difficult to get into these platforms. forms. Uh, the idea was that everyone was trying to, uh, conduct these, um, uh, negotiations, just conduct their business in, in the private away from the eyes of researchers, from law enforcement, et cetera. At some point over the course of the last, maybe, um, six, seven years, there's been a bit of a shift.

And that is the way I see it is. There's kind of this more open communication between researchers and threat actors. You'll see, uh, when I was at one of the companies that I won't mention right now, but one of the companies, [00:17:00] we got into a little bit of heat because we've published, uh, a, an interview with a pretty prominent.

Uh, threat actor 

aj_nash: I 

roman_y. sannikov: my colleagues that, uh, and I, uh, I had the fun, the pleasure of actually translating, uh, this, uh, interview and editing for clarity and, and helping with some of the questions and stuff like that. And we got some heat, uh, because it was seen as we were promoting, uh, and kind of making this individual more of a celebrity.

Um, I disagree because, um, I. think that to me, it seems silly that somehow individuals who would read this, um, interview would somehow think, Oh yeah, this guy is 100 percent correct. It's kind of like, I don't know, listening to the interview would Putin and saying, Hmm, you know, maybe this guy isn't the killer.

Maybe he's, uh, you got some good points. Yeah, exactly. I don't think that a lot of people in the industry all of a sudden decided that, you know what? [00:18:00] I don't think I'm going to go after these ransomware guys anymore. I think they are just a bunch of good. Pen testers, uh, et cetera. Um, so I think that that was just kind of this, this level of animosity that some people in our industry have against these individuals, and it prevents us from kind of opening up our minds and really seeing the world through their eyes, which I think is really.

Key to understanding their motivation, what they're doing, how they're doing it. It's like, uh, you know, uh, uh, really you need to know the enemy, uh, uh, to understand, uh, uh, what's going on. Um, and so I, I think, so I'm kind of going off the topic a little bit, Point is that I think over the course of the last five, six years, there's been like more of this openness.

So you're communicating, uh, relatively openly. I've been able to ping [00:19:00] individuals, um, uh, openly as They know who I am. They know what they do. And I've asked them, I said, Hey, um, you know, I think that this is happening in the cyber criminal. Uh, you know, what is your take on this? And, you know, again, not to say that I take everything they say as gospel truth, but 

Trust, trust, but verify. So Yes. Um, but, uh, but yeah, but I think it is important to, um, and honestly they like being listened to. So believe it or not. Um, when they have a bit of a platform and people ask them, I think a lot of times, maybe not. Maybe they won't be completely honest about what they're doing specifically, but when you ask him a more general question about trends and about methodologies and TTPs, I found that they're actually fairly open, uh, in in this collaboration.

Um, and kind [00:20:00] of a funny twist to that back when I used to work with with the FBI and when we used to arrest individuals who were engaged in criminal activity and cybercrime, particularly cybercrime, maybe not all criminal activity, but cybercrime very frequently after we had our kind of sit down and we'd arrest and go through all of this stuff like that.

You know, literally within like a day or two, they'd be like, Hey, Roman, how do you become an FBI agent? Uh, you know, and I would invariably say, well, you kind of start out by not committing felonies. 

good start. Yeah, but, uh, but it's like they would, a lot of them would. Cooperate and they would feel like all of a sudden they're part of the team and they're on, you know, team America or team, whatever country they had been picked up by.

But, um, but again, I think that one of the things I've seen again. This transition is that [00:21:00] there is a much more open level off communication between the bad guys and the researchers. And I'm not saying that that's necessarily, um, improved everything. Uh, because obviously we still have a huge. problem with, um, with cybercrime or with criminal activity.

But I think that if we as researchers, as security professionals are smart, uh, we will take that information. We'll incorporate that information. Um, I've listened to a few of your podcasts before, and we will. into intelligence, we will help make the better decisions, uh, for, for our clients. Um, so I think that's one of the things that's definitely changed is this kind of, uh, new level of, of openness.

Um, and, uh, and I think a lot of that has come out of the fact that a lot of these threat actors realize, uh, that a lot of their platforms have been [00:22:00] infiltrated. By law enforcement, by researchers. Um, and so it's kind of this bit of a cat mouse, uh, thing. And to some extent it reminds me of, um. Again, when I was working with, with the FBI, um, a lot of the, uh, work I did contractually, uh, was, uh, also, um, uh, investigating organized crime.

And a lot of times we would monitor these, uh, Russian organized crime groups. And sometimes it would be other organized crime as well, not just Russian, but a lot of times they would be hanging out literally in the same bars and restaurants as the cops and the agents and stuff like that. And so there were essentially, they were kind of rubbing elbows, uh, and And it reminds me what's happening in the cybercrime now, kind of reminds me of that a little bit, is, uh, essentially we're kind of rubbing virtual elbows, uh, very frequently with these, uh, with these threat actors.[00:23:00] [00:24:00] 

Man, so those the couple that you mentioned, and I know we've talked about this before, this is something that kind of like breaks my heart. Um, because these are some of the earliest scams that I helped work on. Um, 1 [00:25:00] of the very 1st cyber related scams, uh, or cases I worked on back around 2002 was actually a, um, uh, so we're working with some Russian law enforcement to MVD individuals.

And this is back when we were all. sort of on the side. Yeah, exactly. Um, and kind of this halcyon years for about, maybe 10 years or so before things went, uh, uh, Um, I was going to use a slightly more 

aj_nash: uh, 

roman_y. sannikov: they came to us and they said, look, we've got these three individuals in this, uh, you know, fairly large city in the middle of Russia that are scamming people all over the world, uh, like three or 4, 000 at a time.

But they've gotten to the point where they have about half a million dollars worth of scams that they've, uh, that they've done and, um, they, um, wanted people to, uh. to, um, submit cases to them. They needed, they need, because all the [00:26:00] crimes are committed outside of Russia. And so they needed victims. They needed individuals to, um, and they had victims from Australia, from Canada, from various States in the United States, Finland, just all over the world.

Um, and, uh, I remember specifically, uh, again. with the FBI's blessing and through the FBI, but reaching out to some of the law enforcement organizations, uh, regional organizations in Texas and a couple of other places where these victims had, uh, were located. Um, and the attitude was really, if they sent, you know, 3, 000 to some Natasha, uh, you know, thinking she was going to come over then, you know, that's, uh, know, uh, that's, uh, on them, uh, kind of No, absolutely not. Um, and in the end, only country that did file that submit these was China. Um, from what I recall. Um, but none of the Western countries took it seriously enough. And that's what's heartbreaking is because [00:27:00] now, you know, 20 years later, over 20 years later, we have people who are essentially falling for the same scams.

The pig butchering scams. Almost all the pig butchering scams start with a romantic relationship, there's some sort of, you know, uh, and I can't help but think that had we taken this more seriously 20 years ago, had we done more education 20 years ago, or how do we have more empathy, um, 20 years ago, then I think there would be a level of maturity, um, in.

Victims and individuals that would prevent a lot of this from happening. Um, and so, like I said, that really breaks my heart. Um, in terms of one of the things that has changed is really what we're seeing is a lot of people kind of outside the industry and. Surprisingly to me, even inside the industry, sometimes people at that [00:28:00] clients that we talked to, they still have this image of a hacker from like a 1990s movie or something like that, where it's some, some usually guy who basically does everything from, you know, hacks in the computer, transfer funds, cashes out funds, goes, you know, to the ATM, grabs the funds you know, starts exactly.

and Exactly. And this is something that really hasn't been the case for many, many years now. And it seems like almost every year, they're coming up with a new platform, a new way to, you know, ransomware as a service. Before that, was DDoS as a service, you know, exploit kits, um, uh, It's almost kind of like when you think about, uh, I don't know how many people of your viewers remember Jack London, but this is a person who went to the Klondike to strike it rich, found no gold, figured out that he could make it rich by, by writing stories and by all that kind of stuff.

In a lot of these places, the people who are actually making [00:29:00] rich, making a lot of the money are the ones who are providing the infrastructure. So ransomware, uh, these aren't the individuals who are breaking in and who are literally. ransoming you. These are the individuals that are providing it as a service.

They created a platform. They created this business model. Um, and the same thing, you know, I worked with one of the first individuals who created malware as a service where they rented malware, which made it so much more difficult for us because in the before that we could get a sample, we could buy the malware, and then we have control over it.

We could reverse it. We have something. And this young man, me a very smart guy who I still, uh, keep in touch with. Fortunately, he's on the straight and narrow now and is a, is a productive member of society. Um, but, uh, uh, he created the idea that, Hey, why would I give something to them? Let me rent it.

That's why I still maintain control over it. And it was so much harder for us because we didn't get the samples. We couldn't. Um, [00:30:00] so that's something that's changed. And again, now you're seeing. Fraud is a service. You've seen all of these as a service things where people are, are with the criminals are really, uh, specializing on specific services and really making their money, um, that way, as opposed to, you know, doing the whole soup to nuts and opening themselves up to so much more, um, risk.[00:31:00] [00:32:00] 

aj_nash: tie 

roman_y. sannikov: put a helmet on and some dark and [00:33:00] 

aj_nash: spaces 

roman_y. sannikov: a lot of things that, you how hours do we have? Um, so one of the things I'll just touch on really quickly because I already kind of mentioned it earlier. think we as an industry have a little bit, uh, kind of too much of this us versus them mentality. Um, you know, they're all scumbags and they're all horrible and they're all evil, which may be the case.

I wouldn't, I would say that probably not all of them are scumbags, but a good percentage of them are, you know, people of low moral values, but that doesn't mean that we shouldn't, uh, uh, interact with them that we shouldn't, uh, listen to them when they say things, um, that we shouldn't, um. Try to see things through their eyes.

Um, and that's something that I think a lot of times there is a lack of, I think a lot of times there's too adversarial a relationship. There's kind of, you know, uh, I mean, I'm sure you've [00:34:00] seen like, uh, my job is punching bad guys in the nose kind of thing. And it's, it's funny, you know, it's, it's, 

aj_nash: It's 

roman_y. sannikov: but when you really, you know, again, I laugh at that.

That's, that's, that's cool. You know, I, I want to do that too. Yeah. But when you take that too seriously, and when that's really your attitude, then you're, I think you're closing yourself off from a lot of valuable intelligence and from really understanding, um, Hey, the way I got into this, I was actually a translator and interpreter for many years working with the, with the FBI, um, as a contractor.

And, uh, it turned out that I, Was able to understand the criminal, uh, element, uh, at first, uh, organized crime, and then it's cyber crime, all these things, um, because I was able to kind of, uh, again, I'm not saying I'm special in this, there's a lot of people who are wonderful at this, but I think my, uh, my approach was, [00:35:00] why are they doing this?

How is it, you know? And so I think that really helped. Um, whereas a lot of people are like, these guys are just. You know, uh, take them out to the woodshed and stuff like that in the long run that doesn't help us understand. And that doesn't help us stop them. And that doesn't help us. So I think that's 1 of the things that we, as an industry frequently get wrong.

Um, I can go into a lot more detail on that. The especially around things like ransomware, where I've gotten into some, uh, some heated discussions with, with some people. Um, but the other thing that also drives me nuts that I've come across recently is, you know, talking to client companies and, you know, I've heard some people say this, that, you know, they're going to people and they're like, well, we don't really care about, um, the initial access, we don't really care about.

Credentials. We don't really care about this stuff. We know that they're going to get in. We need to stop them. once they get in, we need to, uh, [00:36:00] and it blows my mind and it's kind of like, you know, we just saw the super bowl. And to me, like the analogy is kind of like, all right, it's like giving the other team the ball on the 50 yard line, because chances are, they're probably going to cross the 50 yard line sooner or later.

Anyway, you know, most, even when they don't make, uh, even when they don't get a touchdown or a field goal. Most of the time, they at least cross the 50 yard line. So then why don't we just give them the ball at the 50 and focus on stopping them during that last, you know, that drive stuff like that.

That's essentially what we're saying. What we're saying, we don't care about the initial access. And, uh, my argument is if you're, if you're really focused on ransomware, you're too late should be. Focused on that initial access. I'm trying to stop them from, from coming in. Um, and it's not easy.

I know credentials and all that stuff, but you can't, you know, Intel is important.[00:37:00] 

absolutely, I think, and partly maybe it's our fault or maybe it's the marketing fault because, you know, everybody's talking about it's not if you get breached, it's when, but the thing is that you're not just going to get breached one time. It's not like, it's not like [00:38:00] if anybody ever saw the movie, the world, according to GARP, where, know, buy a house and the, uh, the.

Plane crashes into it and the garb says, you know what, we should buy it anyway, because it's kind of, it's, it's disaster proof, already. So that's not the case with cyber crime. I've talked to several companies, uh, this year, they got popped by ransomware multiple times. So it's not like, okay, we got breached.

All right. Now we don't have to worry about that ever again. Um, 

aj_nash: lightning striking[00:39:00] 

roman_y. sannikov: hmm. [00:40:00] I, I saw a really great presentation recently about like recovery after a ransomware And I agreed with the vast majority of what the individual said. It was wonderful. Uh, but the one thing that again, just made me jump out of my chair is he was very adamant about, um, uh, he doesn't care about attribution.

Uh, you know, don't like throw that at me. I'm dealing with, well, you, if you don't know who did it and what you don't know. I mean, they walked out, they didn't just lock your systems. They walked out with a lot of your data, a ton your data. And, um, you don't know where that data went and you don't know what's going to happen with that data.

And that's actually like not to plug my company, but that's 

that I'm working [00:41:00] on now is specifically tracking the leak data a lot of these extortion sites and looking at like the secondary and tertiary victims don't know that they've been impacted by this? Um because it is so important because you you need to know is this a nation state actor?

Am I liable to be a victim of intellectual property theft? As a as a result are my plans now being discussed at some company that's an adversary in a foreign place. Um, at a hostile power. Uh, is this a hacktivist? Uh, is this some, some crazy individual, you know, we've seen individuals shooting up power plants.

Um, you know, is this something that is going to impact my physical security? So you can't just silo and say, you know what, all I care about is getting the systems back up, getting things running, you know, getting my shit. Back up again. Uh, excuse my language, 

aj_nash: it 

roman_y. sannikov: need to, [00:42:00] you need to have the background.

You need to incorporate that as well because you need to deal with that. Um, and, uh, and that's actually goes to one of the other things that you and I've talked about is, you know, sharing information within the industry. Um, I understand it. I don't know how to deal with this. Honestly, I don't. I'm not a lawyer.

Um, uh, I don't play one on TV. Uh, but you know, the advice to most victims of breaches is unless it's PII. Where you have to provide that information by law, um, provide as little information as possible. We've been impacted by an incident. Well, what does that mean? What does that mean to your suppliers?

What does that mean to your affiliates? What does that mean? So what's been breached? And there isn't that sharing of information and I've seen, and I'm sure you've seen as well, a lot of companies that are impacted, again, not to kind of toot my but that's why I'm like working on [00:43:00] this new project is to specifically allow for these other entities to understand what of their data is now out there as a result of this breach.

Because I think it's so critically important, um, we're kind of sometimes, you know, sticking our head in the sand and saying, uh, well, these are bad guys that throwing it up on, you know, bad guy, uh, channels, uh, and, uh, but. Just because we're not looking at doesn't mean that the initial access brokers aren't looking.

It doesn't mean that all these other individuals aren't looking at all of your data, uh, and, and now using it as a vector to go, uh, to go after you, um, or your, again, your clients, your affiliates, et cetera. And, and, and I think that's one of the other things that, that, um, the industry or we as in general, um, have.

to figure out a better way to share that information, to figure out a way to, uh, maybe they'll [00:44:00] kill my project and my company do that effectively. But I'm willing to take that chance, I'm, hoping that we get to the point where we figure out a way to, to, to share the information.

Hey, listen, somebody broke into my house, uh, and stole this data, uh, or stole these documents. And, and by the way, they happen to have, you know, that contract that you and I signed about this, whatever. And so basically now they have all of your information about your activities all that kind of stuff.

So if somebody all of a sudden starts to, you know, uh, come to you, uh, about this, uh, type of stuff, just remember that this is now out there in criminal hands. Um, so we need to figure out a way to, uh, to disperse that information, [00:45:00] [00:46:00] [00:47:00] 

aj_nash: Yep.

roman_y. sannikov: maybe partly it's our own fault because we don't present it in in the proper [00:48:00] way. I don't know. Um, but I think a lot of times because again, good threat intelligence can save you time. It's not just a cost center.

So instead of getting spun up, I mean, most companies still get some sort of alerting, um, about yeah. You know, various incidents that may impact them. So good threat intelligence will help you figure out, okay, is this threat actor, if we're talking about attribution, is this threat actor likely to do this?

Is this threat actor has to have the capability to do this? Is this someone who's just some random Joe Schmoe that most likely isn't selling a zero day company to, you know, an apple product for 5, 000, know, uh, and, um, so essentially it's a good way to actually get rid of a lot of the noise. People frequently think of intelligence as a noise, as additional stuff that I have to worry about.

Uh, but again, good threat intelligence or [00:49:00] properly tune threat intelligence actually helps you figure out what to focus on and what to ignore, uh, and make that calculated decision, uh, and then defended that decision because sometimes you'll get it wrong sometimes. But if you can say, Hey, look, based on these criteria, I decided to give this Less, uh, attention, uh, and, you know, and chances are your leadership is going to be okay.

You know, they didn't screw up just because they were lazy. They had some sort of a factor why they didn't focus on this, et cetera. [00:50:00] 

Chill, Winston.[00:51:00] [00:52:00] 

So as you've pointed out several times, I've been doing this for quite some so I have a large library to choose from. Uh, so I'm just going to give you a few teasers because, uh, you know, these things can, can, uh, you know, uh, uh, go on for quite some time, but, um, one of the things that I remember being, uh, really fun was, um, man, this is probably around, I Uh, 10 years ago, maybe a little bit more.

There was a really big case in, uh, in the New York office and other offices called aching mules. Um, and you can actually look it up. There was actually a CNBC special on this where some of my friends were interviewed if, uh, FBI agents. Um, and, uh, uh, but the way, one of the ways this started was actually three young ladies from Kazakhstan came into the New York office of the FBI.

Um, and because they had their, [00:53:00] they were J1 students, they were here and they were kind of taking advantage of, uh, some guys, uh, um, got them to do some illegal things, open bank accounts and stuff like that. And they were really freaked out and their boyfriends told them, you're stupid. You're going to go to jail, you know, blah, blah, blah.

So they came and they kind of gave themselves up. And they were, uh, you know, uh, and this was actually kind of how this case started. And, um, they came to the office on a Saturday. Um, you know, New York office is one of the biggest FBI offices in the U. S. or in world. Um, and, uh, they, the the kind of intake agents downstairs.

They had no idea what to do with these people. Um, and so they called the Russian squad, uh, and one of my friends who's not a cyber guy, but was an interpreter on the, on the Russian squad. He took down some of the notes and he's like, I, you know, the Russian organized crime squad has no idea what to do with people, you know, opening bank accounts [00:54:00] and stuff like that.

That's not what they usually deal with. And so this stuff kind of got. to my desk. Um, and I wound up looking through this. I'm like, holy crap. They're talking about, you know, literally driving with somebody who's got a laptop open this older woman who was like, I think she owned a flower shop and she was transferring funds live from various victim accounts.

To this business account and then having this money, um, transferred to these young ladies, um, bank accounts as though they were employees and stuff like that. And it wound up being actually a really big case that, uh, spun, spanned several years. And there was eventually a really big arrest where over 20, uh, people were arrested at the same time across several different states.

Uh, and it was, it was really big, but, um, One of the ways that it started out was actually just these, you know, young ladies coming in and it totally, you know, kind of by accident, it came [00:55:00] across my desk. Um, and then I went to the supervisor of the cybercrime squad and I said, dude, this is our purview. This is, know, us.

Uh, and it took a little while to convince him. He's, he's actually a friend of mine as well. Uh, but, uh, finally he's like, all right, yeah, you're right. This does seem like there's some cyber criminal activity here. Um, and again, it wound up being, there was like millions of dollars 

aj_nash: the advantage doing this 

roman_y. sannikov: Yes.

aj_nash: here Yeah [00:56:00] 

roman_y. sannikov: So, 1 other case, just really quick, um, so going back to my organized crime squad, uh, those of you who are actually looking at this on, on, on YouTube or something, you see that I've got my, my golden locks, uh, hanging down. Um, I, uh, was involved in a case where I was interpreting, uh, for, um, a Russian organized crime investigation.

And, uh, part of the case was, uh, we had, I was working out of the Albany office. of, uh, New York, uh, at the time, uh, going to school up there. And, uh, we had this Russian, [00:57:00] uh, for lack of a better word, a head of a criminal family. Um, and we invited him. We were trying to get him to do some criminal activity. We, the FBI essentially, we're trying to get him to do some criminal activity there that they can monitor and the rest, et cetera, and break up so it went up. to this very fancy schmancy resort in Northern, uh, New York, uh, called, uh, Saranac Lake, I believe it was. And again, like really expensive with very, uh, kind of a lot of Hoi Poloi people. Um, and we, uh, this was up kind of in Adirondacks or just outside the Adirondacks. So the reception there wasn't great.

And we were, we had to monitor the cooperating witness who was there hosting this, this bad guy, because. operating witness at the time had, I think, a million dollar bounty on his head. Uh, he had been arrested. He was being, he was kind of one of these accountants, uh, for Russian organized crime groups. Um, and so we have to make sure that he was going to be [00:58:00] safe.

And so what I was doing as I was walking around with this back then, we have to have a suitcase, uh, the silver suitcase that, uh, the receiver. Uh, and so I was listening to everything that he was saying, uh, and the bad guy was saying, to know that he's not taking him out to the woods and, and doing something horrible to him.

Uh, like in one of these, you know, Russian gangster movies. Um, and one point we lost him and we lost the, the, the guys and we're, it's a fairly big resort and we're running around trying to find where are they, you know, want to make sure that they didn't. Take him out to the woodshed. and I come around the corner and I'm face to face with these guys and I've got one of those like big ear pieces coming out of my ear, you know, very inconspicuous, kind of like one of those old fashioned, uh, Secret Service agents with like wires hanging and all 

aj_nash: Did you pretend I was a aid 

roman_y. sannikov: took my hair down. [00:59:00] and it covered it and covered it really well. And so I wound up sitting down and listening and the guy had, um, everybody there is wearing like white and very Hamptons kind of thing. this guy's there in these little tiny shorts And he's got his huge son, uh, tattooed all on his back.

Um, and, uh, you know, again, just like something out of Eastern Promises or something that. And so I'm sitting behind them and just kind of like listening to make sure. Uh, but, uh, but yeah, so that's where, uh, you know, one fun time where my, uh, my cloth, uh, helped. The FBI case and make sure that this guy wasn't, uh, uh, the cooperating witness wasn't, uh, harmed.

So, uh, yeah, fun case.

aj_nash: that's awesome[01:00:00] 

It's brilliant 

roman_y. sannikov: All right. So, okay. So, so, so another one that was really fun, um, and I'll try to make this 

aj_nash: it 

roman_y. sannikov: time, um, I, uh, actually got to go to Russia and, um, uh, with a victim of a cybercrime. This was one of the very first cyber criminal cases that I've worked on. And there's, again, this was back around 2001.

And I got to go to, uh, the Russians actually arrested the individual who had hacked into this institution. And the institution was actually provided. Um, so the Russian law enforcement and the court invited them to come testify to the losses. And they actually did. Which, uh, the, the bank is no longer around, they've been bought several times but I still won't mention, uh, but it was really cool.

Uh, the problem was that, uh, the case was in, uh, late November, uh, in, uh, [01:01:00] Siberia. So, we flew to this place and, and the, the MVD guys in Moscow were making fun of us, saying that, you know, like, uh, the air, the air port would like drop us off the airplane and then the reindeer would pick us up take us to the uh, and so that wasn't the case.

The went to was actually a fairly, um, you know, it's kind of little Houston because that's where all the Russian oil and gas companies were based at time. So we had a really, you know, they, they treated us amazingly. We went to, we testified in court. Um, I got special permission because theoretically you're only allowed to What to interpret in court, uh, in Russian court, if you are a citizen, um, but the judge gave me dispensation since I'm not a Russian citizen, but because we wanted to limit the number of people who knew about this with the victim want to limit, um, and the, you know, but after all the testifying and everything, the Russian.

Cops, they, they took us to this dacha, this, this bath house, and which was way [01:02:00] out there. And they drove us through these snowy roads and there was a lot of drinking. Uh, there was some, uh, some young ladies there who they introduced as, uh, as secretaries. Although I don't think that's what they 

aj_nash: They 

roman_y. sannikov: uh, no, they, they weren't.

yeah, they were, uh, they were spending a lot of time in, in the, in the, The Banya with the, uh, with the various individuals and stuff like that. Um, but I just remember, um, them, you know, the, the, the cops and driving us, getting like incredibly drunk and driving us at very high speed. back along very snowy, icy roads and myself and the representative of the victim institution sitting in the back, you know, kind of between these, these young ladies and thinking to myself, man, uh, you know, if I crash and This stuff is, you know, somehow gets into the, into the news, uh, later, [01:03:00] uh, then, uh, you know, it's, it's going to be very difficult to, to explain, uh, this, uh, so, uh, so yeah, that was, that was, uh, uh, a funny story.

Fortunately, everything was safe. Nobody's, uh, at least from the American side, nobody's honor was, uh, was compromised, uh, in this case. Uh, but, uh, but it was a very interesting situation, kind of surreal. Uh, my, my co the, the victim, he had a special sat phone. Uh, and he goes, he's looking at it. It's like the sat phone is saying where the fuck are you?

out. wasn't able to pick up anything. Uh, so yeah.

aj_nash: realistic[01:04:00] 

this was 

roman_y. sannikov: My, my liver survived and, uh, I, uh, yes, I'm, uh, I'm good.

So this is, uh, this is kind of embarrassing, um, 

aj_nash: start 

roman_y. sannikov: it's, it's probably something that a lot of people feel, and I think actually some of your other guests have, have mentioned something similar. Um, but, um. I am just really amazed that anyone knows who the hell I am and very flattered, um, because I, I don't know if you want to call it imposter syndrome or, or what it is, but you know, in my mind, I'm still some [01:05:00] 25 year old kid who just got out of college and is trying to figure out what the hell he wants to be when he grows up.

Um, and, um, so when people come to me and say, Oh, I read this work of yours, or I heard this interview with you, or, you know, one young man who's brilliant once talked to me and actually called me legend and I almost fell off the chair, uh, because I was just like, uh, I mean, and, and I'm not going to pretend false modesty.

I went down, ran to my wife and I was 

aj_nash: of 

roman_y. sannikov: somebody called the a legend and, and so it was, it was really cool, but I've had, like, I frequently just feel like a, you know, depending on your age, you'll get this either Zellig or Forrest Gump, um, but that I find myself in these instances, like I've literally Been standing between, um, the, the former director of the FBI, Robert Mueller and, [01:06:00] uh, the current and former head of the FSB, Bordnikov and Petresov and Spaso House, which is the, the residents of the ambassador of of, of, uh, US in, in Moscow.

I was interpreting. Between them, the, these and, and really in this close proximity and just literally standing with them. Um, and, uh, and afterwards, as we were leaving, the ambassador actually pulled me aside and told me I did a great job. And I was just like, I I was going to pass out. But that's, you know, it's one of those things where for any of you out there who's, who experiences imposter syndrome, um, everybody does, um, I'm, I'm, uh, you know, as, uh, AJ mentioned, uh, I'm in my fifties, um, and I've, uh, been, uh, working, um, In intelligence since I was in my early twenties, uh, and I still feel like I'm just some kid who's trying to [01:07:00] figure it out.

Um, and so, um, don't be embarrassed. If you feel that way, you can't succeed. If you try, uh, you know, you work hard, um, and you don't have to feel like you've got everything and all the answers and stuff like that. But I don't think I've ever actually Said the extent of how frequently kind of unsure and stunned I am by these various things and sometimes have to kind of like, uh, do a little tap dance when people come to me with with questions.

Um, but, you know, that's where, where research comes in and being a curious person comes in. Uh, so, yeah, that's that's my kind of unspoken[01:08:00] [01:09:00] 

aj_nash: that thing[01:10:00] 

roman_y. sannikov: a final comment on you said. I think a lot of times, you know, like one of my favorite sayings is like, you can tell the worth of an individual by their [01:11:00] friends. And so like whenever I'm feeling a little bit kind of, um, you know, a little down or a little unsure of myself, I look around and I've got, I've got some kick ass friends.

I've got some really great people that I can call on when I need help with something. My network has some amazing individuals in it. Um, and I'm so proud of that. And that says, you know what? I, I trust their judgment enough. To say that I must be doing something right, you know, because otherwise what the hell would they be doing, you know, like picking up the phone?

Like I, you know, I, I've reached out to CEOs who I really respect. Um, and they'll respond to me. Um, and these are individuals who are like way more powerful, more successful, uh, and wealthier than I am. And so, um, and again, not to say that. Yeah. You know, it's all about CEOs. There's this junior analyst who I reach out to who I'm like, Oh, this is awesome that this person [01:12:00] is willing to help me answer this question.

but, uh, I think that's something that also, um, you know, trust yourself when you have other individuals who, whose opinion you respect, you know, Trust you and see value in you. That says a lot about your, uh, capabilities.[01:13:00] 

Next time I'm coming out to Minnesota and we'll be in the same location. It'll be like one of those, again, like sports things where we'll be sitting and talking to each [01:14:00] other in So that'll be, that'll be 

Thank you.

aj_nash: Hello, and welcome to another episode of Unspoken Security, brought to you by ZeroFox, the only unified external cybersecurity platform. I'm your host, AJ Nash. For those who don't know me personally or are first-time listeners, I'm a traditional intelligence guy. I spent about 20 years in the intelligence community, both with the US Air Force and then as a defense contractor.

Most of that time was spent at NSA. I've been in the private sector for about eight years now. I primarily build or help other people build, uh, effective intelligence driven security practices. I'm passionate about intelligence, security, public speaking, mentoring, and teaching. I'm also deeply committed to servant leadership.[01:15:00] 

Which is why I completed my master's degree in organizational leadership at Gonzaga university. Go Zags! We're having a tough year this year on the courts, but I think they'll pull it out. So listen, the goal of this podcast is to bring all these kind of elements together with some incredible guests, like we have today.

And we're going to have some authentic conversations, unfiltered conversations, really debate sometimes how we might argue with each other about a whole wide range of challenging topics. It's not your typical podcast. This isn't gonna be all polished. It's not a bunch of fancy, you know, audio and video graphics going through and it's not a big sales pitch.

We're not doing that crap. Uh, here it could be anything. It's gonna be really just gritty, right? You might hear or see my dog. She's around here someplace. Uh, people might swear here. I know I'm known to, and, uh, we might argue, as I've said before, and that's all okay. So think of this podcast as the conversation you might overhear at a bar after a long day at one of the larger cybersecurity conferences that we're all going to be at here pretty soon.

So these are the conversations we usually have when nobody's listening. Now, today, my guest [01:16:00] is Roman Sannikov. Roman's awesome. He's an expert on all things related to cyber and threat intelligence, particularly when it comes to the cyber criminal underground. I've been lucky enough to travel a little bit with him and speak on these subjects and actually watch him speak more than anything, and he's just brilliant.

So, he started his career, uh, working at FBI. Uh, and then after that, moved into the private sector. He's worked with some of the biggest and, you know, most well known companies in our industry. Uh, right now, he's leading his own consulting firm. Uh, as president of Constellation Cyber LLC. Where he helps companies around the world produce and benefit from threat intelligence.

Roman, welcome to the show today. And is there anything I left out that you want to add to your intro?[01:17:00] 

Well, I'm glad.

We'll figure it out. I'm glad you're gassed up. I, this is non alcoholic, so I won't be able to catch up, but, uh, you know, as anybody who knows me, I'm fiery enough all on my own, we should be all right. But no, man, I appreciate it. Yeah. Maybe we'll find some things that we do disagree on.

We'll see as we get in. Uh, you know, it hasn't been much yet, but you know, if we do, that's, that's what this is all about. So listen, the title of today's episode is true stories of the dark web. Now, listen, that's the kind of title, you know, it's the topic that Almost everyone wants to learn more about, because there's all the mysteries surrounding what goes on in all these areas where most people can't see, or they just can't participate.

Right? So, [01:18:00] but before we get into the real discussion, it occurs to me, there's a lot of different terminology here. Right? And so there's a lot of possible misconceptions or misunderstandings when we talk about, say, the deep web versus the dark web versus the cyber criminal underground versus, you know, criminal marketplaces, all these other terms.

Right? So as an expert. One of the, one of the, uh, measures of an expert is how, how somebody can take something complicated and large and quickly boil it down into something that any dope like myself can understand. So can you help make sure myself, the audience, we're all speaking the same language here on, on deep web, dark web, cyber criminal, underground, all these terms, right?

What are we talking about, man.

I I'd like your royalty You're going to owe 8%. I don't Go ahead, man.[01:19:00] [01:20:00] 

Got it. All right. So they're, they're sort of closed environments, right? And, and so let's not mistaken, you know, they're just in the deep in the dark, you know, it's, I mean, it's. It sort of depends on how you look at it. Right? There's, there's the open web we all know about. That's that indexable Google web.

Right. And then people talk about, you know, that's, what's that 10%, 20 percent of the web. It's number always changes, but on which structure you want to look at that's in a graphic on somebody's slide, but it's a small fraction. Right. And then, then you got the deep and then the dark, if I understand is, is that's where the dangerous stuff is.

Like the deep is just stuff that's not easy to get through Google, but it's not necessarily [01:21:00] nefarious. It's just, just the rest of the web. It's sort of like the radio stations that aren't assigned, but they're out there, right, for those who are old enough to care about radio Got it. Okay. So this is the place where you can buy or sell pretty much anything when it comes down to it, right? Whether it's product services, uh, you know, or horrible things, right? Happen. So got it. All right, cool. So I think we're all on the same page now. Hopefully that makes it easy for people to [01:22:00] understand, you know, what we're talking about here.

So let's just jump in, man. You've been doing this for a long time. I'm not to be insulting. We're both kind of old at this point. Um, so, you know, experience, right? Seasoned, uh, those are better words for old, I think. Uh, but we've been doing this a while. You've been doing this a lot specifically, which means, you know, you're one of the most knowledgeable people I know on the subject and you go back away and again, not to poke at this case, but things have changed over time.

Like somebody who's been doing this a long time, like any environment, you know, just like anything, pick a social media platform, right? We've seen them change over the years. But you've seen all that going on in these spaces and these deep and dark spaces. Right? So can you talk a little bit about what have you seen in terms of changes over the last, you know, years, 10 years, decades, and maybe what have you seen that hasn't changed?

What are the consistencies when we get into these environments in the deep and the dark web now?

Sure. Why not? I mean, it's not like I wrote it for us or anything. No, go ahead, man. Switch it around. gonna flip it That's [01:23:00] you're just reversing the order. Oh yeah. All right. That's sure. for it. All right, cool. [01:24:00] [01:25:00] [01:26:00] Well, that, that makes a good, you know, you made a good point there, right? Are a couple of them actually several, but you talked about, I know people talk about, Hey, there, you know, this is going to [01:27:00] go away. People can go to one on one relationships, et cetera. And I think you're exactly right. There's supposed to be a place to meet.

You know, I, I mean, it's, it's sort of like, it's not the world's best example, but sort of like dating. Um, people still go and meet people, you know, they meet bars. I realized people go to apps now too, but even that's it's on community at some level before you meet, you meet in the app or whatever, there's still got to be someplace where you can come in and meet strangers.

Right? And then from there, you figure out if you can split off and go to this one on one relationship to these small group relationships, but there has to be a place to start, know, and as you said, criminals, not surprisingly, not the most trustworthy group of people or the most trusting group of people.

So you, and you don't have a better business bureau. You don't have anybody. You know, to be these middle, middle men and women, this reading, so you have to have something, you know, I know we talked about it before. It's, it's a community for people who aren't good at community, basically, like, by definition, criminals aren't generally great at being part of society, right?

To a point, right? Uh, you know, we can go into a lot of detail there, but the fact is, they live a little outside the boundaries usually, right? So a community for people who aren't great at community. That's not going to go away. I agree with you. I [01:28:00] think we are seeing more of that move to let's do this quickly and let's move someplace quieter and, and, you know, discord and telegram and those kinds of things.

Right. And there's, there's collections in those areas now too, but there has to be a place to meet. There has to be a place to start. You know, you can't just get on telegram and find a person necessarily, right? You got to have a place where you're going to start. And, and you mentioned some really important pieces that I don't think people think about is, is the other services go with this, like escrow services, um, you know, like I know there's an appeals process or somebody has complaint, like there's a whole system to this that has been around for a while, you know, and these reputation pieces, that's a pretty strong infrastructure.

So I'm with you in that. I think this is still going to continue to be like that first area that a lot of these criminals come to. So it's nice to hear you say. That hasn't really changed much over the years. That seems to be enduring. Um, so, uh, what have you seen? I think, I think you were done with what, what hasn't changed.

If you're not, you'll just tell me, keep going. But, uh, what have you seen that have been the big changes, you know, in your mind, what are the trends over the decades that you've been seeing this go on? What are you seeing as big changes, man?[01:29:00] [01:30:00] [01:31:00] 

Yep. [01:32:00] [01:33:00] Maybe you can't trust them. Is that where we're back to that can't, can't trust these guys. [01:34:00] That's have a [01:35:00] [01:36:00] [01:37:00] Well, it's interesting. Uh, I, I, this reminds me of something, uh, years ago now, but psychological profiles have been done, uh, and the psychological profile between a police officer and a criminal are almost identical. Like you can't tell who's who apparently I'm not a psychiatrist or a psychologist. So if somebody's listening and wants to correct me on all the details, I'm good with that.

But as I recall, If you put them next to each other, they're essentially the same profile. And it's one of those mysteries of what makes somebody choose one side or the other, right? Because people are very much wired the same in terms of their, their, uh, you know, acceptance of risk, uh, and you know, and, and some of the other motivations they have, it's just, you end up on one side or the other.

So it's not surprising to hear, you know, you mentioned with organized crime, uh, you know, both in the physical world and talk about the cyber criminals, it's [01:38:00] not, not surprising to hear that they want to mingle and mix. These are same kinds of people that are on the opposite side of, of the discussion.

Right. So, um, but it's interesting. I think the point you made, I remember the presentation years ago, uh, when, when there was a prestation and you guys were talking about this specific actor, which everybody knew who this guy was anyway, it's not like you guys made him famous, but I remember some of that hubbub of, ah, should they have done that or not?

You know, these guys want fame and fortune and now you're highlighting this. And it's, it is interesting. You mentioned how much that's changed now. Cause that was, Oh God, that had to be seven years ago, I bet. Uh, give or take. Um, you know, so it's interesting now that you're saying, yeah, it's just kind of a normal thing, which it is.

I've seen, I know researchers that talk with, you know, Criminals out there and get information that, like you said, they won't rat on themselves, but they'll tell you trends and some interesting stuff. And knowing your enemy is really important, you know, any way you can find out about them. And, you know, so I, I agree with you.

I think that's, that's a really interesting point that that's changed a lot. What about specific like TTPs or scams out there? Like, you know, romance scams, for instance, or Like there's a lot of them [01:39:00] out there. Are these, have you seen that evolution of things that new things arrived that didn't used to exist or have things just improved over time?

Like, what have you seen in some specific scams or TTPs?

roman_y. sannikov: same

aj_nash: backwards.

roman_y. sannikov: yeah Yes. Right. [01:40:00] [01:41:00] you No, no empathy, no [01:42:00] or whatever Uh[01:43:00] [01:44:00] 

aj_nash: Right. Well, yeah. And they piece it out, right? I mean, these are smart business people, you know, so if you're in carding, you're not, like you said, you're not, you're not getting the cards. You're not also doing, you're not doing the skimming. You're not doing the, [01:45:00] the fraud work. You're not doing the cash as you know, you've got mules do bits and pieces.

You're selling pieces around. Like you're not doing everything because you can specialize. It also, you know, it lowers your exposure. Like you got little bits and pieces to handle some of that. So the exposure changes and then you're taking, you know, your fractions off of all of that stuff. So it's, yeah. I mean, it's smart business.

Listen, these are not dummies, right? I mean, the people in this enterprise are very bright, uh, generally speaking and savvy business people. They just happen to have a business model. It's not legal. Uh, but it is really, really effective and efficient. You know, I hear things like half a million dollars in cash and I think maybe I'm, maybe I'm on the wrong side of the business, but I'm not, don't worry.

Don't call the FBI. Uh, but I get a little jealous by the money occasionally, but a lot of these guys go down. So, uh, Okay. So we've talked a bit about, you know, what you've seen in terms of what, what didn't change over time, some of the things that have changed and some of the new, new trends and new technologies are out there and tactics and techniques like ransomware.

Frankly, I've just had a discussion on ransomware, um, you know, an episode that, that just went out actually not too long [01:46:00] ago. Uh, and we went into detail on, you know, Uh, ransomware and double ransomware and triple ransomware and quadruple. So if anybody's listening to this and didn't listen to the episode with Brian Stack, uh, from Experian, I recommend you go back and catch that.

Uh, cause he did a real good deep dive on that as well. You know, that's a very cool piece, but knowing all of that, the next question is what are people. What are people doing wrong in terms of deep dark web, or how are they thinking wrong about the deep and dark web? We have all these misconceptions. Like you said, there's vendors out there that are doing this work.

We've got companies that are, in my opinion, foolishly setting up their own, uh, efforts to try to do it, which is really dangerous. I will say this, you know, for the 80th time, probably in my career at this point, first of all, you shouldn't set up your own deep and dark web collections. Don't do it. Don't get out there.

If you're not a professional and expert, it's a bad idea. I tell people it's sort of like going into a biker bar, wearing a suit and Even if you can get in the door and you probably shouldn't, it's going to be clear. You don't belong. Nobody's going to really interact with you. And there's a chance you're going to get hurt.

Uh, so I, you're right. You'll be fine. Fake [01:47:00] mustache. You'll be good. But I always tell people, and I know, you know, people have said it seems self serving because I work in this industry on the vendor side, but listen, I worked at a bank before and I said the same thing. Don't set this stuff up yourself.

There are certain things you. Always want to outsource. And I would say deep and dark web is one of those things that you just want to outsource that the time, the effort, the energy, the risk, uh, it's, it's just not worth trying to do yourself. But anyway, the question was for you, not for me. What are people doing wrong in terms of deep and dark web?

Or what are they, what are their misconceptions when it comes to these [01:48:00] good marketing.[01:49:00] [01:50:00] [01:51:00] 

Well, it sounds like organizations that are saying they might be saying, we don't care. I'm going to tell you my translation of that is they've just given up. They can't do it. So they've changed the message. We don't want to say we failed. So we'll just say, well, we don't care about that. We're not gonna worry about that.

We're worried about it here, but you're waving the white flag. Listen, you know, we're in security business. We're in Intel business. It would be like saying, Oh, I don't care if you break in my front door. I assume everybody's coming in the house. I'm just gonna try to keep you from stealing my television.

No, I'm actually try to keep you from getting in the front door. I've got a lock on the door. I've got camera. I've got alarms. I've got dogs. I'm going to try and keep you from getting in the door. Like you may get to the door, but I'm gonna make that hard first. And then if you get in, I've got, you know, depth defense in depth and all that, you know, people talk about, [01:52:00] right.

It sounds me like people have just changed that conversation to say, well, we're not going to worry about that. It's because they've given up because they can't stop it. So they've given up, which is a weak position to take.

No, it's the opposite. This isn't criminals learn. All right, if I breach you and it works, I'm gonna come back I'm gonna keep coming [01:53:00] back until you prove I can't get in the door Like if you broke into my house, like, you know using that same analogy the door open you come in you steal my stuff You're gonna come back.

You already know you can get in the door Like why wouldn't you come back until I either run out of things to steal or I lock the door Like, you know, I put an alarm up and I, I, you know, do some other things from a security standpoint, why wouldn't a criminal continue to commit criminals care about success.

They, they care about whatever they want to do, they want to succeed at. They want to, they want to steal the thing. They want to cash out, you know, they care about success, care about not getting caught and they care about, you know, value and they're like water. They look for the path, at least resistance.

If you're not provide resistance, as you said, to the 50 yard line, well, yeah, I'll take the ball there. I got a better chance of getting through. So, you know, it's, it's interesting cause I hadn't thought about it, but yeah, I. There are some folks who've just kind of given up on stopping these things, which is, it's sad.

And you're right. We've all said you're going to get breached eventually. It's true. We got to make sure they understand everybody gets breached. It doesn't mean you don't stop trying to get from getting breached. Cause if you stop, you can get breached a hell of a lot more. You know, this isn't binary, you know, have been or haven't been, you're all going but are you going to be breached once [01:54:00] or 138 times?

Like you still have to try to keep them out at the door. Um, so I think that's, that's interesting. You mentioned it, you know, the other one that comes to mind, I'm gonna steal some of this little bit. We talked a little about it is. Is the organization say, we don't care who did it drives me crazy. What do you mean?

You don't carry it. I will carry it. We just want to stop it. Well, if you don't care who did it, you're gonna have a real hard time because you don't know what their motives were. You don't know how to stop it necessarily. You don't know where they're going now that they're in your org. You don't know if they're going to come back.

Like attribution matters. It's, it's not, you can do things without attribution. You absolutely want to stop the bleeding immediately, but I think it's much more important than people seem to think. But what are you seeing? Are you seeing the same thing when we talk about attribution?[01:55:00] 

Sure you can. ahead. [01:56:00] no. We swear all the time here. Don't worry about [01:57:00] [01:58:00] Nobody's done it yet. So you're probably I'm[01:59:00] 

Well, like you said, we got, we have a PII, right? So, you know, if your PII is compromised, I don't know about you. I've had letters from so many companies, Hey, you know, we're going to give you this free tracking of your credit, you know, cause we screwed up and all your stuff's been stolen so many times more than I count.

Right? Right. Right. But at least I get notified. Oh, okay. I gotta watch my credit a little bit. See if somebody's using my information. See if somebody's stealing my ID. Because with PII, they were required to tell us. And we all know this, right? Uh, and other things, they keep quiet. I know I used to work in finance.

And, you know, this is what the ISACs were designed in part to do. Was, you know, they're sharing organizations. So, if a bank gets breached, We should all get on a call. We should, you know, they should be able to share. Here's everything we know. Here's the T. T. P. S. Here's what they've taken. Here's what we think their motives are.

Here's we think it is everybody else combating on the hatches and get ahead so it doesn't become a series of events. But then the lawyers get involved. None of that [02:00:00] happens. And again, I'm with you. I'm not blaming lawyers. They got a job to do. It's you know, where is the line between being transparent and taking on risk and how it's gonna work.

But ultimately, you end up having what would be what in physical criminal terms, a murderer Becomes a serial killer because nobody mentioned the murder. And then the next one and the next one, and nobody's sharing the information. There's a pattern here, it turns out. And so this, this same person goes on murdering, uh, in this case, just, you know, robbing banks digitally because people didn't share the information.

So it becomes one after another, after another great win for the criminals. Um, or you run into it, you have, we see the same thing with, with, you know. If you talk about pig butchering for that matter, you come back to that, even that's personal, but people don't want to share because they're ashamed, right?

So you, you have the risk factors with lawyers, you know, and all those things that go with it from a business standpoint, but also people don't often share because they're ashamed and that can even happen in business too, or some executive got briefs. They don't want to tell anybody. I know you've seen it.

I have two ransomwares where they sideline it and pay it off themselves because they don't want anybody to know about it. They just want to get their laptop back. And it never goes well, by the way, for anybody wondering if you get compromised, if you're going to go grab yourself some [02:01:00] Bitcoin, I think you're going to solve it yourself.

Chances are pretty good. You're not. I'm sure it's not within your company policies. You're probably gonna make things a lot worse. You're just going to pay off somebody who probably doesn't give you your stuff back anyway. So if you get had, just go talk to your security people immediately. And just, you know, this is what happened and try to deal with it.

Don't, don't go buying crypto and trying to solve it yourself. It doesn't go well. Um, so anyway, yeah, I think that's all interesting stuff. And again, you talked about the attribution piece. I wonder if that isn't again, just like the whole ad, we don't care about breach. If it isn't just that people have said.

They've just given up. It's hard. Attribution is really hard. So maybe instead of saying we can't do it or it's hard, it's just, ah, we don't want it. It's almost a sour grapes. We don't want that anyway. Or maybe it's a matter of, and I'm curious what your thoughts are here on just prioritization. We can only do so many things in a day.

We've just accepted these are too hard to get done. So we're just going to say, we're not going to worry about it important or not. We're just going to punt it because I don't have the time or the energy or the money to fix it. Even though, as you said, it's going to cause all these other problems by not really knowing.

Who did this and what their motives are and what the likelihood of return is and what they're likely to do with the things they've stolen. It's it's [02:02:00] critical. It's very valuable, but organizations just move quickly and say, well, it's just too hard. It would take a lot of energy and a lot of time and money to try to figure it out.

So I wonder if they're just punting because it's just hard and they just say, well, we're not going to do it. [02:03:00] Yeah, you've got a methodology for [02:04:00] scoring risk essentially, right? And so figure out which things, because again, nobody has enough time or energy or money to do everything. Nobody has enough people. So you gotta be able to prioritize, but I'm with you. I tell people a lot of times Intel, it's, you know, tell them what happened.

Tell them what they can do about it or tell them what happened. Tell them why it's important. Tell me what they can do about it. Right. Those are three, the three things, but also one of the things I say is that Intel, we're the only ones that can tell them not to worry about it, or at least with some level of confidence, you know, uh, I.

I know when I first went to the private sector, my first gig was at a bank, and I learned very quickly little differences between the government space. The private sector is people really freaked out about almost everything that was in the news right away. It seemed like and context was an issue. And early on, you know, you're learning this stuff and you got, you know, see those and they come down.

They're just freaking out. They want to know everything about everything and everything's everything's on fire. But getting the point where you could say, Hey, boss, you You really don't have to worry about this. And here's why, like, I know the headline said that, but really, this is actually not a new thing that's been on for years.

It's a minor variation, or this is, this is an organization that's not gonna attack us. They've never attacked a bank ever. This is not their motivations or whatever they are, right? Helping the C level or the CISOs. Say, okay, I don't have to worry [02:05:00] about this. Great. Cause I only got 612 other things got to worry about.

So that one I can take off my Yes. So, I mean, it's nice be able to take one away. Right. And, and Intel can be really good at that with some level of confidence. This doesn't have to be your top thing today, boss. It might be tomorrow. We'll, we'll talk again. I'm sure. But being able to tell them this isn't the thing, right.

And so I think that's really important. And like you said, you know, that does come from some of this attribution component, which is, which is really, really challenging. So, all right, listen, we got, we got one more question here. We're running a little behind. We're a little long. one two things will happen.

It has to be a really long episode or editing. They'll get in there and cut out. Some of the times we just chatted with each other, or if it gets super long, maybe we'll split it into two episodes. We'll figure it out, but I don't care. Cause this is an important question. We're definitely going through it.

So again, the show was really about like, you know, stories from the deep and dark web, right? We haven't even gotten into the really cool stories. We talked a little bit here and there, but. You've been doing this a long time, man. So I keep saying that I keep picking on you. I'm probably older, but, uh, the best part, I think of all these discussions is the really cool [02:06:00] stories, right?

So what do you have, man? What do you have? That's just, you know, I'm sure you got a couple of things without name and names or shaming anybody, of course. You know, whether it's customers or or, or employers or whatever, but do you have some very cool stories or some myths you wanna bust? You know, can I honestly hire, you know, somebody to murder somebody on the dark web?

Can I buy, you know, can I buy human beings on the dark web or kidneys? You know, are there myths you wanna bust? Are there stories you wanna share? What do you got? That's really the cool stuff. People are gonna walk away going, holy cow. That's amazing.[02:07:00] [02:08:00] [02:09:00] 

million. Yeah, I'm, I'm cheating. You told me was. I looked it up. It's, it's for those who want to look up the full story on this one, by the way, it's September 2010 when all broke out. It's 37 mules, 3 million. Uh, very interesting [02:10:00] story. The, the actual indictment is out there. If you, if you actually Google aching mules, uh, that comes up and some interesting names there in the, in the southern district of time, but also wired has a good article on it.

I'm, Sneaking a peek here. It's live and having a bunch of computers. So, uh, yeah, 3 million, 37 people, 21 separate cases. Um, lots of Russian names, this Long list of Russian names, basically ages anywhere from 21 to 26. Oh, well, there's one 29 year old in the group.

So, um, really interesting stuff, man. And. That must've been just really wild to work on. And this is 2010. So this is a while ago. I mean, you're talking not to make fun of you and age. This isn't about that anymore, but 14 years ago, you know, when you said they didn't know what to do, right. This was not a common thing yet.

And this is, this is pretty new still comparatively. So like that's some of the early days and that's a pretty sophisticated ring. Um, that's awesome stuff. [02:11:00] the gang And[02:12:00] 

roman_y. sannikov: Um [02:13:00] Please tell me you had pretend you were deaf or something. Oh yeah, sure, the hair. [02:14:00] I didn't think about sure the hair makes perfect sense. And again, for those who aren't watching, if you're just listening, which is perfectly fine because with me, you're much better to listen than to watch me. promise. But, uh, if you're not and you get on YouTube, you can see, you know, Romans cut some pretty great hair.

aj_nash: Uh, and yeah, it probably would do a really good job of covering that up. So that's brilliant. Just let your head down. Um, listen, you got one more story, man. I know you, I know you have a lot, you know, one more, we got time. Come on. No, you're good, man. Don't worry about [02:15:00] [02:16:00] weren't taking any a lot of going on?[02:17:00] 

That's a [02:18:00] good It's, I'm picturing the Rocky movie where he has to go to Russia, fight Ivan Drago. I'm just picturing that I was Siberia, right? And just, you know, the cars, the old Mercedes and the, you know, the heavy snow and not be able to get anywhere. I'm just picturing that except Apparently everyone was drunk in this case too, they should have had the movie, that's probably more So. Um, but I, I'm assuming you didn't knock out Ivan Drago at the end of this or anything. You didn't win a big fight and turn Gorbachev onto our side and all that. I'm guessing nice. All right, listen. So we always close out the show with the same question for everybody. And this has been my most fun part of the show.

Usually in this case, your stories, I think are more fun. But that being said, the name of the show is Unspoken Security. So with that in mind, tell me something you have never told anyone before. Something that's been unspoken so far.

Oh, I like We're off to a good [02:19:00] 

roman_y. sannikov: like 

aj_nash: Yeah, 

roman_y. sannikov: you know[02:20:00] [02:21:00] [02:22:00] 

aj_nash: But, and I love that man and I appreciate it. And I'm sure a lot of people will because listen, it does come up occasionally. Right. And it probably will continue to, as I do this, I've been told that people with imposter syndrome, like it's a sign that you're, you're probably both good at what you do and humble.

Right. People listen, narcissists don't have imposter syndrome. It's not, it's not an issue for them. Right. Uh, you know, it's the opposite of Dunning Kruger. There's plenty of Dunning Kruger. There's plenty of people out there who think they're great at everything and they aren't really good at much of anything.

Uh, and, and they don't even know it because they're, they're so out of touch. They don't even know they're not good at things. Right. So I have been told people with imposter syndrome generally are high functioning performers, but they're also just humble and they don't see it. Right. Or they're so good at what they do.

They don't realize how hard it is for other people to do. That's what people have told me before. Cause I, I, I suffer the same thing. I don't know why anybody listens to anything I have to say about virtually anything at all, frankly. And when people ask for my advice, I keep looking around, trying to figure out who they really mean.

But I also recognize, yeah, but I also recognize there's things I've had people [02:23:00] say, you know, Yeah, you did a great job. I'm like, yeah, but it wasn't hard. And they're like, no, it wasn't hard for you. And I have to remember that we all have our own skills, right? There's things I can't do that you could do amazingly.

I'm sure. Uh, I know for a fact, in fact, uh, I'm sure there's some things I do that I find afterwards. I'm like, it wasn't that hard. And they're like, no, I couldn't do that. And we don't realize that about ourselves. I don't think, you know, a lot of people in this industry, and it's really prevalent in our industry, I think, uh, even more so than others of just.

We don't realize that we do things differently than somebody else might do it. Might be faster, might be better. Whatever it is, you find your niche. And I think that's the key, right? If you find where you're supposed to be, and you're, you're good at that thing, and it just comes sort of easy. I mean, it's work, but it fits, right?

I think that's when we get into this track, right? If you're constantly struggling and fight and do something, cause it's just not your nature and you're in a bad fit or whatever, you never really worry about it too much. You don't have imposter syndrome cause you're barely getting through as it is.

Right. And when it gets kind of where it's just, it's a good fit, you know, I've had plenty of things where I get done and people give me accolades for whatever the thing is I did. And I'm like, geez, I [02:24:00] kind of feel guilty about it. Cause I think knew how little it worked, it took to do you wouldn't be so proud of me anymore.

Uh, but it's, you know, it's all relative. So, but I think it's a great message. I think I appreciate you sharing it. I'm sure a lot of people will because yeah, you are a legend, dude, you've been, you've been doing this as I said, a long time. I keep telling but. But you've done amazing things. Like you could tell stories.

We could have you for hours. We could go on and on. Your stories are awesome. You, you've, your knowledge is amazing. I've been lucky enough to present with you and, and to see you present separately as well. And you are a legend. It's true. Uh, but it's hard to see when you're in that. You know, when you're in those shoes sometimes, I think so.

And I think it's a good message for people to know no matter where they are. You know, if it's somebody you're just getting into the industry, uh, or if you've been doing it, you know, as long as we have or longer and you have these feelings, just everybody does, man. I don't know anybody who's really good at this stuff.

Who doesn't have that feeling. Cause again, if they don't, they're probably just a narcissist. And I don't spend a lot of time with those guys. So, um, like if you, if you're doubting whether you belong, just keep driving through, like you, [02:25:00] you probably do. And especially if other people think so, I've gotten to the point where I look around and like, they think I'm doing a good job, I guess I must be.

Uh, cause I, I've long ago given up on thinking I'm doing a good job. So, um, but anyway, go ahead. [02:26:00] 

Yeah, no, I agree. That's a really good point. I mean, I often joke, you know, when you're on or somebody else, whoever's, you know, I don't know why this person hangs out with me. I don't know why they're friends with They just haven't, they haven't done a better job of picking their friends. But you know, putting the joke aside, you're right.

There's lots of [02:27:00] people I know that I'm like, all right, this is a pretty good group and they seem to think all right. I mean, so like, it is a reflection at some point, right? If, if so many mm hmm. Impressive people are willing to pick up the phone are willing to take time, you know, prioritize you, you're important enough to them that they value your opinion or input or, or whatever it might be.

Yeah, it's a reflection at some point you got to accept. Hey, I'm, I guess we're doing okay. Right. Um, but I also like. Having this like a little humility is good. So I don't know if I'd ever want to get to the point where I thought I was good at anything. Um, I'm good enough apparently to get by on some things.

And I think comfortable with that because nobody wants to hang out with the asshole who thinks he's good at everything. Um, you know, nobody likes those people. So. All right. Listen, man, this has been great. I really appreciate you coming on. You've done an amazing job. Awesome stories. Uh, you know, we could, we probably have you on again at some point, cause I don't have a bunch more of them too, but I really appreciate you taking the time to be here, Roman.

Uh, know, I can't, can't thank you enough for it, man. I'm going to wrap it up here. Uh, for everybody listening, please, if you like the [02:28:00] show, you know, like it. Download it, subscribe, tell your friends and neighbors, you know, get on the highest mountain and scream about it, uh, whatever it is. Right. And if you don't like it, then just shut up and don't tell anybody.

No, it's fine. Tell me if you don't like it too, we'll, we'll, we'll see what you did to make it better. But

yeah, man, 

on out and do it. Or maybe we'll do it on site at one of the locations. I mean, we did conferences, but yeah, anytime, man, I'd love to have you back on. So listen, that's going to wrap it up for this one. Again, for everybody out there. Thank you very much. This has been another episode of.

Unspoken security. Uh, and until next time, you know, be safe and we'll talk to you again soon.

Hello, and welcome to another episode of Unspoken Security, brought to you by ZeroFox, the only unified external cybersecurity platform. I'm your host, AJ Nash. For those who don't [02:29:00] know me personally or are first-time listeners, I'm a traditional intelligence guy. I spent about 20 years in the intelligence community, both with the US Air Force and then as a defense contractor.

Most of that time was spent at NSA. I've been in the private sector for about eight years now. I primarily build or help other people build, uh, effective intelligence driven security practices. I'm passionate about intelligence, security, public speaking, mentoring, and teaching. I'm also deeply committed to servant leadership.

Which is why I completed my master's degree in organizational leadership at Gonzaga university. Go Zags! We're having a tough year this year on the courts, but I think they'll pull it out. So listen, the goal of this podcast is to bring all these kind of elements together with some incredible guests, like we have today.

And we're going to have some authentic conversations, unfiltered conversations, really debate sometimes how we might argue with each other about a whole wide range of challenging topics. It's not your typical podcast. This isn't gonna be all polished. It's not a bunch of fancy, you know, audio and video graphics going through and it's not a big sales pitch.

We're not doing that crap. Uh, here it could be anything. It's gonna be [02:30:00] really just gritty, right? You might hear or see my dog. She's around here someplace. Uh, people might swear here. I know I'm known to, and, uh, we might argue, as I've said before, and that's all okay. So think of this podcast as the conversation you might overhear at a bar after a long day at one of the larger cybersecurity conferences that we're all going to be at here pretty soon.

So these are the conversations we usually have when nobody's listening. Now, today, my guest is Roman Sannikov Roman's awesome. He's an expert on all things related to cyber and threat intelligence, particularly when it comes to the cyber criminal underground. I've been lucky enough to travel a little bit with him and speak on these subjects and actually watch him speak more than anything, and he's just brilliant.

So, he started his career, uh, working at FBI. Uh, and then after that, moved into the private sector. He's worked with some of the biggest and, you know, most well known companies in our industry. Uh, right now, he's leading his own consulting firm. Uh, as president of Constellation Cyber LLC. Where he helps companies around the world produce and benefit from threat intelligence.

Roman, welcome to the [02:31:00] show today. And is there anything I left out that you want to add to your intro?

roman_y. sannikov: AJ, thank you so much for having me. This is great. So my goal for today is to find a topic that we vehemently disagree on so can have actual argument. And, uh, and to get that going, I actually had, you know, three or four, uh, beers before this. So that, you the spirit of that, uh, happy hour after, uh, you know, after DEF CON meetings and stuff like that.

So I really got into, into the mood here and, uh, yeah.

aj_nash: Well, I'm glad.

roman_y. sannikov: find a heated. topic that we disagree on. It's probably it's unlikely because I know we've we've spent time chatting and unfortunately we pretty much agree on on most anything but uh maybe if we have time maybe we get into some sort of a sports disagreement or something at uh at the end or

aj_nash: We'll figure it out. I'm glad you're gassed up. I, this is non alcoholic, so I won't be able to catch up, but, uh, you know, as anybody who knows me, I'm fiery enough all on my own, so we should be all right. [02:32:00] But no, man, I appreciate it. Yeah. Maybe we'll find some things that we do disagree on.

We'll see as we get in. Uh, you know, it hasn't been much yet, but you know, if we do, that's, that's what this is all about. So listen, the title of today's episode is true stories of the dark web. Now, listen, that's the kind of title, you know, it's the topic that Almost everyone wants to learn more about, because there's all the mysteries surrounding what goes on in all these areas where most people can't see, or they just can't participate.

Right? So, but before we get into the real discussion, it occurs to me, there's a lot of different terminology here. Right? And so there's a lot of possible misconceptions or misunderstandings when we talk about, say, the deep web versus the dark web versus the cyber criminal underground versus, you know, criminal marketplaces, all these other terms.

Right? So as an expert. One of the, one of the, uh, measures of an expert is how, how somebody can take something complicated and large and quickly boil it down into something that any dope like myself can understand. So can you help make sure myself, the audience, we're all speaking the same language here on, on deep web, dark web, cyber criminal, underground, all these terms, right?

What are we talking about, man?[02:33:00] 

roman_y. sannikov: Sure. Before I say that, gave me the subtitle from the book I'm going to write. So the title was going to be How Dark is the Dark Web? And the subtitle is going to be True Tales from the Dark Web. Um,

aj_nash: I I'd like your royalty

roman_y. sannikov: thank you.

aj_nash: You're going to owe 8%. I don't know. don't what it is. Go ahead, man.

roman_y. sannikov: so, so, yeah, so it's actually a great question.

And part of the problem is something that we might actually talk about later is that a lot of times these terms are used partly as marketing. Um, so everybody has their own. Way to describe it. And I know some organizations actually, uh, vehemently disagree about what to call this. Essentially, what we're talking about is a, um, an area of the web of the Internet that is difficult.

To access so that has barriers to access. So typically the way we used to define it is it's something that, you know, Google isn't [02:34:00] going to, uh, analyze isn't going to scrape. Although even that's not necessarily the case. You know, I've seen, uh, posts from, uh, from exploit and from other major forums, uh, commented, uh, or reflected on Google searches and things like that.

Uh, but essentially we're talking about is an area of. The Internet, an area where individuals communicate relatively openly because there is a barrier to entry, so the barrier could be either financial, meaning you have to pay, or it could be reputational. You have to be vouched in by someone. You have to know someone to gain access to this platform, or in a lot of times, in a lot of cases, both you have to both know someone and you have to pay.

Um, so, but essentially that's, uh, kind of what we're talking about. It's something that, um, barrier to entry.

aj_nash: Got it. All right. So they're, they're sort of closed environments, right? And, and so let's not mistaken, you know, they're just in the [02:35:00] deep in the dark, you know, it's, I mean, it's. It sort of depends on how you look at it. Right? There's, there's the open web we all know about. That's that indexable Google web.

Right. And then people talk about, you know, that's, what's that 10%, 20 percent of the web. It's number always changes, but on which structure you want to look at that's in a graphic on somebody's slide, but it's a small fraction. Right. And then, then you got the deep and then the dark, if I understand is, is that's where the dangerous stuff is.

Like the deep is just stuff that's not easy to get through Google, but it's not necessarily nefarious. It's just, just the rest of the web. It's sort of like the radio stations that aren't assigned, but they're out there, right, for those who are old enough to care about radio

roman_y. sannikov: could. It could also just be things that are proprietary things that are part of a corporation, a part of some sort of network that again is somehow closed off. Uh, and, uh, and things like that. So, the dark web typically is what we talk about when we're talking about malicious activity. It's something that The reason I think we call it dark is because it's hiding in the shadows.

It specifically wants us as researchers, as law enforcement, as [02:36:00] other individuals to not be able to see what they're doing. So I think that's the easiest way to kind of look at it is really something that is purposely hidden from view.

aj_nash: Got it. Okay. So this is the place where you can buy or sell pretty much anything when it comes down to it, right? Whether it's product services, uh, you know, or horrible things, right? Happen. So got it. All right, cool. So I think we're all on the same page now. Hopefully that makes it easy for people to understand, you know, what we're talking about here.

So let's just jump in, man. You've been doing this for a long time. I'm not to be insulting. We're both kind of old at this point. Um, so, you know, experience, right? Seasoned, uh, those are better words for old, I think. Uh, but we've been doing this a while. You've been doing this a lot specifically, which means, you know, you're one of the most knowledgeable people I know on the subject and you go back away and again, not to poke at this case, but things have changed over time.

Like somebody who's been doing this a long time, like any environment, you know, just like anything, pick a social media platform, right? We've seen them change over the years. But you've seen all that going on in these spaces and these deep and dark spaces. Right? So can you [02:37:00] talk a little bit about what have you seen in terms of changes over the last, you know, years, 10 years, decades, and maybe what have you seen that hasn't changed?

What are the consistencies when we get into these environments in the deep and the dark web now?

roman_y. sannikov: So I'm going to switch that question around a little bit. I think I'm going to

aj_nash: Sure. Why not? I mean, it's not like I wrote it for us or anything.

roman_y. sannikov: haven't changed.

aj_nash: No, go ahead, man. Switch it around.

roman_y. sannikov: it. Don't get offended. I'm just gonna flip it. That's all. I'll

aj_nash: you're just reversing the order. Oh yeah. All right. That's sure. for it. All right, cool.

roman_y. sannikov: Um, so I'm going to focus on what hasn't changed because I that's kind of fundamental to what's The purpose of the dark web is of, um, this underground, let me just call it that so we offend any companies about the So is the reason you have this area is because you have essentially when you're talking about cybercrime, you're talking about individuals conducting business. People who don't know each other, people who [02:38:00] have never seen each other. Most of the time, people have very little kind of control over each other and each other's actions.

And at the same time, they have to trust individuals who are criminals, who are inherently not very trustworthy. Uh, that's why there's that saying, you know, no honor among thieves, uh, is, uh. They're not very trustworthy. Uh, they will rip you off if they can. Um, and essentially the underground provides a some sort of community that allows these, uh, threat actors, these individuals, these criminals, uh, to have some sort of recourse.

So if you're in a community, like a forum, like a telegram channel, like a discord channel where there's, uh, Other individuals, if you do something illicit, if you rip somebody off, if you do something that will, that has the potential of ruining your reputation with others. So then you will have a harder [02:39:00] time conducting business with other individuals, be it selling it, buying it, et cetera.

So essentially, I know, I think sometimes for sales purposes, companies will say, you know, Forums are dead, or this or chat is dead, or this and that is dead. Um, and I disagree. I think there's always going to be a need for some sort of place. Yes. Threat actors may eventually. Go to private messaging, but there's a need for this initial area where individuals who don't know each other, who haven't worked together can come together and have some level of comfort in giving money to someone who's a criminal and think that you're going to get something back from them that somehow resembles what you want.

Um, and forums in these places, um, Channels and et cetera. [02:40:00] Uh, they've created things like escrow services, similar to when you're buying a house or something like that. There's reputational damage. There's all sorts of ways that they've worked out over the years to create that level of, um, trust so that they can work together.

Um, Obviously, they're working together for a bad cause, but still, you have to look at it from just the operational needs and operational necessities. Um, so I think that's something that's stayed even when people have. When again, the threat actors, the bad guys, the criminals have moved from be it from forum to forum, from forum to shop, uh, from shop to telegram channel, to discord, to Jabber, to whatever it may be.

The idea behind all of this has been the same, that there has to be some way to communicate, to conduct transactions, uh, [02:41:00] when you're not. Being able to like literally hand somebody a, uh, suitcase or a duffel bag full of cash, uh, and receive some, some drugs, uh, right there on the spot in return. Um, so I think that's something that's, that's maintained.

Um,

aj_nash: Well, that, that makes a good, you know, you made a good point there, right? Are a couple of them actually several, but you talked about, I know people talk about, Hey, there, you know, this is going to go away. People can go to one on one relationships, et cetera. And I think you're exactly right. There's supposed to be a place to meet.

You know, I, I mean, it's, it's sort of like, it's not the world's best example, but sort of like dating. Um, people still go and meet people, you know, they meet bars. I realized people go to apps now too, but even that's it's on community at some level before you meet, you meet in the app or whatever, there's still got to be someplace where you can come in and meet strangers.

Right? And then from there, you figure out if you can split off and go to this one on one relationship to these small group relationships, but there has to be a place to start, know, and as you said, criminals, not surprisingly, not the most trustworthy group of people or the most trusting group of people.

So you, and you don't have a better business bureau. You don't [02:42:00] have anybody. You know, to be these middle, middle men and women, this reading, so you have to have something, you know, I know we talked about it before. It's, it's a community for people who aren't good at community, basically, like, by definition, criminals aren't generally great at being part of society, right?

To a point, right? Uh, you know, we can go into a lot of detail there, but the fact is, they live a little outside the boundaries usually, right? So a community for people who aren't great at community. That's not going to go away. I agree with you. I think we are seeing more of that move to let's do this quickly and let's move someplace quieter and, and, you know, discord and telegram and those kinds of things.

Right. And there's, there's collections in those areas now too, but there has to be a place to meet. There has to be a place to start. You know, you can't just get on telegram and find a person necessarily, right? You got to have a place where you're going to start. And, and you mentioned. Some really important pieces that I don't think people think about is, is the other services go with this, like escrow services, um, you know, like I know there's an appeals process or somebody has complaint, like there's a whole system to this that has been around for a while, you know, and these reputation pieces, that's a pretty strong infrastructure.

So [02:43:00] I'm with you in that. I think this is still going to continue to be like that first area that a lot of these criminals come to. So it's nice to hear you say. That hasn't really changed much over the years. That seems to be enduring. Um, so, uh, what have you seen? I think, I think you were done with what, what hasn't changed.

If you're not, you'll just tell me, keep going. But, uh, what have you seen that have been the big changes, you know, in your mind, what are the trends over the decades that you've been seeing this go on? What are you seeing as big changes, man?

roman_y. sannikov: Just to follow up on what you said, I agree completely with what you said. It kind of makes me think of those T shirts that you see, the Anti Social Social Club. I see those, that's what I think of is these dark web forums and channels and exactly. But for those who may not No, um, things like escrow services are literally where you have a trusted individual on a platform like a forum, uh, and, uh, you go to them and you say, okay, I'm going to conduct the transaction.

I'm going to sell a bunch of credit cards, stolen credit cards to someone else. Uh, you [02:44:00] know, uh, once they send you the agreed upon amount, you tell me that you have the money. I send the cards to that individual, uh, and then. Once that individual confirms that they have the cards, uh, they'll let you know you released the money to me.

That's how it works again. Very similar to when you're buying a house or something like that. And I know that the mechanics are different between things like telegram channels and discord channels like that. But I think that's more important for, um, the threat Intel providers, uh, because of how they collect the information, how they scrape the information, how they get access to this information.

But for real Intel, I don't think it matters that much. I think these are all still that dark web platforms where the communication happens. Um, getting back to your question, um, how things have changed is, I think that when this started out, um, the idea behind a lot of these was privacy. Um, [02:45:00] a lot of these, uh, platforms had very high level of privacy.

It was very difficult to get into these platforms. forms. Uh, the idea was that everyone was trying to, uh, conduct these, um, uh, negotiations, just conduct their business in, in the private away from the eyes of researchers, from law enforcement, et cetera. At some point over the course of the last, maybe, um, six, seven years, there's been a bit of a shift.

And that is the way I see it is. There's kind of this more open communication between researchers and threat actors. You'll see, uh, when I was at one of the companies that I won't mention right now, but one of the companies, we got into a little bit of heat because we've published, uh, a, an interview with a pretty prominent.

Uh, threat actor

aj_nash: Yep. I my colleagues that, uh, and I, uh, I had the fun, the [02:46:00] pleasure of actually translating, uh, this, uh, interview and editing for clarity and, and helping with some of the questions and stuff like that. And we got some heat, uh, because it was seen as we were promoting, uh, and kind of making this individual more of a celebrity.

roman_y. sannikov: Um, I disagree because, um, I. think that to me, it seems silly that somehow individuals who would read this, um, interview would somehow think, Oh yeah, this guy is 100 percent correct. It's kind of like, I don't know, listening to the interview would Putin and saying, Hmm, you know, maybe this guy isn't the killer.

Maybe he's, uh, you got some good points. Yeah, exactly. I don't think that a lot of people in the industry all of a sudden decided that, you know what? I don't think I'm going to go after these ransomware guys anymore. I think they are just a bunch of good. Pen testers, uh, et cetera. Um, so I think that that was just kind of this, this [02:47:00] level of animosity that some people in our industry have against these individuals, and it prevents us from kind of opening up our minds and really seeing the world through their eyes, which I think is really.

Key to understanding their motivation, what they're doing, how they're doing it. It's like, uh, you know, uh, uh, really you need to know the enemy, uh, uh, to understand, uh, uh, what's going on. Um, and so I, I think, so I'm kind of going off the topic a little bit, Point is that I think over the course of the last five, six years, there's been like more of this openness.

So you're communicating, uh, relatively openly. I've been able to ping individuals, um, uh, openly as They know who I am. They know what they do. And I've asked them, I said, Hey, um, you know, I think that this is happening in the cyber [02:48:00] criminal. Uh, you know, what is your take on this? And, you know, again, not to say that I take everything they say as gospel truth, but

aj_nash: Maybe you can't trust them. Is that where we're back to that can't, can't trust these guys.

roman_y. sannikov: Trust, trust, but verify. So Yes. Um, but, uh, but yeah, but I think it is important to, um, and honestly they like being listened to. So believe it or not. Um, when they have a bit of a platform and people ask them, I think a lot of times, maybe not. Maybe they won't be completely honest about what they're doing specifically, but when you ask him a more general question about trends and about methodologies and TTPs, I found that they're actually fairly open, uh, in in this collaboration.

Um, and kind of a funny Twist to that back when I used to work with with the FBI and when we used to arrest individuals who were engaged in criminal activity and cybercrime, [02:49:00] particularly cybercrime, maybe not all criminal activity, but cybercrime very frequently after we had our kind of sit down and we'd arrest and go through all of this stuff like that.

You know, literally within like a day or two, they'd be like, Hey, Roman, how do you become an FBI agent? Uh, you know, and I would invariably say, well, you kind of start out by not committing felonies. That's

aj_nash: have a

roman_y. sannikov: good start. Yeah, but, uh, but it's like they would, a lot of them would. Cooperate and they would feel like all of a sudden they're part of the team and they're on, you know, team America or team, whatever country they had been picked up by.

But, um, but again, I think that one of the things I've seen again. This transition is that there is a much more open level off communication between the bad guys and the researchers. And I'm not saying that that's necessarily, um, improved everything. [02:50:00] Uh, because obviously we still have a huge. problem with, um, with cybercrime or with criminal activity.

But I think that if we as researchers, as security professionals are smart, uh, we will take that information. We'll incorporate that information. Um, I've listened to a few of your podcasts before, and we will. into intelligence, we will help make the better decisions, uh, for, for our clients. Um, so I think that's one of the things that's definitely changed is this kind of, uh, new level of, of openness.

Um, and, uh, and I think a lot of that has come out of the fact that a lot of these threat actors realize, uh, that a lot of their platforms have been infiltrated. By law enforcement, by researchers. Um, and so it's kind of this bit of a cat mouse, uh, thing. And to some extent it reminds me of, um. Again, when I was [02:51:00] working with, with the FBI, um, a lot of the, uh, work I did contractually, uh, was, uh, also, um, uh, investigating organized crime.

And a lot of times we would monitor these, uh, Russian organized crime groups. And sometimes it would be other organized crime as well, not just Russian, but a lot of times they would be hanging out literally in the same bars and restaurants as the cops and the agents and stuff like that. And so there were essentially, they were kind of rubbing elbows, uh, and And it reminds me what's happening in the cybercrime now, kind of reminds me of that a little bit, is, uh, essentially we're kind of rubbing virtual elbows, uh, very frequently with these, uh, with these threat actors.

aj_nash: Well, it's interesting. Uh, I, I, this reminds me of something, uh, years ago now, but psychological profiles have been done, uh, and the psychological profile between a police officer and a criminal are almost identical. Like you can't tell who's who apparently I'm not a psychiatrist or a psychologist. So if [02:52:00] somebody's listening and wants to correct me on all the details, I'm good with that.

But as I recall, If you put them next to each other, they're essentially the same profile. And it's one of those mysteries of what makes somebody choose one side or the other, right? Because people are very much wired the same in terms of their, their, uh, you know, acceptance of risk, uh, and you know, and, and some of the other motivations they have, it's just, you end up on one side or the other.

So it's not surprising to hear, you know, you mentioned with organized crime, uh, you know, both in the physical world and talk about the cyber criminals, it's not, not surprising to hear that they want to mingle and mix. These are same kinds of people that are on the opposite side of, of the discussion.

Right. So, um, but it's interesting. I think the point you made, I remember the presentation years ago, uh, when, when there was a prestation and you guys were talking about this specific actor, which everybody knew who this guy was anyway, it's not like you guys made him famous, but I remember some of that hubbub of, ah, should they have done that or not?

You know, these guys want fame and fortune and now you're highlighting this. And it's, it is interesting. You mentioned how much that's changed now. Cause that was, Oh God, that had to be seven years ago, I bet. Uh, give or take. Um, you know, so it's interesting now that you're saying, yeah, [02:53:00] it's just kind of a normal thing, which it is.

I've seen, I know researchers that talk with, you know, Criminals out there and get information that, like you said, they won't rat on themselves, but they'll tell you trends and some interesting stuff. And knowing your enemy is really important, you know, any way you can find out about them. And, you know, so I, I agree with you.

I think that's, that's a really interesting point that that's changed a lot. What about specific like TTPs or scams out there? Like, you know, romance scams, for instance, or Like there's a lot of them out there. Are these, have you seen that evolution of things that new things arrived that didn't used to exist or have things just improved over time?

Like, what have you seen in some specific scams or TTPs?

roman_y. sannikov: Man, so those the couple that you mentioned, and I know we've talked about this before, this is something that kind of like breaks my heart. Um, because these are some of the earliest scams that I helped work on. Um, 1 of the very 1st cyber related scams, uh, or cases I worked on back around 2002 was actually a, um, uh, so we're working with some Russian law enforcement to [02:54:00] MVD individuals.

And this is back when we were all. sort of on the same side. Yeah, exactly. Um, and kind of this halcyon years for about, maybe 10 years or so before things went, uh, uh,

aj_nash: backwards.

roman_y. sannikov: yeah. Um, I was going to use a slightly more

aj_nash: Yes. Right. Uh

roman_y. sannikov: they came to us and they said, look, we've got these three individuals in this, uh, you know, fairly large city in the middle of Russia that are scamming people all over the world, uh, like three or 4, 000 at a time.

But they've gotten to the point where they have about half a million dollars worth of scams that they've, uh, that they've done and, um, they, um, wanted people to, uh. to, um, submit cases to them. They needed, they need, because all the crimes are committed outside of Russia. And so they needed victims. They needed individuals to, um, and they had victims from Australia, from Canada, from various States in the United States, [02:55:00] Finland, just all over the world.

Um, and, uh, I remember specifically, uh, again. with the FBI's blessing and through the FBI, but reaching out to some of the law enforcement organizations, uh, regional organizations in Texas and a couple of other places where these victims had, uh, were located. Um, and the attitude was really, if they sent, you know, 3, 000 to some Natasha, uh, you know, thinking she was going to come over then, you know, that's, uh, you know, uh, that's, uh, on them, uh, kind of

aj_nash: No, no empathy, no

roman_y. sannikov: No, absolutely not. Um, and in the end, only country that did file that submit these was China. Um, from what I recall. Um, but none of the Western countries took it seriously enough. And that's what's heartbreaking is because now, you know, 20 years later, over 20 years later, we have people who are essentially falling for the same scams.

The pig butchering scams. Almost all the pig butchering scams [02:56:00] start with a romantic relationship, there's some sort of, you know, uh, and I can't help but think that had we taken this more seriously 20 years ago, had we done more education 20 years ago, or how do we have more empathy, um, 20 years ago, then I think there would be a level of maturity, um, in. Victims and individuals that would prevent a lot of this from happening. Um, and so, like I said, that really breaks my heart. Um, in terms of one of the things that has changed is really what we're seeing is a lot of people kind of outside the industry and. Surprisingly to me, even inside the industry, sometimes people at that clients that we talked to, they still have this image of a hacker from like a 1990s movie or something like that, where it's some, some usually guy who basically does everything [02:57:00] from, you know, hacks in the computer, transfer funds, cashes out funds, goes, you know, to the ATM, grabs the funds or whatever, you know, starts exactly.

Uh, and Exactly. And this is something that really hasn't been the case for many, many years now. And it seems like almost every year, they're coming up with a new platform, a new way to, you know, ransomware as a service. Before that, was DDoS as a service, you know, exploit kits, um, uh, It's almost kind of like when you think about, uh, I don't know how many people of your viewers remember Jack London, but this is a person who went to the Klondike to strike it rich, found no gold, figured out that he could make it rich by, by writing stories and by all that kind of stuff.

In a lot of these places, the people who are actually making rich, making a lot of the money are the ones who are providing the infrastructure. So ransomware, uh, these aren't the individuals who are breaking in and who are literally. ransoming you. These are the individuals that [02:58:00] are providing it as a service.

They created a platform. They created this business model. Um, and the same thing, you know, I worked with one of the first individuals who created malware as a service where they rented malware, which made it so much more difficult for us because in the before that we could get a sample, we could buy the malware, and then we have control over it.

We could reverse it. We have something. And this young man, me a very smart guy who I still, uh, keep in touch with. Fortunately, he's on the straight and narrow now and is a, is a productive member of society. Um, but, uh, uh, he created the idea that, Hey, why would I give something to them? Let me rent it.

That's why I still maintain control over it. And it was so much harder for us because we didn't get the samples. We couldn't. Um, so that's something that's changed. And again, now you're seeing. Fraud is a service. You've seen all of these as a service things where people are, are with the criminals are really, uh, [02:59:00] specializing on specific services and really making their money, um, that way, as opposed to, you know, doing the whole soup to nuts and opening themselves up to so much more, um, risk.

aj_nash: Right. Well, yeah. And they piece it out, right? I mean, these are smart business people, you know, so if you're in carding, you're not, like you said, you're not, you're not getting the cards. You're not also doing, you're not doing the skimming. You're not doing the, the fraud work. You're not doing the cash as you know, you've got mules do bits and pieces.

You're selling pieces around. Like you're not doing everything because you can specialize. It also, you know, it lowers your exposure. Like you got little bits and pieces to handle some of that. So the exposure changes and then you're taking, you know, your fractions off of all of that stuff. So it's, yeah. I mean, it's smart business.

Listen, these are not dummies, right? I mean, the people in this enterprise are very bright, uh, generally speaking and savvy business people. They just happen to have a business model. It's not legal. Uh, but it is really, really effective and efficient. You know, I hear things like half a million dollars in cash and I think maybe I'm, maybe I'm on the wrong side of the business, but I'm not, don't [03:00:00] worry.

Don't call the FBI. Uh, but I get a little jealous by the money occasionally, but a lot of these guys go down. So, uh, Okay. So we've talked a bit about, you know, what you've seen in terms of what, what didn't change over time, some of the things that have changed and some of the new, new trends and new technologies are out there and tactics and techniques like ransomware.

Frankly, I've just had a discussion on ransomware, um, you know, an episode that, that just went out actually not too long ago. Uh, and we went into detail on, you know, Uh, ransomware and double ransomware and triple ransomware and quadruple. So if anybody's listening to this and didn't listen to the episode with Brian stack, uh, from Experian, I recommend you go back and catch that.

Uh, cause he did a real good deep dive on that as well. You know, that's a very cool piece, but knowing all of that, the next question is what are people. What are people doing wrong in terms of deep dark web, or how are they thinking wrong about the deep and dark web? We have all these misconceptions. Like you said, there's vendors out there that are doing this work.

We've got companies that are, in my opinion, foolishly setting up their own, uh, efforts to try to do it, which is really dangerous. I will say this, you know, for the [03:01:00] 80th time, probably in my career at this point, first of all, you shouldn't set up your own deep and dark web collections. Don't do it. Don't get out there.

If you're not a professional and expert, it's a bad idea. I tell people it's sort of like going into a biker bar, wearing a suit and tie. Even if you can get in the door and you probably shouldn't, it's going to be clear. You don't belong. Nobody's going to really interact with you. And there's a chance you're going to get hurt.

Uh, so I,

roman_y. sannikov: put a helmet on and some dark and you're right. You'll be fine. Fake mustache. You'll be good. But I always tell people, and I know, you know, people have said it seems self serving because I work in this industry on the vendor side, but listen, I worked at a bank before and I said the same thing. Don't set this stuff up yourself.

aj_nash: There are certain things you. Always want to outsource. And I would say deep and dark web is one of those things that you just want to outsource that the time, the effort, the energy, the risk, uh, it's, it's just not worth trying to do yourself. But anyway, the question was for you, not for me. What are people doing wrong in terms of deep and dark web?

Or what are they, what are their misconceptions when it comes to these spaces,

roman_y. sannikov: a lot of things that, you how hours do we have? Um, so one of the [03:02:00] things I'll just touch on really quickly because I already kind of mentioned it earlier. think we as an industry have a little bit, uh, kind of too much of this us versus them mentality. Um, you know, they're all scumbags and they're all horrible and they're all evil, which may be the case.

I wouldn't, I would say that probably not all of them are scumbags, but a good. Percentage of them are, you know, people of low moral values, but that doesn't mean that we shouldn't, uh, uh, interact with them that we shouldn't, uh, listen to them when they say things, um, that we shouldn't, um. Try to see things through their eyes.

Um, and that's something that I think a lot of times there is a lack of, I think a lot of times there's too adversarial a relationship. There's kind of, you know, uh, I mean, I'm sure you've seen like, uh, my job is punching bad guys in the nose kind of thing. And it's, it's funny, you know, it's, it's,

aj_nash: It's good marketing.

roman_y. sannikov: but when you really, you know, again, I laugh at that.

[03:03:00] That's, that's, that's cool. You know, I, I want to do that too. Yeah. But when you take that too seriously, and when that's really your attitude, then you're, I think you're closing yourself off from a lot of valuable intelligence and from really understanding, um, Hey, the way I got into this, I was actually a translator and interpreter for many years working with the, with the FBI, um, as a contractor.

And, uh, it turned out that I, Was able to understand the criminal, uh, element, uh, at first, uh, organized crime, and then it's cyber crime, all these things, um, because I was able to kind of, uh, again, I'm not saying I'm special in this, there's a lot of people who are wonderful at this, but I think my, uh, my approach was, why are they doing this?

How is it, you know? And so I think that really helped. Um, whereas a lot of people are like, these guys are just. You know, uh, take them out to the woodshed and [03:04:00] stuff like that in the long run that doesn't help us understand. And that doesn't help us stop them. And that doesn't help us. So I think that's 1 of the things that we, as an industry frequently get wrong.

Um, I can go into a lot more detail on that. The especially around things like ransomware, where I've gotten into some, uh, some heated discussions with, with some people. Um, but the other thing that also drives me nuts that I've come across recently is, you know, talking to client companies and, you know, I've heard some people say this, that, you know, they're going to people and they're like, well, we don't really care about, um, the initial access, we don't really care about.

Credentials. We don't really care about this stuff. We know that they're going to get in. We need to stop them. Once they get in, we need to, uh, and it blows my mind and it's kind of like, you know, we just saw the super bowl. And to me, like the analogy is kind of like, all right, it's like giving the other team the ball on the 50 yard line, because chances [03:05:00] are, they're probably going to cross the 50 yard line sooner or later.

Anyway, you know, most, even when they don't make, uh, even when they don't get a touchdown or a field goal. Most of the time, they at least cross the 50 yard line. So then why don't we just give them the ball at the 50 and focus on stopping them during that last, you know, that drive stuff like that.

That's essentially what we're saying. What we're saying, we don't care about the initial access. And, uh, my argument is if you're, if you're really focused on ransomware, you're too late should be. Focused on that initial access. I'm trying to stop them from, from coming in. Um, and it's not easy.

I know credentials and all that stuff, but you can't, you know, Intel is important.

aj_nash: Well, it sounds like organizations that are saying they might be saying, we don't care. I'm going to tell you my translation of that is they've just given up. They can't do it. So they've changed the message. We don't want to say we failed. So we'll just say, well, we don't care about that. We're not gonna worry about that.

We're worried about it here, [03:06:00] but you're waving the white flag. Listen, you know, we're in security business. We're in Intel business. It would be like saying, Oh, I don't care if you break in my front door. I assume everybody's coming in the house. I'm just gonna try to keep you from stealing my television.

No, I'm actually try to keep you from getting in the front door. I've got a lock on the door. I've got camera. I've got alarms. I've got dogs. I'm going to try and keep you from getting in the door. Like you may get to the door, but I'm gonna make that hard first. And then if you get in, I've got, you know, depth defense in depth and all that, you know, people talk about, right.

It sounds me like people have just changed that conversation to say, well, we're not going to worry about that. It's because they've given up because they can't stop it. So they've given up, which is a weak position to take.

roman_y. sannikov: absolutely, I think, and partly maybe it's our fault or maybe it's the marketing fault because, you know, everybody's talking about it's not if you get breached, it's when, but the thing is that you're not just going to get breached one time. It's not like, it's not like if anybody ever saw the movie, the world, according to GARP, where, know, buy a house and the, uh, the.

Plane crashes into it and the garb says, you know what, we should buy it anyway, because it's kind of, it's, it's disaster [03:07:00] proof, already. So that's not the case with cyber crime. I've talked to several companies, uh, this year, they got popped by ransomware multiple times. So it's not like, okay, we got breached.

All right. Now we don't have to worry about that ever again. Um,

aj_nash: No, it's the opposite. This isn't lightning striking criminals learn. All right, if I breach you and it works, I'm gonna come back I'm gonna keep coming back until you prove I can't get in the door Like if you broke into my house, like, you know using that same analogy the door open you come in you steal my stuff You're gonna come back.

You already know you can get in the door Like why wouldn't you come back until I either run out of things to steal or I lock the door Like, you know, I put an alarm up and I, I, you know, do some other things from a security standpoint, why wouldn't a criminal continue to commit criminals care about success.

They, they care about whatever they want to do, they want to succeed at. They want to, they want to steal the thing. They want to cash out, you know, they care about success, care about not getting caught and they care about, you know, value and they're like water. They look for the path, at least resistance.

If you're not provide resistance, as you said, to the 50 [03:08:00] yard line, well, yeah, I'll take the ball there. I got a better chance of getting through. So, you know, it's, it's interesting cause I hadn't thought about it, but yeah, I. There are some folks who've just kind of given up on stopping these things, which is, it's sad.

And you're right. We've all said you're going to get breached eventually. It's true. We got to make sure they understand everybody gets breached. It doesn't mean you don't stop trying to get from getting breached. Cause if you stop, you can get breached a hell of a lot more. You know, this isn't binary, you know, have been or haven't been, you're all going but are you going to be breached once or 138 times?

Like you still have to try to keep them out at the door. Um, so I think that's, that's interesting. You mentioned it, you know, the other one that comes to mind, I'm gonna steal some of this little bit. We talked a little about it is. Is the organization say, we don't care who did it

roman_y. sannikov: hmm.

aj_nash: drives me crazy. What do you mean?

You don't carry it. I will carry it. We just want to stop it. Well, if you don't care who did it, you're gonna have a real hard time because you don't know what their motives were. You don't know how to stop it necessarily. You don't know where they're going now that they're in your org. You don't know if they're going to come back.

Like attribution matters. It's, it's not, you can do things without attribution. You absolutely want to stop the bleeding immediately, but I [03:09:00] think it's much more important than people seem to think. But what are you seeing? Are you seeing the same thing when we talk about attribution?

roman_y. sannikov: I, I saw a really great presentation recently about like recovery after a ransomware And I agreed with the vast majority of what the individual said. It was wonderful. Uh, but the one thing that again, just made me jump out of my chair is he was very adamant about, um, uh, he doesn't care about attribution.

Uh, you know, don't like throw that at me. I'm dealing with, well, you, if you don't know who Did it and what you don't know. I mean, they walked out, they didn't just lock your systems. They walked out with a lot of your data, a ton your data. And, um, you don't know where that data went and you don't know what's going to happen with that data.

And that's actually like not to plug my company, but that's

aj_nash: Sure you can. ahead.

roman_y. sannikov: that I'm working on now is specifically tracking the leak. Data a lot of these extortion sites and looking at like the secondary and tertiary victims don't know that they've been impacted by this? [03:10:00] Um because it is so important because you you need to know is this a nation state actor?

Am I liable to be a victim of intellectual property theft? As a as a result are my plans now being discussed at some company that's an adversary in a foreign place. Um, at a hostile power. Uh, is this a hacktivist? Uh, is this some, some crazy individual, you know, we've seen individuals shooting up power plants.

Um, you know, is this something that is going to impact my physical security? So you can't just silo and say, you know what, all I care about is getting the systems back up, getting things running, you know, getting my shit. Back up again. Uh, excuse my language,

aj_nash: no. We swear all the time here. Don't worry about it.

roman_y. sannikov: need to, you need to have the background.

You need to incorporate that as well because you need to deal with that. Um, and, uh, and that's actually goes to one of the other things that you and I've talked about is, [03:11:00] you know, sharing information within the industry. Um, I understand it. I don't know how to deal with this. Honestly, I don't. I'm not a lawyer.

Um, uh, I don't play one on TV. Uh, but you know, the advice to most victims of breaches is unless it's PII Where you have to provide that information by law, um, provide as little information as possible. We've been impacted by an incident. Well, what does that mean? What does that mean to your suppliers?

What does that mean to your affiliates? What does that mean? So what's been breached? And there isn't that sharing of information and I've seen, and I'm sure you've seen as well, a lot of companies that are impacted, again, not to kind of. Toot my but that's why I'm like working on this new project is to specifically allow for these other entities to understand what of their data is now out there as a result of [03:12:00] this breach.

Because I think it's so critically important, um, we're kind of sometimes, you know, sticking our head in the sand and saying, uh, well, these are bad guys that throwing it up on, you know, bad guy, uh, channels, uh, and, uh, but. Just because we're not looking at doesn't mean that the initial access brokers aren't looking.

It doesn't mean that all these other individuals aren't looking at all of your data, uh, and, and now using it as a vector to go, uh, to go after you, um, or your, again, your clients, your affiliates, et cetera. And, and, and I think that's one of the other things that, that, um, the industry or we as in general, um, have.

to figure out a better way to share that information, to figure out a way to, uh, maybe they'll kill my project and my company do that effectively. But I'm willing to take that chance,

aj_nash: Nobody's done it yet. So you're probably

roman_y. sannikov: I'm, I'm hoping that we get to the point where we figure [03:13:00] out a way to, to, to share the information.

Hey, listen, somebody broke into my house, uh, and stole this data, uh, or stole these documents. And, and by the way, They happen to have, you know, that contract that you and I signed about this, whatever. And so basically now they have all of your information about your activities all that kind of stuff.

So if somebody all of a sudden starts to, you know, uh, come to you, uh, about this, uh, type of stuff, just remember that this is now out there in criminal hands. Um, so we need to figure out a way to, uh, to disperse that information,

aj_nash: Well, like you said, we got, we have a PII, right? So, you know, if your PII is compromised, I don't know about you. I've had letters from so many companies, Hey, you know, we're going to give you this free tracking of your credit, you know, cause we screwed up and all your stuff's been stolen so many times more than I count.

Right? Right. Right. But at least I get notified. Oh, okay. I gotta watch my credit a little bit. See if somebody's using my information. See if somebody's stealing my ID. Because with PII, they were required to tell us. And we all [03:14:00] know this, right? Uh, and other things, they keep quiet. I know I used to work in finance.

And, you know, this is what the ISACs were designed in part to do. Was, you know, they're sharing organizations. So, if a bank gets breached, We should all get on a call. We should, you know, they should be able to share. Here's everything we know. Here's the T. T. P. S. Here's what they've taken. Here's what we think their motives are.

Here's we think it is everybody else combating on the hatches and get ahead so it doesn't become a series of events. But then the lawyers get involved. None of that happens. And again, I'm with you. I'm not blaming lawyers. They got a job to do. It's you know, where is the line between being transparent and taking on risk and how it's gonna work.

But ultimately, you end up having what would be what in physical criminal terms, a murderer Becomes a serial killer because nobody mentioned the murder. And then the next one and the next one, and nobody's sharing the information. There's a pattern here, it turns out. And so this, this same person goes on murdering, uh, in this case, just, you know, robbing banks digitally because people didn't share the information.

So it becomes one after another, after another great win for the criminals. Um, or you run into it, you have, we see the same thing with, with, you know. If you talk about pig butchering [03:15:00] for that matter, you come back to that, even that's personal, but people don't want to share because they're ashamed, right?

So you, you have the risk factors with lawyers, you know, and all those things that go with it from a business standpoint, but also people don't often share because they're ashamed and that can even happen in business too, or some executive got briefs. They don't want to tell anybody. I know you've seen it.

I have two ransomwares where they sideline it and pay it off themselves because they don't want anybody to know about it. They just want to get their laptop back. And it never goes well, by the way, for anybody wondering if you get compromised, if you're going to go grab yourself some Bitcoin, I think you're going to solve it yourself.

Chances are pretty good. You're not. I'm sure it's not within your company policies. You're probably gonna make things a lot worse. You're just going to pay off somebody who probably doesn't give you your stuff back anyway. So if you get had, just go talk to your security people immediately. And just, you know, this is what happened and try to deal with it.

Don't, don't go buying crypto and trying to solve it yourself. It doesn't go well. Um, so anyway, yeah, I think that's all interesting stuff. And again, you talked about the attribution piece. I wonder if that isn't again, just like the whole ad, we don't care about breach. If it isn't just that people have said.

They've just given up. It's hard. Attribution is really hard. So maybe instead of saying we can't do it or it's hard, it's just, ah, we don't want it. It's almost a sour [03:16:00] grapes. We don't want that anyway. Or maybe it's a matter of, and I'm curious what your thoughts are here on just prioritization. We can only do so many things in a day.

We've just accepted these are too hard to get done. So we're just going to say, we're not going to worry about it important or not. We're just going to punt it because I don't have the time or the energy or the money to fix it. Even though, as you said, it's going to cause all these other problems by not really knowing.

Who did this and what their motives are and what the likelihood of return is and what they're likely to do with the things they've stolen. It's it's critical. It's very valuable, but organizations just move quickly and say, well, it's just too hard. It would take a lot of energy and a lot of time and money to try to figure it out.

So I wonder if they're just punting because it's just hard and they just say, well, we're not going to do it. Yep.

roman_y. sannikov: maybe partly it's our own fault because we don't present it in in the proper way. I don't know. Um, but I think a lot of times because again, good threat intelligence can save you time. It's not just a cost center.

So instead of getting spun up, I mean, most [03:17:00] companies still get some sort of alerting, um, about yeah. You know, various incidents that may impact them. So good threat intelligence will help you figure out, okay, is this threat actor, if we're talking about attribution, is this threat actor likely to do this?

Is this threat actor has to have the capability to do this? Is this someone who's just some random Joe Schmoe that most likely isn't selling a zero day company. To, you know, an apple product for 5, 000, know, uh, and, um, so essentially it's a good way to actually get rid of a lot of the noise. People frequently think of intelligence as a noise, as additional stuff that I have to worry about.

Uh, but again, good threat intelligence or properly. Tune threat intelligence actually helps you figure out what to focus on and what to ignore, uh, and make that calculated decision, uh, and then defended that decision [03:18:00] because sometimes you'll get it wrong sometimes. But if you can say, Hey, look, based on these criteria, I decided to give this Less, uh, attention, uh, and, you know, and chances are your leadership is going to be okay.

You know, they didn't screw up just because they were lazy. They had some sort of a factor why they didn't focus on this, et cetera.

aj_nash: Yeah, you've got a methodology for scoring risk essentially, right? And so figure out which things, because again, nobody has enough time or energy or money to do everything. Nobody has enough people. So you gotta be able to prioritize, but I'm with you. I tell people a lot of times Intel, it's, you know, tell them what happened.

Tell them what they can do about it or tell them what happened. Tell them why it's important. Tell me what they can do about it. Right. Those are three, the three things, but also one of the things I say is that Intel, we're the only ones that can tell them not to worry about it, or at least with some level of confidence, you know, uh, I.

I know when I first went to the private sector, my first gig was at a bank, and I learned very quickly little differences between the government space. The private sector is people really freaked out about almost everything that was in the news right away. It seemed like and context was an issue. And early on, you know, [03:19:00] you're learning this stuff and you got, you know, see those and they come down.

They're just freaking out. They want to know everything about everything and everything's everything's on fire. But getting the point where you could say, Hey, boss, you You really don't have to worry about this. And here's why, like, I know the headline said that, but really, this is actually not a new thing that's been on for years.

It's a minor variation, or this is, this is an organization that's not gonna attack us. They've never attacked a bank ever. This is not their motivations or whatever they are, right? Helping the C level or the CISOs. Say, okay, I don't have to worry about this. Great. Cause I only got 612 other things got to worry about.

So that one I can take off my

roman_y. sannikov: Chill, Winston.

aj_nash: Yes. So, I mean, it's nice be able to take one away. Right. And, and Intel can be really good at that with some level of confidence. This doesn't have to be your top thing today, boss. It might be tomorrow. We'll, we'll talk again. I'm sure. But being able to tell them this isn't the thing, right.

And so I think that's really important. And like you said, you know, that does come from some of this attribution component, which is, which is really, really challenging. So, all right, listen, we got, we got one more question here. We're running a little behind. We're a little long. one two things will happen.

It has to be a really long episode or editing. They'll get in there [03:20:00] and cut out. Some of the times we just chatted with each other, or if it gets super long, maybe we'll split it into two episodes. We'll figure it out, but I don't care. Cause this is an important question. We're definitely going through it.

So again, the show was really about like, you know, stories from the deep and dark web, right? We haven't even gotten into the really cool stories. We talked a little bit here and there, but. You've been doing this a long time, man. So I keep saying that I keep picking on you. I'm probably older, but, uh, the best part, I think of all these discussions is the really cool stories, right?

So what do you have, man? What do you have? That's just, you know, I'm sure you got a couple of things without name and names or shaming anybody, of course. You know, whether it's customers or or, or employers or whatever, but do you have some very cool stories or some myths you wanna bust? You know, can I honestly hire, you know, somebody to murder somebody on the dark web?

Can I buy, you know, can I buy human beings on the dark web or kidneys? You know, are there myths you wanna bust? Are there stories you wanna share? What do you got? That's really the cool stuff. People are gonna walk away going, holy cow. That's amazing.

roman_y. sannikov: So as you've pointed out several times, I've been doing this for quite some so I [03:21:00] have a large library to choose from. Uh, so I'm just going to give you a few teasers because, uh, you know, these things can, can, uh, you know, uh, uh, go on for quite some time, but, um, one of the things that I remember being, uh, really fun was, um, man, this is probably around, I Uh, 10 years ago, maybe a little bit more.

There was a really big case in, uh, in the New York office and other offices called aching mules. Um, and you can actually look it up. There was actually a CNBC special on this where some of my friends were interviewed if, uh, FBI agents. Um, and, uh, uh, but the way, one of the ways this started was actually three young ladies from Kazakhstan came into the New York office of the FBI.

Um, and because they had their, they were J1 students, they were here and they were kind of taking advantage of, uh, some guys, uh, um, got them to do some illegal things, open bank accounts and stuff like [03:22:00] that. And they were really freaked out and their boyfriends told them, you're stupid. You're going to go to jail, you know, blah, blah, blah.

So they came and they kind of gave themselves up. And they were, uh, you know, uh, and this was actually kind of how this case started. And, um, they came to the office on a Saturday. Um, you know, New York office is one of the biggest FBI offices in the U. S. or in world. Um, and, uh, they, the the kind of intake agents downstairs.

They had no idea what to do with these people. Um, and so they called the Russian squad, uh, and one of my friends who's not a cyber guy, but was an interpreter on the, on the Russian squad. He took down some of the notes and he's like, I, you know, the Russian organized crime squad has no idea what to do with people, you know, opening bank accounts and stuff like that.

That's not what they usually deal with. And so this stuff kind of got. to my desk. Um, and I wound up looking through this. I'm like, holy crap. They're talking about, you know, [03:23:00] literally driving with somebody who's got a laptop open this older woman who was like, I think she owned a flower shop and she was transferring funds live from various victim accounts.

To this business account and then having this money, um, transferred to these young ladies, um, bank accounts as though they were employees and stuff like that. And it wound up being actually a really big case that, uh, spun, spanned several years. And there was eventually a really big arrest where over 20, uh, people were arrested at the same time across several different states.

Uh, and it was, it was really big, but, um, One of the ways that it started out was actually just these, you know, young ladies coming in and it totally, you know, kind of by accident, it came across my desk. Um, and then I went to the supervisor of the cybercrime squad and I said, dude, this is our purview. This is, know, us.

Uh, and it took a little while to [03:24:00] convince him. He's, he's actually a friend of mine as well. Uh, but, uh, finally he's like, all right, yeah, you're right. This does seem like there's some cyber criminal activity here. Um, and again, it wound up being, there was like millions of dollars

aj_nash: million. Yeah, I'm, I'm cheating. You told me was. I looked it up. It's, it's for those who want to look up the full story on this one, by the way, it's September 2010 when all broke out. It's 37 mules, 3 million. Uh, very interesting story. The, the actual indictment is out there. If you, if you actually Google aching mules, uh, that comes up and some interesting names there in the, in the southern district of time, but also wired has a good article on it.

I'm, Sneaking a peek here. It's the advantage doing this live and having a bunch of computers. So, uh, yeah, 3 million, 37 people, 21 separate cases. Um, lots of Russian names, this

roman_y. sannikov: Yes.

aj_nash: here. Yeah. Long list of Russian names, basically ages anywhere from 21 to 26. Oh, well, there's one 29 year old in the group.

So, um, really interesting stuff, man. And. That must've been just really wild to work on. And this is 2010. So this is a while ago. I mean, you're talking [03:25:00] not to make fun of you and age. This isn't about that anymore, but 14 years ago, you know, when you said they didn't know what to do, right. This was not a common thing yet.

And this is, this is pretty new still comparatively. So like that's some of the early days and that's a pretty sophisticated ring. Um, that's awesome stuff.

roman_y. sannikov: So, 1 other case, just really quick, um, so going back to my organized crime squad, uh, those of you who are actually looking at this on, on, on YouTube or something, you see that I've got my, my golden locks, uh, hanging down. Um, I, uh, was involved in a case where I was interpreting, uh, for, um, a Russian organized crime investigation.

And, uh, part of the case was, uh, we had, I was working out of the Albany office. of, uh, New York, uh, at the time, uh, going to school up there. And, uh, we had this Russian, uh, for lack of a better word, a head of a criminal family. Um, and we invited him. We were trying to get him to do some criminal activity. We, the FBI essentially, we're trying to get [03:26:00] him to do some criminal activity there that they can monitor and the rest, et cetera, and break up the gang.

And so it went up. to this very fancy schmancy resort in Northern, uh, New York, uh, called, uh, Saranac Lake, I believe it was. And again, like really expensive with very, uh, kind of a lot of Hoi Poloi people. Um, and we, uh, this was up kind of in Adirondacks or just outside the Adirondacks. So the reception there wasn't great.

And we were, we had to monitor the cooperating witness who was there hosting this, this bad guy, because. operating witness at the time had, I think, a million dollar bounty on his head. Uh, he had been arrested. He was being, he was kind of one of these accountants, uh, for Russian organized crime groups. Um, and so we have to make sure that he was going to be safe.

And so what I was doing as I was walking around with this back then, we have to have a suitcase, uh, the silver suitcase that, uh, the receiver. Uh, and so I was listening to everything that he was [03:27:00] saying, uh, and the bad guy was saying, to know that he's not taking him out to the woods and, and doing something horrible to him.

Uh, like in one of these, you know, Russian gangster movies. Um, and one point we lost him and we lost the, the, the guys and we're, it's a fairly big resort and we're running around trying to find where are they, you know, want to make sure that they didn't. Take him out to the woodshed. Um, and I come around the corner and I'm face to face with these guys and I've got one of those like big ear pieces coming out of my ear, you know, very inconspicuous, kind of like one of those old fashioned, uh, Secret Service agents with like wires hanging and all

aj_nash: Please tell me you had pretend you were deaf or something. Did you pretend I was a aid? took my hair down.

Oh yeah, sure, the hair.

roman_y. sannikov: and it covered it and covered it really well. And so I wound up sitting down and listening and the guy had, um, everybody there is wearing like white and very Hamptons kind of thing. [03:28:00] this guy's there in these little tiny shorts And he's got his huge son, uh, tattooed all on his back.

Um, and, uh, you know, again, just like something out of Eastern Promises or something that. And so I'm sitting behind them and just kind of like listening to make sure. Uh, but, uh, but yeah, so that's where, uh, you know, one fun time where my, uh, my cloth, uh, helped. The FBI case and make sure that this guy wasn't, uh, uh, the cooperating witness wasn't, uh, harmed.

So, uh, yeah, fun case.

aj_nash: that's awesome. I didn't think about sure the hair makes perfect sense. And again, for those who aren't watching, if you're just listening, which is perfectly fine because with me, you're much better to listen than to watch me. promise. But, uh, if you're not and you get on YouTube, you can see, you know, Romans cut some pretty great hair.

Uh, and yeah, it probably would do a really good job of covering that up. So that's brilliant. Just let your head down. It's brilliant. Um, listen, you got one more story, man. I know you, I know you have a lot, you know, one more, we got time. Come on.

roman_y. sannikov: All right. So, okay. So, so, so another one that was really fun, um, and I'll [03:29:00] try to make this

aj_nash: No, you're good, man. Don't worry about it.

roman_y. sannikov: time, um, I, uh, actually got to go to Russia and, um, uh, with a victim of a cybercrime. This was one of the very first cyber criminal cases that I've worked on. And there's, again, this was back around 2001.

And I got to go to, uh, the Russians actually arrested the individual who had hacked into this institution. And the institution was actually provided. Um, so the Russian law enforcement and the court invited them to come testify to the losses. And they actually did. Which, uh, the, the bank is no longer around, they've been bought several times but I still won't mention, uh, but it was really cool.

Uh, the problem was that, uh, the case was in, uh, late November, uh, in, uh, Siberia. So, we flew to this place and, and the, the MVD guys in Moscow were making fun of us, saying that, you know, like, uh, the air, the air Port would like drop us off the airplane and then the [03:30:00] reindeer would pick us up take us to the uh, and so that wasn't the case.

The went to was actually a fairly, um, you know, it's kind of little Houston because that's where all the Russian oil and gas companies were based at time. So we had a really, you know, they, they treated us amazingly. We went to, we testified in court. Um, I got special permission because theoretically you're only allowed to What to interpret in court, uh, in Russian court, if you are a citizen, um, but the judge gave me dispensation since I'm not a Russian citizen, but because we wanted to limit the number of people who knew about this with the victim want to limit, um, and the, you know, but after all the testifying and everything, the Russian.

Cops, they, they took us to this dacha, this, this bath house, and which was way out there. And they drove us through these snowy roads and there was a lot of drinking. Uh, there was some, uh, some young ladies there who they introduced as, uh, as secretaries. [03:31:00] Although I don't think that's what they

aj_nash: They weren't taking any

roman_y. sannikov: uh, no, they, they weren't.

aj_nash: a lot of going on?

roman_y. sannikov: yeah, they were, uh, they were spending a lot of time in, in the, in the, The Banya with the, uh, with the various individuals and stuff like that. Um, but I just remember, um, them, you know, the, the, the cops and driving us getting like incredibly drunk and driving us at very high speed. back along very snowy, icy roads and myself and the representative of the victim institution sitting in the back, you know, kind of between these, these young ladies and thinking to myself, man, uh, you know, if I crash and This stuff is, you know, somehow gets into the, into the news, uh, later, uh, then, uh, you know, it's, it's going to be very difficult to, to explain, uh, this, uh, so, uh, so yeah, that was, that was, uh, uh, a funny story.

Fortunately, everything was safe. Nobody's, uh, at least [03:32:00] from the American side, nobody's honor was, uh, was compromised, uh, in this case. Uh, but, uh, but it was a very interesting situation, kind of surreal. Uh, my, my co the, the victim, he had a special sat phone. Uh, and he goes, he's looking at it. It's like the sat phone is saying where the fuck are you?

aj_nash: That's a good

roman_y. sannikov: out. wasn't able to pick up anything. Uh, so yeah.

aj_nash: It's I'm picturing the Rocky movie where he has to go to Russia, fight Ivan Drago. I'm just picturing that I was Siberia, right? And just, you know, the cars, the old Mercedes and the, you know, the heavy snow and not be able to get anywhere. I'm just picturing that except Apparently everyone was drunk in this case too, they should have had the movie, that's probably more realistic.

So. Um, but I, I'm assuming you didn't knock out Ivan Drago at the end of this or anything. You didn't win a big fight and turn Gorbachev onto our side and all that. I'm guessing this was

roman_y. sannikov: My, my liver survived and, uh, I, uh, yes, I'm, uh, I'm good.

aj_nash: nice. All right, listen. So [03:33:00] we always close out the show with the same question for everybody. And this has been my most fun part of the show.

Usually in this case, your stories, I think are more fun. But that being said, the name of the show is Unspoken Security. So with that in mind, tell me something you have never told anyone before. Something that's been unspoken so far.

roman_y. sannikov: So this is, uh, this is kind of embarrassing, um,

aj_nash: Oh, I like We're off to a good start.

roman_y. sannikov: it's, it's probably something that a lot of people feel, and I think actually some of your other guests have, have mentioned something similar. Um, but, um. I am just really amazed that anyone knows who the hell I am and very flattered, um, because I, I don't know if you want to call it imposter syndrome or, or what it is, but you know, in my mind, I'm still some 25 year old kid who just got out of college and is trying to figure out what the hell he wants to be when he grows up.

Um, and, um, so when people come to me and say, Oh, I read this work [03:34:00] of yours, or I heard this interview with you, or, you know, one young man who's brilliant once talked to me and actually called me legend and I almost fell off the chair, uh, because I was just like, uh, I mean, and, and I'm not going to Pretend false modesty.

I went down, ran to my wife and I was like,

aj_nash: Yeah, of

roman_y. sannikov: somebody called the a legend you know, and, and so it was, it was really cool, but I've had, like, I frequently just feel like a, you know, depending on your age, you'll get this either Zellig or Forrest Gump, um, but that I find myself in these instances, like I've literally Been standing between, um, the, the former director of the FBI, Robert Mueller and, uh, the current and former head of the FSB, Bordnikov and Patra Show Petresov and Spaso house, which is the, the residents of the ambassador of of, of, [03:35:00] uh, US in, in Moscow.

I was interpreting. Between them, the, these and, and really in this close proximity and just literally standing with them. Um, and, uh, and afterwards, as we were leaving, the ambassador actually pulled me aside and told me I did a great job. And I was just like, I I was going to pass out. But that's, you know, it's one of those things where for any of you out there who's, who experiences imposter syndrome, um, everybody does, um, I'm, I'm, uh, you know, as, uh, AJ mentioned, uh, I'm in my fifties, um, and I've, uh, been, uh, working, um, In intelligence since I was in my early twenties, uh, and I still feel like I'm just some kid who's trying to figure it out.

Um, and so, um, don't be embarrassed. If you feel that way, you can't succeed. If you try, uh, you know, you work hard, [03:36:00] um, and you don't have to feel like you've got everything and all the answers and stuff like that. But I don't think I've ever actually Said the extent of how frequently kind of unsure and stunned I am by these various things and sometimes have to kind of like, uh, do a little tap dance when people come to me with with questions.

Um, but, you know, that's where, where research comes in and being a curious person comes in. Uh, so, yeah, that's that's my kind of unspoken

aj_nash: But, and I love that man and I appreciate it. And I'm sure a lot of people will because listen, it does come up occasionally. Right. And it probably will continue to, as I do this, I've been told that people with imposter syndrome, like it's a sign that you're, you're probably both good at what you do and humble.

Right. People listen, narcissists don't have imposter syndrome. It's not, it's not an issue for them. Right. Uh, you know, it's the opposite of Dunning Kruger. There's plenty of Dunning Kruger. There's plenty of people out there who think they're great at everything and they aren't really good at much of anything.

Uh, and, and they don't even know it because they're, they're so out of [03:37:00] touch. They don't even know they're not good at things. Right. So I have been told people with imposter syndrome generally are high functioning performers, but they're also just humble and they don't see it. Right. Or they're so good at what they do.

They don't realize how hard it is for other people to do. That's what people have told me before. Cause I, I, I suffer the same thing. I don't know why anybody listens to anything I have to say about virtually anything at all, frankly. And when people ask for my advice, I keep looking around, trying to figure out who they really mean.

But I also recognize, yeah, but I also recognize there's things I've had people say, you know, Yeah, you did a great job. I'm like, yeah, but it wasn't hard. And they're like, no, it wasn't hard for you. And I have to remember that we all have our own skills, right? There's things I can't do that you could do amazingly.

I'm sure. Uh, I know for a fact, in fact, uh, I'm sure there's some things I do that I find afterwards. I'm like, it wasn't that hard. And they're like, no, I couldn't do that. And we don't realize that about ourselves. I don't think, you know, a lot of people in this industry, and it's really prevalent in our industry, I think, uh, even more so than others of just.

We don't realize that we do things differently than somebody else might do it. Might be faster, might be better. Whatever it is, you find your niche. And I think that's the key, right? If you find where you're supposed [03:38:00] to be, and you're, you're good at that thing, and it just comes sort of easy. I mean, it's work, but it fits, right?

I think that's when we get into this track, right? If you're constantly struggling and fight and do something, cause it's just not your nature and you're in a bad fit or whatever, you never really worry about it too much. You don't have imposter syndrome cause you're barely getting through as it is.

Right. And when it gets kind of where it's just, it's a good fit, you know, I've had plenty of things where I get done and people give me accolades for whatever the thing is I did. And I'm like, geez, I kind of feel guilty about it. Cause I think knew how little it worked, it took to do that thing, you wouldn't be so proud of me anymore.

Uh, but it's, you know, it's all relative. So, but I think it's a great message. I think I appreciate you sharing it. I'm sure a lot of people will because yeah, you are a legend, dude, you've been, you've been doing this as I said, a long time. I keep telling but. But you've done amazing things. Like you could tell stories.

We could have you for hours. We could go on and on. Your stories are awesome. You, you've, your knowledge is amazing. I've been lucky enough to present with you and, and to see you present separately as well. And you are a legend. It's true. Uh, but it's hard to see when you're in that. You know, when you're in those shoes sometimes, I think [03:39:00] so.

And I think it's a good message for people to know no matter where they are. You know, if it's somebody you're just getting into the industry, uh, or if you've been doing it, you know, as long as we have or longer and you have these feelings, just everybody does, man. I don't know anybody who's really good at this stuff.

Who doesn't have that feeling. Cause again, if they don't, they're probably just a narcissist. And I don't spend a lot of time with those guys. So, um, like if you, if you're doubting whether you belong, just keep driving through, like you, you probably do. And especially if other people think so, I've gotten to the point where I look around and like, they think I'm doing a good job, I guess I must be.

Uh, cause I, I've long ago given up on thinking I'm doing a good job. So, um, but anyway, go ahead.

roman_y. sannikov: a final comment on you said. I think a lot of times, you know, like one of my favorite sayings is like, you can tell the worth of an individual by their friends. And so like whenever I'm feeling a little bit kind of, um, you know, a little down or a little unsure of myself, I look around and I've got, I've got some kick ass friends.

I've got [03:40:00] some really great people that I can call on when I need help with something. My network has some amazing individuals in it. Um, and I'm so proud of that. And that says, you know what? I, I trust their judgment enough. To say that I must be doing something right, you know, because otherwise what the hell would they be doing, you know, like picking up the phone?

Like I, you know, I, I've reached out to CEOs who I really respect. Um, and they'll respond to me. Um, and these are individuals who are like way more powerful, more successful, uh, and wealthier than I am. And so, um, and again, not to say that. Yeah. You know, it's all about CEOs. There's this junior analyst who I reach out to who I'm like, Oh, this is awesome that this person is willing to help me answer this question.

but, uh, I think that's something that also, um, you know, trust yourself when you have other [03:41:00] individuals who, whose opinion you respect, you know, Trust you and see value in you. That says a lot about your, uh, capabilities.

aj_nash: Yeah, no, I agree. That's a really good point. I mean, I often joke, you know, when you're on or somebody else, whoever's, you know, I don't know why this person hangs out with me. I don't know why they're friends with They just haven't, they haven't done a better job of picking their friends. But you know, putting the joke aside, you're right.

There's lots of people I know that I'm like, all right, this is a pretty good group and they seem to think all right. I mean, so like, it is a reflection at some point, right? If, if so many mm hmm. Impressive people are willing to pick up the phone are willing to take time, you know, prioritize you, you're important enough to them that they value your opinion or input or, or whatever it might be.

Yeah, it's a reflection at some point you got to accept. Hey, I'm, I guess we're doing okay. Right. Um, but I also like. Having this like a little humility is good. So I don't know if I'd ever want to get to the point where I thought I was good at anything. Um, I'm good enough apparently to get by on some things.

And I think comfortable with that because nobody [03:42:00] wants to hang out with the asshole who thinks he's good at everything. Um, you know, nobody likes those people. So. All right. Listen, man, this has been great. I really appreciate you coming on. You've done an amazing job. Awesome stories. Uh, you know, we could, we probably have you on again at some point, cause I don't have a bunch more of them too, but I really appreciate you taking the time to be here, Roman.

Uh, know, I can't, can't thank you enough for it, man. I'm going to wrap it up here. Uh, for everybody listening, please, if you like the show, you know, like it. Download it, subscribe, tell your friends and neighbors, you know, get on the highest mountain and scream about it, uh, whatever it is. Right. And if you don't like it, then just shut up and don't tell anybody.

No, it's fine. Tell me if you don't like it too, we'll, we'll, we'll see what you did to make it better. But

roman_y. sannikov: Next time I'm coming out to Minnesota and we'll be in the same location. It'll be like one of those, again, like sports things where we'll be sitting

aj_nash: yeah, man,

roman_y. sannikov: and talking to each other in So that'll be, that'll be

aj_nash: on out and do it. Or maybe we'll do it on site at one of the locations. I mean, we did conferences, but yeah, anytime, man, I'd love to have you back on. So listen, that's going to wrap it up for this one. [03:43:00] Again, for everybody out there. Thank you very much. This has been another episode of

unspoken Security. Uh, and until next time, you know, be safe and we'll talk to you again soon.

roman_y. sannikov: Thank you.