.gif)
Unspoken Security
Unspoken Security is a raw and gritty podcast for security professionals who are looking to understand the most important issues related to making the world a safer place, including intelligence-driven security, risks and threats in the digital and physical world, and discussions related to corporate culture, leadership, and how world events impact all of us on and off our keyboards.
In each episode, host AJ Nash engages with a range of industry experts to dissect current trends, share practical insights, and address the blunt truths surrounding all aspects of the security industry.
Unspoken Security
AI, Deepfakes, & the New Ransomware Playbook
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
In this episode of Unspoken Security, host A.J. Nash sits down with Cynthia Kaiser, SVP at Halcyon’s Ransomware Research Center. They explore how ransomware grew from a niche crime into a business, and why security teams now face faster attacks, extortion, and a threat landscape that blurs crime and state activity.
Cynthia traces the shift from early encryption schemes to double and triple extortion, then explains how professional crews use access brokers, deepfakes, and AI-assisted phishing to move in hours, not weeks. She also breaks down how Russian-speaking groups, Iranian actors, and state-linked operations use cybercrime for profit, cover, and pressure.
She argues that defenders still need the basics: harden identity, patch fast, assume breach, and build response plans that include PR. Cynthia closes with a blunt point: ransomware and fraud are not side issues. They hit hospitals, businesses, and families every day in ways nation-state threats often do not.
Unspoken Security Ep 57 - AI, Deepfakes, & the New Ransomware Playbook
[00:00:00] Cynthia Kaiser: We can actually do something here and we can make a big difference here. And so that conversion took me a little while. And I say that because I think it's really important for organizations to think about too. 'cause I think there's a lot of people that's like, oh, it's just a criminal.
[00:00:13] AJ Nash: Yep.
[00:00:13] Cynthia Kaiser: It's just fraud.
[00:00:14] Right. Or there's so much fraud. Like we can't even get like local police officers to like, right. They don't care. Be able to handle it because it's just too much. Or like an FBI is getting 3000 tips a day on it. They can't like Right. They can't do that. There's only so many people.
[00:00:25] AJ Nash: Yeah.
[00:00:26] Cynthia Kaiser: And so. To me, like haven't talked about that as much as I could.
[00:00:31] But it's important to say because organizations need to know that too. Like it's not just these large existential threats that you're thinking about.
[00:00:41] AJ Nash: Yep.
[00:00:41] Cynthia Kaiser: It's a lot of different tiny threats.
[00:00:49] Outro: Welcome to Unspoken Security, the raw and gritty podcast for security professionals who are looking to understand the most important issues related to making the world a safer place, including [00:01:00] intelligence driven security risks, and threats in the digital and physical world, and discussions related to corporate culture, leadership, and how world events impact all of us on and off our keyboard.
[00:01:11] In each episode, host AJ Nash, engages with a range of industry experts to dissect current trends, share practical insights, and address the blunt truths surrounding all aspects of the security industry.
[00:01:30] AJ Nash: Hello, and welcome to another episode of Unspoken Security. I'm your host, AJ Nash. I've been doing Intel a long time. I'm an old guy now. I got about 20, 20 years in the government states, well, 19 counter-terrorism, counter insurgency trafficking persons chase war criminals. Been at the private sector about 10 years, focused on intelligence driven security practices, building security programs, consulting, and doing all this thought leadership type stuff.
[00:01:49] Today, as you might notice, different location because I'm live from RS AC conference here in San Francisco. Very excited to be here. It's a very cool conference. We're gonna do a lot of fun stuff today, and it starts for me right [00:02:00] now today because we have an awesome guest. So Cynthia Kaiser, she's the SVP of Halcyon's Ransomware Research Center.
[00:02:06] She spearheads their threat research program and public-private partnerships dedicated to ending cyber isolationism. Joining Halon, Cynthia was deputy assistant director of the FBI's Cyber Division, so she's served in two presidential administrations as a member of the Cyber Safety Review Board. She's also been named a top cyber executive by the Cyber Guild, by Fedco, by Cyber Scoop, by Washington Exec, by gov, CIO.
[00:02:30] I'll throw in by unspoken security. Why not? We'll just add one more Prudential. Right? Anything you wanna add to that resume?
[00:02:35] Cynthia Kaiser: No. I'm excited to be here and I am excited to learn from you because you have a lot more time in industry than I do. I'm only nine months like a baby, an industry. So, uh, it's,
[00:02:45] AJ Nash: it's a fun transition
[00:02:46] Cynthia Kaiser: for sure.
[00:02:46] It's been a great transition.
[00:02:47] AJ Nash: Well, I'll be happy to talk about that with you. We won't do it today 'cause they want a camera. You can definitely do that today. You're a better guest than I probably deserve, so I'll try to make the most of your time while you're here. So the interesting thing that we're gonna talk about today is we talk about ransomware, right?
[00:02:59] Mm-hmm. And [00:03:00] ransomware, it's an industrial business at this point, right? I mean, this is not. Kids, you know, script kitties. This is not a minor affair. Right. So I wanna jump right into that. Tell me, we'll do a little background for those who don't know. Right. Okay. Let's talk about the history of ransomware.
[00:03:12] Can you kind of run us through where we've been and where we're going at this point?
[00:03:15] Cynthia Kaiser: Yeah. I'm gonna start a little earlier. Right? Right. Because ransomware has been around since 1989.
[00:03:19] AJ Nash: Ooh.
[00:03:19] Cynthia Kaiser: When I think a bi, I think it's a biologist, created some kind of snail mail campaign that encrypted, you know, a bunch of researchers data and demanded money in return.
[00:03:29] Really love it. Yeah. So, you know, started there, but there was a money problem. Like, how do you actually take money in an anonymous way where law enforcement can't track? So then you fast forward to like 2010, so 2013 ish, and you have the introduction to Bitcoin. So as Bitcoin's been introduced, this is a little bit more of an anonymous way in which the actors can actually obtain information and so, or obtain money.
[00:03:53] And so a, you know, one variant starts becoming multiple variants and it really [00:04:00] kicks off so. You see that that's kind of that 2013 period, like you're going, you're going, you're going 20 19, 20, 20. The actors say, I can do more than encryption. I can actually steal data too. Mm-hmm. And I can hold that for ransom as well.
[00:04:17] And like, is that the double ransomware? That means That's double extortion.
[00:04:19] AJ Nash: Double
[00:04:19] Cynthia Kaiser: extortion, yeah. Got it. Yeah. And now even you see triple extortion, right? Mm-hmm. Where they're like calling CEOs threaten to brick their houses or their DDoSing groups, or they're
[00:04:28] AJ Nash: calling customers, right? Aren't
[00:04:29] Cynthia Kaiser: they?
[00:04:30] They've called patients at hospitals.
[00:04:31] AJ Nash: Unbelievable.
[00:04:32] Cynthia Kaiser: It's crazy.
[00:04:33] AJ Nash: Yeah.
[00:04:33] Cynthia Kaiser: So, you know, and the backdrop of all this is, this professionalization. In the underground and, uh, you have almost what's an entire business model behind them. We get a glimpse of that in about 2022 when Conti is Mercedes. Leaks come out of all of their chats and it basically, it looks like a small tech company.
[00:04:54] They have HR support, they've got these, you know, they have affiliates, they've got good customer
[00:04:58] AJ Nash: support to help you
[00:04:58] Cynthia Kaiser: pay your rent. They, they would love [00:05:00] to help you pay.
[00:05:00] AJ Nash: Yeah. They're really good at that. Yeah. Better customer support than most companies I've worked with.
[00:05:03] Cynthia Kaiser: That's right. And so you kind of get this glimmer of, hey, this isn't just a bunch of people in their basements, you know, on a computer.
[00:05:13] Like they've really figured out how to make this an industry behind the scenes. And I think some of the people even doing this in other countries, they think of it as their job. Mm-hmm. They're not even thinking about. Those ugly ramifications that we see on our end.
[00:05:26] AJ Nash: Sure. Yeah. It's unbelievable when you see how far come, you know, like you said, you know, from ransomware, I mean, I didn't know that was all way back to 89, so that's a great story, obviously.
[00:05:34] Mm-hmm. But you know, the double ransomware or the double extortion, the triple extortion, and like you said, these are professional criminals, right? Mm-hmm. I mean, anybody could do it. I guess I could pick up as a hobby, I could be a ransomware criminal, I suppose. It's not hard to do. The tools are readily available now, would appear.
[00:05:48] Cynthia Kaiser: I, you just go and you get a kit. Say you wanna target someone, then you go to a different part of the underground and you get passwords, usernames. You buy 'em from those people. Sure. They're called international access brokers. Right? Sure. And you can [00:06:00] just put it all together. I mean, yeah, you gonna have a high success rate.
[00:06:03] You know what I mean? Yeah. Maybe not, but like I don't need a lot though. You don't need a lot. If you go from zero to 10, that's pretty good.
[00:06:07] AJ Nash: I mean, how much money are we talking about? In ransomware.
[00:06:11] Cynthia Kaiser: Oh goodness. I mean,
[00:06:13] AJ Nash: hundreds of billions, million.
[00:06:15] Cynthia Kaiser: It's interesting. I don't think I, I'd have to look at the numbers that come out for 2025, but let's take 2023 to 2024 and 2023.
[00:06:23] It was over a billion. But then when you got to 2024, analysis puts out these reports, and they're tracking this across the ecosystem, so across the blockchain, they're looking at this, it actually went down by over 30% between 2023 and 2024. Yeah, of course. I like to attribute that to some of the FBI's actions.
[00:06:41] Yeah. But I, I really think that's true. I think what happened is you had FBI doing a lot of these operations where they took down these really big groups and had huge market shares, the nefarious activities that were going, and then when they've all broke up, they got into these smaller groups. They're a little more closed off, [00:07:00] makes 'em a little more durable to law enforcement disruption.
[00:07:04] Sure. However. Also means they're not getting the benefit of the full marketplace of technical skills, Uhhuh. So they have to go after smaller victims,
[00:07:16] AJ Nash: not whales, just fish.
[00:07:17] Cynthia Kaiser: Yes. And so it's funny, attack percentage went up that same year, but what's happening, you're going after a dentist office and it's $10,000.
[00:07:24] So you have this kind of to
[00:07:25] AJ Nash: make up in volume. Then you gotta have more targets. More attacks.
[00:07:27] Cynthia Kaiser: Right? You do. You do. But I think it's this pendulum, you saw that breakup of a lot of these big groups throughout, you know, 2020. Four. But then I think you probably by the end of last year, we were seeing a lot more consolidation around big groups like Chilan, Akira play.
[00:07:43] Mm-hmm.
[00:07:43] AJ Nash: So it's. It's actually like being in tech. I know you, you said you're relatively new to the private sector, you're gonna see the same thing in tech. You have all these little companies and then there's consumption. Big companies buy 'em up and then a bunch of other new little companies come out.
[00:07:55] It's the same thing we see in tech.
[00:07:56] Cynthia Kaiser: What a great analogy. I
[00:07:57] AJ Nash: like that. Yeah. You'll see the same things here and a lot of in tech, a lot of it's [00:08:00] tied to budget, obviously. Mm-hmm. Uh, people don't wanna manage so many vendors, so they. They consume things together and then they want to, you know, have more innovation and, and wanna pay less.
[00:08:07] They get a bunch of little people and then it all cuts over. Yeah. So the FBI is less involved in that one. Hopefully. That's the,
[00:08:11] Cynthia Kaiser: I think so,
[00:08:12] AJ Nash: but, but it's interesting to see that pattern is gonna hold. So that'll be interesting to watch. So when we talk about the past, obviously, right. What's changed over the last five to 10 years?
[00:08:22] I have, we seen major leaps forward in their technical capabilities in their TTPs. What's, what's been the change?
[00:08:27] Cynthia Kaiser: Absolutely. I mean right now I think it's really hard to see where cybercrime ends and state sophisticated actor activity begins. And some of that's because it's really convenient for nation state actors to use cyber criminal tactics.
[00:08:39] Uh, it allows 'em to obscure what they're doing, give 'em strategic ambiguity. And you might also just have nation state actors who are like, I can make money in my evenings doing this activity
[00:08:48] AJ Nash: Moonlighting.
[00:08:48] Cynthia Kaiser: Yeah, right, exactly. So, you know, it's really difficult to even tell the difference. These criminal groups are very sophisticated.
[00:08:55] And part of that's because they just had experience and they've had time. And [00:09:00] part of it's because they're almost, they actually are almost the startups.
[00:09:03] AJ Nash: Oh yeah.
[00:09:03] Cynthia Kaiser: Just the entire cyber threat world. Because they can innovate fast, try. It doesn't matter if they fail, right? Mm-hmm. They can keep going. And so you really see some of these tactics at the forefront of the criminal groups.
[00:09:15] And let me give you a good example. Yep. Speed. Just even in the last two years mm-hmm. Attacks have gone from, we maybe thought like, oh, we had weeks. Right. They got on wait and then they initialized their attack. We had this dwell time, right. Time to detect them. Mm-hmm. Now we're seeing attacks in under a day, and actually we'll be having some research from Halcyon come out.
[00:09:39] We've seen one of the major groups, Akira.
[00:09:41] AJ Nash: Hmm.
[00:09:42] Cynthia Kaiser: Be able to conduct attacks in less than an hour.
[00:09:45] AJ Nash: So most of the processes that we have in the SOC then are not gonna catch that. I mean,
[00:09:49] Cynthia Kaiser: they're, they're
[00:09:50] AJ Nash: not, we're not set up to do things that fast.
[00:09:51] Cynthia Kaiser: But you have to have automation to be able to set that up. I mean, imagine most of these are also happening after hours, right?
[00:09:56] So it's not gonna happen at 10 o'clock in the morning when all the folks are [00:10:00] copied up and ready to go, right? Right. It's gonna happen at 8:00 PM at night. And so it's really difficult, and this is part of this overall industrialization though, because not only do we see Akira getting really fast. We see them putting a ton of effort into developing decryptions, which is like the key to the lock.
[00:10:18] Right. And that's what they give out to victims when you pay the ransom. Now, in most cases, those decryptor, I mean, criminals don't put a ton of effort into fixing things, but they've like Right. They're gonna put effort into breaking. Kidding. I know you're shocked. Kidding. They're not
[00:10:31] working
[00:10:31] AJ Nash: out for us, huh?
[00:10:31] Cynthia Kaiser: Yeah. Can't trust anyone. But because, but, but Akira wants your trust. They want you to know that if you pay their ransom. You will get a functioning decryptor. Sure. They're actually putting more effort into those. So they get a reputation. Sure. And they get more.
[00:10:46] AJ Nash: They get more. If you have a reputation of somebody who doesn't actually give you back the data anyway, why would I pay you?
[00:10:50] Right? Mm-hmm. And I have heard that, I was gonna ask, that was one of the questions I was gonna ask. I've heard that there are plenty of these cases where people pay and nothing comes back to them.
[00:10:56] Cynthia Kaiser: Absolutely.
[00:10:56] AJ Nash: Find out they don't capable it. They've, they've encrypted, they don't know how to decrypt, they're just gonna take [00:11:00] your money anyway.
[00:11:00] So it's interesting that you're saying a group has figured out, hey, we're gonna actually have to build a better reputation so people pay us. Everybody knows paying us is you're not gonna get your stuff back anyway. Then your business model's just completely broken.
[00:11:11] Cynthia Kaiser: That's right. So Helland, we'd also put out it, it's really fun to be in this position now to be on the forefront of like really new threats and getting ahead of them.
[00:11:18] One of them was a group called Sari.
[00:11:21] AJ Nash: Mm-hmm.
[00:11:21] Cynthia Kaiser: They'd obviously used AI in an ugly way. Ai, right? Like ai, like each step and then like tried to like ugly chain it together. I'm not gonna go into all of it, but, but they forgot to do is create something called a master key. And let me explain this. Oh, oh please.
[00:11:35] So lemme explain this, right? You need three things. For ransomware to act to work. Right. You need a lock. You need to encrypt it. You need a key, you need to be able to decrypt it. Sure. Then you need, I mean, they call it a master key. Really. It's like a hole, like it's that. It's that hole that you're gonna put the key in.
[00:11:51] Yeah, right. They forgot to build that. So
[00:11:54] AJ Nash: they've got a lock and a key.
[00:11:55] Cynthia Kaiser: They can't use the key, but you might well set your money up. They lock themselves everything. Yeah. Yeah. I mean like you're never gonna be able to get it. And [00:12:00] it's interesting, at the beginning of the Iram conflict, we saw this group go out, say, I know our stuff doesn't work, but go encrypt everything at anyways.
[00:12:08] So they knew it's
[00:12:09] AJ Nash: destructive at that point.
[00:12:09] Cynthia Kaiser: It's destruction where, yeah.
[00:12:11] AJ Nash: They're not trying to make money at it. They know. They know they're just trying to cause harm, which,
[00:12:15] Cynthia Kaiser: you
[00:12:15] AJ Nash: know, big shock, right? They're bad guys. Right. That's kind
[00:12:17] Cynthia Kaiser: of, yeah, I would call it like a mixture of like criminals, AI edition and contend.
[00:12:20] Right. But
[00:12:22] AJ Nash: that's, so we talked about, you mentioned a couple of these groups, right? Where, who's most prevalent? Is it by nation? You know, by nation and criminal organization? Is it Russians? Is it Eastern Europeans? Is it Europe? Is it Asia? Is it everywhere? Like, what are the most prominent groups in their origin?
[00:12:38] Cynthia Kaiser: We typically say Russian speaking, and that means that they are probably mostly in Russia, but they may be in, you know, former kind of Soviet bloc countries. The reason we know this is the ransomware actually created in a way so that it will not encrypt if they find that LIC is the primary language. On a computer.
[00:12:57] So that's a big tell.
[00:12:58] AJ Nash: That is a tell. They read the computer
[00:12:59] Outro: [00:13:00] settings
[00:13:00] AJ Nash: to figure
[00:13:00] Cynthia Kaiser: out
[00:13:00] AJ Nash: who your primary language is, and if it's lic then it has to be the primary though, right? It should be a secondary language. I can't load,
[00:13:05] Cynthia Kaiser: I, I, I don't know that I, so, yeah, it's really interesting and I think that's why I was actually really excited when the latest executive order on cyber crime came out.
[00:13:15] No, from the White House, because it talked about Ashley holding the states. Allowing these actors to be in their country, like holding them accountable, which is huge if we can get it done
[00:13:25] Outro: Right.
[00:13:25] Cynthia Kaiser: Huge. Because you know the Russians know, right? Whether it's their FSP they went to school with or you know, the intelligence service, right?
[00:13:33] Yeah, exactly. Like guys, they went to school with it just strategically, they, Russians would want our network security to be worse, of course, right? They want chaos. They don't have to say Go attack. ACME Corporation on this day to say, you're fine. Go have fun.
[00:13:50] AJ Nash: Right.
[00:13:51] Cynthia Kaiser: And it meets their strategic interests and like we should hold that accountable.
[00:13:54] Right?
[00:13:54] AJ Nash: Yeah. I mean, we've known for a long time the Russian government and the criminal enterprise there have a relationship. Exactly. I mean, it's been understood [00:14:00] that if, as long as you don't do harm domestically in Russia mm-hmm. And as long as you're willing to do whatever the government asks, if they tap you on the shoulder mm-hmm.
[00:14:07] You're pretty much good to go. You break one of those two rules, you fall out of a window. I mean, that's kind of a known thing. Right? But I'm also thinking, and I don't know if you've seen this, I'm asking a question when I ask China and North Korea is money motivated as a country, right? They're almost, the country is a criminal enterprise in and of itself.
[00:14:21] So I'm curious if you've seen a lot of that in the ransomware space since it's so profitable. And then I, you mentioned moonlighting earlier, and I know I've seen some of this in the past, where some Chinese military have been known to moonlight other things. Is that also including ransomware?
[00:14:32] Cynthia Kaiser: So a little bit in, in China in particular, we saw ransomware deployed right after an espionage operation last summer.
[00:14:41] So a Chinese state sponsored espionage operation had been compromising on premise SharePoint servers. Well, right before it was about to be disclosed publicly. A bunch of ran Smart one. I'm sure it's enough. Shocking. I'm sure. I'm sure, right. We got a hold of a sample. Our team looked at it and they're [00:15:00] like, this is professional grade, right?
[00:15:01] This is profession. This is not what a new criminal group that we never heard of before, Uhhuh, how they would've developed this is how a state would've developed. Now does that mean it was the state? Does it mean it was somebody, people who used, used to work like with the state or Boin lighting those answers?
[00:15:15] Outro: Sure.
[00:15:15] Cynthia Kaiser: You know, hopefully the intelligence community does. But I can tell you it was Chinese state aligned or State Thai.
[00:15:20] AJ Nash: Yep. Got
[00:15:20] Cynthia Kaiser: it. And I think that's important. There's less in China, but there is. Chinese ransomware. So you see ransomware from Iran, that's where you see the moonlighting. Oh. In a big way.
[00:15:32] So people in their free times going out and as long as they don't go, they don't do it too bad. Right, right. As long as you don't go after targets that like really bring the heat, you're gonna be fine to put a blind eye towards it. You have a lot of contractors. But I also, it was interesting 'cause when we were at the FBI
[00:15:49] AJ Nash: right.
[00:15:50] Cynthia Kaiser: We found that especially if you're a contractor or like someone slightly tied to the regime, if we were able to name you to put out sanctions [00:16:00] against you, hey, there's a $10 million reward from State Department if it leads to your arrest, most. Iran aren't moonlighting so that they can stay in Iran forever.
[00:16:10] Mm-hmm.
[00:16:10] AJ Nash: Yeah. The goal is to escape. Right?
[00:16:11] Cynthia Kaiser: Right. So that was actually a big deterrence. We found that, especially that naming, it really helped deter these kind of quasi state, like half aligned to the state actors. That was an interesting evolution. Our mindset on, okay, let's do things that make sense and things that are effective.
[00:16:28] Let's go after them. We see Iran, you asked about North Korea though. I'll flag we FBI put out it has done indictments against North Korea. Sure. Conducting ransomware attacks. Some of it was against hospitals, which is a whole,
[00:16:41] AJ Nash: yeah. It used to be off limits and then suddenly it wasn't anymore.
[00:16:43] Cynthia Kaiser: It's awful.
[00:16:44] Right. If you ask Kaiser, it's terrorism. It is. What we've actually seen from North Korea is, yeah, you sometimes see that occasionally, but they've put a lot more effort into those IT workers and the crypto thefts. And the crypto thefts have allowed them really to have like get bigger [00:17:00] payouts. So it's not that we don't see ransomware from North Korea, we do.
[00:17:04] I would also say it might just be, looks like more kind of like funding their own activities. Sure. Not like. That's not their main profit.
[00:17:11] AJ Nash: Well, I know they're, you mentioned the crypto exchanges. I know they've been very big on hitting
[00:17:14] Cynthia Kaiser: crypto
[00:17:15] AJ Nash: exchange. Absolutely. I think they're the world leader in that. I suppose there's
[00:17:17] Cynthia Kaiser: such a thing they've stole over a billion in one heist.
[00:17:20] AJ Nash: Yeah, it's pretty incredible.
[00:17:21] Cynthia Kaiser: It's crazy. I mean, I think it buys a lot. North Korea,
[00:17:24] AJ Nash: a billion. Oh yeah. It buys a lot everywhere. I'm pretty sure it still buys a lot here. Even in San Francisco it buys, you know, a. House, you know,
[00:17:30] Cynthia Kaiser: I was like, may maybe right
[00:17:31] AJ Nash: by
[00:17:31] Cynthia Kaiser: as, but make a duplex.
[00:17:32] AJ Nash: Right. So when we talked about how things have moved forward in the technology, you talked a little bit, I wanna dig a little deeper AI component, right?
[00:17:38] You talked about how poorly it could be used, right? And people can stitch things together. It's clearly AI stitched, AI vibe, coding. You don't really know what you're doing. You get a mess. But where are adversaries using ai? Well, I mean, what are you seeing as far as speeding them up? Is it giving them better hooks, getting them better technology?
[00:17:53] Uh, what are they doing with ai?
[00:17:54] Cynthia Kaiser: Well, it's a lot easier to lie with ai.
[00:17:57] AJ Nash: Oh yeah, that's true.
[00:17:58] Cynthia Kaiser: So we [00:18:00] see it primarily deployed in initial access. Okay. That means in a lot more, and we're convincing phishing emails. Yeah. The just deluge of these phishing emails that are coming into them.
[00:18:10] AJ Nash: Yep.
[00:18:10] Cynthia Kaiser: Deep fakes. So by that I mean both synthetic video and synthetic voice.
[00:18:16] That's harder because security professionals like us, we know not to click on a weird link in an email you aren't expecting. Yeah. Right. I mean,
[00:18:23] AJ Nash: I don't know any Nigerian princes that kind of a
[00:18:24] Cynthia Kaiser: thing. But if you get a call from your CEO who says to get on this, I'm get on this other call right now, I'm sending you a link.
[00:18:30] AJ Nash: Right. Or you get on a call and they get you on a Zoom and you look at right at somebody who's supposed to be the person you think they are.
[00:18:35] Cynthia Kaiser: Exactly. Exactly. And it can end up giving them access. We saw Scattered Spider, which is that, uh, more Western based ransomware group. Over the summer, they were using DeepFakes to do some of their help desk, like right impersonate employees.
[00:18:47] A lot of times those employees weren't in the office at the time they were on vacation.
[00:18:51] AJ Nash: Sure.
[00:18:52] Cynthia Kaiser: And they're impersonating these employees to get their help desk resets, like activate multifactor authentication, uh, [00:19:00] registrations for themselves. So it's a problem, and this is where AI can really help these actors.
[00:19:06] There's the rapid exploitation of vulnerabilities once some vulnerability is known.
[00:19:11] AJ Nash: So fast, like you said, right. An hour less
[00:19:13] Cynthia Kaiser: right
[00:19:13] AJ Nash: now. So it used to be days, they don't have any
[00:19:15] Cynthia Kaiser: of
[00:19:15] AJ Nash: that time anymore.
[00:19:16] Cynthia Kaiser: Right. Which is
[00:19:17] AJ Nash: interesting. And
[00:19:17] Cynthia Kaiser: I think you also see the adversaries, they're using it to make their code, like to check their code to make them a little more efficient.
[00:19:23] Sure. And a lot of the business processes we see, what I would say is mostly an initial access. You have these discreet tasks that they're doing. They're not creating this whole orchestrated campaign because they're really effective the way they are now. They what? They're not gonna take some agent.
[00:19:41] Orchestrated campaign has a much lower success rate than what they're doing now and start using it. That's the purview of wannabe. It doesn't mean they won't get there. It doesn't mean as you play with the technology, that's how you experiment. Right. And you get better and then you can integrate. But we're not there yet.
[00:19:54] The one thing I'd flagged that really worries me, your report from November where they came out there, [00:20:00] they had an AI orchestrated Chinese espionage campaign.
[00:20:02] AJ Nash: Yep. Yep.
[00:20:03] Cynthia Kaiser: We can talk on that an but what was really interesting. The actors were using AI once they were on a network to identify high value information and then take it off the network in small amounts,
[00:20:17] AJ Nash: so it was it detected
[00:20:18] Cynthia Kaiser: so it doesn't get detected with our normal detections.
[00:20:21] That's right. Kinda stuff worries me levels. Yeah.
[00:20:22] AJ Nash: Well, it's interesting you made two points in there. Many, but two that come to mind that that show that professionalization one. If they're gonna do this, you know, Deepak impersonating somebody, oh, they're on vacation at the time, what that says, they did recon first.
[00:20:33] That wasn't accidental. They weren lucky enough to know that this person was on vacation, which means they're, they're either getting into their systems first to get the information or they're, it's social media. They know that person probably posted social somewhere. I'm going to Hawaii for the week, or whatever it was.
[00:20:44] Right. They're doing their recon first. So it's still traditional intel process. Mm-hmm. To get here. Right. And then as you said, when you're getting in there. Using the tools to know exactly what to look for. They also understand how our tools work to detect things. Small exfiltration, it looks like it should be normal activity.
[00:20:59] 'cause it's tied to [00:21:00] an an authenticated user. You know, oh, this person should be grabbing these things. This would be normal for them to move these files around because our systems are set up. You can't alert every file that moves everywhere. We'd be inundated. Right. We'd overwhelmed. So it, that's interesting 'cause that shows.
[00:21:13] To me that that level of professionalization, these are not amateurs. These people have done their research. They know their background, they know their target, they know our technologies. I mean, I guess it brings up the tough questions. What's next? How do we, how do we fix that? What do we do about it? How are we gonna get better?
[00:21:27] Cynthia Kaiser: So I still actually really believe that AI benefits of AI are weighted towards cybersecurity. But I mean by that,
[00:21:35] AJ Nash: yeah.
[00:21:36] Cynthia Kaiser: Right now. The way in which you can deploy kind of behavioral detection and really look, see like what looks weird be happening on my network. Mm-hmm. There's a lot of cool tools now that weren't available even a few years ago, so it's kind of a fun time, right, to be in industry and be able to see those tools.
[00:21:52] One of the things I'm really excited about too is being able to have almost self-healing hardware, self-healing software [00:22:00] where you identify the vulnerability and it's fixed rapidly that they can't be excluded and we don't have to have all of us humans who make mistakes. I don't wanna be in that loop.
[00:22:09] There's a lot of good reasons ai, human in the loop. But for that one, like I, I'd love for us all to be out of that. Right. A good point.
[00:22:16] AJ Nash: Zero day. As soon as it's reported, you can say, Hey, you know, ai go fix this thing. Exactly. Have it be constantly monitoring and, and make these, these changes faster than humans could.
[00:22:23] So we can get ahead, as you were saying,
[00:22:24] Cynthia Kaiser: but we're gonna have like a decade of legacy hardware, software that's gonna be more vulnerable too. And so, you know, it's good, it's bad, but I think that element is really important. But really. Cyber hygiene. Mm-hmm. Like the basics, like identity. Good, like Right.
[00:22:38] Harden your identity. Rapid patch, like patching of vulnerabilities. You want to have also though, like resilient, I'd say detection, but it's like detection that's on your system. Mm-hmm. Like assume breach.
[00:22:50] Outro: Yep.
[00:22:51] Cynthia Kaiser: Assume someone's gonna get in. So how do you quickly identify? Then in an autonomous way. Right.
[00:22:57] Actually contain and stop them from getting [00:23:00] further. We can't, you can't stop every attack from happening on your network and you just have to have that mindset.
[00:23:04] AJ Nash: Yeah. Well I agree. I mean it's like I said, I did a lot of counter terrorism work in the past. You're not gonna stop every attack goal is stop it all, but you're not going to.
[00:23:11] Right. So you also have to have compensating controls. Same thing here as we try to understand what happens. And I think, I think you're right, and the technology help us see things faster and adapt faster and respond because. We, there's no way to do it manually, right? The systems just aren't built, fed, the process aren't built, fed.
[00:23:26] If the adversary's gonna use AI and gonna be able to turn a zero day into exploit that they've actually taken action on within an hour, do that with people. Yeah. So it's gonna take the tech. I think it's also interesting. So you had said when we opened, you mentioned, you know, you're new to the private sector, right?
[00:23:38] How long were you FBI Again?
[00:23:40] Cynthia Kaiser: 20 years.
[00:23:40] AJ Nash: 20 years, right. Okay. I, I chuckle a little bit 'cause I think you're right by the way before I, I say this, but when you start talking about, you know, basic hygiene. Been saying it for a decade out here, and you know how bored people get when they hear it, but keep saying it like, stop telling me to, you know, passwords and that, that two factor authentication.
[00:23:56] I said, well start doing it and I'll stop telling you. I've been saying the same thing for a decade [00:24:00] because it's still, Hmm. People don't do the basics. They're gonna come to places like this and they're getting very excited about all these amazing technologies, right? And they're very cool and AI and agent AI and all these things.
[00:24:10] They won't do the most basic things still of just, you know, two factor authentication, you know, password, you know, complicated words. Right? It's, it's amazing. You know, how the simple things keep getting missed or ignored 'cause they're boring. Talk about them, but they're not gonna be, there's not gonna be a booth here this week that's gonna talk about two factor authentication probably.
[00:24:30] Mm-hmm. I wouldn't think so. A booth here talks about, Hey, let me teach you how to have a complicated password. Right. They're not selling that, so I'm glad you're saying it, especially. I've been outta the government now long enough and I wonder, all right, what's new? What have I missed? You know, when I came out to the private sector, I was, okay, let me bring everything I know, whatever that is, and help people.
[00:24:46] Mm-hmm. And it's good to find out that still there are brilliant people like you coming out here and saying some variable things that are new, but also saying a lot of the same things we've been saying for so long. 'cause it's still some of the same problems.
[00:24:56] Cynthia Kaiser: It is. I, I do wonder sometimes if we haven't come up with some of the [00:25:00] right solutions to help.
[00:25:00] I think especially in the operational technology real, where we say, oh, you just patch your vulnerabilities, some of this OT equipment. It can cause this cascading failure effects, and I'm not sure we've had the right nuanced conversations around that to really help some of these OT operators get back and figure out how to patch in a way that helps them.
[00:25:22] But like, look at Iran. I mean, Iran is going to target unpatched ot.
[00:25:28] AJ Nash: Oh
[00:25:28] Cynthia Kaiser: yeah. Part of this conflict. The F fbi, I just warn last fall, they were already like looking at that back in the Gaza conflict. They were targeting U, they end up targeting us and sure. Israeli, you know, water infrastructure, I mean this, this happens because they wanna get onto something and then lie about it.
[00:25:41] Right? More. But you, you see how vulnerable still some of our most critical infrastructure is because there isn't patching, because there isn't a two factor, because there's shared admin passwords.
[00:25:50] AJ Nash: Some of the biggest breaches are still misconfigured S3. Buckets, you know, and cloud, you're like, yep, it happened, right?
[00:25:55] Mm-hmm. And, and as you mentioned earlier, Iran, I mean, they have a history, right? Going back, I mean, they've taken [00:26:00] shots at the infrastructure before. They're taken shots at the banking system. If you wanna go back, you know, 15 years or or so, it's public knowledge. I'm reasonably sure now it
[00:26:05] Cynthia Kaiser: is.
[00:26:06] AJ Nash: So it's, I'm over here talking about, I'm pretty sure I'm not saying them gonna get in trouble for, but yeah, I mean this is what they do.
[00:26:10] And I mean, let's say symmetric warfare, those are the things they have available that, right? So that's causes much harm. So you're right it, and we're gonna see this. So I'm gonna ask one question, which one? But it comes up because of that. So one of the other things I noticed in the private sector, and you will, is that people don't emphasize or focus enough on the geopolitical aspects when we talk about intelligence driven security, right?
[00:26:30] It's, it's very technical. Very tactical, makes sense. There's a lot of numbers that go with it. I can, you know, a lot of ways of, you know, showing value, et cetera, and it's very hard to consume the geopolitical on the bigger picture of things, but. It matters, right? Put more sanctions on North Korea. The North Koreans are going to do things in response to generate revenue.
[00:26:48] If we attack Iran, the Iranians are going to do things in response to cause harm and try to deter, right? As somebody who's relatively new to the private sector, do you have [00:27:00] any ideas on how we're gonna help people understand how much the big picture matters? Because this isn't actionable, right? A lot of big picture on day one isn't actionable, so peoples keep ignoring it.
[00:27:09] It's all actionable, actionable. I'd be curious and, and you don't have to solve this by the way, it's a trick question 'cause nobody's solved it yet. But if I'd be curious about your thoughts on how you're doing it at Halon, how you're gonna tell other people how to take a look at this big picture and have this influence where you're planning and what you're expecting to see.
[00:27:24] Cynthia Kaiser: So I think we keep cybersecurity and it.
[00:27:30] AJ Nash: S. Mm-hmm.
[00:27:31] Cynthia Kaiser: We even found this at the FBI by the way, like the executives, especially early on was say, they're like, I guess like Right. We're gonna let the nerds do it. Keeps
[00:27:38] AJ Nash: rolling in the corner.
[00:27:38] Cynthia Kaiser: Yeah. Yeah. Do. And it wasn't that they didn't under like, and they didn't know it was an issue.
[00:27:42] They just didn't understand the technology. So it becomes easier to be like, I can focus on these things. I know,
[00:27:47] AJ Nash: right.
[00:27:47] Cynthia Kaiser: And so I think that happens in a lot of corporations that you have these IT teams and like they got security. That's what they're in charge of. I'm just gonna go over here.
[00:27:55] AJ Nash: Yep.
[00:27:56] Cynthia Kaiser: This understanding of the larger risk to business.
[00:27:59] [00:28:00] If something happens. I actually think they ran conflicts. A great way to talk about this because the advice I've been giving companies over the last few weeks is what I want you to do today is get out your incident response plan. Mm-hmm. And make sure your marketing or PR teams have seen it, thought about it, and know what your public stance will be compromised.
[00:28:22] It's your point because. Iran often lies, right? Sure. They do something, they get onto something, they're gonna come out and be like, Hey, look at all the things we did. Look at this massive attack we did. And I mean like, 'cause their points just so chaos. Yeah. And it points to message internally too, right?
[00:28:34] Mm-hmm. Mm-hmm. So they more likely than not, they're gonna go out publicly and live about it.
[00:28:39] AJ Nash: Sure.
[00:28:40] Cynthia Kaiser: So if you involved the people who are responsible for managing your public business risk. And so I think having those kind of conversations, a little more tactical, not like this, like larger, you should really think about geopolitics.
[00:28:54] That flag seems pretty thin.
[00:28:55] AJ Nash: It is, yeah.
[00:28:56] Cynthia Kaiser: But if you can talk through, like these actors go out in public and lie, [00:29:00] have you involved your pr, have you thought about your, your public risk? If someone, if they just compromise like this one HMI OT machine over here, but they're gonna go out and say the entire water infrastructure is compromised.
[00:29:13] AJ Nash: That's an interesting idea. I haven't, I don't think I've actually heard that one before either. I think that's a good idea because when you talk about business risk, you said business risk and you're right on, obviously in the private sector took, to be honest, that if you can't tie to business risk, nobody cares.
[00:29:24] Mm-hmm. So like, nope, it's just a reality. But I think it's interesting you, 'cause you made a point I hadn't thought about before, which is helping them understand, hey, you kinda tie this to the PR component and the messaging, how you mitigate a lot of business risk, not tank. When something happens, if you can say, Hey, it's not what they said it was.
[00:29:37] Here's all the research that shows it. Here's all the data. They said it was all this, it was really just this. We weren't really compromised. It was a third party. It was compromised and they got some data or this wasn't a new dump. A data dump of a new leak. This is actually recycled stuff from long ago.
[00:29:48] Exactly. Your messaging to your corporate messaging folks, uhhuh, the more you can mitigate that business risk, that damage. Mm-hmm. That's a really interesting way of looking at it. I haven't, I haven't pitched that damn before. Well now, 'cause [00:30:00] I've been the dummy for the last decade. You gotta know all these big things for all these reasons that I don't have time to know all this and I, I just go, no, but you have to, and I haven't had a very compelling story, frankly.
[00:30:08] So I think that might be a better story to tell about here's how you can action it, because actionable matters. And now you're talking about taking actions that can actually prevent things.
[00:30:15] Cynthia Kaiser: And I think it's just important to really contextualize and if we don't tell stories enough.
[00:30:18] AJ Nash: Mm-hmm.
[00:30:19] Cynthia Kaiser: In the cyber field, we talk on technology.
[00:30:22] Yes. This thing in this IT context, and that's all important for certain audiences. But people remember stories. True. They remember like, oh, this is what Iran did this time, and I'd like add something to that is I think a lot of organizations don't understand on ransomware that if you pay, you aren't automatically decrypted.
[00:30:40] Right?
[00:30:40] AJ Nash: Right.
[00:30:40] Cynthia Kaiser: It's not magic. Like, no, don't put, it's gonna be down for a few weeks. Mm-hmm. It's like, these are clunky. You may not get back all your data. You're known as somebody who pays,
[00:30:49] AJ Nash: so you're on a
[00:30:49] Cynthia Kaiser: list, so you're much more likely to get hit again.
[00:30:52] AJ Nash: Yeah. But the government's position, right. Don't pay ransomware.
[00:30:54] That's been the FBI's position officially. I know the government position officially forever is, and, and I, I'll be [00:31:00] honest, it's been my position to people too. I said, unless it's life or death, I get it. The hospital situations, there are times when I understand it, but I've said, if you pay, you're just gonna get hit.
[00:31:07] Again. What you're doing is creating more problems for yourself. People who don't pay don't get hit again. Not often, at least I wouldn't think. It doesn't make a lot of sense 'cause you're notorious for not paying. So have really strong backups, have the ability to account for this happening. Endure it so you don't have it, come back to your again.
[00:31:21] But it's hard to, it's a hard sell for people, especially when they're, they know if they can pay it, keep it quiet, you know, their stock will stay up. There's a lot of other valuation components. So you see like when the Vegas casinos were hit, right? The two major casinos were hit. Mm-hmm. Two different positions.
[00:31:34] One paid, one didn't, and then you got to watch the fall outta that. And you realize, by the way, casinos apparently print money. I had no idea how much revenue a casino can make in a day, but you end up seeing that business discussion of should be a paid, should we not have paid. But I, I, I tend to be one of those people who still says, don't pay.
[00:31:48] Cynthia Kaiser: Yeah. It's so hard, right. Hard to make that business decision. I will say I've seen a major corporation pay. Then the group leaked the data anyways 'cause they just made a mistake and they're not professionals.
[00:31:57] AJ Nash: Yeah. Oh sure.
[00:31:58] Cynthia Kaiser: But I understand. I [00:32:00] understand that business decision. But I think what organizations and C-Suites need to know is that this isn't a feelings based conversation where we're like, that's Hey, we really feel like they'll attack you more.
[00:32:11] Like
[00:32:11] AJ Nash: No, they will.
[00:32:11] Cynthia Kaiser: There's numbers behind that. Yeah. You will get hit.
[00:32:14] AJ Nash: Yeah.
[00:32:14] Cynthia Kaiser: Much more likely again.
[00:32:15] AJ Nash: Yeah, that's a good point. It's data driven. Again, in our industry matters. People does wanna know data. You're right. Fields don't matter. Mm-hmm. Show me data. Overwhelming data in some cases if necessary to say, if you do this, this will happen.
[00:32:25] It's your choice. Just understand, you will see this again. Will you be better prepared next time? Or are you just gonna keep paying criminals to give you back the stuff that you should already own?
[00:32:34] Cynthia Kaiser: Mm-hmm.
[00:32:34] AJ Nash: Which is a problem, obviously. Listen, I can talk to you all day. This is this. I know you have a busy calendar.
[00:32:38] Yeah. They're gonna kick us outta here eventually, but, so I'm gonna, I'm gonna wrap up now as you the name of the show's Unspoken Security, and with that mind, I ask every guest the same question. Tell me something you ever told anybody before. Something that's been unspoken until now.
[00:32:50] Cynthia Kaiser: So I'm gonna say something I haven't spoken a lot about before, which is I was a late convert to thinking ransomware was a huge problem.
[00:32:58] AJ Nash: Oh really?
[00:32:59] Cynthia Kaiser: [00:33:00] Yeah. So most of my career, I spent my career as a North Korean analyst for, for a lot missiles, counter intel, all that stuff. And came into cyber, really cared about it. I was on the nation state side, right? Russia, China, North Korea, Iran, and I was like, this is the existential threat. And like as the mm-hmm.
[00:33:16] Cyber crime stuff starts coming up. I'm like, yeah. But I mean like, they're not like trying to attack our way of life. They're just trying to steal money, right? Sure. Like, and you know, for a lo, I probably longer than I should have really put it in that bucket. And I think I really started to see, you saw a colonial pipeline come where you're like, mm-hmm.
[00:33:33] Oh
[00:33:34] AJ Nash: yeah,
[00:33:34] Cynthia Kaiser: this could have like, and like that wasn't even on the OT side, right? But it had, and like I started to see these implications and as I looked at it, I was like, oh gosh, but what affects Main Street? Is ransomware.
[00:33:48] Outro: Yep.
[00:33:48] Cynthia Kaiser: You know? Yeah. Like we can say like, I'm worried about China. I'm worried about them lying and right on lying in, wait on our infrastructure.
[00:33:54] Mm-hmm. And all of that. Yeah. But what's really a problem [00:34:00] to like. Our parents, our kids businesses in our town, it's ransomware, it's cyber crime, it's financial fraud. Yeah. They're stealing a generation of wealth.
[00:34:11] Outro: Exactly.
[00:34:12] Cynthia Kaiser: And I'm a little embarrassed yet thinking like, gosh, before I was really thinking like, it's like this is what I really need to focus on.
[00:34:17] China. Mm-hmm. Russia, right? All this, and I'm like, gosh. Like, we can actually do something here and we can make a big difference here. And so that conversion took me a little while. And I say that because I think it's really important for organizations to think about too. 'cause I think there's a lot of people, it's like, oh, it's just a criminal.
[00:34:34] Outro: Yep.
[00:34:34] Cynthia Kaiser: It's just fraud. Right. Or there's so much fraud. Like we can't even get like local police officers to like, right. They don't care. Be able to handle it because it's just too much. Or like an FBI is getting 3000 tips a day on it. They can't like Right. They can't do them. There's only so many people.
[00:34:47] AJ Nash: Yeah.
[00:34:48] Cynthia Kaiser: And so. To me, like haven't talked about that as much as I could. But it's important to say because organizations need to know that too. Like it's not [00:35:00] just these large existential threats that you're thinking about.
[00:35:02] AJ Nash: Yep.
[00:35:03] Cynthia Kaiser: It's a lot of different tiny threats and they're what's gonna really affect all of us.
[00:35:11] Sure. Like including attacks against our critical infrastructure that might feel financial to the criminal. But things like attacks against a hospital where patients die. Exactly right. So yeah, that's my kind of unspoken or little spoken thoughts.
[00:35:27] AJ Nash: I think that's, so first you, you'd no reason to be embarrassed.
[00:35:30] I think a lot of that is governmental. Mm-hmm. I, I was the same. So when I came outta the government space, again, a lot of counter-terrorism, et cetera. Mm-hmm. I was lucky enough, my first gig was actually at a financial institution. A lot of fraud, a lot of criminal activity. Mm-hmm. Obviously what we're focused on, I started seeing it as you were talking about the same kind of things, a much bigger deal.
[00:35:46] 'cause I was, I was very nation state, right. Counter-terrorism, et cetera. Mm-hmm. And crime existed, but like you, I was like, ah, it's crime. I mean, criminals are always gonna be that, that's how it works. Mm-hmm. Crime's crime, somebody will fight that. I started seeing the same thing you were, and I was like, no, this is a bigger issue.
[00:35:58] Mm-hmm. It causes more harm on [00:36:00] a daily basis for the average American now the nation state has, it's, it's got that big bang effect. Right. Nothing will happen, nothing will happen then a NAL drop. But we have to also worry about the really, really bad things. Right. But it's a death by a million cuts with the criminals.
[00:36:11] Mm-hmm. Every day. All the money that gets bled out of people's head. The elderly, you know, the vulnerable obviously a little bit worse off, but everybody really can get hit. Mm-hmm. It doesn't matter who you are. Right. I agree with you. And because there is that overlap, as you said, it can be, it can be financially still become detrimental to, you know, the infrastructure because there are a bit of both.
[00:36:28] You know, they attack a water system 'cause you wanna get money out of, you know, whoever the company is providing it. Nobody's got water, right? Mm-hmm. You attack a hospital, as you said, people die so. I, I think you're right. I think myself also at last, I don't know, five, seven years, something like that, I worry almost exclusively about criminal activity now.
[00:36:46] Now also to be fair on the private sector, we don't see the nation state the same way either. I had to get used to, and you will if you haven't already get used to not having access to it. Everything I had access to before, which is also one of those complicated. Think I know what might be happening here, but [00:37:00] I can't ask anybody any more questions.
[00:37:01] I would, 'cause I used to be in that room and now I don't have that opportunity anymore, which is a bit of a challenge. We have some sharing agreements with the government. They're not, you know,
[00:37:07] Outro: it's not the same. Right.
[00:37:08] AJ Nash: I appreciate that. I think that's a good message to share to people that, hey, this is a bigger deal.
[00:37:13] Realize it's not just crime, we can't just write it off. Affects everyone. It's massive. And as you pointed out, these are professionals who are continuing to get better faster. This isn't going away. Ransomware is is a huge problem. Next time I'll have you come back. We'll talk about business email compromise.
[00:37:28] Cynthia Kaiser: Oh, listen,
[00:37:29] AJ Nash: which is my pet favorite topics?
[00:37:30] Cynthia Kaiser: Oh my goodness. I mean, something that like right. Gets shuttled around who's gonna work it because it's not as complex.
[00:37:35] AJ Nash: 10 times more damage. Right. We're teasing that one. I don't do any that show plan anybody. So I'll get excited. I'll see. I'll see if she'll make time to come back.
[00:37:42] I would definitely do it, but. Thank you very much for taking the time here on the first day of RSA conference. I know it's very, very busy. I appreciate you taking time to, to meet with me. I definitely would come back, talk about BEC or pretty much anything and if anybody wants any more information, they can reach out to you.
[00:37:54] I assume at Halon you must have an email address, something to that effect or, oh yeah.
[00:37:57] Cynthia Kaiser: So you can always go to [00:38:00] halon.ai. You can go to the research tab and see all the research coming outta the research center. Or you can contact us at Ransomware Research center@halon.ai.
[00:38:07] AJ Nash: Very cool. Alright, well listen, I'm gonna go ahead and wrap it up.
[00:38:10] Get outta the way for other people. Thank you again. Thank you. We appreciate you being here.
[00:38:13] Cynthia Kaiser: It's been great being here.
[00:38:14] AJ Nash: And thank you everybody who's been watching and listening. If you like the show, please tell people about it, subscribe, all those things. If you don't like the show, shut up. I don't wanna know.
[00:38:21] No, I say that every time. The truth is, I do wanna know, help us make it better. 'cause this show's really about people out there and it's about guests. I like Cynthia. It has nothing to do with me. So I appreciate you all taking the time to be here. That in mind we're gonna have a great RSAC conference and we're gonna wrap it up.
[00:38:35] So this has been another episode of unspoken Security.
[00:38:42] Outro: That's a wrap for this episode of Unspoken Security. If you enjoyed this episode, follow us wherever you listen to your favorite podcasts. See you next time.