Know Your Adversary Podcast

EP8: KYA – Human Intelligence Recruitment of an Employee to Deliver Ransomware with Charles Finfrock

Episode 8 | February 16, 2021

Our guest is Vigilance CEO and founder, Charles Finfrock, a security intelligence professional.

In Episode 8 of Know Your Adversary™, we detail an August 2020 investigation in which a Russian gang member named Egor Igorevich Kriuchkov traveled to the United States to recruit an employee of a US-based manufacturing company to install ransomware on the network via a USB thumb drive. He offered the employee $500,000, and if the operation was successful, the Russian gang was going to extort the company for $5,000,000.

Fortunately, the company had prepared the employee for this type of scenario, and he reported Egor. A subsequent FBI investigation led to Egor's arrest; he was later deported back to Moscow, since the company suffered minimal loss.

This investigation details the sophisticated roles and responsibilities within ransomware gangs, identifying them as unionized efforts. More strikingly, the investigation points to a potentially growing trend of recruiting employees to deliver malware payloads instead of just conducting the infiltrations remotely.

Our guest for this episode is Charles Finfrock, who was previously a security intelligence professional for the company.

Key Takeaways:

  1. Ransomware gangs can and will travel to the United States and recruit employees to deliver the payloads.
  2. A training and awareness program should empower employees to act as a sensor network, providing tips on potential malicious nation-state or gang recruitment.
  3. Mature security intelligence and investigations programs are critical to deter these attacks at scale. 
  4. Partnership with federal law enforcement should be established before an attack occurs to help expedite response.

Transcript Below:

– This is going to be a fantastic story, so buckle down. In August 2020, a pretty infamous story came out that a Russian gang recruited an employee of a manufacturing plant to install ransomware on a thumb drive and would receive a million dollars for delivering the payload. If the ransomware operation was successful, the gang was going to hold up the company for five million dollars. The investigation took place over two weeks that resulted in a Russian gang member named Egor Igorevich Kriuchkov being arrested and deported. The investigation happened so quickly due to the employee’s quick instincts to report a human intelligence outreach by Egor and his Russian gang. While no damage or loss resulted to the company, the resulting investigation paints a disturbing trend that ransomware operations are being enabled through a recruitment of employees, not just from sending spear phish emails. This is the eighth episode of Know Your Adversary. While ransomware gangs act with impunity out of Russia, how prevalent are human enabled ransomware gangs to recruit employees within organizations? That’s a pretty nuanced concept here.

– I don’t think it’s isolated and I don’t think it’s growing. I think it’s here. I think, and again, I’m just, I’m using a little bit of the bias of my experience. I would be surprised if, in the vast majority of these cases, there are not insiders that are helping. And this is the deal with human, right? The greatest trick the devil ever pulled was convincing the world he didn’t exist. Well, this exists. People are out there hunting your people. People are out there pitching to your people. People are out there trying to identify and co-opt your people. It’s happening. Whether you think it is or not, I promise you it is. And so I hope people are taking the appropriate level of defense to protect their people, to help bolster the security of their people and their network. You’ve gotta have good relationships between your investigators and your cybersecurity folks because sometimes those edge defense or detection and response, they don’t think in terms of human investigations, going back.

– This is Charles Finfrock who worked on the Insider Threat and Security Intelligence Team. We won’t provide details of the company and generally follow the criminal complaint that is in the public domain.

– It was a, I don’t know, Monday morning, Tuesday morning, and I got a call from our site security officer who contacted me and said, “Hey, I’ve got a story, a weird story,” and any good security or counterintelligence or intel officer knows whenever somebody says I got a good story, it’s usually worth listening to. And so he tells me about this employee that had come in and reported being approached over the weekend and offered a significant sum of money to plant malware on the network. He hadn’t spoken to the employee yet. He had spoken to the employee’s manager and that’s kind of where the story starts. It was a fantastic story. It was about, you know, malware and a $500,000 offer to put malware on the network. First thing I did, take a quick look, make sure the employee’s not a frequent flyer, doesn’t have some kind of mental issues or is constantly reporting something that seems a little odd. The employee checked out, everything looked normal. And then I just worked my way back down the chain. I talked to the site security officer. I talked to the employee’s manager. And all along the way, even though it was quite a fantastic story, everything kind of added up. And then I moved right to an interview of the employee and just asked him to recount the story. All that happened in a matter of hours. So the employee says, “I was contacted by a friend, a mutual acquaintance.” In my old world, I would’ve called that a social broker or an access agent, but let’s just call it a mutual friend at this point. And she said, “Hey, I’ve got a friend of ours who we knew years ago,” and this was a mutual friend from four or five years back when they were in a completely different state. “And he’s traveling to the US and wanted to reconnect with you. Do you mind if I give him your number?” And of course the guy says, yeah, you know, why not? Of course, would love to catch up with Egor.

– This is a reference to Egor Igorevich Kriuchkov, who was arrested by the FBI for attempting to recruit the employee for $500,000.

– So then he tells us Egor flies into town, travels to the US from Moscow, drives to a town in Nevada, and they have a great time, right? Doing some tourist things and, you know, just catching up. And it was interesting because at the end of the weekend, when they were alone, they’d been with a small group, and he noted a couple of weird things like Egor didn’t wanna be in any pictures, which of course got my spidey sense up. So Egor stacks his phone on top of our guy’s phone and says, “I have a business proposition I wanna talk to you about.” “Okay, lay it on me.” And then Egor basically pitches our guy and says, “Listen, I work with a group on special projects and we put malware on companies’ computers and we are willing to offer you $500,000 to help facilitate malware being put on your company’s network.” And of course our guy’s saying, “What? Okay, let me think about this.”

– This is called the bump in espionage human intelligence trade craft. Having come from this background, in a sense, and talking to numerous operations officers, sometimes this rapport-building stage takes months to cultivate. The criminal gangs have a return on investment measured in hours and days. So, knowing the plant employee, Egor flies to the United States and ideally builds rapport pretty quickly, leading up to the bump. But imagine you haven’t talked to this person in a while and they fly to the United States to make this kind of criminal ask. It seems like sloppy trade craft for such a significant ask. But time is money.

– I would say it’s a significant ask, particularly for someone who’s traveling into another country to make this ask. So I would say they had a strong preexisting relationship, but four or five years previous, right? They hadn’t had contact since. And so they, but they’d spent the weekend together, right? They’d spent the weekend with the group. He’d rewarmed up the contact. Again, I would’ve said probably spent a lot of time building rapport, some light developmental work, probably was asking him questions to test his risk tolerance and probably spending that whole weekend to assess him, to determine, okay, am I going be able to deliver the pitch successfully here?

– Okay, let’s start dissecting and provide a little bit of context. As anyone who follows the news and the press knows, ransomware is when a group of criminals seeks payment for decrypting or actually trading data from a system or network. The act of ransomware usually comes in two forms, and they’re almost always conducted remotely out of Russia or some Eastern European country where cyber criminals have safe haven. They either exfiltrate and extort, or they exfiltrate, extort, and encrypt. Payment is usually accepted in some form of cryptocurrency like Bitcoin or Monero, so their tracks are mostly, but not completely, anonymized. People are probably familiar with some of the ransomware gangs, like DarkSide, REvil, and Maze, just to name some of the most infamous. They conducted attacks like the one on Colonial Pipeline and many others. But what is a bit nuanced about this attack is that the attackers traveled from Russia to the United States to recruit a human enabler of the malware. Why would they need to do that when they can conduct these attacks remotely and be protected or ignored by the Russian state?

– Our guy says, “Okay, so how would it work?” And Egor sketched out the broad strokes and said, “Well, the way that our group works, we put malware on computers, we steal their information, and then we encrypt the data. And then we extort the companies for money. First to unlock the data, but second, the reason why we steal the data first is in case they’ve got backup so that we can still extort them and threaten to make the data public.” Our guy, of course, is a little bit taken aback by this, he’s very nervous, very uncomfortable. He sort of asks a couple of other questions, Egor discloses that while this is happening, while the data is being stolen, they would conduct a concurrent distributed denial of service attack against the network that would serve to distract or overwhelm the detection and response teams from the company. He offered to our guy that he could either insert a thumb drive into the network, if that was possible. And if not, that our guy could just click a malware link on an email that he received and that it would look like it was just an accidental malware click. So at that point, our guy said, “You know, gosh, I’ve gotta think about this. Let me get back to you.” And Egor, God bless him, said, “You know, I’ve gotta travel to Los Angeles,” basically had another couple projects in play, disclosed that they had done this before with other companies, and the employees that were working on the inside that were co-conspirators had been successful and were still working at these companies. So that was kind of where the initial story stopped.

– Understanding that Charles’ job was not to find out how widespread this gang operates in the United States and only to protect the company that formerly employed him, of course it’s very interesting how widespread this problem could be and gives you an idea of the scale of the ransomware problem. If there are gangs within the United States attempting to recruit insiders at companies to deliver ransomware, just imagine how many people are sitting in Russia trying to conduct these crimes remotely.

– I would say just professional experience tells me maybe he’s portraying this as more successful, maybe this is the first time out of the chute that they’ve tried this technique. Maybe not, maybe it’s the 20th time they’ve tried the technique. Don’t know, but it was enough for me to say, okay. And the other thing I should say, it was all plausible, right? The employee’s demeanor was appropriate. The setting was appropriate. There were enough pieces of trade craft that I said, okay, this isn’t someone who’s making up some fantastical story for whatever, you know, motivation he had. Everything that he was saying lined up with his demeanor, lined up with the way that, I don’t wanna say I would expect something like this to happen, but let’s just say in my professional experience, this didn’t seem out of the ordinary.

– In the ransomware landscape, there are generally four types of positions: sellers, initial access brokers, exploit developers, and the technical operators. We will get into these different types of roles as the story moves along. To start, sellers and often initial access brokers have low to moderate technical sophistication and possess a desirable commodity. They typically provide access to a set of product brokers, but also personally operate on public marketplaces. They sell illicit goods such as social media accounts, gift cards, or data dumps containing personal identities. Generally these sellers get paid anywhere from hundreds to low tens of thousands of dollars for their commodities. Their price is dependent upon the quality, the quantity, the validity, and the sensitivity of what they sell. Initial access brokers lay the groundwork for more technically advanced operators who conduct cyber crime. These middlemen validate initial access to networks or applications, and they ensure the commodities purchased from the sellers are valid. As part of their work, they operate scanning tools to identify vulnerable organizations. It is not uncommon for initial access brokers to validate VPN or RDP credentials. Currently the technology sector commands the highest prices for access, estimated at an average of 13,000 for access in 2020. Egor sounds like he was pretty low in the food chain and was likely a seller or initial access broker. But then that begs the question, what position was the employee in? Was he technical? Was he not technical? Did he have privileged access? Let’s find out here from Charles.

– The employee was not a technical position, was not an IT super user or anybody like that. He was a normal employee. And that, I think, you know, I’ve been asked that before, why do you think that they selected this employee? I don’t know. Probably the physical access to the network, that there was a preexisting relationship, and there was physical access to the network. Probably first and foremost, more than what kind of position or specific access there was, he was just an ingestion point for the malware.

– Getting back to the story at hand, the threat all seems credible. It’s probably time to get the FBI involved in something like this.

– So at that point we obviously had some internal discussions and worked with the FBI. And so we reported that and they, of course, were very interested in it. And at that point, contact was facilitated between the bureau and our employee. And then the bureau took the lead on the investigative case from that point, with us in the supporting role. So as the investigation unfolded, the sophistication and the additional layers of description unfolded, right? So first, the story was recounted. They offered to pay our employee in either dollars or Bitcoin. They provided him a burner phone, had him download a Tor browser, asked him to help basically conduct reconnaissance of the network or help understand the network topology and the security programs that were in place.

– Let’s pick this apart a little bit. The Tor browser, that’s T-O-R, is like many browsers that people use instead of Google Chrome or Firefox to anonymize their location and originating IP address. People like whistleblowers and dissidents or people that are under human rights violations often use Tor for viable reasons. Instead of using regular internet infrastructure, like DNS servers and web servers, Tor is a peer-hosted network and users download either Tor browsers or Tor exit nodes. They register their computer to be used as a random detour, often called a relay, for other users to anonymize their traffic and location. Just for reference, there are over 7,000 exit nodes in use today in the Tor network.

– They discussed a little bit about the payment and a little bit more about the mechanisms. And then at one point, all these were being conducted in car meetings, which I thought was interesting from a trade craft perspective. Trade craft was tight, right? Everything was via WhatsApp communication and then face-to-face meetings. And then at one point, they got on a phone call with co-conspirators in Moscow, and it looked like there were at least two, three, maybe four other co-conspirators, at least, that were actively involved. The methodology, I thought, was kind of interesting that they used to make the call back to Moscow. Egor had one burner phone that he set up as the WiFi hotspot, took another burner phone that he tethered to that hotspot, and made a WhatsApp call to Moscow, which I thought was pretty slick trade craft.

– Think about this trade craft they employ here. Not only do they pick up an encrypted application like Signal or WhatsApp, but they use operational security by using a new phone that has not been used and it only connects to the hotspot, not directly connected to the wireless towers. Think like Verizon, T-Mobile, Boost Mobile, whatever plan that was on. I can’t speak for the FBI, but collecting any meaningful voice content on these types of calls with the masterminds in Russia would prove very challenging. I’m just guessing, but at best, the FBI might be able to pull call data records from the carrier showing that an outbound call was made to a suspicious Russian number during a data internet session. And that’s only if they are able to subpoena WhatsApp in addition to the cell phone carrier.

– I mean, a silly person picks up the phone and calls. So obviously, that wasn’t this. Maybe a slightly more careful person picks up the phone and calls via WhatsApp or via Signal, but tethering to another hotspot just provides that additional layer of clandestinity, the additional layer of broken attribution between the phone call and the ultimate recipient back home. And then a couple other pieces sort of came out, that again, they were looking for network reconnaissance. They talked about, they could attribute the initial ingress point to another employee, if our employee wanted to point to somebody else to get them in trouble. They discussed that they had, you know, a little bit of a logistics. They expected to get four to five million dollars out of our company. They disclosed that the group paid for the malware, $250,000 they paid for the malware development.

– Let’s get moderately technical for a minute. Typically, ransomware attacks start by someone clicking on a spear phish link, someone exploiting an application, or getting credentials, so they’re able to VPN or RDP into a network. Initial sellers and access brokers are usually the people that facilitate this, which is where Egor is in the criminal food chain, but the criminal gang needed to understand the network and obfuscate the tracks by pointing away from the insider who was recruited by Egor. This typically happens through a number of different technical means, but what is happening behind the scenes is that while the sellers and initial access brokers are doing their job, the malware developers are performing their role, and that’s exactly what Charles is talking about when he says the malware developers were being paid $250,000 for development. Ultimately, the code needs to be customized to the company’s network and be able to bypass security measures. This build process is called designing the payload. The payload is then put in an email or on a thumb drive to deliver to the target. Delivering the payload is often called the content delivery portion of the phase and typically involves some type of social engineering to trick the user into executing the malicious code. The access brokers usually hand off the operation to more technical operators who then deliver that payload and interact with the network to steal and encrypt data. Regardless of the content delivery mechanism, the malware always has to call home, meaning it has to connect to attacker infrastructure to receive instruction from the operator to move laterally in the network and encrypt and exfiltrate the data. After encryption, a technical operator or someone else in the chain negotiates the ransom, which in this case was about five million dollars.

– Part of the reconnaissance part of the delivery sort of discussion, which would’ve been, “How can we get it on?” And I think part of that was they wanted to know, could our guy insert a thumb drive into the network? Or was his USB access blocked? And if it was blocked, could he circumvent it? And if he couldn’t circumvent it, would they be able to send an email with the payload?

– What Charles is saying here is that through the thumb drive inserted by the employee, a connection would call home to the technical operators who then push the malware through the Tor channels. Typically, large companies have USB access blocked or tightly controlled. Remember, all this is happening through listening to the company employee, who is now an FBI informant, rehashing these conversations with Egor. The FBI still has not talked directly with Egor as these are mostly taped conversations or interviews with the informant. How did money change hands? That’s often a key part of any crime.

– Money never changed hands, that I can tell. Now, if you’re familiar with the investigative methodology, overt acts are a big thing. And so, our guy downloaded a Bitcoin wallet. They were gonna provide money. Initially it was 500,000 and then it was raised to a million that they were gonna offer our employee and Egor at one point even said that was gonna end up coming out of his half, or his part. Our guy was asking for assurances, was asking for money in escrow, was asking for money that could have been sent ahead of time. Bitcoin that could have been provided, a $50,000 advance, but money, best of my knowledge, money didn’t ever change hands. And again, of course, that was all under the direction of our federal partners.

– Isn’t it interesting how much operational planning goes into not only the criminal gangs to execute these types of crimes, but also behind the scenes of our federal partners?

– I think for me, it’s just the natural back and forth that something like this requires. And this is interesting, I think, for security people, this isn’t a one and done, this isn’t a here’s your first meeting, here’s your thumb drive with your tailor made malware. Nope, that’s movie stuff. In the real world, it takes a lot of iteration. Tell me about the security. Tell me about your ability to drop payload. Tell me about all this. And now I need to be comfortable and confident enough that I’ve got the injection point that I’m gonna pay for the tool that I’m gonna put on the network. And then I’m gonna be targeting data back to get that tool tailored for the network. So a little bit of the back and forth I thought was understandable and predictable.

– As we’ve established, there are often many roles and responsibilities within ransomware gangs. They’re almost all fully unionized operations. So what did we find out about the command structure back in Russia?

– The one thing that, it was just an interesting little note, they disclosed that at least one person involved had been a bank official in Russia. Does that mean that it was government run? Does that mean it was government affiliated? I don’t know. There’s some arguments to be made on both sides and I’ve thought a lot about that, and I tend to think that this is probably that gray area where not government sponsored, but potentially looked the other way, just in the general atmosphere of criminal work coming out of Russia. Obviously, we just saw the tip of the iceberg, but there were at least three to four other people in Moscow that were involved. Based on the statements of Egor, it appears that there were other co-conspirators and other companies that were going through the same process or the same type of attack. So I wouldn’t necessarily call them co-conspirators on the operation to target our company, but certainly co-conspirators with this Russian group. And again, according to what Egor said, was he overstating it to try to put our employee at ease that they were professionals and they could do this without getting caught? Don’t know.

– So to recap a bit, over the period of about two weeks, a manufacturing plant employee reported that his friend recruited him to install malware on a thumb drive for roughly about 500,000 to a million dollars. A Bitcoin wallet was set up and a few conversations took place with tight trade craft back to the masterminds in Russia. Understanding the company didn’t want to go through with installing the malware, the FBI decided to act.

– This unfolded over a series of meetings between Egor and our guy. Ultimately it looked like the network reconnaissance was gonna happen, Egor was going to leave, malware was gonna be pushed via Tor to our person, so the decision was made by the bureau to contact Egor. And when they contacted him, initially he tried to flee through Los Angeles and fly out and he was picked up. So they arrested him, which I thought was kind of interesting because we have a lot of instances of malware. We don’t have too many instances of live Russians in custody. So I thought that was kind of a nifty decision on their part. He pled out 10 months in, basically time served, and then was deported back to Russia. And the bear of it was, as we’re trying to show loss, the loss was so minimal. It was basically the time. It was our salaries of the people that were involved in the investigation, but there wasn’t any remediation. There wasn’t any red team. There wasn’t any of this because we didn’t have any loss, which is great from a company perspective, but from an investigative or prosecutorial standpoint, wasn’t ideal. But obviously from a corporate context, that’s great, but it did reduce the impact on the sentence for him. If I had to put my policy maker hat on for a second, I would say, this is a little bit of a loophole in the criminal justice system, where if you do a really nice job, well, now there’s not enough loss to make a significant sentencing. I mean, it’s great. Hey, I appreciate DOJ was awesome. Bureau was awesome. You know, no criticism at all. Just a little bit of, gosh, we were all too good. We got it too early. There wasn’t enough loss to justify a longer sentence or a bigger penalty on Egor.

– As always, there are a lot of lessons learned from investigations like these. What did the security team take away from this?

– Training and awareness. You know, gazillions of dollars spent on network security and that’s great, and that may or may not have discovered this attack, but what discovered it was good training and awareness. This employee had paid attention, didn’t fall asleep, heard something odd that he never thought he would’ve heard in a million years, but we’d prepped people on this, to say something like this happens, report it. And he did exactly what he should have done, and that’s report it. And his manager, who heard it, reported it to site security, he reported it to me. Everything worked just as it should. And look, everybody has training and awareness and we could talk a lot about what I think is more effective and less effective training and awareness. But if I had one tool in my toolkit and I was restarting another insider threat program, training and awareness would be my first thing. So that’s one. Two, good relationships with our federal partners. We’d worked cases before, some of us had preexisting relationships from previous lives, but the time to have good relationships isn’t when you’re in the throes of something like this. It’s to have those relationships established before, going through the corporate outreach people and having those relationships, and trust. And then the third one, and I love to put this out there for security investigators, just because you’ve never heard it doesn’t mean it’s not true. And if you took this story on the face of it, it would’ve been really easy to dismiss to say, oh yeah, half million for, yeah, right, whatever. Because this just isn’t a TTP or a tactic, technique and procedure or process that we hear often. Your mind doesn’t go to someone being on the inside. So that leads to my fourth and final one, lesson learned is if you have employees that are clicking on phishing links, take a look at people that are clicking on malware links. Just take a look. And again, I’m not saying that if you fall for a malware link, you’re a recruited insider who’s facilitating an external attack, but I’m not saying that you’re not. And I think that’s a key distinction and we’ve seen that now pop up in the press in a couple of different places. We were just, you know, I’d like to pat myself on the back and saying what a great program we had, and I do like to think that a lot of the things we had in place helped facilitate this smooth detection and disruption of this plot. But at the same time we caught breaks. But I’d also like to think we put ourselves in good places to catch those breaks.

– What was the luckiest break the company got, to where they didn’t owe five million dollars in ransomware payments?

– So the fact that the employee heard it and didn’t go for the money, and that the employee turned around and reported it. That was it. Without that, this would’ve been a drastically different story. Not saying it wouldn’t have ended well, it just would’ve been drastically different. And we started off on third base instead of in the batter’s box because we had an employee that was loyal and knew how to report it and who to report it to and handled himself really well.

– While ransomware gangs act with impunity out of Russia, how prevalent are human enabled ransomware gangs to recruit employees within organizations? That’s a pretty nuanced concept here.

– I don’t think it’s isolated and I don’t think it’s growing. I think it’s here. I think, and again, I’m just, I’m using a little bit of the bias of my experience, I would be surprised if, in the vast majority of these cases, there are not insiders that are helping. And it’s hard. Holy smokes, it’s hard to detect these kind of insiders that are facilitating external access. But at the same time, again, just with the bias of experience, your opportunity for success by having someone on the inside that’s either physically providing access, that’s enabling access, or even just conducting the reconnaissance, your chance of success goes up by a factor of 10, 50. I mean, it’s huge. So I think it’s important from a reactive perspective that when you have an incident on your network, yes, maybe it came from the outside with no help on the inside, but it’s worth working that all the way back to where it came from. And second, including this in the training and awareness programs, so that people know this is a thing, this could potentially happen. If this happens, it’s not gonna be bad for you, to the contrary, you know, you’re part of the good guys. The only other thing I would add would be while you should be looking at your IT privileged users, because they can do a significant amount of damage, it doesn’t have to be. Right, it just has to be someone that touches your network and can click on that link, that can insert that USB, that can do something like that. ‘Cause I don’t think ransomware is going away. I don’t think this tactic is unique enough that it’s not happening again. So I would love to see additional cases like this come up. It’s just hard and you’ve gotta have everything in place. You’ve gotta have done the needful on your training and awareness and you’ve gotta catch some breaks. Let’s be honest. You’ve gotta have an employee that’s hearing it and reports it. And this is the deal with human, right? The greatest trick the devil ever pulled was convincing the world he didn’t exist. Well, this exists. People are out there hunting your people. People are out there pitching to your people. People are out there trying to identify and co-opt your people. It’s happening. Whether you think it is or not, I promise you it is. And so I hope people are taking the appropriate level of defense to protect their people, to help bolster the security of their people and their network. But the fifth point, if I could say, you’ve gotta have good relationships between your investigators and your cybersecurity folks, because sometimes those edge defense or detection and response, they don’t think in terms of human investigations going back, they think in terms of, ah, somebody clicked a link, send them an email that says, “Don’t do that again. This was malware.” There’s gotta be good relationships and good communication and good back and forth, so that maybe before they send that email that says, “Hey, you clicked on a malware link,” you’re running through your investigation shop first. That’s the other thing I would say on this one that to the extent that there’s any kind of friction or any kind of lack of seamless communication, sometimes that’s between that cybersecurity and the investigators that may be coming from corporate security, or maybe coming from insider threat, or wherever, but probably not coming from the technical teams that are doing detection and response. So that’s a seam that I think my recommendation would be for companies to try to fill that seam up the best they can. I think the right way to do that is you’ve got a good insider threat program manager, you’ve got a good security counsel either under your CSO, and I think it’s communication. No single team, no single department’s got the silver bullet, right? It’s gotta be a woven-in comprehensive security program that goes humans and technical and that communication between.

– A special thank you to Charles Finfrock for joining the show today. A lot of people think cybersecurity is simply protecting the information security assets of an organization. What they don’t realize is that these types of threats, particularly for large companies, occur at such great scale that often a skilled investigations team is needed to bridge the gap between cyber security and physical security investigations, which is where a lot of insider threat investigations live. Further, some insider threat investigation tools are expensive and detect needle-in-the-haystack anomalies, for example when someone is printing something off hours. While these can be valuable, the most critical part is to have a good training and awareness program where employees can be their own sensor network and the security team doesn’t have to come off as government snooping on employee conversations. Training and awareness, a good intelligence and security program, close contacts with federal law enforcement, and sometimes a bit of luck are what’s needed to combat nation state threats of Russian criminal gangs and Chinese nation state efforts. Thank you for listening to Know Your Adversary. Every other week, we will bring you a new cyber crime attribution investigation that is representative of the work of NISOS operators past, present, and future. If you have any good stories to pitch, please reach out, as no two investigations are the same, and it is simultaneously fascinating how digital clues come together to bring context to crimes that victimize enterprise. For more information, please visit Thank you for listening.