Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Analyst and Advisor with KuppingerCole Analysts. My guest today is Christopher Schütze. He is the CISO and the Head of Advisory here at KuppingerCole Analysts. Hi Christopher, good to have you.
Hi Matthias!
Being a CISO and having your origin in cybersecurity, you are a great partner when it comes to talking about cyber hygiene. We want to talk about cyber hygiene in a corporate context. So what can organizations do to protect themselves, their employees, their organizations, but also everything else, including their reputation and in the end the full company, from adversarial attacks? So cyber hygiene is interesting, and rest assured we don't want to talk about password policies, about locking your screen when you leave the desk, all important, all important. Clean desk, no, we don't want to talk about that. Of course, you think that's important, right?
Yeah, absolutely. It's still fundamentals, but still relevant.
Exactly. Who leaves their desk in a way that people can pick up things or can access their computer? They just made a mistake. So that's quite obvious. But no, we don't want to talk about that. We want to talk about more modern, more topical types of attacks. We want to talk about this famous two-letter acronym, AI. We want to talk about how AI is transforming the traditional methods of cyber fraud, and why it is so important, why it is a significant concern for businesses today, including KuppingerCole. How do you see that in reality, in our daily business? How is AI influencing us when it comes to attacks?
Yeah, first of all, it's not the fancy darknet, whatever, doing stuff with hackers and all the stuff you see in modern movies. It's still more or less the fundamentals part, like taking advantage of phishing attacks, but much more personalized. I mean, all of you, including you and me, know about the famous African or Indian guy where we just need to transfer 10,000 euros, dollars, whatever, and then we get rich. But this is really old school and everybody knows about it, or should know about that. Modern technologies, and especially artificial intelligence, are much more focused and tailored here. AI can analyze a lot of data, it can use data mining techniques and all that stuff to really have focused and targeted attacks towards you specifically, as Matthias Reinwarth, as Christopher Schütze, or as you in the audience, taking knowledge from data breaches. So we are back in the darknet, getting information about you like birth date, city, previous companies you worked with, colleagues, so stuff that is publicly available on LinkedIn, for instance, and using this for very targeted spear phishing attacks, for instance. Not only like your boss is sending you something like "please approve". It's more the name of your boss, maybe the specific tool you're using within the company, with the exact layout these emails have, and then you need to click. And they are much more successful, we see this in any kind of analytics and monitoring, than the normal phishing emails. And this, taken in place combined with the automation and scalability that comes with artificial intelligence. Just take ChatGPT, give it a long list with 1,000 entries and say to it, generate whatever, very precise mails, standard patterns, whatever. Maybe better to use an API here for that. You get it. And then you can automate it. And even worse is... if something has changed, so some kind of real-time adaptability, like getting day-by-day input into these emails, modifying something or even manipulating emails.
Like, for instance, all the modern phishing campaigns are blocked on a certain level by email filters, security filters. And you always have the option to just slightly adjust the email, maybe something in the header, in the mail, in the body, and here we go. It's a new mail. And all of that technology is improved a lot by modern AI capabilities, which is a huge thing, really.
Right, and that makes things harder to detect. Our topic today is actually cyber hygiene, and that involves the organization, but also the individual, the employee, every one of us who deals daily with these attacks, just in the usual office environment. So what would be your recommendations? Now switching roles over to CISO. What can everybody do, or what should everybody do, that is different from what we've done before? Or is it just the same but more?
Yes and no. Now we are really back in the basics, talking about awareness. If people don't know that there are such specific, for instance, phishing mails, if we keep with that example, they are not aware that they need to take care. We need to train the people that there are new threats, that there are new challenges, not only regarding a phishing mail, spear phishing and stuff like that. Maybe even if there's a phone call by your colleague, by your manager, who asks you to confirm the email, to confirm the bank transfer that he shared with you via email 10 minutes before. And he will 100% sound like your manager if there is enough information about that person, just take Matthias and me as an example. There is a lot of audio information out there. You could easily create a new one, or we could create a new Martin Kuppinger reading emails, stuff like that. And that is the real threat. And here it really gets crazy, more or less. Take a huge stock company, and the CEO is mentioning something in the media. Maybe he's using LinkedIn, X or whatever is used and announces something, and you cannot identify it. So we really need to train the people to be much more sensitive in checking whether this is a relevant thing than before. In the past, we trained the people to, okay, check the URL in the phishing mail. Maybe you call the colleague and ask him, is this mail from you? And then you need to think even more about whether this is a relevant thing. What is the person, the attacker, trying to do or to ask me for? And I think this is really the most important thing. The people in the organizations are not at the level where they know about these threats. And this is something we need to fix really fast.
This is communication. And to be honest, when I first heard about deepfakes being part of these phishing attacks, I thought, yeah, OK, that's one year in the future, two years in the future. This is too expensive, this is too much work for just getting to my login accounts. But things have changed. Things have proven me not wrong, but maybe a bit too slow. So this is actually happening. So we need to make sure that people even understand that these deepfakes are out there. Voice is easier than video, but video is possible. And everything that you describe when it comes to mails and every type of communication, this is possible, and it's not only possible, it's out there, it's in the wild. So again there need to be, yeah, methods to be trained, habits that people can apply for even dealing with these deepfake attacks. One thing that I really like is having a kind of keyword that people have agreed upon before doing actual communication, so that they can ask for a specific wording. So if this is not returned by the simulated, deepfaked person, then something is wrong and needs to be verified. That is a good starting point. Any other methods for dealing with deepfakes? Maybe they just look weird.
Yeah, as I mentioned, for instance, they could look weird. I mean, just take the podcast here and the video. It's realistic, but you would notice in a deepfake, at least today, we don't know what happens in one year, probably a lot. Right now you can probably identify some things with the eyes; the mouth is not moving in synchronization with the audio that is spoken. So it looks more like something like that, for instance. You have fancy background shadows or things like that. And it just does not look 100% natural. What they often do is then they fake some kind of bad resolution, which hides this a bit. Also, this is a good example, because honestly, today most computers and built-in cameras have something like at least HD resolution, and if you then go back to something like 640 x 480, that's at least suspicious. And this is something you should consider, for instance, when we talk about deepfakes. But if you just receive a video, so it's not real time, it can get better. Just take, for instance, the typical Adobe Premiere suites and something like that. You can now manipulate the video so easily, and if you have enough time and capacity for good rendering, then it's getting very, very good. And then we are back to the thing that you really have something like you mentioned, something like a password. If we go back to passwords instead of passwordless, just in some different context.
Right. And as you've mentioned, the compute power, you've mentioned it in terms of rendering quality. But on the other hand, I think one of the big threats still is, and it's still highly ranked also when you ask those who are in charge, ransomware, and the way that AI-driven manipulation and slight changes of ransomware attacks work. This is really a way to make them more effective than previous forms of ransomware. Is this something that you see also in the wild? You look at our statistics.
Yeah, especially around ransomware. So when we are not talking about the end user, maybe even it starts with a phishing campaign and someone clicks a link and some malware and things like that. Ransomware currently, or in the past without AI, is very random. It's brute-force based. You just target specific networks within a company and try to get from one device, endpoint, whatever, to the next one, always with the intention to have more rights, privileges and things like that, till you reach the end of the journey and you have something like root access and things like that, and then really can install something and encrypt it and lock people out. And AI, artificial intelligence, really can help to do this in a more focused way. Typical protection tools around ransomware are preventing, or building something like honeypots, for instance, that have something in place like, okay, this looks awesome. And the protecting software then detects and sees, okay, that's the source IP, source pattern, whatever, I'll block that. And with artificial intelligence, you are not brute forcing, you're really taking advantage of the knowledge you get automatically, AI driven, to jump from one device, endpoint, to another. And so the likelihood of having success here is much higher, combined, as I mentioned, with the phishing attempts and the level of automation. You can do this in parallel, automated and intelligent, with multiple organizations or networks within an organization, which, again, the thing is, it's cheap and it's more focused. And so the expense of the attack is cheap and the potential outcome could be high. And that's the business model behind ransomware attacks.
Exactly. So we have to look at different aspects. One part is the technological aspect. These are the market segments that we as analysts deal with. So those vendors, those market segments that deal with protecting organizations from these types of attacks. This is the technical, the technological aspect. On the other hand, it's the human factor, it's the people, so the cyber hygiene aspect. So I think in the end, it's still required, and even more required, to teach vigilance, to make sure that people really understand that they should not only verify things, but really think them over. Does this make sense? Can this happen? Would they approach me this way? Does this sound like Matthias? Is it the right time for him? So these are things that I think also need to be trained even more. We all love phishing simulation trainings, not. But they are important because they make us at least verify things. I know many organizations, almost any, are doing it right now. And although they sometimes might be cheesy, sometimes they are really good. And sometimes you might catch something that was not that simulation. Maybe it was a real attack and you just caught it because you recognized the patterns. I think cyber hygiene is still required there. So one final aspect, before I slightly hint at our event in December, the cyberevolution: one aspect is disinformation, when it comes to trying to convey messages that are just not true, which are spread for the purpose of achieving things. That is growing as well. And it's also very targeted, right?
Absolutely. I mean, I mentioned this as an example for a chief executive officer of a stock company, but it is also relevant for every political statement. I mean, in the worst case, this can lead to military impact or whatever, if people would not realize that. So basically, awareness is..., more or less the same rules apply here, but we need to take care of all the media. And just take a simple example of someone saying something today and how this is spread over the world with social media and all that stuff. And this is something we really need to be careful about, because it could also be used for the right or for the wrong side. The challenge here is really, how can this be handled? I mean, disinformation, sometimes it could also be done for a specific reason, but how can you as an individual identify that? And this is really a challenge. Just take typical examples, or just take our cyberevolution last year. The opening keynote or session was done by Joe Biden. Thanks again, by the way. Not. And this is a good example: with pictures, especially with pictures, it's really difficult. There was a famous picture of the Pope wearing a fancy white winter jacket, and when I saw it first, I really thought it was a real one. And I don't know which image model it was, but it was completely fake. And just combine people, politicians or responsible people in an organization, talking to a competitor and just share this picture somewhere. There is so much threat and potential harm and damage to society or to the economy here that it is really critical. And I think the only thing we can do here is really check multiple sources and really verify your information. I mean, what else can we do right now, Matthias?
First of all, we need to make sure that we get used to the fact that this is around. So first of all, this is nothing sci-fi. This is out there. We need to deal with that. And it will be more, it will be better, and it will be more aggressive. We need to understand that. And the more this happens, the more we need to be in a situation where we double check, where we verify, just as you said, a callback: terminate the call and call people back to make sure that you really reach the right person. So really adding this additional layer of human intelligence to fight the really available and really out-there dangers of artificial intelligence even more consistently. There will be incidents, there will be threats, but it's up to A, technology, B, the people to be better. The adversaries, they are out there, no doubt they will attack us. We need to make sure that we, from every angle, can attack them or can protect ourselves from them attacking us. I think that's the main thing, the first thing is to understand the genie is out of the bottle. We need to make sure that we deal with that properly. We will be talking about that at cyberevolution. You've mentioned that before. That will be in the first week of December in Frankfurt. This will be a topic that we will cover, and it will be cyber hygiene for the company, but also for the individual. We are all endangered, and not only people working in IT companies, working in tech companies, working in large industry organizations. It's our family. It's our kids. It's our grandma. It's our mother. We need to make sure that they are equipped to deal with that as well. And that will be maybe an even more difficult story to tell because: I've seen that guy on TV and he said I should buy that stock, should be good. This is something we need to teach about, we need to educate, and we ourselves need to get better as well. So sometimes we are also surprised at what is already possible. So that will be one of the topics at cyberevolution.
Anything else you want to highlight?
Yeah, I think one important statement should be mentioned here as well. So we talked a lot about threats by artificial intelligence and things attackers can do. But for sure, we can also use artificial intelligence to prevent it, to detect it. So for instance, taking a picture, a video, putting it into some kind of artificial intelligence and really analyzing what is not visible to yourself, to a human. It is maybe identifiable with an AI that these eyes are not in sync, the mouth is not in sync and all that stuff. And the background is fake and something like that. And there is someone trying to act like a human, like your manager. Maybe it's the distance between words and things like that. Even if we have new challenges, new threats with artificial intelligence, we need, on our side, to train ourselves to use it against the attackers as well.
Exactly. The times of six fingers on the hand and weird eyes are almost over. So we need AI to support us in identifying these slight deviations that we would not notice with the eye, but maybe the systems can. And what will be next year will be covered next year. So thank you very much, Christopher, for being my guest today, for telling us about cyber hygiene. We are teaching that to our colleagues as well, all the time. And we're testing that with these tests, with these simulation tests. And we all don't like them, and they're so important. So, cyber hygiene, very important. Thanks, Christopher. Looking forward to seeing you in Frankfurt. And to the audience, if you have any questions, if you have comments, if you want to have topics covered in this podcast, please leave your comments in the YouTube comment section or drop us a mail. Drop it to Christopher or to me. We will be happy to answer your questions and to catch up with your topics. One slight hint for the future. The final episode for 2024 will be in the week before Christmas. And then there will be a short hiatus for some five, six weeks. We will come back in early March with new episodes, but it's just a hiatus. You won't get rid of us. I'll be back in March. Yeah, in February, sorry. And that will be the time when we also look back at cyberevolution, what has happened and how to continue the topics that we've covered in Frankfurt. But first of all we need to cover them. See you there. Thanks, Christopher.
Thanks.