Unspoken Security

Can We Social Engineer the Bad Guys to Shut Them Down?

A.J. Nash & Chris Birch Season 1 Episode 32

In this episode of Unspoken Security, host AJ Nash sits down with Chris Birch, an intelligence practitioner with nearly 30 years of experience, to discuss the ever-evolving landscape of social engineering. Chris's unique perspective comes from leading teams that actively engage with threat actors, turning the tables on those who typically exploit vulnerabilities.

Chris details how social engineering is simply human manipulation, a skill honed from birth. He explains how attackers leverage fear and greed, the fastest and cheapest ways to manipulate individuals. He also dives into how attacks have evolved, highlighting the dangers of increasingly sophisticated tactics like deepfakes and the blurring lines between legal and illegal applications of social engineering.

The conversation also explores the crucial role of organizational culture in cybersecurity. Chris emphasizes that awareness, not just education, is key to defense. He advocates for sharing threat intelligence widely within organizations and across industries, empowering everyone to become a sensor against social engineering attempts. Chris also shares a surprising personal fear, offering a lighthearted end to a serious discussion.


Unspoken Security Ep 32: Can We Social Engineer the Bad Guys to Shut Them Down?

Chris Birch: [00:00:00] Fear and greed have always been in the toolkits for every human intelligence officer in the world. Can I make you afraid? Can I make you greedy? Common social engineering attackers in the cybersecurity world rely very heavily on those two elements because they are the fastest and the cheapest ways to get the ball rolling.

​[00:01:00] 

AJ Nash: Hello, and welcome to another episode of Unspoken Security. I'm your host, AJ Nash. I spent 19 years in the intelligence community, mostly at NSA. I've been building and maturing intelligence programs in the private sector for, I don't know, nine years now, something like that. I'm passionate about intelligence, security, public speaking, mentoring, and teaching.

I also have a master's degree in organizational leadership from Gonzaga. Go Zags. And I continue to be deeply committed to servant leadership. This podcast brings all these elements together with some incredible guests to have authentic, unfiltered conversations on a wide range of challenging topics.

This is not gonna be the typical polished podcast. My dog makes occasional appearances. She is wandering around someplace today. People argue and debate. We even swear here. I certainly do my fair share. That's all. Okay. I want you to think of this podcast as a conversation you'd overhear at a bar after a long day at one of the larger cybersecurity conferences that we all attend every year.

These are the conversations we usually have when nobody's listening. Now, today I'm joined by a friend of mine going back nearly 30 years. Man, we're getting pretty old. His [00:02:00] name's Chris Birch and Chris is an intelligence practitioner 'cause he refuses to let me call him an expert. He's been working in intelligence analysis, human intelligence and counterintelligence since the late nineties when we grew up together in the Air Force.

He's brought those skills and concepts to the private sector where he's built and led teams that take it to the bad guys. Now he currently leads a team focused on social engineering and active exploitation of threat actors.

Chris, anything you wanna add to that?

Chris Birch: Yeah, actually, you know, the reason that I personally don't like to say expert is I think of myself as a lifelong learner. And the minute I think I'm the expert, I get blindsided and I learn something completely new. So that's just my own personal thing, but I definitely call other people experts.

I would consider you an expert as well. So just a personal thing.

AJ Nash: Nah. And I appreciate that. I'm the same way, which is funny 'cause neither of us were particularly humble when we grew up together. It's funny that the more you learn, the more you realize how much you don't fucking know, basically. And so we end up learning less as we go, or we learn more and we think we know less.

It's a weird way of looking at it. When we were young, I don't think either of us were particularly humble. I can tell you that, [00:03:00] but,

Chris Birch: Truth. Truth,

AJ Nash: anybody who knows us will probably attest to both of those things. Listen, I wanna jump into this though. It's a really interesting conversation. Like you've had a really interesting career. You've done some very cool things. Like you were downrange doing very scary stuff, and then settled.

I don't wanna say settled. May sound bad. But you worked your way into a cool gig in the private sector where you also do stuff that almost nobody else does, right? This whole idea of taking it to the bad guys. And so I really wanna jump in though, you know. One of the things you do is, and we talk a lot about the social engineering, right?

So there's a lot of people with a lot of different definitions of social engineering and how it really works. I kind of wanna hear from your standpoint, you know, what you think social engineering is, how you define it and is it legal?

Chris Birch: Yeah, so it's a great question. You know, and a lot of the times when I'm asked a question or I'm doing presentations or having any kind of, you know, seminars or teaching moments, we talk about what is social engineering, where do they come from, things like that. And one of the things that I like to tell people is humans have been social engineering since the day they were born.

You come out of the womb. Social engineering starts fairly basic, a little crying, a [00:04:00] little, being cute at times, crying at times, playing your parents like fiddles. To get food and protection. So humans are well versed in social engineering, but it wasn't until late 1800s that we actually gave it a name.

AJ Nash: Hmm.

Chris Birch: And it goes beyond just like the baby stuff. You know, it could be trying to get a date, it could be trying to get a promotion at work. It could be something as simple as, this goes back to the 1800s, fixing a factory that doesn't work. So that's where the concept of social engineering came from. And when I think about human intelligence and counterintelligence, the concept of manipulation comes to mind.

Social engineering is just human manipulation. It all really is. And hopefully you're doing it for good, but we both know that's not the reality of the world. Every single day there are a ridiculous number of social engineering attacks. I think I saw a statistic the other day, more than 98% of whatever computer security issues involve some form of social engineering, which makes perfect sense because humans use computers and that's the most vulnerable part of any network.

But legal versus [00:05:00] illegal, you know, is interesting 'cause we start going into what does it mean to do social engineering in 2025? And the answer is the social engineering itself I don't think is illegal. I think it's the impacts and the downstream effects of the social engineering. Within my group, we like to call it weaponization and monetization. I weaponize the social engineering to go from simply getting you to click a link to clicking a link and stealing your identity. Right? We're weaponizing it as opposed to selling you a new car, which is also social engineering, marketing. Some of the greatest social engineers you'll ever meet happen to work in marketing. So that's kind of the moral ambiguity around it. What are you trying to accomplish? You know, I mean, shoot, you used to coach. Coaching is a form of social engineering, getting the most outta your players. The halftime speeches. Those are forms of social engineering, and I'm sure someone's gonna listen and go, no, that's not [00:06:00] social engineering at all.

But it is. You're using words and tones and themes to create an action. You are taking somebody who may be despondent at halftime and reinvigorating 'em. Take some kind of action that you want them to take. Play harder in the second half. Don't drop the ball, don't get sick during kickoff.

AJ Nash: Right? Yes. So old stories for those who don't know, Chris and I go way back, like I said, in the Air Force, and I coached a football team one year on base, and Chris was on the team. And a good player. Not as good as he thought he was, but a good player. Probably our best or one of 'em at least.

But also, well, there you go. I would argue we had a middle linebacker that was pretty impressive. But Chris also had a tendency for being a little bit wild and bringing some risk into the occasional weekend for us. But, anyway, we can tell that story later on. I suppose if people are curious about it

Chris Birch: It's 

AJ Nash: and people are like, ah, what's this story?

Let's go back here. I'm not gonna give you that story, everybody. 'cause if you do, you'll probably use it to social engineer us later. But you're right. I mean, you talk about this like, I think a lot of people think of it. There's a lot of terms to this, right? So social engineering can be something as simple as, you know [00:07:00] what?

I want to get to the fourth floor of a hotel. I can't, 'cause I don't have a key, I don't belong in that hotel. It's not very hard to manipulate the front desk a lot of times to convince them you're either somebody who belongs there, you just got locked out, show up at, you know, you look sick, you look pregnant.

There's a lot of ways to convince somebody 'cause people generally want to help other people. You convince them and they break down all of their processes for security. And suddenly it's like, oh yes, Mr. Johnson, lemme help you. And the next thing you know, you're on the fourth floor. Or something as simple as getting in the elevator and just staying there until somebody pushes the right button.

And then that's the before you get off on if you don't have a key card to actually get there. Right? So, I mean, there's lots of those little manipulations. There's social engineering, you know, you can do it with customer service, you know, organizations a lot of times, to get, you know, discounts or bonuses or whatever.

I mean, anybody who's ever, you know, walked up to the line for the airline, you know, to get on their flight. And you noticed that the person, you know, at the gate, I don't know, was wearing an Atlanta Falcons pin. Since Chris is a Falcons fan, we'll talk about the Falcons. And suddenly you start up this conversation about the Falcons.

You don't give a damn. I couldn't care less about the Falcons. But you [00:08:00] start up a conversation, you get buddy-buddy, and then, oh, lo and behold, you get an upgrade. So I mean, there's a lot of ways to do it, right? Like you said, it's just motivating people. But I think what I wanna ask more about when you talk about doing this towards the bad guys is, you know, the deeper components to it.

You know, the offensive components in terms of cybersecurity. How are you going down that path? And talk a little about the process for social engineering the people that really are supposed to be immune to this stuff. They're supposed to be the ones doing it to us, not the other way around.

How are you able to do some of that?

Chris Birch: So it's a great challenge and I don't wanna say there's luck involved, but there's a little bit of luck involved because I think the hardest part, you know, I mean, I can go into the weaponization, I can go into the monetization, we can talk about hooks, we can talk about how the social thing is gonna work.

We can get into all that kind of stuff. We can talk about human psychology and how people are predisposed to be helpful in certain scenarios. But when you wanna think about it from a bad guy perspective, you know, we're going to knowingly go into a threat actor, to the bad guy, and say, all right, gimme what you got.

We want them to come at us, we want them to social engineer us, not the actual customer [00:09:00] service rep. There's a little bit of luck there, getting ourselves in harm's way. So that's the first problem, meaning, as an organization, we would have to solve. But once you do that, the scenario then goes into what I call the playing dumb scenario, right?

We obviously, we know with social and we know we're lying, we know it's all fake. We know they're the bad guy. We have the advantage here, but we need to make them think that they have the advantage. So you come and you play dumb. You come in, you're overly helpful, you know, you do a lot of rapport step, thinking about human intelligence. Social engineering, the rapport step, the opening step is really big.

You know, you can't just come smashing in there. And I know that's kind of counterintuitive to how some social engineering works, right? Create urgency, create a sense of urgency, immediate requirements. You don't think, you click and it got you. That's true. That is a very prominent and valid social engineering capability or technique.

AJ Nash: Mm-hmm.

Chris Birch: But it's all evolved from the classical human intelligence techniques of the rapport step. Then I start to introduce, I start to identify motivation. I start to identify what's gonna drive you, and [00:10:00] then I start just leading you along to where I want to go with this. In the cybersecurity world, these timelines are shrunk.

AJ Nash: Mm-hmm.

Chris Birch: Now, fear and greed have always been in the toolkits for every human intelligence officer in the world. Can I make you afraid? Can I make you greedy? Common social engineering attackers in the cybersecurity world rely very heavily on those two elements because they are the fastest and the cheapest ways to get the ball rolling. You have kiddie porn on your computer. I'm the IRS. I'm gonna take all your money and secure it, da da da, da, whatever, whatever. You know, like that's a very common one we've seen where they come in, they'll do a Google or shot of your house. They got your PII, they got your personal information from some random breach somewhere, and they're just shotgunning it, right?

Well, the first person who replies, that's the hook.

AJ Nash: Well, it's funny you mentioned that. I'm gonna interrupt real quick because I had this not too long ago. I had a friend of mine ping me with this exact scenario. So anybody listening, if you haven't heard of this scenario, it's worth listening to briefly. A buddy of mine pinged me and said, you know, he was worried, somebody had reached out to him in an [00:11:00] email and they said, you know, we've been monitoring your computer, we've seen what you've been doing, very vague stuff.

You've been doing some, dirty things and we've seen it and we've got snapshots and we're gonna send it to your family. if you don't pay us in, whatever cryptocurrency they liked that day. And like you said, they send you a picture like of your house and your address and some personal information, which is all publicly available, garbage.

Really. And this is a guy in our industry. He's a smart guy. But he got nervous and he pinged me and asked, you know, was this real? Should I worry about it? You know, and I, you know, explained to him, you don't have anything to worry about. I said, listen, I don't know what you've been doing, but the fact of the matter is these guys are just betting.

Everybody's got something they're ashamed of. It doesn't even matter if it's criminal or not. And he's not to my knowledge of criminal law doing anything like that, but you know, he probably watches something risque on his computer, whatever. And I said, that's the thing, they're just banking on that and it's a shotgun.

They're gonna send it out to everybody and then see who responds. And the first person who responds is their victim. Now, okay, here's somebody who's got some shame, some guilt, some fear, and doesn't wanna get caught because whatever. And it doesn't have to be illegal or anything, it just, it's about how you feel.

You know, I [00:12:00] used to tell people doing polygraphs. This is pretty graphic. So if anybody wants to turn, tune out for a second, that's fine. I said, and listen, the polygrapher doesn't care if you have sex with goats. They care if you care if you have sex with goats. I mean, they might care if you have sex with goats.

I'm not recommending it. But the point is, it's about your shame and your fear. It's about what you can be leveraged. All right. This friend of mine, I have no doubt he is watching perfectly legal pornography. He's an adult, he's watching perfectly legal stuff, but there's a shame and a fear component to it.

Now. It doesn't matter. It's just as bad for him as if some people are watching things that are very illegal or doing illegal acts. And that's the key, like you said, is it's just about shotgunning it out because the stats tell you, most people have something they're ashamed of something they're afraid of.

They've done something in front of their computer and that, and you know, they get this letter, it says, ah, your camera was on and we caught you doing the whatever the hell it was that you do in your private life. And so then they exploit you. And if you take the bait, then you're probably gonna end up giving them money or whatever.

And that just gets worse, by the way, for anybody who makes that mistake. If you get blackmailed, it doesn't go away. You're just [00:13:00] gonna keep getting blackmailed. I'm sorry to say, if they really have something on you, you're just gonna have to live with that probably 'cause it just gets worse.

Chris Birch: And that's a great example of the fear component, right? You know, I'm trying to, you know, I, in the sense being the bad guy, I'm trying to generate that fear. Fear of your wife or husband finding out, fear of your boss or neighbors or mother, whoever, you know, Sally, brother, cousin, whatever, whatever.

Figuring out, you know, and I think there's. And when you're talking AJ, there was a thought in my head about the duality of the internet. You know, we will get on the internet and we will scream to the world, whatever we think, you know, from the privacy and anonymity of our own home.

But when you breach that anonymity and even the thought of that anonymity being breached. We're all very much, Ooh, no, no, I'm not interested at all. You know, so Johnny likes porn, watches, porn, 24 hours a day. He may not have an issue with that in the privacy and anonymity of his own home, but when that's suddenly being talked about at church or school or work or whatever, now it's a big deal.

So that's a fear factor. [00:14:00] Conversely, you know, the alternative to the fear factor is the greed approach. We all know the poor Nigerian prince trying to give away money for years,

AJ Nash: Yes. It's amazing.

Chris Birch: I mean, that guy is still trying, I mean, he's really generous, you know, but people fall for it 'cause of greed.

You know, I think I can make money quick, I can get rich quick. And what upsets me in a lot of the investigations that I've run, particularly in the last 18 months, I would say I'd go back further than that, post-Covid, I would think, post the pandemic, are the work from home scams. They're actually getting on like Indeed.com and things like that, you know, job sites.

And they're offering work from home jobs to the, and it's mostly single parents. Desperation, not necessarily greed, but it's desperation, which ties very closely to greed. I need, I need, I need, I want, I want, I want. And they get sucked into these scams. And these are organized crime groups, often Eastern European, that are running these scams.

And there's, I mean, they're really well done. They'll have portals you log into, they'll have, you know, HR people that'll come. I mean, it's probably like three people posing as 10 people. But you

AJ Nash: All AI now.

Chris Birch: Yeah, you'll have HR folks. You gotta [00:15:00] talk to Sally on Thursday for your HR thing, and you'll talk to Bob, your manager on two, you know, Friday.

It's really well done and these people will just fall for it. And ultimately that end game for them is money laundering. They recruit you, they social engineer you, start opening accounts for them, they start money laundering through your stuff, and then you're the one left holding the bag.

AJ Nash: Yep.

Chris Birch: So it's really awful in that sense.

AJ Nash: Well, and there's another component that occurs to me. So you're talking about fear and you're talking about greed. And there's a third component that comes to mind that I think in a sense is greed. Actually, it's just in my definition. So, a lot of social engineering, you know, leverages sexuality.

So, I just literally today had something happen, you know, I don't know, an hour before we started talking, well maybe two, 'cause we spent like 40 minutes working on sound today 'cause my computer was all messed up. But, before we got on, at least. I got a message on, I happened to be on LinkedIn.

Somebody, you know, messaged me outta the blue and they really enjoyed following me and getting to know me. I've never talked to this person before and there was just something off about the profile. So I took a look. I'm like, somebody says they're like a fashion designer or whatever, you know, pretty girl.

Just didn't [00:16:00] make sense. Not part of the industry, not somebody I've ever talked to before. And I had a little time to kill. So it's like, lemme go down this rabbit hole a little bit. Didn't take long. I'm actually in the process of, I'll probably write something on this, but next thing I know, I've got five or six profiles.

Same company. They're all the same profile, different name, different picture, but you know, the exact same opener, the same background. Boy, you've worked the exact same months and years at all the same places, same titles. This is very interesting. It's very hard to believe that this company has like six women, all very pretty women, that all have come from the exact same place.

They all came, they all went to university in Kyiv for some reason. They have all worked in Paris. It's very confusing, and very unlikely, right? But that happens because the idea is that, you know, they're gonna go after somebody. I would be, I would guess there's a very good chance that every one of these profiles is targeting middle-aged men.

If I had to guess, maybe not. I mean, I don't wanna judge on sexuality or whatever, but I'm gonna guess a lot of these are targeting middle-aged men and somebody's gonna take the bait and say, oh, this person's interested in me, and they're gonna start this whole conversation and wherever it's gonna go.

And I, the reason I say [00:17:00] that's sort of a greed factor, and this is probably bending it a little bit, but listen, I'm 50 years old and anybody's curious and the hell with you if you are, but I'm 50 years old there, the 24-year-old European model that just comes outta the blue and pings me, probably not.

So if you believe in that, there's a sense of greed though. Like, Ooh, I deserve this. Now I'm also very happily in a relationship and I have no interest anyway. But there's a greed factor in my sense, in my mind that somebody fools themselves. Maybe there's a pride factor. Maybe there's some others you can talk about, fools themselves into thinking this is real, right?

This is the old honeypot scam. If somebody who listen, be honest with yourself. If somebody who's not in your wheelhouse is suddenly very interested in you. It's not real. It's no different than the Nigerian prince. All right? It didn't just happen. You didn't suddenly win the lottery. And this, you know, this person who's been modeling fashion for years and is half your age and doesn't know you at all, suddenly is enthralled by you.

Seems really unlikely. But it happens all the time and people fall for it constantly because we lie to ourselves or because like I said, I kind of feel like [00:18:00] it's a greed factor. Like, oh, I want this thing that I don't deserve. I'm not entitled to, I haven't earned it. It's not real.

And people get sucked into it all the time. And of course, I did respond to her and I'm really looking forward to meeting her now. No, I'm just kidding.

Chris Birch: bells. So it's funny, I'm glad you brought that up because that ties into, you know, there's a lot of things to get into the psychology that ties into, but you know, when I put my counterintelligence hat back on. You know, I would tell people, if you're out and about at the bar after work and you've got your intelligence community badge in your top pocket, you know, prominently displayed in your top pocket, and she's a 10 and you're a two, she's not really into you.

She's out to get you, you know, and having that sense of humility. 'cause I think it's ego and it, right? It's delusions, you know,

AJ Nash: And men are great at thinking we're a lot more than a two. Like no guy thinks he's a two. I know guys who are lucky if they get to be a two. No guy, no guy thinks he's a two. Every guy seems to be two points above what they, you know, they think they're two points above whatever they are. And women tend to downgrade themselves.

It's a weird part of the world, I think, but [00:19:00] I don't know any guy who doesn't think he can pull nines and tens all day long. I don't care if they're just a slug, like they can be dumb and ugly and like, have nothing to offer. And for some reason they think they're, and by the way, I should stop this for a moment, for anybody who's getting offended that we're using numbers to rate people.

You get the point of the message, all right, this is, I'm not really trying to go down that path, but you get what we're saying. And if you haven't noticed, we're really denigrating men more than anything in this particular part of the conversation, but there's guys just think they, they're in domains that they're not a lot of times, and we're easy suckers for this.

I don't see the honey pot, the sexual ploy working as well with women generally. I think women are, brighter in this area at

Chris Birch: Yeah. I think they're smarter and wiser when it comes to that. Men, sorry guys. We're gonna take this on the chin. Too bad. So sad. We're suckers for it.

AJ Nash: Yeah.

Chris Birch: Like you said, you know, we tend to think of ourselves as the best football player on your team when it may not be the case.

You know, we always think we're hotter than we really are. We're more attractive. We look younger. I only look 25, right? We have these [00:20:00] really weird perceptions of ourselves and threat actors know this, understand this, and definitely will try to take advantage of it, whether it's a used car salesman, you know, I mean, come on.

You know, whether it's real estate, whether it's, no kidding, nation state spy games, you know, coming up to you in a bar in Paris, you know, oh, AJ, you know, what are you doing? You know, use the right bait to catch the fish you're fishing for. And well, it speaks for itself.

And it's not just in the cool spy stuff either. It's in scams. It's in, you know, when you look at impersonations, nobody impersonates Jabba the Hutt, they impersonate Princess Leia.

AJ Nash: That's a good point. That's a fair point. Never heard it put that way, but it's, I mean, you're right. I mean there's, I mean, listen, there's psychology. We know this. People who are taller are statistically more successful. People who are considered to be better looking are statistically more successful.

Life isn't fair. Society is not fair. [00:21:00] Social engineers know this though. They're not going to go outta their way to, you know, impersonate the person who's, just on stats alone, less likely to be engaged or interested, right? I mean, it's just, it's a thing. Like I know a lot of people who do physical pen testing, physical security testing, and women are really, really good at this.

One because, I mean, listen, these women are smart and they're brilliant and they're talented. I'm not taking anything away when I say that. The other advantage on top of it is the gender advantage. It is not the reason they're successful. I'm not gonna take anything away from these women. I know some brilliant women.

It is an advantage on top of it. They can cry and people will, you know, men are suckers for criers. A lot of times they can fake pregnancy, which guys really can't do very well as it turns out. They can, you know, they have other advantages, right? They can do damsel in distress. They can play the sexual card.

All the things that men just generally aren't really good at in social engineering. So they have advantages on top of the fact that the women I know that do this are brilliant and very good at it. But it's just a different thing, right? This is an area where, you know, men and women act a little bit differently.

Chris Birch: The taking advantage of psychology, you know, like men and women have [00:22:00] different psychology. We're wired differently. We see the world differently. We have different, you know, if you think about like our hierarchies of needs, you think about how we operate, you know, there are big differences and pulling strings and understanding how to pull the strings.

This goes, when I said earlier, weaponization, right? Every single human being on this planet, social engineers to a degree. These incredibly intelligent, incredibly talented people can weaponize that to great effect. You know, and that's where the success comes in. And, you know, we're gonna get heat for this, but men are suckers.

AJ Nash: Who are we gonna get heat from? Everybody knows it's true. Like any man who

Chris Birch: It is true.

AJ Nash: Yeah. Any man who thinks otherwise is deluded.

Chris Birch: Anybody upset is lying to themselves.

AJ Nash: Yeah. Women are gonna love this show. They are like it's about time. Somebody said, men are stupid. We are suckers. Like, you know, there's a lot of things that we could be doing better as a gender.

But, yeah, go on.

Chris Birch: But leaning back into psychology for a minute, you know, like, and I mentioned Maslow's, you know, and there's also Hofstede, you know, those are two very powerful psychological [00:23:00] tools. I'm gonna call 'em tools.

AJ Nash: Sure. 

Chris Birch: Let's go with

AJ Nash: Yeah. They're models, whatever you wanna call 'em.

Chris Birch: Yeah. I think models is probably more accurate.

But you know, for those folks listening today who are interested in social engineering and how the human psychology behind it works, I would encourage you to go look at those. Maslow's paints a picture of the basic needs for a human being. You know, with self-actualization at the top, you know, food, shelter, things like that.

At the very bottom, as a social engineer, as a threat actor, you know, if I'm not gonna use fear, you know, oh my God, this thing's happening. Gotta do this right now. Or greed or whatever. You know, you can look at that and spend some time in targeting reconnaissance, intelligence gathering prior to the engagement, and find out what in that pyramid is missing.

If they're disrespected at work, show them some respect. If they feel like they're smarter than anybody in the room, play dumb. And let them teach you, you know, elevate, promote them, and they're gonna want to talk to you. They're gonna wanna show off. You know, if it's a Jabba the Hutt, go be, Hey, you're so handsome.

You're so strong, you're so nice, you're so whatever. Whatever. [00:24:00]

AJ Nash: I like big men without

Chris Birch: This is the rapport step. This is the rapport. you're buttering the toast, you're getting them ready to talk. You're get, you're loosening them up and you're skipping the, snapshot fear, greed thing with, you see in phishing emails, things like that.

You have porn on your desktop, whatever,

AJ Nash: Mm-hmm.

Chris Birch: you can have a much longer engagement. Hofstede's is secondary to that. And I would say that's the graduate level work. And that's where you start looking at the cultural impact on their psychology. Are they a more team slash family oriented culture?

Are they individualist? Are they high power distance? Are they not the United States? Nope, we are not high power distance. You can call your boss Tom all you want to, right? That doesn't make us crazy. That doesn't throw us off. But if you go to a high power distance culture, East Asia, Russia, those examples come to mind.

You'll have 55-year-old men calling their 25-year-old boss, sir. Hey, let's go out. Let's go get it. Let's go get lunch. Oh, I can't do that. That's too crazy. That's that. [00:25:00] No, that doesn't work. So that's, there's differences in culture. You know, you can exploit that. So for an example, if you're gonna call in, let's say you're doing some call center fraud, and your target uses an Indian based call center or an Asian based call center, come in there hard with a high level identity.

I am the CFO. I am the CEO. I am the top lawyer for the firm. My billables are $2,500 an hour. You just, you could be as rude and as crass as you want to because that's what they expect.

AJ Nash: Mm-hmm.

Chris Birch: And you are forcing them. You are impacting fear and greed in one big swoop. They're gonna lose money.

They're gonna lose their job. You know, it comes in really well. But again, understanding Maslow's and Hofstede's can really help you put those pretexts together to hit 'em on more counts.

AJ Nash: and that's a really good point because, so that gets into some sensitive areas for people. Like when we talk about social engineering, I think it's important to remember. Because I'm about to dig into some more of this too. What you just said isn't about what we believe or what we think is right.

It has nothing to do with that. It doesn't matter. It's what is, and recognizing what is and [00:26:00] utilizing that. And it, and that can be really challenging 'cause it gets into discussions of what you're stereotyping people or you're, you know, that sounds racist or biased or whatever it might be.

And it's not intended to be that way at all. There are cultural differences and ignoring them doesn't make you successful. As you said, there are cultures where losing face is incredibly important. And America doesn't, is not one of 'em, right. Most Americans don't care about being embarrassed in terms of how the rest of the world would look at it necessarily.

Shame isn't a really big part of our culture necessarily. It exists. There's a level, but it's very different than, say, you know, Japanese culture, for shame. Right. And it's the same thing again with dealing with men and women, sometimes dealing with different races within the US, which is what makes this a really challenging place to work, I think.

There's a reason stereotypes exist and there are times and places when you have to take advantage of those, at least if you're gonna do social engineering, especially if you're gonna go after the bad guys, right? Because then you've gotta know their culture and their background. Are they Eastern European?

Are they Middle [00:27:00] Eastern? Are they US bad guys? What are their fears gonna be? What are their motivations gonna be? Where are you going to get inside of their psyche, right? And be able to turn the key to getting where you're trying to go. And that requires being brutally honest about our understandings of people.

and sometimes that, that requires going down paths where I know people have been in this or have been exposed to it who think terrible things of people who do this stuff. And it's like, listen, I'm not saying these are right or wrong things, and I'm not saying they're general to everybody necessarily, but if I've.

Done some research on somebody, and I have found out what their motivations are and their motivations happen to really line up well with just a stereotypical version of their gender, their race, their culture, whatever. I'm not gonna ignore that, just 'cause it's there. I can't be like, wow, that's, I shouldn't do this because it looks bad.

That's who they are. I've done the research on it and they line up with these stereotypes and now I'm going to lay into those stereotypes because my job is to accomplish the mission right? To get inside of them, to take advantage of them, to turn them to do whatever it's, I'm [00:28:00] gonna try to do, which I'm gonna ask you more about, but I think it can be challenging when we talk about these things objectively and openly to make sure people understand.

I'm not saying, Hey, this is right or wrong. I'm not saying this is general to everybody. I'm not saying these horrible things, other than the fact that they fit sometimes. This is how cultures work. Hofstede's is a really good example of that. I've done business around the world and I've said if you do business in Japan.

It's going to be very, very slow. The Japanese are wonderful people. I've enjoyed working with them a lot, but the Japanese culture is very much about consensus. Even if you're talking to the highest ranking person in the US, you get a hold of the CEO, you convince the CEO, the CEO goes, do it, and everybody else just has to fall along.

That's how it works. Not in Japan. The CEO could decide on day one. They wanna do it, it's going to take a long time. They're going to get consensus from other people. There's, it's a way the culture works. and it's important to know those things because it also affects how you're gonna compromise somebody.

Whereas in the US it's a lot more fluid and things are different, and one cowboy can kind of get a whole lot done or a whole lot broken as we're seeing some parts of the world right now, because the culture is different. Right. So, anyway, I gotta stop talking and kick it back to you, but I wanted [00:29:00] to, make sure I, wanna make sure I got that point out that this is, this can get very sensitive and it's, we're not talking about what we think of the world.

We're talking about what we know of different cultures and how it fits.

Chris Birch: Humans are messy. And when you think about Maslow's, it's much more to a point. But when you think about Hofstede, you know, it's cultural norms. You may find the guy who doesn't fit his culture because he's the anomaly. You know, it's all bell curves, right? It's all bell curves. And that's Hofstede.

You know, it was lots of study, lots of research, you know. But these are bell curves,

AJ Nash: Mm-hmm.

Chris Birch: you know, the chances are solid. You're gonna hit in that middle. And these are what the cultural norms are going to be, you know? And it doesn't matter what their ethnicity is, it's the being part of that culture. You know?

So that's, I think that might be another key point there is it's not about the ethnicity, it's about really being a part of a culture, and lots of ethnicities can be parts of lots of different cultures. I mean, shoot, just a few days ago, everybody was Irish, right?

AJ Nash: Right. Briefly.

Chris Birch: Except for the Scottish, they're always Scottish.

AJ Nash: They don't want to be Irish. It's true.

Chris Birch: That was actually a shirt I saw on St. Patrick. [00:30:00] Everyone's Irish except for the Scottish. They'll, they're always Scottish. Anyway, it was fun in an Irish bar, seeing that on a shirt, I was like, oh, that's, one way to go.

AJ Nash: That's a good point, but it's a good point. You mentioned the culture. It really isn't about race, right? I mean, there are countries that are very conservative, right? I think, what is it? Iceland, I think, is known for being kind of stoic, right? And the Finns are known for being sort of stoic. You don't see a lot of, you know, worldwide comedians coming out of Finland or Iceland.

It doesn't mean there's nobody funny in Finland or Iceland, but their culture tends to be a bit more stoic, right? And Americans tend to be loud, and, out there, right? That's kind of our known international existence, right? Canadians are notoriously polite. It doesn't mean every Canadian's polite, but I have seen Canadians get in car accidents that they didn't cause and get out and apologize.

It's, they're very nice people, generally. So it is, it does help to know these things as a place to start, right? And then you gotta focus on, I think, your actual target and see if they fit right.

Chris Birch: Yeah, that's when you start pushing buttons and pulling levers, right? You know, I mean, you're trying to get in, you're trying to get the ball moving, you're trying to get things happening. You can't, you don't walk up somebody like, look at a picture and say, all right, I know these are the buttons to push.[00:31:00] 

No, you gotta start the conversation. We talked earlier about bad guys shotgunning it out. Your generic phishing, that's gonna be the most basic level stuff. And really quickly, I'm gonna interrupt myself, that look, that's how awesome I am, interrupting myself. We actually had a significant debate, me and some colleagues, around why is phishing so bad? Because you think about all the phishing education, training, all the educational material you see, it's always the look for typos, look for grammar, look for this, look for that. And it's like, why are they so bad and why do people fall for

AJ Nash: Mm-hmm.

Chris Birch: The best theory we came up with, we being the people who were, you know, that I was working with on this,

AJ Nash: Yeah. Yeah.

Chris Birch: was that it's about numbers.

If I have, if I spend a whole lot of time crafting a perfect message, then I get someone like AJ on my hook. I have a very long road ahead of me till I get to the monetization step. 'cause he's gonna have [00:32:00] scrutiny. I can't pass it off to another threat actor. I can't, you know, well, I'm gonna go to bed, Bob, your turn to, your turn to talk to this guy.

It's gonna be a lot of uphill sledding to get him from hook to, from weaponization to monetization. That's gonna take time and effort and it's gonna be hard and time is money.

AJ Nash: Mm-hmm.

Chris Birch: And I'll come back to that later in the show I'm sure. But time is money, so they don't wanna have, they don't wanna work.

Predators are inherently lazy. So if you dumb it down a little bit, if you make some mistakes, if, you're not perfect and I need to actually get one of these guys to confess, but if you're not perfect, the theory stands right today that potentially there's a little bit of intention there because if I weaponize with imperfection.

The road to monetization might be downhill, not uphill.

AJ Nash: Oh yeah, you're targeting dumber targets, right? It's net fishing versus line fishing. Like, do I want to cast the perfect line with the perfect bait and fight a sailfish for the next eight hours? Or do I just throw nets out there and catch all the salmon I can get my [00:33:00] hands 

Chris Birch: Right? 

AJ Nash: on?

The sailfish is probably worth more in and of itself, but I'll just take all the

Chris Birch: the crappie over the tuna.

AJ Nash: yeah, that's right. I'll catch the small, crappy fish and, make sense. I know you say crappie like the kind of fish, but I'll catch the small fish and it'll add up over time and it's less effort than trying to get the perfect one. So, you know, it's the difference between phishing and whaling, right? If you have a specific target you need to get, you know, if you have to get the person that you know is crafty and is experienced, then you're not gonna get them with the easy one. But for most it's just, hey, just throw it out there and see what happens.

Email is basically free, right? So you can just send them to the world. You know, you mentioned that like 90 some odd percent of all cyber attacks, you know, involve social engineering, and that's because phishing and business email compromise are still the top attacks out there and it's 'cause you can still send 'em for free. You know, you don't have to put a postage stamp on an email and so you can send out millions of these things and just wait and there's a percentage.

Yeah. And negative AI do it.

Chris Birch: Oh yeah. And AI, you know, AI is lowering the bar. We've, I've had numerous conversations around AI and what does that mean to social engineering? [00:34:00] And I always take it back to, you know, let's jump into the DeLorean and go back in time. I take it back to when scripts, you know, like Metasploit, things like that were written, when you started having script kiddies, the birth of the script kiddies, sorry, script kiddies.

The level of entry, the bar of entry to get into hacking was lowered. It was easier to get into and be a quote unquote technical hacker. And, you know, doing exploitation with software because you had, you had tools. People started doing software as a service. People started creating tools and passing those tools around.

And that lowered the bar. Your talent mattered less than what tools you had access to, what communities you're tied into. And the same thing applies to social engineering. You know, the Frank Caliendos or whatever, who could do all the voices, that was the OG deepfake, that's how I wanna pretend to be somebody else.

I gotta do voices or I have to hope they don't know them and do some other tradecraft. But today you can literally take our image on this podcast right now, our voice on this podcast right now, and come up with whatever you wanna come up with. And that's where we're headed. So the bar [00:35:00] is being lowered, and so the social threatscape is going to get worse and worse and worse.

And, unfortunately, I think that. The road we're on, and this is my opinion, and you what to say about opinions, the road we're on that road ends with 100% effectiveness in the deepfake, 0% effectiveness on the defense. And we're gonna have to rely on process and policy to protect ourselves from deepfake.

We do not have CEOs calling and making, requesting transfers to random people. There's gonna be an internal process for that. You will have policies around what does authentication look like. Recognition cannot equal authentication. But the sad truth is every industry in the world, make it easier for your customers and clients.

Make it easier for people to authenticate. Let's use voice and that's gonna be fine until one day it's not.

AJ Nash: No, you're right. I mean it, and I've talked forever now, ad nauseam, about a post-truth world that I think we're heading towards just, you know, very, very rapidly. And AI is a good example. We're already at a point, you know, where it's like, well, was this story true? Wasn't it true? You know, the audio may not be anymore.

The video [00:36:00] may not be. I mean, we're past the point of just regular old phishing emails. I mean, I've seen scams, and I'm sure you have too, where people get on Zoom calls and there's 80 people on the Zoom call and they're all fake. You're, the target. Everybody else in that call is fake. It's all AI generated.

But I mean, who's gonna, who's not gonna fall for that? If you get into some kind of a meeting and everybody's there, there's dozens of people and they're all interacting and they're all looking pretty realistic. You're the only one who's not, you know, who doesn't realize it, right? You're the target. Yeah.

You're done for, probably, and that's, that technology's readily available. It's inexpensive. So it is gonna, like you said, it's gonna come down to process, you know, talking about business email compromise all the time. It's a really stupid, simple scam, frankly. somebody pressures you to do something.

Hey, I, get ahold of the payroll department and I say I'm a whatever and I need you to, you know, push money right away. And you push back a little bit. Well, this isn't the process. And that guy gets more and more aggressive and, at some point, the person who's in charge of making the decision on whether money goes, has to decide what's more dangerous for my career, standing up to a C level, who's telling me they're gonna fire me if I don't do what they tell me to do immediately, or potentially creating a [00:37:00] fraudulent transfer of money, they're probably gonna move the money because they have more fear.

I tell people all the time that the solution for business email compromise is, A, a culture. Be able to stand up to senior leadership without fear of losing your job. And B, something as simple as a rotating daily password, which any dope can create, or pass phrase or whatever it is. That's gonna knock out a vast majority of these.

Not all of them, but almost all of them. Just simple as that. I don't care what rank you are or position you are, sir. Ma'am, what's the password of the day? That's it. I mean, it's gonna ve them period. And, know that you cannot be fired for asking that challenge question. The C-level or whoever it is.

Nobody has the authority to hold it against you. And as long as that's a policy, most of this business email compromise would just disappear. Now, I don't care how much the bad guy screams and yells and gets more and more angry and more and more threatening, the truth is they're not the C-level. They're not actually capable of doing these things.

They'll eventually give up and move on because they can't get past that. And it's a very simple barrier that most companies just don't have.

Chris Birch: I mean, you said the word fear. Right. You know, we, I, we talked about earlier, in the show, fear, [00:38:00] drives a lot of these, we'll call 'em 

AJ Nash: Mm-hmm. 

Chris Birch: and going to your point about passwords, I mean, you don't, I mean, that, that's pretty, that's a pretty sophisticated answer, you know, like it, but almost every business has Teams or Skype or Messenger or some kind of internal communication tool.

Bing. Hey AJ, are you trying to make me transfer a quarter million dollars out of our account? I don't think that Unspoken Security should be doing that. Oh, you, it really is you. Oh, apologies, sir. I'll get right on it. I mean, it, that shouldn't be a fearful moment. But in, in too many businesses, too many companies around the world, that is a fearful moment.

How dare I, and this goes back to high power distance, low power distance. You know, it doesn't scare me to ping the boss. But there are people it terrifies,

AJ Nash: Oh, yeah. Yeah. And I think we're getting worse at that in our culture. Even like it's the, the more American culture has been like, Hey, I'll reach out to whomever. But I think we're actually seeing in, in my lifetime, I've seen a shift. I think people are less empowered, for a lot of cultural changes we've seen to do that.

Right. I think it's, more. Frightening than it used to be, to run something up the chain. And, I think it's gonna get worse as it [00:39:00] does. I think we're gonna see more of these kind of events actually work, because again, what's more scary? You know, risking standing up to the boss or just sending some money someplace.

Well, the money went away. Everybody gets compromised at some point happens. Companies don't seem to care as much anymore. Well just raise the prices on customers, whatever. so you're less likely to have a problem if you end up sending money someplace. I think we have to reverse that trend. I think people have to have, you know, a an avenue of approach where they're a hundred percent protected, because it's in the best interest of the company, to work that way.

And if they do, then this really is not a complicated thing. You know, we have all sorts of 2FA, right? Any sort of two factor authentication code that rotates could solve that problem. And you just have to be locked in on it and say, this is it. You cannot move money without doing this thing.

And then somebody has to compromise that. It's a lot harder process.

Chris Birch: Well, yeah. And that goes into social engineering 101. Right. You know, when you think about controls, there is no, I mean, this, the best control is a healthy dose of skin, of cynicism. But a little paranoia is like, you know, salt and pepper, salt, paranoia, [00:40:00] cynicism to salt and pepper for social engineering.

But every control, every speed bump you add complicates the calculus for the social engineer. I have to defeat. I get, I need an identity, then I need to win the rapport step. Then I've gotta know what I'm going after. You know, like, I mean, I've seen case studies of social engineers.

It was like dogs chasing cars. Right. You know, I'm gonna quote that scene from Batman. I, what, when the Joker said I wouldn't have, I wouldn't know what to do if I caught it

AJ Nash: right.

Chris Birch: Bad, guys who got in. They're like, okay, now what? I don't know how to play the piano. I'm in front of a piano. What do I do now?

Because they didn't, if they knew how to, they knew what to do, there would've been real damage. But as it was, just an uneventful penetration, great. Dodging a bullet. 

AJ Nash: Yeah. So I, I wanna jump in, real quick because I, gotta move on to another question in a minute. But before we do, I sidetracked you a little bit when we're talking about, you know, how you Yeah. A lot, right? That's what we do, but how, you actually [00:41:00] apply this to bad guys, right? So, again, we're dealing with the bad guys.

you've talked about, the fear and the greed and, they're still humans. They're like everybody else. They have the same, you know, weaknesses, but, you know, what are you actually doing, right? You're reaching out. Are you, you're getting, you're letting them come to you and then you're turning it around.

Talk a little bit about that and, like how you're, actually targeting bad guys with this stuff.

Chris Birch: So that's why I said earlier is a little bit of luck, right? how do I get, how do I get in their way? How do I find myself connected to the bad guy? And you know, those scenarios. Or, there's a variety of ways, right. but ignoring the luck aspect of it, ignoring that, so let we, I'll go, we'll lean on business email compromise 'cause you just talked about, right?

So when a business email compromise message comes in, assuming it's a financial industry, it could be somewhat, but largely as, as largely as a financial industry. You, they, ping into the bank, you know, Hey, you know, AJ Bank, I wanna make a transaction.

Right? And you recognize it. It's BEC. You recognize it for what it is. Maybe it's a lookalike to me, maybe the language doesn't make sense. Maybe there's something about it that threw [00:42:00] you off.

AJ Nash: Hmm.

Chris Birch: You know? So you refer that to your security team. The conventional response is what you notify the client.

You don't do anything. You shut it down, move on, forget about it.

AJ Nash: Mm-hmm.

Chris Birch: That's fine. That's a conventional response. That's how grandpa did it. That's how dad did it. You know, that's a Tony Stark thing. That's how, that's the way it's been done, you know? Well, what I would suggest as an alternative would be play along.

AJ Nash: Hmm.

Chris Birch: Let's see where it goes. Of course we'll make that happen for you. What would you like to do today? How can I help you? And they start telling you what they want. I wanna do this. Now you have to, I mean, obviously, you know the, financial industry has a lot of privacy rules. You have to protect your people.

You gotta protect your clients. You gotta protect your customers. You can't share data. Don't give them anything to quote kingly and iis. Take, everything. Give them nothing, you know? but let them play. Let them play along. And you know, well, why don't you use, why don't you just automate this? If you do it for real, you can have human contact.

You can report. [00:43:00] So I see that you're from California. How's the weather out there today? Oh, it's great. And you can collect information while you're talking. You can elicit from them while you're talking, while they think they're winning, while their greed is driving the train. You can collect against them.

What's on the television of the background? Do I hear other people? Is it a call center? Oh my goodness. The call center fraudsters, we bust them so fast. 'cause you hear 15 conversations in the background. All very similar.

AJ Nash: Mm-hmm.

Chris Birch: Or it could be a regional thing. The TV is, you know, one language, but the guy is speaking perfect English.

Okay. Okay. That's notable, right? So you just play through them. You play along with them, you elicit from them, and you have to bury your ego. That's probably one of the biggest points of this. You have to bury the ego because they have to think they win. It's like playing, it's like playing kickball with a 3-year-old.

They, of course, they're gonna win.

AJ Nash: No, I'm gonna make that three year-old pay, believe me, I'm not letting them win, but

Chris Birch: go all Adam

AJ Nash: they're gonna catch a ball right in the skull. Yeah. I'm not playing kickball with three year-olds. I'm winning those. [00:44:00] But, I hear what you're saying. Like, I do this in my private life. Like, I get calls once, you know, you get 'em right.

the border patrol, we've, you know, we've seized a package of yours and you're in a lot of trouble. Oh, no, really? I mean, I've, I, if I have time, like sometimes I just hang up on people, but if I have the time, I'm notorious for it. People will be in the car with me and I'll, play the whole game. I'll run it down and, oh no, this is really scary.

And what do I need to do? And, 'cause I want to catch out what the scam is. Right. Whether it's the, border patrol with the fake package of, you know, whatever they

Chris Birch: Go buy some iTunes card to pay your fines.

AJ Nash: Exactly. You know, the IRS scams that come up every year, you know, we're gonna send the police to your house if you don't send me, you know, whatever it is.

It's always like crypto or some, you know, like I said, prepaid cards. I don't think the IRS works on those. but I'll do it if I have time. 'cause it's fun. Or the, the old scam where it's like, oh, we've, scanned your computer and there's a virus and we need you to get on it. that's a lot of fun.

And you gotta go, okay, I can't understand. You act like some old person who doesn't understand computers. You're like, I don't, where's the start button again? And you run around in circles and then finally it's like, oh no, I have an, Apple. I think I, oh, and then they gotta go get a different person and then they get in.

You're like, oh no, I'm pretty sure I have Microsoft. I don't really know. I couldn't figure out how to turn it on. It's my nephew's computer, like, all this stuff. And you [00:45:00] just run 'em in circles. So they get mad and then they curse at you. And then, and they, then it's game's up. They get frustrated eventually.

Chris Birch: We have a joke internally that you've not done your job until you've been cussed out. 'cause then, then you know you've created an emotional moment. Excuse me, but that's part of the long-term play, you know? But along the way, you are gathering data points, right? So put your intelligence collection hat on.

We're gonna do some intelligence collection analysis here. You know, I'm getting data points. I'm grabbing puzzle pieces from the bad guy in real time. I'm gathering this information and I can take that information and feed it into an analytic process. And we can do a couple things. One, improve our detection response capabilities.

Two, further attribution. Try to see if we can figure out who it is. And I think three, create some kind of mapping of whatever infrastructure they're using as part of their fraud scheme. Now, you take number three in any company worth their salt, and you can start executing takedowns, taking away email addresses, taking away phone numbers, shutting down call centers, you know, whatever.

Feeding that stuff. You know, not only doing that on your own, but sharing that with whatever governmental body that's required, FCC, FTC, whoever, you know, and [00:46:00] start having an impact. So going back to what I said earlier about time is money. They have to retool, rebuild, re-engineer, do all this stuff over again.

And somebody just went, oh, come on, that's too easy. Well, time is money, you know? Yes, it's not costing them dollars, but it's time is money. They might rather play World of Warcraft. They might rather play video games. They might rather go drink vodka. They might rather be out at the dance club, or they might be under intense pressure by somebody who's old and doesn't understand technology and wants the crime to happen right now.

AJ Nash: Mm-hmm.

Chris Birch: You know, why are you taking so long to get this done? What is wrong with you? Why is this failing? And then now you're creating these emotional moments where the bad guys have to make real decisions about how are they gonna continue. They might choose not to mess with your bank anymore, or your company or whatever.

Whatever the scenario is, they might go somewhere else because it's just not, the juice isn't worth the squeeze.

AJ Nash: Yeah, you're making it difficult.

Chris Birch: the strategic output,

AJ Nash: Yeah, no, that's a good point. I had a, I, you mentioned the cursing. I had a Russian scammer curse me out. It was a couple years ago now. He asked, you know, he calls up and I don't remember what his scam was gonna be, but it was somehow about, I think it was an Amazon scammer or [00:47:00] something.

I don't remember, do you know anybody in Moscow? And I was like, yeah, I do. He's like, no you don't. I said, yeah, I do. My uncle, you know, whatever, I said my uncle Boris is. He's like, no, why you lied to me. And I had just, funny thing is I'd just been to Moscow not that long ago, prior. But, so I started talking a little bit about having been there or whatever, and the guy got very frustrated.

He is like, why you bullshit to me? You bullshit the bullshit there her. Alright, you'll know it's scam. I know it's scam. Just gimme Amazon card. I was like, what is that? How this works? What I won,

Chris Birch: a settlement.

AJ Nash: I won. And you're just like, no, give me money. That's not how it works. You lost, that's it. You got beaten, like, go away.

And he was like, ah, you know, he said some choice words and, went about his business. and it was like the most fun I had all day and it just showed up. It was a Saturday morning and the guy bothered me. I was like, all right, let's have some fun with him. so listen, I know we gotta, keep this moving along.

So we talked a bit about like how you get inside with these guys and, how you turn things around and, the reasoning obviously is so you can better understand the scams and, whether it's tracking them down. You, talked a little bit about being able to do that and understand, what country they're from or, getting their infrastructure and architecture [00:48:00] or just be able to better report to other people that this is what the scam looks like so they can prepare.

I mean, it leads to the obvious question, which is with all that experience, what do you think companies should be doing that they're not doing or should be doing better to protect against social engineering and, what is the average person gonna be able to do to avoid becoming a victim of these things?

Chris Birch: Well, you know, going back to what I said earlier, a healthy dose of cynicism and paranoia. Right? You know, that, that's obviously good advice. Continue to critically think as you're going through the thing, going through the process. I mean, you mentioned yourself. IRS doesn't, you don't pay taxes with Apple iTunes cards.

AJ Nash: No. No.

Chris Birch: The sheriff's department isn't going to put you in jail unless you pay them with some Lowe's gift cards. There are things that just break the illusion. You know, it's Inception, right? Look for the thing to break the illusion. Ask questions. If it's the actual police, they'll send somebody to you.

A cop car will show up to validate who they are. You can call them back. I think that's, and this, we're talking about victims: if you're unsure, say, all right, well, you know, where do you say you're from? You say you're from the Hard Rock Cafe? Let me call you right back [00:49:00], and then call them back.

You know, and you'd be surprised how that will unravel these social engineering attacks. But from an industry perspective, from like a business perspective, I think it comes down to education and awareness. And I break those into two different fields because everybody has education.

Yearly, yearly, yearly training modules, yearly seminars, whatever the case is. Education's great, but education lasts about two days. You took the thing, you took the course, you took the test. Two days later, you've moved on with your life and you're done with it.

Awareness is, I think awareness is as important, if not more important, than education, because it's about letting your attack surface know what it looks like. You know, quite literally, if you think about, you know, going back to the Wild West and the old wanted posters, where they put those in banks and post offices because that's where robberies took place. Oh, this guy looks like the guy on the poster. He does bank robberies. Huh? I should probably,

AJ Nash: bank right now. That's a bad sign for us.

Chris Birch: That's probably an indicator, right? You know, [00:50:00] and cybersecurity, everyone look, everyone listening, cybersecurity, we love our indicators, right? And every malware team, every DDoS defender, constantly sharing indicators.

These IPs are bad, this is a bad URL, you know, we're always sharing indicators. Why don't we share indicators for social engineering? Why do we have call centers not told, hey, you're gonna get called by a guy named Bob, he's gonna claim to be this person from this company, that's the scams we're seeing?

Why aren't we sharing that data, or these numbers, or these, I shouldn't say accidents, that's actually an error. But identify the tradecraft, the pretexts and the things that are happening. Look at it, analyze it. Have your security teams analyze it, get the indicators and blast those out to your attack surface.

And for those who don't know what I mean by that, where the bad guy's gonna come: if you're a Fortune 500 company with an international call center, it's the international call center. If you're a smaller company with an 800 number, probably the 800 number. Look for your attack surface and make sure those people [00:51:00] know what the attacks look like.

That's, I mean, if I were a CEO of anything, that probably is where I would go with that: strong education and then awareness, what's going on in the world. Awareness. You know, I remember when I did terrorism work. We had a calendar, every single thing of note that ever happened in the history of ever was on that stupid calendar.

And those would often lead us to, oh, this terrorist cell's gonna do this because of this thing that happened 300 years ago.

AJ Nash: Yep. The anniversary of whatever is gonna

Chris Birch: Anniversary of a guy stubbing his toe. They're gonna attack today because they're gonna honor that. But it's about understanding what the threatscape actually looks like, and then maintaining awareness of what the threatscape looks like, and then giving guys actual timely data they can use to do something with it.

I think, when we were talking earlier, much, much earlier, it's like, if the bad guy looks like Big Bird and Big Bird shows up, you know the bad guy's here. So go with that and take steps. Take steps to make sure that people know. It shouldn't be,

Like, you know, hey, AJ, weirdest thing happened today. Big Bird came in [00:52:00] to the office, withdrew $17 million and left. It was crazy. And then later I found out it was fraud. And you're like, oh, but I knew Big Bird was a fraud, sir, all along. I should have told you. That's a failure.

AJ Nash: Well, yeah, that's an intel failure, right? We talk about that. Intel failures aren't always about the lack of knowledge, it's about the lack of distribution of that knowledge. You know, a small group of people that have this knowledge and they hoard it, either because, you know, they don't understand how to get it out, or you have bad systems in place, or some people are like, well, it's not perfect intel.

We're not sure, we don't wanna be scared, or whatever. Or somebody just likes to hoard, you know, knowledge. And then, yeah, as a result you find out afterwards, like, oh, we could have prevented this if somebody had told somebody else, but we didn't, we were afraid to, or we were discouraged from doing it, or we didn't know who to tell 'cause we have our systems in place, or whatever it might be.

And then after the fact you go, geez, if we'd only done the thing we were supposed to. We spent all this money and this time and this energy gathering this intelligence, but we didn't get it to the people who actually needed it. Well, lesson learned, I guess we'll make that mistake less in the future, but meanwhile, you know, something happened that was preventable.

You know, and it happens all the time, unfortunately. It happens in the government space too, [00:53:00] but I think I wanna hit on one point though. You mentioned there awareness and training, right? And listen, like you said, everybody has annual training and most of it's just junk.

And it's no offense to the training companies, it's not your fault necessarily, it's the people. Right. I have four screens in front of me right now, at all times. If I do annual training, it's gonna be on a screen over there I'm not paying any attention to. I'm gonna hear it in my ear, and then when I stop hearing things, I'm gonna reach up and click the next button.

I'm never gonna pay attention to it. And then I'm gonna keep clicking buttons until I get to the end. I'm gonna take the test, I'm gonna pass, because I've done the same thing for years and years. And you could argue, well, it's 'cause he's an expert, he could pass, that means he has the knowledge, maybe. But I'm also not paying attention or thinking about it.

Right. What it should be is that awareness component, which is a cultural thing. Stop doing annual testing, just get rid of it. It's garbage. I mean, it's a check-the-box thing that somebody had to do for some regulator somewhere, but it's useless. It should be ongoing all the time. Don't do annual training, do constant training, you know, whether it's phishing training, whether it's, you know, lunch and learns, whatever it might be, something you can document, but it should be all year long and it shouldn't be [00:54:00] a stick.

It needs to be more of a carrot, right? Hey, if you didn't do well in the training, how do we get you more training so you can do better? How do we encourage you to improve? I've talked to people about gamifying training. Hey, let's put teams against teams and be like, hey, you know, the sales team's gonna be up against the marketing team, and let's see who, you know, can root out the most phishing attempts this month, or whatever the hell the things you're gamifying, but make it fun.

Make it interesting, make it an experience so that people have that constant, you know, paranoia you talked about, a little bit of skepticism and paranoia there, that they look for these things, but it's fun. And if it turns out I was wrong and I challenged somebody and it wasn't fake, okay, now I'm really on my toes.

Chris Birch: I think having a strong sense of, 'cause I mean, I wholeheartedly agree about culture. Shift the culture and everything changes, 'cause everybody becomes a sensor. Everybody becomes part of your security apparatus, you know? But I think a strong sense of, so what, does it matter, right?

You know, what does it matter? If I click this link, what does it matter? If I put in this USB, what does it matter? What does it matter? And getting people to understand why it matters, 'cause everyone's in their little silo. Everyone's in their little workspace, right? [00:55:00] I work at the front desk, I work in the server room, I work here, I work there, I work everywhere. They all have different perspectives of what's important, what's their world changer. Like a server room guy: if the fire, if the sprinklers go off by accident, that's bad, right? So that might be what they worry about, right? But the threat applies to everybody. You know, these threats. If I want to social engineer you into plugging a USB drive in for some reason, you know, it could be a Saudi Aramco scenario, 75% or whatever the report was, I think it was like 70% of their network was destroyed.

Not compromised, destroyed. Literally, if I remember the data right, the cost of hard drives around the world went up a certain percentage because they had to purchase new

AJ Nash: Mm-hmm.

Chris Birch: A global market change because of the amount of devastation from a single USB drive that went into a single computer on their network.

That is a significant impact. If you took a, I don't know, pick a company, Apple, Microsoft, whatever, grab any company in the US, hit 'em with 70% of their network destroyed. The [00:56:00] losses are catastrophic.

AJ Nash: Yeah, the stock market would crash. I mean, you're talking about companies that are in the Fortune 500, that are in the Dow Jones. The stock market would crash, and the interoperability, the connectivity between companies, if you take one of these high-tech companies, it's not just them.

You know, if Microsoft goes down, everybody who's got Microsoft has a problem. That's most of the market, right? The computer I'm on right now runs Microsoft. Right? You know, it's not just Microsoft that goes down, and we've all moved to, like, you know, online versions, you know, 365, as opposed to having, you know, hardware and software on our computers necessarily.

If Google goes down, everybody's got, you know, Gmail and G Drives, and all these things go down. Like, it's catastrophic failure, economic disaster, if something like that happens.

Chris Birch: But you know, so I think, when you're thinking about it, 'cause when you think about, like, networks and network security, we tend to focus on the hardware. Well, hardware is easy, it's predictable. It patches well, it either works or it doesn't. Humans are messy.

AJ Nash: Yeah.

Chris Birch: Don't patch well.

They don't. Even when you do patch 'em, they forget it. Sometimes they lose their patch. You know, I've never seen a server [00:57:00] unload its own patch.

AJ Nash: Yeah.

Chris Birch: Thanks for that upgrade. I'm good, Bob.

AJ Nash: I'm gonna, I'm gonna opt out of that upgrade and just do my own thing.

Chris Birch: You know, I

AJ Nash: Like, eh.

Chris Birch: I was patched. I went to Mexico for two weeks. I came back. I'm no longer patched,

AJ Nash: That's exactly,

where I was patched. I had one too many beers tonight and I'm unpatched. Like, it doesn't take much for somebody to lose their human version of a patching system. Right. And they're just, you know, their inhibitions drop and they make bad choices.

Chris Birch: I mean,

AJ Nash: So it's constant with us.

Chris Birch: humans are easy to hack, hard to patch.

AJ Nash: A true story. Yeah. The wetware, man. We just talk about hardware, software, and wetware. You know, people are the wetware, and it's incredibly complicated, which is why it has to be that culture. It has to be ongoing, and not in a hostile way. You want people to see security as a teammate and a partner, not an adversary that you have to try to trick and outrun, which is the other thing people wanna do: they get tired of security.

They just wanna trick them. They slow us down, they scare us, they're the cops, whatever. And then you've got a relationship that's really difficult, as opposed to, no, I'm here to make things better for everybody, and let's work together and have some fun doing it. And if you're not picking it up, then let's find you a better way.

If somebody [00:58:00] fails a security test, it's my fault, not theirs. Like, we gotta do a better job at training them. And if they fail all of the tests over and over again, at some point it's their fault. Like, some people just can't get it and we will find 'em something else to do with their time. But a lot of organizations turn it all on the user and make it the user's fault immediately and just hammer the user.

It's like you haven't trained them on anything. You haven't given them a chance to succeed. You've made them the problem because you're too lazy to solve it and make it a constant solution, and you just find a scapegoat to move on, which is really sad in my opinion. So listen, I know we gotta wrap up.

We're kind of short on time at this point 'cause we're friends, so we talk too much. I wanna get to the closing question though. So everybody knows the name of the show's Unspoken Security, and with that in mind, everybody gets stuck with the same question at the end. You don't get an out on this one.

So the question is, tell me something you've never told anyone before. Something that has gone unspoken,

Chris Birch: I will, but there's one thing I wanna get in first.

AJ Nash: Oh,

Chris Birch: The last thing for the last

AJ Nash: Sure. Yeah, go ahead.

Chris Birch: Evolution. You must evolve. The threatscape is always changing. You have to change with it. You know, if you wrote a training [00:59:00] module 10 years ago and you're like, it's good, you're going into battle on a horse with armor and a sword.

The world has changed. You gotta change with it. So defenders, security teachers, practitioners, all those guys who build these courses, evolve, make sure your content stays up to date. That, and then I'll move on to the question. Things that I don't talk about. Well, as we've established, I am egotistical, or at least I was.

AJ Nash: You were. At some point you seem to have mellowed a bit. Yeah.

Chris Birch: You know, getting old does that. And I've been all over the world. I've been in combat in bad places. I've been to all the bad places. And I'm only afraid of two things, I think, one of which is reasonable to be afraid of. I'm gonna keep that one. But the other one is, I get, oh, it's so bad.

And whenever anyone even finds out about it, I get so much heat about it.

AJ Nash: Now the whole world's gonna know, well, the nine people that watch this show are gonna know at least

Chris Birch: Centipedes,

AJ Nash: Centipedes.

Chris Birch: I am terrified of centipedes. And it's like, oh yeah, the giant ones in the jungles, like Vietnam, those giant ones in, like, Vietnam, Thailand, [01:00:00] those, that's a nightmare. I just, I would die. I would just die. You know? That would be, oh, I'm gone, just out. No, I mean, like, all of them. And I don't even know why I'm so afraid of them. It's like, they got too many legs, that's a fail. There's too many legs, not enough shoes for you. You know, they bite.

AJ Nash: They do. Yeah.

Chris Birch: I don't know, that's bothersome, you know?

And I know that it's a real fear, because when I see one, I shriek. It's not like I'm uncomfortable, right? Like, oh, I don't really like spiders, so I don't really wanna hold your tarantula, but it's cool. No, it's not like that. Like, uncomfortable is different. This is like, ah, okay, I've composed myself. I am manifesting, through sheer willpower, the ability to stay here, but I am not happy. I want to flee, you know? And I was on deployment to Colombia

AJ Nash: Oh, I bet they have some there.

Chris Birch: Shrieked. Every time we'd go to these certain places, there'd be centipedes on the sidewalk. I'm like, you have to go first and clean the sidewalk.

Why? Because [01:01:00] centipedes, I can't help it. I was on vacation in Mexico doing some kind of trail hike, and there was a guy in the middle of the trail. I shrieked, went the other way, had to wait for my ex-wife to go clear the trail. Now mind you, I would attack a bear. I would fight a bear,

AJ Nash: Oh yeah. You're one of those people who actually thinks he could win a fight against a bear too.

Chris Birch: Black bear, not brown or white.

AJ Nash: Black bear maybe. Yeah. Yeah. Black bears are just a little bit, they're trash pandas, basically, but yeah. Don't go after the brown ones.

Chris Birch: That's what they say. Black bear: if it's black, fight back. If it's brown, lay down. If it's white, you're already dead. So there's no reason to rhyme.

AJ Nash: That's true. No, that's a good point. Yeah. Fair point.

So I'm curious now, listen, and for those who don't know, Chris said it, like, Chris has been in combat, like he has done scary things. Are you also afraid of millipedes or just centipedes,

Chris Birch: Millipedes, to a much, much lesser degree,

AJ Nash: even though they have more legs?

Chris Birch: Even though they have more legs. But they're like a giant pill bug that's been stretched out. So they're not so bad. They're not as bad. You can almost, like, put, you know, googly eyes on their little forehead and now they're cute.

Right? You can't do it with a centipede. They got these little [01:02:00] red antennae and it's just nothing. There's nothing good about a centipede. I mean, before the bug people get after me, I know they do,

AJ Nash: There's probably something good about centipedes. I have no idea what it would be, but

Chris Birch: They eat spiders, they eat brown recluses. Like, centipedes are actually supposedly really good for the environment, they eat pests, but ah, they just need a better PR campaign.

AJ Nash: So centipedes, you're desperately afraid of centipedes. So listen, I'm gonna push this 'cause you hinted at it, so you're not stuck. What was the other one? Because you had two fears. You said you were okay with the other one, but now I'm gonna make you sit and tell us both of 'em, actually,

Chris Birch: All right. That's fair. That's fair. That's all right. You know, I have a weird fear of aliens.

AJ Nash: And that's the one you think is rational? 'Cause you said you thought one was rational you were gonna stick with, and

Chris Birch: Lemme tell you why I think it's rational. The centipede, I know what it is. I know there are very few that can actually hurt me.

AJ Nash: True. Yeah.

Chris Birch: Like the one as long as your arm.

Yeah, that's a no-go. But the average centipede is not gonna hurt you. I can win that fight, 10 outta 10, crush, stomp, twist,

AJ Nash: Yes. I feel

Chris Birch: Easy mode, you know? And they're not actively out to get you, right? You know, we know what their [01:03:00] motivations are. Eat, sleep,

AJ Nash: Mm-hmm. Mm-hmm. Mm-hmm. Mm-hmm.

Chris Birch: I have no basis for aliens.

AJ Nash: Hmm.

Chris Birch: None. What do they want? What do they want? What are they after?

AJ Nash: You don't have a host steady on them. We don't know their culture. We don't know their motivations. We know the Maslow's for aliens.

Chris Birch: How would it even open the rapport step?

AJ Nash: That's true. Yeah. How do you even start, right? How do you social engineer the aliens? I don't know what they're interested in.

Chris Birch: Right? I mean, you know,

AJ Nash: Which hole is the ear, where's the mouth on this one? Like,

Chris Birch: Is it probing? What are they into?

AJ Nash: I mean, it's a fair point. It's hard to get started, right? You don't know what they care about. Are they coming in peace? Do they want to eat us? There's a lot in between those things. So, I mean, I can see that. Like, I get it. I mean, I get it to a point.

Chris Birch: That's why I think it's justified, because there are so many unknowns. It's easy to not be comfortable with that. Like, I met a true linguist once. Like, he was a naval officer, a true linguist. And I said, what does that mean? I said, what language? He goes, I speak all the languages.

That's baloney. That's not true. He goes, oh. He goes, I [01:04:00] literally can sit down, and this just blew my mind, I can sit down and with exposure, I can learn the language. So he could learn a language in a couple

AJ Nash: So he is an alien.

Chris Birch: He's definitely an.

AJ Nash: This guy's definitely not human.

Chris Birch: But his final explanation to me, 'cause I was like, I don't get it.

I don't get it. Maybe I'm being stupid. I don't know, maybe dense. He goes, look, Chris, if aliens landed on the White House lawn tomorrow, people like me would sit there and listen to them and try to figure out their language. They're the type of people who created the DLAB,

AJ Nash: Interesting.

Chris Birch: they would be able to figure that out.

And I think, in that movie, was it Contact, with Lois Lane and Hawkeye?

AJ Nash: Well, considering you just had Superman and M*A*S*H mixed in with it, I don't think, I don't know what you're talking about, but,

Chris Birch: There? It was a film with the actress who played Lois Lane in the Henry Cavill Superman, and the actress who played Hawkeye. And the aliens came and they were trying to, and they were squid-like. Anyway, there were true linguists in that. She, her character, played a true linguist.

AJ Nash: Huh. Well, that's interesting. I had not heard of a true linguist before. And for those who don't know, Chris and I were both linguists. That's how we [01:05:00] met in the Air Force. I was a very bad linguist, but we were, anyway. All right, so centipedes, you're definitely afraid of, and that's completely irrational.

I agree. Aliens you're afraid of. Yeah. It could be more rational. Makes sense. At least it's an unknown, and

Chris Birch: Centipedes have never kidnapped anybody. Just leave it at that.

AJ Nash: Not to my knowledge. They haven't been beaming anybody up or probing anybody or anything of the sort. You know, aliens perhaps, we're not sure.

I mean, there's lots of evidence now that aliens seem to exist. At least we just don't know what they want. So I can see why there'd be a fear of that. Yeah, I can see that. So, all right, listen, I'm gonna wrap it up here. This has been a really fun episode. I figured it would be, you know, it's nice to catch up, man.

And so we got a chance to talk about social engineering and how you actually social engineer the bad guys, and that's a really interesting thing. Are there any last words? You already screwed it up 'cause you did it. You interrupted your own exit with your last words, but do you have any other last words you want to add to this before we close it out?

Chris Birch: Like, subscribe.

AJ Nash: Ah, see, I love that one. This is my guy. Welcome to marketing. So yeah, Chris is right. Listen, if you like the show, please give [01:06:00] feedback, subscribe, tell your friends and neighbors, spread it around. I'd like to get the audience continuing to grow so we can have more people on this.

It's still ad-free right now because I can, but eventually I may have to start putting ads on if I have to start paying for this thing. But I appreciate it. And if you don't like the show, shut up, go to something else. It's free. You know, I don't care that much. No, I do care.

If you got ideas for making it better, obviously let me know. Email me at AJ@unspokensecurity or leave notes wherever the hell you're downloading this and listening to it. But I appreciate you taking the time to come in and listen and hear Chris and I talk about these things, and we're gonna have more good guests in the future.

So, until next time, this is AJ Nash and I'm just gonna shut it down here for Unspoken Security.

Chris Birch: Thanks for having me.

AJ Nash: Thanks, man.



You know, the offensive components in terms of cybersecurity. how are you going down that path? And talk a little about the process for social engineering. The people that really are supposed to be immune to this stuff, they're supposed to be the ones doing it to us, not the other way around.

 How are you able to do some of that?

Chris Birch: So it's a great challenge and I don't wanna say there's luck involved, but there's a little bit of luck involved because I think the hardest part, you know, I mean, I can go into the weaponization, I can go into the monetization, we can talk about hooks, we can talk about how the social thing is gonna work.

We can get into all that kind of stuff. We can talk about human psychology and how people are predisposed to be helpful in certain scenarios. But when you wanna think about it from a bad guy perspective, you know, we're going to knowingly go into a threat actor to the bad guy and say, all right, gimme what you got.

We want them to come at us, we want them to social engineer us, not the actual customer [00:09:00] service rep. There's a little bit of luck there, getting ourselves in harm way. So that's the first problem, meaning organization we would have to solve. But once you do that, the scenario then goes into what I call the playing dumb scenario, right?

We obviously, we know with social and we know we're lying, we know it's all fake. We know they're the bad guy. We have the advantage here, but we need to make them think that they have the advantage. So you come and you play dumb. You come in, you're overly helpful, you know, you do a lot of rapport step, thinking about human intelligence. Social engineering, the rapport step, the opening step is really big.

You know, you can't just come smashing in there. And I know that's kind of counterintuitive to how some social engineering works, right? Create urgency, create a sense of, create a sense of urgency, immediate requirements. You don't think you click and it got you. That's true. That is a very, prominent and valid social engineering capability or technique

AJ Nash: Mm-hmm.

Chris Birch: But it's all evolved from the classical human intelligence techniques of rapport step. Then I start to introduce, I start to identify motivation. I start identify what's gonna drive you, and [00:10:00] then I start just leading you along to where I want to go with this. In the cybersecurity world, these timelines are shrunk.

AJ Nash: Mm-hmm.

Chris Birch: Now, fear and greed have always been in the toolkits for every human intelligence officer in the world. Can I make you afraid? Can I make you greedy? common social and negative attackers in the cybersecurity world rely very heavily on those two elements because they are the fastest and the cheapest ways to get the ball rolling. You have kiddie porn on your computer. I'm the IRS. I'm take all your money and secure it, da da da, da, whatever, whatever. You know, like that's a very common one we've seen where they come in, they'll do a Google or shot of your house. They got your PII, they got your personal information from some random breach somewhere, and they're just shotgunning it, right?

Well, the first person replies, that's the hook,

AJ Nash: Well, it's funny you mentioned that. I'm gonna interrupt real quick because I had this not too long ago. I had a friend of mine pinged me with this exact scenario. So anybody listening, if you haven't heard of this scenario, it's worth listening to briefly. a buddy of mine pinged me and said, you know, he was worried, somebody had reached out to him an [00:11:00] email and they said, you know, we've been monitoring your computer, we've seen what you've been doing, very vague stuff.

You've been doing some, dirty things and we've seen it and we've got snapshots and we're gonna send it to your family. if you don't pay us in, whatever cryptocurrency they liked that day. And like you said, they send you a picture like of your house and your address and some personal information, which is all publicly available, garbage.

Really. and this is a guy in our industry. He's a smart guy. but he got nervous and he pinged me and asked, you know, was this real? Should I worry about it? you know, and I, you know, explained to him, you don't have anything to worry about. I said, listen, I don't know what you've been doing, but the fact of the matter is these guys are just betting.

Everybody's got something they're ashamed of. It doesn't even matter if it's criminal or not. And he's not to my knowledge of criminal law doing anything like that, but you know, he probably watches something risque on his computer, whatever. And I said, that's the thing, they're just banking on that and it's a shotgun.

They're gonna send it out to everybody and then see who responds. And the first person who responds is their victim. Now, okay, here's somebody who's got some shame, some guilt, some fear, and doesn't wanna get caught because whatever. And it doesn't have to be illegal or anything, it just, it's about how you feel.

You know, I [00:12:00] used to tell people doing polygraphs. This is pretty graphic. So if anybody wants to turn, tune out for a second, that's fine. I said, and listen, the polygrapher doesn't care if you have sex with goats. They care if you care if you have sex with goats. I mean, they might care if you have sex with goats.

I'm not recommending it. But the point is, it's about your shame and your fear. It's about what you can be leveraged. All right. This friend of mine, I have no doubt he is watching perfectly legal pornography. He's an adult, he's watching perfectly legal stuff, but there's a shame and a fear component to it.

Now. It doesn't matter. It's just as bad for him as if some people are watching things that are very illegal or doing illegal acts. And that's the key, like you said, is it's just about shotgunning it out because the stats tell you, most people have something they're ashamed of something they're afraid of.

They've done something in front of their computer and that, and you know, they get this letter, it says, ah, your camera was on and we caught you doing the whatever the hell it was that you do in your private life. And so then they exploit you. And if you take the bait, then you're probably gonna end up giving them money or whatever.

And that just gets worse, by the way, for anybody who makes that mistake. If you get blackmailed, it doesn't go away. You're just [00:13:00] gonna keep getting blackmailed. I'm sorry to say, if they really have something on you, you're just gonna have to live with that probably 'cause it just gets worse.

Chris Birch: And and that's great example of the fear component, right? You know, I'm trying to, you know, I, in the sense being the bad guy, I'm trying to generate that fear. Fear of your wife or husband finding out fear of your boss or neighbors or mother, whoever, you know, Sally, brother, cousin, whatever, whatever.

Figuring out, you know, and I think there's. And when you're talking AJ, there was a thought in my head about the duality of the internet. You know, we will get on the internet and we will scream to the world, whatever we think, you know, from the privacy and anonymity of our own home.

But when you breach that anonymity and even the thought of that anonymity being breached. We're all very much, Ooh, no, no, I'm not interested at all. You know, so Johnny likes porn, watches porn 24 hours a day. He may not have an issue with that in the privacy and anonymity of his own home, but when that's suddenly being talked about at church or school or work or whatever, now it's a big deal.

 So that's a fear factor. [00:14:00] Conversely, you know, the alternative to the fear factor is the greed approach. We all know the poor Nigerian prince trying to give away money for years,

AJ Nash: Yes. It's amazing.

Chris Birch: I mean, that guy is still trying, I mean, he's really generous, you know, but people fall for 'cause of greed.

You know, I think I can make money quick, I can get rich quick. And what upsets me in a lot of the investigations that I've run, particularly in the last 18 months, I, would say I'd go back and further that post Covid, I would think, post the Pandemic are the work from home scams. They're actually getting on like indie.com and things like that, you know, job sites.

And they're offering work from home jobs to the, and it's mostly single parents desperation, not necessarily greed, but it's desperation, which ties very closely to greed. I need, I need, I need, I want, I want, I want. and they get sucked in these scams. And these are organized crime groups, often Eastern European that are running these scams.

And there's, I mean, they're really well done. They'll have portals you log into, they'll have, you know, HR people that'll come. I mean, it's probably like three people posing as 10 people. But you

AJ Nash: all AI now.

Chris Birch: yeah, you'll have HR folks. You gotta [00:15:00] talk to Sally on Thursday for your HR thing, and you'll talk to Bob, your manager on two, you know, Friday.

 It's really well done and these people will just fall for it. And ultimately that end game for them is money laundering. They recruit you, they social engineer you, start opening accounts for them, they start money laundering through your stuff, and then you're the one left holding the bag.

AJ Nash: Yep.

Chris Birch: So it's really awful in that sense.

AJ Nash: Well, and there's another component that occurs to me. So you're talking about fear and you're talking about greed. and there's a third component that comes to mind that I think in a sense is greed. Actually, it's just in my definition. So, a lot of social engineering, you know, leverages sexuality.

So, I just literally today had something happen, you know, I don't know, an hour before we started talking, well maybe two, 'cause we spent like 40 minutes working on sound today 'cause my computer was all messed up. But, before we got on, at least. I got a message on, I happened to be on LinkedIn.

Somebody, you know, messaged me outta the blue and they really enjoyed following me and getting to know me. I've never talked to this person before and there was just something off about the profile. So I took a look. I'm like, somebody says they're like a fashion designer or whatever, you know, pretty girl.

Just didn't [00:16:00] make sense. Not part of the industry, not somebody I've ever talked to before. And I had a little time to kill. So it's like, lemme go down this rabbit hole a little bit. Didn't take long. I'm actually in the process of, I'll probably write something on this, but next thing I know, I've got five or six profiles.

Same company. They're all the same profile, different name, different picture, but you know, the exact same opener, the same background. Boy, you've worked the exact same months and years at all the same places, same titles. This is very interesting. It's very hard to believe that this company has like six women, all very pretty women, that all have come from the exact same place.

They all came, they all went to university in Kyiv for some reason. They have all worked in Paris. It's very confusing, and very unlikely, right? but that happens because the idea is that, you know, they're gonna go after somebody. I would be. I would guess there's a very good chance that every one of these profiles is targeting middle-aged men.

If I had to guess, maybe not. I mean, I don't wanna judge on sexuality or whatever, but I'm gonna guess a lot of these are targeting middle-aged men and somebody's gonna take the bait and say, oh, this person's interested in me, and they're gonna start this whole conversation and wherever it's gonna go.

And I, the reason I say [00:17:00] that's sort of a greed factor, and , this is probably bending it a little bit, but listen, I'm 50 years old and anybody's curious and the hell with you if you are, but I'm 50 years old there, the 24-year-old European model that just comes outta the blue and pings me, probably not.

So if you believe in that, there's a sense of greed though. Like, Ooh, I deserve this. Now I'm also very happily in, in a relationship and I have no interest in anyway. But there's a greed factor in my sense, in, in my mind that somebody fools themselves. Maybe there's a pride factor. Maybe there's some others you can talk about, fools themselves into thinking this is real, right?

This is the old honeypot scam. If somebody who listen, be honest with yourself. If somebody who's not in your wheelhouse is suddenly very interested in you. It's not real. It's no different than the Nigerian prince. All right? It didn't just happen. You didn't suddenly win the lottery. And this, you know, this person who's been modeling fashion for years and is half your age and doesn't know you at all, suddenly is enthralled by you.

Seems really unlikely. but it happens all the time and people fall for it constantly because we lie to ourselves or because like I said, I kind of feel like [00:18:00] it's a greed factor. Like, oh, I want this thing that I don't deserve. I'm not entitled to, I haven't earned it. It's not real.

And people get sucked into it all the time. And of course, I did respond to her and I'm really looking forward to meeting her now. No, I'm just kidding.

Chris Birch: So it's funny, I'm glad you brought that up because that ties into, you know, there's a lot of things that, there's a lot of things to get into the psychology that ties into, but you know, when I put my counterintelligence hat back on. You know, I would tell people if, you know, if you're out and about at the bar after work and you've got your intelligence community badge in your top pocket, you know, prominently displayed in your top pocket and she's a 10 and you're a two, she's not really into you.

She's out to get you, you know, and having that sense of humility. 'cause I think it's ego and it, right? It's delusions, you know,

AJ Nash: And men are great at thinking we're a lot more than a two. Like no guy thinks he's a two. I know guys who are lucky if they get to be a two. No guy, no guy thinks he's a two. Every guy seems to be two points above what they, you know, they think they're two points above whatever they are. And women tend to downgrade themselves.

 It's a weird part of the world, I think, but [00:19:00] I don't know any guy who doesn't think he can pull nines and tens all day long. I don't care if they're just a slug, like they can be dumb and ugly and like, have nothing to offer. And for some reason they think they're, and by the way, I should stop this for a moment, for anybody who's getting offended that we're using numbers to rate people.

You get the point of the message, all right, this is, I'm not really trying to go down that path, but you get what we're saying. And if you haven't noticed, we're really denigrating men more than anything in this particular part of the conversation, but there's guys just think they, they're in domains that they're not a lot of times, and we're easy suckers for this.

I don't see the honey pot, the sexual ploy working as well with women generally. I think women are, brighter in this area at

Chris Birch: Yeah. I think they're smarter and wiser when it comes to, when it comes to that. Men, sorry guys. We're gonna take this on the chin. Too bad. So sad. We're suckers for it.

AJ Nash: Yeah.

Chris Birch: Like you said, you know, we tend to think of ourselves as the best football player on your team when it may not be the case.

You know, we always think we're hotter than we really are. We're more attractive. We are, we, look younger. I only look 25, right? We have these re [00:20:00] really weird perceptions of ourselves and threat actors. Know this, understand this, and definitely will try to take advantage of it, whether it's a used car salesman, you know, I mean, come on.

You know, whether it's real estate, whether it's, no kidding nation state, spy games, you know, coming up to you in a bar in Paris, you know, oh, AJ, you know, what are you doing? You know, it used the right bait to catch the fish you're fishing for. And well, it speaks for itself.

And it's not just in the cool spy stuff either. It's in scams. It's in, you know, when you look at impersonations, nobody impersonates Jabba the Hutt, they impersonate Princess Leia.

AJ Nash: That's a good point. That's a fair point. Never heard it put that way, but it's, I mean, you're right. I mean there's, I mean, listen, there's psychology. We know this. People who are taller are statistically more successful. People who are considered to be better looking are statistically more successful.

Life isn't fair. Society is not fair. [00:21:00] Social engineers know this though. They're not going to go outta their way to, you know, impersonate the person who's just on stats, alone, less likely to be, engaged or interested, right? I mean, it's just, it's a thing. Like I know a lot of people who do physical, pen testing, physical security testing, and women are really, really good at this.

one because, I mean, listen, these women are smart and they're brilliant and they're talented. I'm not taking anything away when I say that. The other advantage on top of it is the gender advantage. It is not the reason they're successful. I'm not gonna take anything away from these women. I know some brilliant women.

It is an advantage on top of it. They can cry and people will, you know, men are suckers for criers. A lot of times they can fake pregnancy, which guys really can't do very well as it turns out. they can, you know, they have other advantages, right? They can do damsel in distress. they can play the sexual card.

All the things that men just generally aren't really good at in social engineering. so they have advantages on top of the fact that the women I know that do this are brilliant and very good at it. but it's just a different, it's a different thing, right? this is an area where, you know, men and women act a little bit differently.

Chris Birch: the taking advantage of psychology, you know, like men and women have [00:22:00] different psychology. We're wired differently. We see the world differently. We have different, you know, if you think about like our hierarchies of needs, you think about how we operate, you know, there, there are big differences and pulling strings and understanding how to pull the strings.

This goes, when I said earlier, weaponization, right? Every single human being on this planet, social engineers to a degree. These incredibly intelligent, incredibly talented people can weaponize that to great effect. You know, and that's where the success comes in. And, you know, we're gonna get heat for this, but men are suckers.

AJ Nash: who are we gonna get heat from? Everybody knows it's true. Like any man who

Chris Birch: It is true.

AJ Nash: Yeah. Any man who thinks otherwise it's

deluded.

Chris Birch: anybody upset is lying to themselves.

AJ Nash: Yeah. Women are gonna love this show. They are like it's about time. Somebody said, men are stupid. We are suckers. Like, you know, there's a lot of things that we could be doing better as a gender.

But, yeah, go on.

Chris Birch: but coming, leaning back into psychology for a minute, you know, like, and I mentioned Maslow's, you know, and there's also Hofstede, you know, those are two very powerful psychological [00:23:00] tools. I'm gonna call 'em tools. 

AJ Nash: Sure. 

Chris Birch: let's go with

AJ Nash: Yeah. They're models, whatever you wanna call 'em.

Chris Birch: Yeah. I think models is probably more accurate.

But you know, for those folks listening today, who are interested in social engineering and how the human psychology behind it works, I would encourage you to go look at those. Maslow's paints a picture of the basic needs for a human being. You know, with self-actualization at the top, you know, food, shelter, things like that.

At the very bottom, as a social engineer, as a threat actor, you know, if I'm not gonna use fear, you know, oh my God, this thing's happening. Gotta do this right now. Or greed or whatever. You know, you can look at that and spend some time in targeting reconnaissance, intelligence gathering prior to the engagement, and find out what in that pyramid is missing.

If they're disrespected at work, show them some respect. If they feel like they're smarter than anybody in the room, play dumb. And let them teach you, you know, elevate, promote them, and they're gonna want to talk to you. They're gonna wanna show off. You know, if it's a Jabba the Hutt, go be, Hey, you're so handsome.

You're so strong, you're so nice, you're so whatever. Whatever.[00:24:00] 

AJ Nash: I like big men without

Chris Birch: This is the rapport step. This is the rapport. you're buttering the toast, you're getting them ready to talk. You're get, you're loosening them up and you're skipping the, snapshot fear, greed thing with, you see in phishing emails, things like that.

You have porn on your desktop, whatever,

AJ Nash: Mm-hmm.

Chris Birch: you can have a much longer engagement. Hofstede's is secondary to that. And I would say that's the graduate level work. And that's where you start looking at the cultural impact on their psychology. Are they a more team slash family oriented culture?

Are they individualist? Are they high power distance? Are they not? The United States? Nope, we are not high power distance. You can call your boss Tom all you want to, right? That doesn't make us crazy. That doesn't throw us off. But if you go to a high power distance culture, East Asia, Russia, those examples come to mind.

You'll have 55-year-old men calling their 25-year-old boss, sir. Hey, let's go out. Let's go get it. Let's go get lunch. Oh, I can't do that. That's too crazy. That's that. [00:25:00] No, that doesn't work. So that's, there's differences in culture. You know, you can exploit that. So for an example, if you're gonna call in, let's say you're doing some call center fraud, and your target uses an Indian based call center or an Asian based call center, come in there hard with a high level identity.

I am the CFO, I am the CEO. I am the top lawyer for the firm. My billables are $2,500 an hour. You just, you could be as rude and as crass as you want to because that's what they expect.

AJ Nash: Mm-hmm.

Chris Birch: And you are forcing them. You are impacting fear and greed in one big swoop. They're gonna lose money.

They're gonna lose their job. You know, it comes in really well. But again, understanding Maslow's and Hofstede's can really help you put those pretexts together to hit 'em on more counts.

AJ Nash: and that's a really good point because, so that gets into some sensitive areas for people. Like when we talk about social engineering, I think it's important to remember. Because I'm about to dig into some more of this too. What you just said isn't about what we believe or what we think is right.

It has nothing to do with that. It doesn't matter. It's what is, and recognizing what is and [00:26:00] utilizing that. And it, and that can be really challenging 'cause it gets into discussions of what you're stereotyping people or you're, you know, that sounds racist or biased or whatever it might be.

And it's not intended to be that way at all. There are cultural differences and ignoring them doesn't make you successful. As you said, it, there are cultures, where,losing face is incredibly, important. and America doesn't, not one of 'em, right. Most Americans don't care about being embarrassed in terms of how the rest of the world would look at it necessarily.

Shame isn't a really big part of our culture necessarily. It exists. There's a level, but it's very different than say, you know, Japanese culture, for shame. Right. And it's the same thing again with dealing with, men and women sometimes dealing with different races within the US which is what makes this a really challenging place to work, I think is.

There's a reason stereotypes exist and there are times and places when you have to take advantage of those, at least if you're gonna do social engineering,especially if you're gonna go after, the bad guys, right? Because then you've gotta know their culture and their background. Are they Eastern European?

Are they Middle [00:27:00] Eastern? Are they US bad guys? what are their fears gonna be? What are their motivations gonna be? Where are you going to get inside of their psyche, right? And be able to, to turn the key to getting where you're trying to go. And that requires being brutally honest about our understandings of people.

and sometimes that, that requires going down paths where I know people have been in this or have been exposed to it who think terrible things of people who do this stuff. And it's like, listen, I'm not saying these are right or wrong things, and I'm not saying they're general to everybody necessarily, but if I've.

Done some research on somebody, and I have found out what their motivations are and their motivations happen to really line up well with just a stereotypical version of their gender, their race, their culture, whatever. I'm not gonna ignore that, just 'cause it's there. I can't be like, wow, that's, I shouldn't do this because it looks bad.

That's who they are. I've done the research on it and they line up with these stereotypes and now I'm going to lay into those stereotypes because my job is to accomplish the mission right? To get inside of them, to take advantage of them, to turn them to do whatever it's, I'm [00:28:00] gonna try to do, which I'm gonna ask you more about, but I think it can be challenging when we talk about these things objectively and openly to make sure people understand.

I'm not saying, Hey, this is right or wrong. I'm not saying this is general to everybody. I'm not saying, these horrible things. other than the fact that they fit sometimes. this is how cultures work. Hofstede's study is a really good example of that. I've done business around the world and I've said if you do business in Japan.

It's going to be very, very slow. The Japanese are wonderful people. I've enjoyed working with them a lot, but the Japanese culture is very much about consensus. Even if you're talking to the highest ranking person in the US, you get a hold of the CEO, you convince the CEO, the CEO goes, do it, and everybody else just has to fall along.

That's how it works. Not in Japan. The CEO could decide on day one. They wanna do it, it's going to take a long time. They're going to get consensus from other people. There's, it's a way the culture works. and it's important to know those things because it also affects how you're gonna compromise somebody.

Whereas in the US it's a lot more fluid and things are different, and one cowboy can kind of get a whole lot done or a whole lot broken as we're seeing some parts of the world right now, because the culture is different. Right. So, anyway, I gotta stop talking and kick it back to you, but I wanted [00:29:00] to, make sure I, wanna make sure I got that point out that this is, this can get very sensitive and it's, we're not talking about what we think of the world.

We're talking about what we know of different cultures and how it fits.

Chris Birch: Humans are messy. And when you think about Maslow's, it's much more to a point. But when you think about Hofstede's, you know it's cultural norms. You may find the guy who doesn't fit his culture because he's the anomaly. You know, it's all bell curves, right? It's all bell curves. And that's Hofstede.

Did you know, it was lots of study, lots of research, you know. But these are bell curves,

AJ Nash: Mm-hmm.

Chris Birch: you know, the chances are solid. You're gonna hit in that middle. And these are what the cultural norms are going to be, you know? And it doesn't matter what their ethnicity is, it's the being part of that culture. You know?

So that's, I think that might be another key point there is it's not about the ethnic, it's about really being a part of a culture and lots of ethnic be parts of lots of different culture. I mean, shoot, just a few days ago, everybody was Irish, right?

AJ Nash: Right. Briefly.

Chris Birch: Except for the Scottish, they're always Scottish.

AJ Nash: They don't want to be Irish. It's true.

Chris Birch: That was actually a shirt I saw on St. Patrick. [00:30:00] Everyone's Irish except for the Scottish. They'll, they're always Scottish. Anyway, it was fun in an Irish bar, seeing that on a shirt, I was like, oh, that's, one way to go.

AJ Nash: That's a good point, but it's a good point. You mentioned the culture. It really isn't about race, right? I mean, there are countries that are very conservative, right? I think, what is it? Iceland, I think is known for being kind of stoic, right? And the Finns are known for being sort of stoic. You don't see a lot of, you know, worldwide comedians coming out of Finland or Iceland.

It doesn't mean there's nobody funny in Finland or Iceland, but their culture tends to be a bit more stoic, right? And Americans tend to be loud, and, out there, right? That's kind of our known international existence, right? Canadians are notoriously polite. It doesn't mean every Canadian's polite, but I have seen Canadians get in car accidents that they didn't cause and get out and apologize.

It's, they're very nice people, generally. So it is, it does help to know these things as a place to start, right? And then you gotta focus on, I think, your actual target and see if they fit right.

Chris Birch: Yeah, that's when you start pushing buttons and pulling levers, right? You know, I mean, you're trying to get in, you're trying to get the ball moving, you're trying to get things happening. You can't, you don't walk up somebody like, look at a picture and say, all right, I know these are the buttons to push.[00:31:00] 

No, you gotta start the conversation. we talked earlier about bad guy shotgunning it out. Your generic phishing, That's gonna be the most basic level stuff. And really quickly, I'm gonna interrupt myself that look, that's how awesome I am interrupting myself. We actually had a significant debate, me and some colleagues around, why is phishing so bad? Because you think about all the phishing education, train, all the educational material you see, it's always the look for typos, look for grammar, look for this, look for that. And it's like, why are they so bad and why do people fall for

AJ Nash: Mm-hmm.

Chris Birch: The best theory we came up with, we being the people who were, you know, that I was working with on this,

AJ Nash: Yeah. Yeah.

Chris Birch: was that it's about numbers.

If I have, if I spend a whole lot of time crafting a perfect message, then I get someone like AJ on my hook. I have a very long road ahead of me till I get to the monetization step. 'cause he's gonna have [00:32:00] scrutiny. I can't pass it off to another threat actor. I can't, you know, well, I'm gonna go to bed, Bob, your turn to, your turn to talk to this guy.

It's gonna be a lot of uphill sledding to get him from hook to, from weaponization to monetization. That's gonna take time and effort and it's gonna be hard and time is money.

AJ Nash: Mm-hmm.

Chris Birch: And I'll come back to that later in the show I'm sure. But time is money, so they don't wanna have, they don't wanna work.

Predators are inherently lazy. So if you dumb it down a little bit, if you make some mistakes, if, you're not perfect and I need to actually get one of these guys to confess, but if you're not perfect, the theory stands right today that potentially there's a little bit of intention there because if I weaponize with imperfection.

The road to monetization might be downhill, not uphill.

AJ Nash: Oh yeah, you're targeting dumber targets, right? It's, net fishing versus line fishing. Like, do I want to cast the perfect line with the perfect bait and fight, a, sail fish for the next eight hours? or do I don't just throw nets out there and catch all the salmon I can get my [00:33:00] hands 

Chris Birch: Right? 

AJ Nash: on?

The sailfish is probably worth more in and of itself, but I'll just take all the

Chris Birch: the crappie over the tuna.

AJ Nash: yeah, that's right. I'll catch the small, crappy fish and, make sense. I know you say crappie, like the kind of fish, but I'll catch the small fish and it'll add up over time and it's, less effort than trying to get the perfect one. So, you know, it's the difference between fishing and whaling, right? If, you have a specific target you need to get, you know, if you have to get the person that you know is, crafty and is experienced, then you're not gonna get them with the easy one. But for most it's just hey, just throw it out there and see what happens.

Email is basically free, right? So you can just send them to the world. You know, you mentioned that like 90 some odd percent of, all cyber attacks, you know, involve social engineering and that's because phishing and business email compromise are still the top attacks out there and it's 'cause you can still send 'em for free, you know, have to put a postage stamp on an email and so you can send out millions of these things and just wait and there's a percentage.

Yeah. And negative AI do it.

Chris Birch: Oh yeah. And AI, you know, AI is lowering the bar. we've, I've had numerous conversations around AI and what does that mean to social engineering? [00:34:00] And I always take it back to, you know, let's jump into the DeLorean and go back in time. I take it back to when scripts, you know, like Metasploit, things like that were written when you started having script kiddies, the birth of the script kiddies, sorry, script kiddies.

the level of entry, the bar of entry to get into hacking was lowered. It was easier to get into and be a quote unquote technical hacker. And, you know, doing exploitation with software because you had pl you had tools. People started doing software as a service. People started creating tools and passing those tools around.

And that lowered the bar. Your talent mattered less than what tools you had access to, what communities you're tied into. And the same thing applies to social engineering. You know, the, the Frank Caliendos or whatever, who could do all the voices, that was the OG deep fake, that's how I wanna pretend to be somebody else.

I gotta do voices or I have to hope they don't know them and do some other trade craft. but today you can literally take our image on this podcast right now, our voice on this podcast right now and come up with whatever you wanna come up with. And that's where we're headed. So the bar [00:35:00] is being lowered, and so the social threat scape is going to get worse and worse and worse.

And, unfortunately, I think that. The road we're on, and this is my opinion, and you what to say about opinions, the road we're on that road ends with 100% effectiveness in the deepfake, 0% effectiveness on the defense. And we're gonna have to rely on process and policy to protect ourselves from deepfake.

We do not have CEOs calling and making, requesting transfers to random people. There's gonna be an internal process for that. You will have policies around what's authentication look like. Recognition cannot equal authentication. But the sad truth is every industry in the world make it easier for your customers and clients.

Make it easier for people to authenticate. Let's use voice and that's gonna be fine until one day it's not.

AJ Nash: No, you're right. I mean it, and I've talked forever now ad nauseum about a post-truth world that I think we're, heading towards just, you know, very, very rapidly. And AI is a good example. We're already at a point, you know, where it's like, well, was this story true? Wasn't it true? You know, the audio may not be anymore.

The video [00:36:00] may not be. I mean, we're past the point of just regular old phishing emails. I mean, I've seen scams, and I'm sure you have too, where people get on Zoom calls and there's 80 people on the Zoom call and they're all fake. You're, the target. Everybody else in that call is fake. It's all AI generated.

But I mean, who's gonna, who's not gonna fall for that? If you get into some kind of a meeting and everybody's there, there's dozens of people and they're all interacting and they're all looking pretty realistic. You're the only one who's not, you know, who doesn't realize it, right? You're the target. Yeah.

You're done for, probably, and that's, that technology's readily available. It's inexpensive. So it is gonna, like you said, it's gonna come down to process, you know, talking about business email compromise all the time. It's a really stupid, simple scam, frankly. somebody pressures you to do something.

Hey, I, get ahold of the payroll department and I say I'm a whatever and I need you to, you know, push money right away. And you push back a little bit. Well, this isn't the process. And that guy gets more and more aggressive and, at some point, the person who's in charge of making the decision on whether money goes, has to decide what's more dangerous for my career, standing up to a C level, who's telling me they're gonna fire me if I don't do what they tell me to do immediately, or potentially creating a [00:37:00] fraudulent transfer of money, they're probably gonna move the money because they have more fear.

I tell people all the time that the solution for business email compromise is a culture. Be able to stand up to senior leadership without fear of losing your job. And b, something as simple as a rotating daily password, which any dope can create and it could, or pass phrase or whatever it is. That's gonna knock out a vast majority of these.

Not all of them, but almost all of them. Just simple as that. I don't care what rank you are or position you are, sir. Ma'am, what's the password of the day? That's it. I mean, it's gonna vet them, period. And, know that you cannot be fired for asking that challenge question. The C-level or whoever it is.

Nobody has the authority to hold it against you. And as long as that's a policy, most of this business email compromise would just disappear. Now, I don't care how much the bad guy screams and yells and gets more and more angry and more and more threatening, the truth is they're not the C-level. They're not actually capable of doing these things.

They'll eventually give up and move on because they can't get past that. And it's a very simple barrier that most companies just don't have.

Chris Birch: I mean, you said the word fear. Right. You know, we, I, we talked about earlier, in the show, fear, [00:38:00] drives a lot of these, we'll call 'em 

AJ Nash: Mm-hmm. 

Chris Birch: and going to your point about passwords, I mean, you don't, I mean, that, that's pretty, that's a pretty sophisticated answer, you know, like it, but almost every business has teams or Skype or Messenger or some kind of internal communication tool.

Bing. Hey AJ, are you trying to make me transfer a quarter million dollars out of our account? I don't think that, Unspoken Security should be doing that. Oh, you, it really is you. Oh, apologies, sir. I'll get right on it. I mean, it, that shouldn't be a fearful moment. But in, in too many businesses, too many companies around the world, that is a fearful moment.

How dare I, and this goes back to high power distance, low power distance. You know, it doesn't scare me to, ping the, boss. But there are people, it terrifies,

AJ Nash: Oh, yeah. Yeah. And I think we're getting worse at that in our culture. Even like it's the, the more American culture has been like, Hey, I'll reach out to whomever. But I think we're actually seeing in, in my lifetime, I've seen a shift. I think people are less empowered, for a lot of cultural changes we've seen to do that.

Right. I think it's, more. Frightening than it used to be, to run something up the chain. And, I think it's gonna get worse as it [00:39:00] does. I think we're gonna see more of these kind of events actually work, because again, what's more scary? You know, risking standing up to the boss or just sending some money someplace.

Well, the money went away. Everybody gets compromised at some point happens. Companies don't seem to care as much anymore. Well just raise the prices on customers, whatever. so you're less likely to have a problem if you end up sending money someplace. I think we have to reverse that trend. I think people have to have, you know, an avenue of approach where they're a hundred percent protected, because it's in the best interest of the company, to work that way.

And if they do, then this really is not a complicated thing. You know, we have all sorts of, 2FA right? Any sort of, two factor authentication code that rotates could, solve that problem. And you just have to be locked in on it and say, this is it. You cannot move money without doing this, thing.

And then somebody has to compromise that. It's a lot harder process.

Chris Birch: Well, yeah. and that goes into social engineering 101. Right. You know, when you think about controls, there is no, I mean, this, the best control is, a healthy dose of skin, of cynicism. But a little paranoia is like, you know, salt and pepper, salt, paranoia, [00:40:00] cynicism to salt and pepper for social engineering.

But, every control, every speed bump you add complicates the calculus for the social engineer. I have to defeat. I get, I need an identity, then I need to win the rapport, step. Then I've gotta know what I'm going after. You know, like, I mean, I've seen case studies of social engineers.

It was like dogs chasing cars. Right. You know, I'm gonna quote that scene from Batman. I, what, when the Joker said I wouldn't have, I wouldn't know what to do if I caught it

AJ Nash: right.

Chris Birch: Bad, guys who got in. They're like, okay, now what? I don't know how to play the piano. I'm in front of a piano. What do I do now?

Because they didn't, if they knew how to, they knew what to do, there would've been real damage. But as it was just, an uneventful penetration, great. Dodging a bullet. 

AJ Nash: Yeah. So I, I wanna jump in, real quick because I, gotta move on to another question in a minute. But before we do, I sidetracked you a little bit when we're talking about, you know, how you Yeah. A lot, right? That's what we do, but how, you actually [00:41:00] apply this to bad guys, right? So, again, we're dealing with the bad guys.

you've talked about, the fear and the greed and, they're still humans. They're like everybody else. They have the same, you know, weaknesses, but, you know, what are you actually doing, right? You're reaching out. Are you, you're getting, you're letting them come to you and then you're turning it around.

Talk a little bit about that and, like how you're, actually targeting bad guys with this stuff.

Chris Birch: So that's why I said earlier is a little bit of luck, right? how do I get, how do I get in their way? How do I find myself connected to the bad guy? And you know, those scenarios. Or, there's a variety of ways, right. but ignoring the luck aspect of it, ignoring that, so let we, I'll go, we'll lean on business email compromise 'cause you just talked about, right?

So when a business email compromise message comes in, assuming it's a financial industry, it could be somewhat, but largely as, as largely as a financial industry. You, they, ping into the bank, you know, Hey, you know, AJ Bank, I wanna make a transaction.

Right? and and you recognize it. It's, BEC. You recognize it for what it is. Maybe it's a look like to me, maybe the language doesn't make sense. Maybe there's some, something about it threw [00:42:00] you off.

AJ Nash: Hmm.

Chris Birch: You know? So you refer that to your security team. The conventional response is what you notify the client.

You don't do anything. You shut it down, move on, forget about it.

AJ Nash: Mm-hmm.

Chris Birch: That's fine. That's a conventional response. That's how grandpa did it. That's how dad did it. You know, that's a Tony Stark thing. That's how, that's the way it's been done, you know? Well, what I would suggest as an alternative would be play along.

AJ Nash: Hmm.

Chris Birch: Let's see where it goes. Of course we'll make that happen for you. What would you like to do today? How can I help you? And they start telling you what they want. I wanna do this. Now you have to, I mean, obviously, you know the, financial industry has a lot of privacy rules. You have to protect your people.

You gotta protect your clients. You gotta protect your customers. You can't share data. Don't give them anything to quote kingly and iis. Take, everything. Give them nothing, you know? but let them play. Let them play along. And you know, well, why don't you use, why don't you just automate this? If you do it for real, you can have human contact.

You can report. [00:43:00] So I see that you're from California. How's the weather out there today? Oh, it's great. And you can collect information while you're talking. You can elicit from them while you're talking, while they think they're winning, while their greed is driving the train. You can collect against them.

What's on the television of the background? Do I hear other people? Is it a call center? Oh my goodness. The call center fraudsters, we bust them so fast. 'cause you hear 15 conversations in the background. All very similar.

AJ Nash: Mm-hmm.

Chris Birch: Or it could be a regional thing. The TV is, you know, one language, but the guy is speaking perfect English.

Okay. Okay. That's notable, right? So you just play through them. You play along with them, you elicit from them, and you have to bury your ego. That's probably one of the biggest points of this. You have to bury the ego because they have to think they win. It's like playing, it's like playing kickball with a 3-year-old.

They, of course, they're gonna win.

AJ Nash: No, I'm gonna make that three-year-old pay, believe me, I'm not letting them win, but

Chris Birch: go all Adam

AJ Nash: they're gonna catch a ball right in the skull. Yeah. I'm not playing kickball with three-year-olds. I'm winning those. [00:44:00] But, I hear what you're saying. Like, I do this in my private life. Like, I get calls once, you know, you get 'em right.

the border patrol, we've, you know, we've seized a package of yours and you're in a lot of trouble. Oh, no, really? I mean, I've, I, if I have time, like sometimes I just hang up on people, but if I have the time, I'm notorious for it. People will be in the car with me and I'll, play the whole game. I'll run it down and, oh no, this is really scary.

And what do I need to do? And, 'cause I want to catch out what the scam is. Right. Whether it's the, border patrol with the fake package of, you know, whatever they

Chris Birch: Go buy some iTunes card to pay your fines.

AJ Nash: Exactly. You know, the IRS scams that come up every year, you know, we're gonna send the police to your house if you don't send me, you know, whatever it is.

It's always like crypto or some, you know, like I said, prepaid cards. I don't think the IRS works on those. but I'll do it if I have time. 'cause it's fun. Or the, the old scam where it's like, oh, we've, scanned your computer and there's a virus and we need you to get on it. that's a lot of fun.

And you gotta go, okay, I can't understand. You act like some old person who doesn't understand computers. You're like, I don't, where's the start button again? And you run around in circles and then finally it's like, oh no, I have an, Apple. I think I, oh, and then they gotta go get a different person and then they get in.

You're like, oh no, I'm pretty sure I have Microsoft. I don't really know. I couldn't figure out how to turn it on. It's my nephew's computer, like, all this stuff. And you [00:45:00] just run 'em in circles. So they get mad and then they curse at you. and then, and they, then it's games up. they get frustrated eventually.

Chris Birch: We have a joke internally that,you've not done your job until you've been cussed out. 'cause then, then you know you've created an emotional moment. Excuse me, but that's part of the long-term play, you know? But along the way, you are gathering data points, right? So put your intelligence collection hat on.

We're gonna do some intelligence collection analysis here. You know, I'm getting data points. I'm grabbing puzzle pieces from the bad guy in real time. I'm gathering this information and I can take that information and feed it into an analytic process. And we can do a couple things. One, improve our detection response capabilities.

Two further attribution. Try to see if we can figure who it is. And I think three, create some kind of mapping of whatever infrastructure they're using as part of their fraud scheme. Now, you take number three in any company worth their salt, and you can start executing take downs, taking away email address, taking away phone numbers, shutting down, call centers, you know, whatever.

Feeding that stuff. You know, not only doing that in, on your own, but sharing that with whatever governmental body that required, FCC, FTC, whoever, you know, and [00:46:00] start having an impact. So going back to what I said earlier about time is money. They have to retool, rebuild, re-engineer, do all this stuff over again.

And somebody just went, oh, come on, that's too easy. Well, time is money, you know? Yes, it's not costing them dollars, but it's time is money. They might rather play World of Warcraft. They might rather play video games. They might rather go drink vodka. They might rather be out at the dance club, or they might be under intense pressure by somebody who's old and doesn't understand technology and wants the crime to happen right now.

AJ Nash: Mm-hmm.

Chris Birch: You know, why are you taking so long to get this done? What is wrong with you? Why is this failing? And then now you're creating these emotional moments where the bad guys have to make real decisions about how are they gonna continue. They might choose not to mess with your bank anymore, or your company or whatever.

Whatever the scenario is, they might go somewhere else because it's just not, the juice isn't worth the squeeze.

AJ Nash: Yeah, you're making it difficult.

Chris Birch: the strategic output,

AJ Nash: Yeah, no, that's a good point. I had a, I, you mentioned the cursing. I had a Russian scammer curse me out. It was a couple years ago now. He asked, you know, he calls up and I don't remember what his scam was gonna be, but it was somehow about, I think it was an Amazon scammer or [00:47:00] something.

I don't remember, do you know anybody in Moscow? And I was like, yeah, I do. He's like, no you don't. I said, yeah, I do. My uncle, you know, li whatever I said my uncle Boris is. He's like, no, why you lied to me. And I had just, funny thing is I'd just been to Moscow not that long ago, prior. But, so I started talking a little bit about having been there or whatever, and the guy got very frustrated.

He is like, why you bullshit to me? You bullshit the bullshit there her. Alright, you'll know it's scam. I know it's scam. Just gimme Amazon card. I was like, what is that? How this works? What I won,

Chris Birch: a settlement.

AJ Nash: I won. And you're just like, no, give me money. That's not how it works. You lost, that's it. You got beaten, like, go away.

And he was like, ah, you know, he said some choice words and, went about his business. and it was like the most fun I had all day and it just showed up. It was a Saturday morning and the guy bothered me. I was like, all right, let's have some fun with him. so listen, I know we gotta, keep this moving along.

So we talked a bit about like how you get inside with these guys and, how you turn things around and, the reasoning obviously is so you can better understand the scams and, whether it's tracking them down. You, talked a little bit about being able to do that and understand, what country they're from or, getting their infrastructure and architecture [00:48:00] or just be able to better report to other people that this is what the scam looks like so they can prepare.

I mean, it leads to the obvious question, which is with all that experience, what do you think companies should be doing that they're not doing or should be doing better to protect against social engineering and, what is the average person gonna be able to do to avoid becoming a victim of these things?

Chris Birch: Well, you know, going back to what I said earlier, a healthy dose of, cynicism and paranoia. Right? You know, that, that's obviously good advice. if continue to critically think as you're going through the thing, going through the process. I mean, you mentioned yourself. IRS doesn't, you don't pay taxes with Apple iTunes cards.

AJ Nash: No. No.

Chris Birch: the, sheriff's department isn't going to put you in jail unless you pay them with some Lowe's gift cards. there are things that just that break, break the illusion. You know, it's, inception, right? Look for the thing to break the illusion. Ask questions. If it's the actual police, they'll send somebody to you.

A cop car will show up to validate who they are. You can call them back. I think that's, and this, and we're talking about victims, if you're unsure, say, all right, well, you know, where do you say you're from? You say, you're from the Hard Rock Cafe. Let me call you right back [00:49:00] and then call them back.

You know, and you'd be surprised how that will unravel these, social engineering attacks. But from an industry perspective, from like a business perspective, I think it comes down to education and awareness. And I break those into two different fields because everybody has education.

Yearly, yearly, yearly training modules, yearly seminars, whatever the case is. Education's great, but education lasts about two days. You took the, thing, you took the course, you took the test. Two days later, you've moved over your life and you're done with it.

Awareness is, I think awareness is as important, if not more important than education, because it's about letting your attack service know what it looks like. You know, quite literally, if you think about. You know, going back into the Wild West and the old wanted posters where they put those in banks and, post offices, because that's where robberies took place. Oh, this guy looks like the guy on the poster. He does bank robberies. Huh? I should probably,

AJ Nash: bank right now. that's a bad sign for us.

Chris Birch: that's probably an indicator, right? You know, [00:50:00] and cybersecurity, everyone look, everyone listening, cybersecurity, we love our indicators, right? And, every malware team, every, every, DDoS defender, constantly sharing indicators.

These IPs are bad. this is a bad URL, you know, we're always sharing indicators. Why don't we share indicators for social engineering? Why do we have call centers? Not told, Hey, you're gonna get called by a guy named Bob. He's gonna claim to be this person from this company. that's the scams we're seeing.

Why aren't we sharing that data or these numbers or these, I shouldn't say accidents. That's, actually an error. But identify the trade craft, the pretexts and the things that are happening. Look at the, analyze it. Have your security teams, analyze it, get the indicators and blast those out to your attack surface.

And for those who don't know what I mean by that, where the bad guy's gonna come, if you're a Fortune 500 company with an international call center, it's the international call center. If you're a smaller company with an 800 number, probably the 800 number, look for your attack surface and make sure those people [00:51:00] know what the attacks look like.

That's, I mean, if, I were a CEO of anything, that's, that probably is where I would go with that is ed strong education and then awareness, what's going on in the world. Awareness. You know, I remember when I did terrorism work. We had a calendar, every single thing of note that ever happened in the history of ever was on that stupid calendar.

And those would often lead us to, oh, this terrorist cell's gonna do this because of this thing that happened 300 years ago.

AJ Nash: yep. The anniversary of whatever is gonna

Chris Birch: anniversary of a guy stabbing his toe. They're gonna attack today because they're gonna honor that. But it's about understanding what the threat scape actually looks like, and then maintaining awareness of what the threat scape looks like, and then giving guys actual, timely data they can use to do something with it.

I think, when we were talking earlier, much, much earlier, it's like, if, the bad guy looks like Big Bird and Big Bird shows up, know the bad guy's here. So go with that, and, take steps. It takes steps to, make sure that people know that it shouldn't be.

Like, you know, hey, aj, weirdest thing happen today. Big Bird came in [00:52:00] to the office, withdrew $17 million and left. It was crazy. And then later I found it was fraud. And you're like, oh, but I knew Big Bird was a fraud, sir. All along. I should have told you that's a failure.

AJ Nash: Well, yeah, that's an intel failure, right? We talk about that. Intel failures aren't always about the lack of knowledge, it's about the lack of dis distribution of that knowledge. You know, small group of people that have this knowledge and they hoard it either because you know, they don't understand how to get it out, or you have bad systems in place, or some people are like, well, it's not perfect intel.

We're not sure, we don't wanna be scared, or whatever. Or somebody just like to hoard, you know, knowledge. And then, yeah, as a result you find out afterwards like, oh, we could have prevented this if somebody had told somebody else, but we didn't, we, were afraid to, or we were discouraged to do it, or we didn't know who to tell 'cause we have our system's in place, or whatever it might be.

And then after the fact you go, geez, if we'd only done the thing we were supposed to, we spent all this money and this time and this energy gathering, this intelligence, but we didn't get it to the people who actually needed it. Well, lesson learned, I guess we'll make that mistake less in the future, but meanwhile, you know, something happened that was preventable.

you know, and, it happens all the time, unfortunately. I what happens to the government space too, [00:53:00] but I think I wanna hit on one point though. You, mentioned there machine awareness and training, right? And, listen, like you said, everybody has annual training and most of it's just junk.

And it's no offense to the training companies, it's not your fault necessarily, it's the people. Right. I have four screens in front of me right now. At all times, if I do annual training, it's gonna be on a screen over there. I'm not paying any attention to, I'm gonna hear it in my ear and then when I stop hearing things, I'm gonna reach up and click the next button.

I'm never gonna pay attention to it. And then I'm gonna keep clicking buttons until I get to the end. I'm gonna take the test I'm gonna pass because I've done the same thing for years and years. And you could argue, well, it's 'cause he's an expert. He could pass. That means he has the knowledge maybe. But I'm also not paying attention or thinking about it.

Right. What it should be is that awareness component, which is a cultural thing. Stop doing annual testing, just get rid of it. It's garbage. I mean, I, it's a check the box thing that somebody had to do for some regulator somewhere, but it's, useless. It should be ongoing all the time. Don't do annual training, do constant training, you know, phishing, whether it's phishing training, whether it's, you know, lunch and learns, whatever it might be, something you can document, but it should be all year long and it shouldn't be [00:54:00] a stick.

It needs to be more of a carrot, right? Hey, if you didn't do well in the training, how do we get you more training so you can do better? How do we encourage you to improve? I've talked to people about gamifying training. Hey, let's put teams against teams and be like, Hey, you know, the sales team's gonna be up against the marketing team and let's see who, you know, can root out the most phishing attempts this month, or whatever the hell, the things you're gamifying, but make it fun.

Make it interesting, make the, make it an experience so that people have that, constant, you know, paranoia, you talked about, a little bit of skepticism and paranoia there, that they look for these things, but it's fun. And if it turns out I was wrong and I challenged somebody and it wasn't fake, okay, now I'm really on my toes.

Chris Birch: I think, having a strong sense of, 'cause I mean I wholeheartedly agree about culture shift, the culture and everything changes. 'cause everybody becomes a sensor. Everybody becomes part of your security apparatus, you know? but I think a strong sense of, so what, does it matter, right?

You know, what does it matter? If I click this link, what does it matter If I put this USB, what, does it matter? What does it matter? And getting people to understand why it matters. 'cause everyone's in their little silo. Everyone's in their little workspace, right? [00:55:00] I work at the front desk, I work in the server room, I work here, I work there, I work everywhere. They all have different perspectives of what's important. what's their world changer? Like a server room guy. If the fire, if the sprinklers go off by accident, that's bad. Right? So that might be what they worry about, right? But the threat applies to everybody. You know, the, these see threats. If I want a social engineering to plugging USB drive in for some reason, you know, it could be a Saudi Aramco scenario, 75% or whatever the report it was, I think it was like 700% of their network was destroyed.

Not compromised, destroyed. Literally, if I remember the data right, the cost of hard drives around the world went up a certain percentage because they had to purchase new

AJ Nash: Mm-hmm.

Chris Birch: a global market change because of the amount of devastation from a single USB drive that went into a single computer on their network.

That is a significant impact. If you took a, I don't know, pick a company, Apple, Microsoft, whatever, grab any company in the US, hit 'em with 70% of their network destruction. The [00:56:00] losses are catastrophic.

AJ Nash: Yeah, the stock market would crash. I mean, you're talking about companies that are in the Fortune 500, that are in the Dow Jones. The stock market would crash, and the interoperability, the connectivity between companies, if you take one of these high-tech companies, it's not just them.

You know, if Microsoft goes down, everybody who's got Microsoft has a problem. That's most of the market, right? The computer I'm on right now runs Microsoft. Right? You know, it's not just Microsoft that goes down, and we've all moved to, like, you know, online versions, you know, 365, as opposed to having, you know, hardware and software on our computers necessarily.

If Google goes down, everybody's got, you know, Gmail and G Drives, and all these things go down. Like, it's catastrophic failure, economic disaster, if something like that happens.

Chris Birch: But you know, so I think, when you're thinking about it, 'cause when you think about, like, networks and network security, we tend to focus on the hardware. Well, hardware is easy, it's predictable. It patches well, it either works or it doesn't. Humans are messy.

AJ Nash: Yeah.

Chris Birch: don't patch well.

They don't. Even when you do patch 'em, they forget it. Sometimes they lose their patch. You know, I've never seen a server [00:57:00] unload his own patch.

AJ Nash: Yeah.

Chris Birch: Thanks for that upgrade. I'm good, Bob.

AJ Nash: I'm gonna, I'm gonna opt out of that upgrade and just do my own thing.

Chris Birch: You know, I

AJ Nash: Like, eh.

Chris Birch: I was patched. I went to Mexico for two weeks. I came back. I'm no longer patched,

AJ Nash: That's exactly,

where I was patching. I had one too many beers tonight and I'm unpatched. Like, it doesn't take much for somebody to lose their human version of a patching system, right? And they're just, you know, their inhibitions drop and they make bad choices.

Chris Birch: I mean,

AJ Nash: So it's constant with us.

Chris Birch: Humans are easy to hack, hard to patch.

AJ Nash: A true story. Yeah. The wetware, man. We just talk about hardware, software, and wetware. You know, people are the wetware, and it's incredibly complicated, which is why it has to be that culture. It has to be ongoing and not in a hostile way. You want people to see security as a teammate and a partner, not an adversary that you have to try to trick and outrun, which is the other thing people wanna do: they get tired of security.

They just wanna trick them. They slow us down, they scare us, they're the cops, whatever. And then you've got a relationship that's really difficult, as opposed to, no, I'm here to make things better for everybody, and let's work together and have some fun doing it. And if you're not picking it up, then let's find you a better way.

If somebody [00:58:00] fails a security test, it's my fault, not theirs. Like, we gotta do a better job at training them. And if they fail all of the tests over and over again, at some point it's their fault. Like, some people just can't get it, and we will find 'em something else to do with their time. But a lot of organizations turn it all on the user and make it the user's fault immediately and just hammer the user.

It's like you haven't trained them on anything. You haven't given them a chance to succeed. You've made them the problem because you're too lazy to solve it and make it a constant solution, and you just find a scapegoat to move on, which is really sad in my opinion. So listen, I know we gotta wrap up.

We're kind of short on time at this point 'cause we're friends, so we talk too much. I wanna get to the closing question, though. So everybody knows the name of the show's Unspoken Security, and with that in mind, everybody gets stuck with the same question at the end. You don't get an out on this one.

So the question is, tell me something you've never told anyone before. Something that has gone unspoken,

Chris Birch: I will, but there's one thing I wanna get in first. 

AJ Nash: Oh

Chris Birch: The last thing for the last

AJ Nash: Sure. Yeah, go ahead.

Chris Birch: Evolution. You must evolve. The threat scape is always changing. You have to change with it. You know, if you wrote a training [00:59:00] module 10 years ago and you're like, it's good, you're going into battle on a horse with armor and a sword.

The world has changed. You gotta change with it. So defenders, security teachers, practitioners, all those guys who build these courses: evolve, make sure your content stays up to date. That, and then I'll move on to the question. Things that I don't talk about. Well, as we've established, I am egotistical, or at least I was.

AJ Nash: You were at some point. You seem to have mellowed a bit. Yeah.

Chris Birch: You know, getting old does that. And I've been all over the world. I've been in combat in bad places. I've been to all the bad places. And I'm only afraid of two things, I think, one of which is reasonable to be afraid of. I'm gonna keep that one. But the other one is, I get, oh, it's so bad.

And whenever I even find out about it, I get so much heat about it.

AJ Nash: Now the whole world's gonna know, well, the nine people that watch this show are gonna know at least

Chris Birch: Centipedes.

AJ Nash: Centipedes.

Chris Birch: I am terrified of centipedes. And it's like, oh yeah, the giant ones in the jungles, like Vietnam, Thailand, [01:00:00] those, that's a nightmare. I would die. I would just die. You know? That would be, oh, I'm gone, just out. No, I mean, like, all of them. And I don't even know why I'm so afraid of them. It's like they got too many legs, that's a fail. There's too many legs, not enough shoes for you. You know, they bite.

AJ Nash: They do. Yeah.

Chris Birch: I don't know, that's bothersome, you know?

And I know that it's a real fear because when I see one, I shriek. It's not like I'm uncomfortable, right? Like, oh, I don't really like spiders, so I don't really wanna hold your tarantula, but it's cool. No, it's not like that. Like, uncomfortable is different. This is like, ah, okay. I've composed myself. I am manifesting, through sheer willpower, the ability to stay here, but I am not happy. I want to flee, you know? And I was on deployment to Colombia

AJ Nash: Oh, I bet they have some there.

Chris Birch: I shrieked. Every time we go to these certain places, there'd be centipedes on the sidewalk. I'm like, you have to go first and clean the sidewalk.

Why? Because [01:01:00] centipedes, I can't help it. I was on vacation in Mexico doing some kind of trail hike, and there was a guy in the middle of the trail. I shrieked, went the other way, had to wait for my ex-wife to go clear the trail. Now, mind you, I would attack a bear. I would fight a bear.

AJ Nash: Oh yeah. You're one of those people who actually thinks he could win a fight against a bear too.

Chris Birch: Black bear, not brown or white.

AJ Nash: Black bear, maybe. Yeah. Yeah. Black bears are just a little bit, they're trash pandas, basically, but yeah. Don't go after the brown ones.

Chris Birch: That's what they say. Black bear: if it's black, fight back. If it's brown, lay down. If it's white, you're already dead. So there's no reason to rhyme.

AJ Nash: That's true. No, that's a good point. Yeah. Fair point.

So I'm curious now, listen, and for those who don't know, Chris said it, like, Chris has been in combat, like he has done scary things. Are you also afraid of millipedes or just centipedes?

Chris Birch: Millipedes, to a much, much lesser degree.

AJ Nash: Even though they have more legs?

Chris Birch: Even though they have more legs. But they're like a giant pill bug that's been stretched out. So they're not so bad, they're not as bad. You can almost, like, put, you know, googly eyes on their little forehead and now they're cute.

Right? You can't do it with a centipede. They got these little [01:02:00] red antennae and it's just nothing. There's nothing good about a centipede. I mean, before the bug people get after me, I know they do

AJ Nash: There's probably something good about centipedes. I have no idea what it would be, but

Chris Birch: They eat spiders, they eat brown recluses. Like, centipedes are actually supposed to be really good for the environment, they eat pests, but ah, they just need a better PR campaign.

AJ Nash: So centipedes, you're desperately afraid of centipedes. So listen, I'm gonna push this 'cause you hinted at it, so you're not stuck. What was the other one? Because you had two fears. You said you were okay with the other one, but now I'm gonna make you sit and tell us both of 'em, actually.

Chris Birch: All right. That's fair. That's fair. That's all right. You know, I have a weird fear of aliens.

AJ Nash: And that's the one you think is rational? 'Cause you said you thought one was rational, you were gonna stick with, and

Chris Birch: Lemme tell you why. Lemme tell you why. I think it's rational. The centipede. I know what it is. I know there are very few that can actually hurt me.

AJ Nash: True. Yeah.

Chris Birch: Like the one as long as your arm.

Yeah, that's a no-go. But the average centipede is not gonna hurt you. I can win that fight, 10 outta 10, crush, stomp, twist.

AJ Nash: Yes. I feel 

Chris Birch: Easy mode, you know? And they're not actively out to get you, right? You know, we know what their [01:03:00] motivations are. Eat, sleep.

AJ Nash: Mm-hmm. Mm-hmm. Mm-hmm. Mm-hmm.

Chris Birch: I have no basis for aliens.

AJ Nash: Hmm.

Chris Birch: None. What do they want? What do they want? What are they after?

AJ Nash: You don't have a host steady on them. We don't know their culture. We don't know their motivations. We know the Maslow's for aliens.

Chris Birch: How would it even open the rapport step?

AJ Nash: That's true. Yeah. How do you even start, right? How do you social engineer the aliens? I don't know what they're interested in.

Chris Birch: Right? I mean, you know,

AJ Nash: Which hole is the ear, where's the mouth on this one? Like,

Chris Birch: Is it probing? What are they into?

AJ Nash: I mean, it's a fair point. It's hard to get started, right? You don't know what they care about. Are they coming in peace? Do they want to eat us? There's a lot in between those things. So, I mean, I can see that. Like, I get it. I mean, I get it to a point.

Chris Birch: That's why I think it's justified, because there are so many unknowns. It's easy to not be comfortable with that. Like, I met a true linguist once. Like, he was a naval officer, true linguist. And I said, what does that mean? I said, what language? He goes, I speak all the languages.

That's baloney. That's not true. He goes, oh. He goes, I [01:04:00] literally can sit down, and it, this just blew my mind. I can sit down and, with exposure, I can learn the language. So he could learn a language in a couple

AJ Nash: So he is an alien.

Chris Birch: He's definitely an.

AJ Nash: This guy's definitely not human.

Chris Birch: But his final explanation to me, 'cause I was like, I don't get it.

I don't get it. Maybe I'm being stupid. I don't know, maybe dense. He goes, look, Chris, if aliens landed on the White House lawn tomorrow, people like me would sit there and listen to them and try to figure out their language. They're the type of people who created the DLAB,

AJ Nash: Interesting.

Chris Birch: they would be able to figure that out.

And I think, in that movie, was it Contact, with Lois Lane and Hawkeye?

AJ Nash: Well, considering you just had the Superman and M*A*S*H mixed in with it, I don't know what you're talking about, but,

Chris Birch: There? It was a film with the actress who played Lois Lane in the Henry Cavill Superman, and the actress who played Hawkeye. And the aliens came and they were trying to, and they were squid-like. Anyway, there were true linguists in that. She, her character, played a true linguist.

AJ Nash: Huh. Well, that's interesting. I had not heard of a true linguist before. And, for those who don't know, Chris and I were both linguists. That's how we [01:05:00] met in the Air Force. I was a very bad linguist, but we were, anyway. Alright, so centipedes, you're definitely afraid of, and that's completely irrational.

I agree. Aliens you're afraid of. Yeah. It could be more rational. Makes sense. At least it's an unknown, and

Chris Birch: Centipedes have never kidnapped anybody. Just leave it at that.

AJ Nash: Not to my knowledge. They haven't been beaming anybody up or probing anybody or anything of the sort. You know, aliens perhaps, we're not sure.

I mean, there's lots of evidence now that aliens seem to exist. At least, we just don't know what they want. So I can see why there'd be a fear of that. Yeah, I can see that. So, alright, listen, I'm gonna wrap it up here. This has been a really fun episode. I figured it would be. You know, it's nice to catch up, man.

And so we got a chance to talk about social engineering and how you actually social engineer with the bad guys, and that's a really interesting thing. Are there any last words? You already screwed it up 'cause you did it. You interrupted your own exit with your last words, but do you have any other last words you want to add to this before we close it out?

Chris Birch: Like, subscribe.

AJ Nash: Ah, see, I love that one. This is my guy. Welcome to marketing. So yeah, Chris is right. Listen, if you like the show, please give [01:06:00] feedback, subscribe, tell your friends and neighbors, spread it around. I'd like to get the audience continuing to grow so we can have more people on this.

It's still ad-free right now because I can, but eventually I may have to start putting ads on if I have to start paying for this thing. But I appreciate it. And if you don't like the show, shut up, go to something else. It's free. You know, I don't care that much. No, I do care.

If you got ideas for making it better, obviously let me know. Email me at AJ@unspokensecurity or leave notes wherever the hell you're downloading this and listening to it. But I appreciate you taking the time to come in and listen and hear Chris and I talk about these things, and we're gonna have more good guests in the future.

So, until next time, this is AJ Nash, and I'm just gonna shut it down here for Unspoken Security.

Chris Birch: Thanks for having me.

AJ Nash: Thanks, man.