DISCARDED: Tales From the Threat Research Trenches
DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about the threat behaviors and attack patterns. Each episode you’ll hear real world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.
Welcome to DISCARDED
DISCARDED: Tales From the Threat Research Trenches
Diving Into the DBIR: Vulnerabilities, AI, and Supply Chain
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Hello to all our Cyber Pals!
Host Selena Larson is joined by guest host Sarah Sabotka as they chat with returning guest: Alex Pinto, Associate Director of Threat Intelligence at Verizon Business, and the architect behind the Verizon Data Breach Investigations Report.
Alex joins hosts Selena Larson and Sarah Sabatka to break down the most important findings from this year's report — and there's a lot to unpack.
From vulnerabilities overtaking credential abuse as the leading initial access vector, to the sobering reality that organizations are patching more but getting worse outcomes, this year's DBIR paints a complex picture of a threat landscape under pressure. The team also digs into the rise of pretexting and voice-based social engineering, what the data actually says about GenAI and threat actors (spoiler: mostly reinventing the wheel — for now), and why third-party and supply chain compromises are quietly becoming one of the biggest stories in security.
They discuss:
- The VERIS framework and why standardization in threat intelligence matters
- Ransomware taxonomy, data extortion, and why classification is still a headache
- Pretexting vs. phishing — and why they require completely different defenses
- Vulnerability exploitation as the new number one initial access vector
- Patching capacity and why outcomes are getting worse despite more effort
- What the DBIR data actually shows about GenAI usage by threat actors
- Third-party and supply chain breaches — up 60% year over year
- Shadow AI and the emerging DLP problem no one's fully ready for
- A sneak peek at Verizon's upcoming cost-of-a-data-breach report
The DBIR drops once a year — make sure you're getting the most out of it with this breakdown straight from the source, all 121 nutritious, fiber-rich pages of it.
Resources Mentioned:
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Stay ahead of emerging threats, and subscribe! Happy hunting!
You're listening to Discarded Tales from the Threat Research Trenches, a podcast by ProofPoint with security practitioners. Each episode you'll hear from security researchers, malware analysts, threat hunters, and more as we dive into what's going on in the world of cyber attacks and how defenders safeguard us from threats. Let's get into the show. Hello to all our cyber pals, and welcome to the Proofpoint Discarded Podcast. I'm your host, Selena Larson, here with my co-host, Sarah Sabotka. And today we are joined by a very special guest, which I feel like we can officially call this our annual tradition. I agree. The very special guest, chief architect, chief magician, the man behind the curtain of the Verizon Data Breach Investigations Report, the Associate Director of Threat Intelligence for Verizon Business, which is his official title, but I still think Magician is better. Alex Pinto, welcome to the discarded podcast.
SPEAKER_02Thanks for having me, folks. I don't know, man. I I wish I could fit all these titles in my card. I mean, I don't have any, I don't even have a card anymore. Who does have a card? But uh anyway.
SPEAKER_00Well, welcome, welcome. We're so excited to talk through what has really become the industry's most important report, looking at all of the insights over the last year uh put together by the Verizon team in partnership with a lot of different uh cybersecurity organizations as well as industry partners. Yeah, the BZDBIR is is there, is it how do you we talked about this last year? Is it Debur? Is that the He said don't call it Debur.
SPEAKER_02Absolutely not Debur. Absolutely not Debur. I know that we've known each other that we've known each other for long enough that I can just straight up, you know, tell you that. And please do not do that. But it's very often that I go into podcasts like this and I have to endure the Debers, right? And I kind of don't I don't want to seem like a confrontational interview, you know what I mean?
SPEAKER_00You can tell you can say Selena, no. Yes, no. You're not allowed to say that.
SPEAKER_02You are not.
SPEAKER_00No, no, no, it's great. Well, so it is one of the industry's, if not the uh most important report. And of course, we look through it every year. Um, we do contribute some data to it as proof point. Um, but yeah, I know Sarah, for example, when you're talking to customers, when you're talking to our partners doing threat briefings, you reference this data quite a bit. So I know it's one of your favorites every year.
SPEAKER_01Yeah, I do. I I when I was on the enterprise side of things, uh, enterprise CTI, we were always looking forward to this flagship report. And then now when I'm speaking to customers from the vendor perspective, there's so many important points, which we'll get to today in this Verizon report uh to tie back to the important research that we do here at Proof Point. So it's incredibly relevant, always timely. I love reading it. I always look forward to it. So it's great work.
SPEAKER_00Before we get started, I did want to highlight that one of the cool things about this report is it does explain in the very beginning how to read it. Because it is it is chunky.
SPEAKER_01It's not chunky, it's healthy, Selena.
SPEAKER_00It is fibrous, it is nutritious.
SPEAKER_01It is, it's 121 pages, right? From first page to last page, but don't let that intimidate you because it's it's truly an enjoyable read in the last year. Selena, you called out the beautiful flourishes and the writing, and I saw like there's like a couple like you caught you tied in sneaky links this year into one sentence. I was like, oh, there's definitely a Gen Z on staff. But yeah, it's just like truly an enjoyable read.
SPEAKER_00Well, and one of the things that I thought was great was highlighting the Varus framework. So as we as CTI practitioners, cyber threat intelligence practitioners, but researchers, human beings that live and breathe cybersecurity, one of the things I think that really grinds my gears is a lack of standardization. And I think one of the great things that you guys do in this report is lay out um the sort of various frameworks. So can you talk a little bit about sort of the standardization and what goes into making sure that you're speaking the same language as your readers?
SPEAKER_02Yeah, of course. So, first of all, thank you for all the kind words about the report. We do put a lot of effort into it, and we know it's you know, it's a lengthy exercise routine, it's not chunky, right? And uh try to make it interesting to read as well. But I guess the reason why people keep coming back to it, right? And like you said, we we usually like to refer to it as look, it's the I don't know if it's the best, but it's definitely the longest running port. It's not the first one that ever was, but it's the longest running, and uh, you know, longevity in this industry, right, is really something to be respected of. It's like you know, you you see an old hunter, right? Yeah, you know, this guy's good, he wasn't killed yet, right? And so that's kind of how that's kind of how we feel about it a little bit. One of the things that we had to do to your point on the various framework, because again, when it started like a thousand, I'm sorry, 19 years ago, it was just Verizon data, and so we could come up with whatever we wanted, right? And and they sure did back then, but in in and I I want to make sure we remember 2010, I think, was the first report where we had external data was the Secret Service that joined. And then the the the folks at the helm at the time were like, hey, no, we if we're gonna get external data, we need to make sure we're all talking the same language, so we need to standardize this in some point. So they came up with the Varis framework, right, which was purposely built to be a way to describe a breach, right? There's so many things happening, there's so many components to a breach that there are several different ways we can describe those. But again, when you look at the breach holistically, right? Oh, I want to know who got in, you know, how they did it, which were the kind of things they affected, and what kind of was the fallout, what was the the result of what happened, right? So they created this framework organized around these four things, right? And it's kind of you think about it, you know, it's it's sent, we're writing sentences, right? When you think about Varus, it's like, okay, Colonel Mustard in the library with the what are the the candelabra, you know. But that's kind of it, right? And so each one of these sentences they describe steps of what uh ended up uh being on a breach. And so again, it's very it's been around for a very long time, it has served us very well. And in an industry that sometimes lacks standardization and has a lot of very opinionated people, uh, it puts us in a way we don't have to keep explaining ourselves over and over again. And so, hey, this is these are the choices we made. I mean, not all of them are winners, believe me. We there's a lot of stuff that we have over the years have tried to adjust and fix, right? Especially, let me give you a quick example, like ransomware, right, is really again, it's everybody's everybody's headache, but it's my headache for a different reason because the way ransomware attacks come to pass have changed so much over the years. Almost everything is a ransomable event at the time uh nowadays, and the way it was designed originally in the report, it was meant to also capture that ransom effect, even though it's kind of a malware-related thing. But yeah, a lot of it now doesn't use malware at all, you know, just bringing it to uh breaching it to a SAS, you're downloading the data and library. Now we have to decouple those things, right? Yeah, we have to have a way to represent there is that there is a ransom event from whatever it is, and keep the ransomware up to the oh, there was actually malware deployed. But then now there's malware deployed that doesn't encrypt. And in the taxonomy of ransomware, originally there was already was encrypted, so we had to branch it out as well. There's another place you you and again you remember, I mean, of course, you remember Windows. Of course, everybody has to suffer through Windows events, but like Windows cannot deprecate NTLM, right? Because everything stops working. So we have a lot of that going on as well. But why am I talking about the bad things about the the standard anyway? It's a great thing that we have a standard, it's hard.
SPEAKER_00Well, I love I feel like we should have I feel like we should have Alex you join us with Alan Liska talking about how annoying the classification of ransomware is because I think I've been banging the like data extortion isn't ransomware drums since like 2018 and I've lost the fight.
SPEAKER_01But before before we go further, I just want to read something. This is how ransomware is referenced in the DBIR. It says ransomware is still the yoga pants of cybersecurity, ubiquitous, stubbornly popular, and appearing in unexpected places near you. So I love it. I love that you're bringing up ransomware right now. And you know, with everything with shiny hunters and all that, yeah, we're getting a lot of questions about that. So this deconfliction is a super, super important topic.
SPEAKER_02But there's a there is a kind of a disc deconstruction, really, right, of what a ransomware event is. And again, one of the things we highlighted this year is really how, and again, we had the MGM, the the OG Shining Hunters event 2023, I think, right? But it didn't really catch up until they kind of like fragmented and now they're who knows how they're organized or if they're even organized at all. But uh, so many ransom-like, uh like a source-like events beginning with this kind of social engineering, right? Something that we highlighted this year. It was, I mean, it was very like voice-based stuff is very popular for DC like things and and financial fraud, but now, like as a as a door opener for ransomware or or extortion events has really been one of the big things we captured this year. Kind of to wrap up, I mean, the standards are necessary, otherwise, again, we we're very big on methodology, we're very big on making sure that, you know, look, we we stand by what we publish because we did the research, to use a clear methodology to how we do the research and making sure we get the names right is part of it. And uh, we've uh gone our the our ability to work uh with different data sets because we just don't do uh incidents anymore, has also greatly expanded when we worked with MADER to map the various standards to attack, right? Attack covers only a subset of what can happen in a breach, right? It doesn't concern itself with like the internal stuff or the human-based stuff. Now we can very easily like tie everything together, right? And so we're able to provide like the CIS control recommendations, right? Because they have a mapping to attack, we have a map to attack, so we can kind of surface, okay, what do this cross-referencing looks like, right? And uh, we think it's helpful. We think it's um, you know, gives people a way to uh you know, read a report, uh, read all read about all the funny jokes or unfunny jokes and uh come out with something that you know, oh yeah, yeah, I know CIS or I know how these things map to whatever program uh that I'm doing, right? For sure.
SPEAKER_01Yeah. On the ransomware note, I know you brought it up, so we gotta talk about it. Because I so I have found a lot of interest in the concept of pretexting over the last year. So the data points around pretexting, I mean, I I feel like pretexting got more of a shout-out in this year's DBIR than past DBIRs, especially with ransomware incidents. So for those who may not have read the DBIR yet or aren't familiar with pretexting, can you kind of explain a little bit the difference between pretexting and like your traditional social engineering and then how it's tied in with ransomware in the DBIR this year?
SPEAKER_02Yeah, of course. You almost said Dibber there. I could feel it.
SPEAKER_01I so for the last 24 hours, I'm like, don't say deeper, don't say deeper, don't say deeper, because I said it last year and I remember you saying no. And then now, of course, Lita said it, so now I have it in my head.
SPEAKER_00Sorry, I'm sorry. I just had to cyberbully Alex.
SPEAKER_01No, I will not say it. I will not say it.
SPEAKER_02Yeah. So um, so here's here's how we do it. Uh here's how we do it on the on the report. So social engineering, right, is a thing. We have the the the taxonomy of social inside uh Varus, right? And those kinds of actions, those kinds of attacks involving some sort of like we have great stuff there like blackmail and uh baiting somebody to come to a website. But the the two flagship ones are phishing and pretexting, right? And so what's the difference? Uh the phishing attack is uh is uh it's an asynchronous attack, it's a pointing time attack. So if someone sent you something, there's no expectation of an answer. There's a very clear call to action on the SMS or the email. Click here to go to this website and enter your password, or click here to open this spreadsheet, right? Uh and so there's no interaction, right? It's uh it's a one-shot. And could be even if it's a spear phishing or like an audience of one, it's still one shot. As whereas pre-texting, uh, we have it's it's it's supposed to be synchronous. There is an expectation of interactivity. And so, you know, you get your text on your phone, hello. Like, hello, right? And then you, you know, they they just take you on a wild ride. Uh and uh, or you know, you get a phone call. Yes, no, yeah, I can't, I need to change my password. I have to send uh a report to my boss and I can't log in. Can you please help me out? You know, and you're constantly trying to convince you, right? And um again, taxonomy is wild, right, around those things, right? I you cannot have uh, I mean, you you could have a voice-based phishing if someone just sent you a recording, right? But kind of the vast majority of voice-related medium would be something like pretexting, uh, you know, you know, in the way that we uh put those things together, right? And don't get me starting on the fishing and smishing, right? You know, yeah, I uh as long as I'm alive, those words will never be published on the DBIR. But the distinction is important. The distinct, I'll tell you why the distinction is important, is that the way we think about those things and the way we fight against them is completely different. Yeah, right. You can have all the training in the world in email, email-based phishing, and believe me, everybody in the world has had that, right? Everybody knows exactly what to look for, everybody looks for the external, you know, everybody looks for the M-dashes now, not the typos anymore, right? But for pretexting, right? No, you have to be you understand, okay, what's a high pressure tactic, right? Uh, you know, it's it's a lot, a lot of intersection with a sales trainee, interestingly enough.
SPEAKER_00Well, you know, it's funny, actually, Tim says that it's very similar to telemarketing, like scanning is very similar to telemarketing because you're you're trying to get someone to make decisions very rapid fire, trying to put them in this sort of high pressure situation, just annoy them enough to say, okay, yes, fine. And that's kind of you know, the it's a little bit like pretexting just from that type of like high pressure sales or telemarketing situation. It's a very similar like psychological impact.
SPEAKER_02Yeah, I mean, the only difference is that maybe you're getting some goods in exchange for your money in the in the telemarketing thing. Maybe I don't know. Is it good or bad? Who knows not just being like uh having your money stolen, but it's it's it's the same nature, right? And so it's one of the things I I was surprised. I've been I've been talking to some people about that, is because the kind of the the voice-based phishing slash free texting simulation space is surprisingly empty, right? Uh yeah, folks should be thinking about that as something that they should be training there. I mean, it's of course incredibly more work-intensive, right? For so it's probably would be way more expensive anyway, right? The whole interactive part uh kind of stuff, right? We can still we can hopefully still tell if it's kind of a robot or an AI uh calling us, who knows for how long, right? But it's one of those things that people should be be trained on. It's a completely different, you know, it's a different area of the brain, right? And humans are terrible, right? Humans want to help. Yeah, you want to be helpful. Most people, some people have empathy, some people want to be helpful, and so you know, it really, really, really hurts, you know, our known uh the known psychopsychopaths, uh, you know.
SPEAKER_00We should just all be evil and then we would never fall for much easier.
SPEAKER_01Oh so much easier until predators figure out how to take advantage of our selfishness, you know. Like they'll figure it out. There's a there's a lot of things.
SPEAKER_02I've got a deal for you here. Yeah, of course. Hey, I'll I'll cut you in. I'll cut you in.
SPEAKER_00Just give me the investment scams, yeah. Well, so I actually so I have a question because this idea of pretexting, I feel like is I don't know, not really new, but it's kind of hot right now. Pretexting, so hot right now. Definitely on the rise for sure. And I feel like I'm curious as to your take because we also have uh simultaneously more and more cybercrime actors are do using benign conversation starters for malware payload delivery in email. And is that like a type of pretexting? Because historically we did see a lot of, you know, with all of the bot nuts, it was just like, hey, open this document, macro enabled attachments, whatever, whatever. And then there's, you know, just sending direct links to be phishing. But as we see, you know, the improvement in phishing awareness and just better security, more and more threat actors are using these sort of like benign conversation starters where it's not just sending something, it's more like waiting for a response. And you are seeing a little bit oftentimes, not all the time, but in many cases, more tailored types of social engineering where this is a very unique link. It's just for this person when they reply, so they can track it, as well as make sure that the person is really like has actually responded and they have a higher likelihood of clicking on it. So is that also considered pretexting, or is pretexting more sort of like the mobile space and voice? Do you think?
SPEAKER_02No, it would be considered pretext. Again, if there's someone expecting an answer, it is engaging with you, right? If the lure is reply to this email and then I'll continue. I'll I you have been deemed gullible enough that then we'll continue spending energy on you. It is it 100% considered pretexting. The whole history of business email compromise, right? Yeah, email compromise, it's tied, it's tied to pretexting. So we we very clearly so again, very standard. There we go. We very clearly decouple the action from the the kind of the vector, which is the medium that's that's used, right? Oh, I'll tell you a funny one. It just reminded me of a funny one of something we had to do this year. Uh we we were looking into a lot of kind of the North Korea IT worker stuff. It took us some time to decide how to classify it because some people, oh, it's an internal, it's not internal, it's still an external threat actor. They're just doing a very, very long con on you, right? And so we claim it is the the long pre-texting theory. What if you were pretexting someone for a year, right? But then we realized we didn't have uh a kind of a video meeting uh vector, we didn't have that on Varus, right? Someone is like it's with you, right? Pretending to be someone else. Yeah, no, that's uh it's a medium now. Uh so it's really decoupled at the end of the day.
SPEAKER_00Yeah. Well, it's interesting too because APT and espionage actors have done those long cons before, right? I think we published on one a few years ago about an Iranian threat actor who was it was kind of like a romance scam fitness instructor, where you know, it was a long time talking back and forth to someone on Facebook and then it pivoted to messages. And you know, you had these sort of like personas that were established in the espionage world that you know, it's a pretext until it's convenient, or when they're you know, the operator is like, okay, now I need to use this relationship. So it's a it's not quite that because I feel like pretexting is still like time bound, like they want something to happen like soon, usually, or like within, you know, it's not like this like you know, months long con, unless you're talking about something like an IT worker. Um, but like from the crime landscape, ransomware actors, they're like, IT help me hurry up. Oh my gosh, this is happening, and then bam, yeah, your data is stolen.
SPEAKER_01The easiest way I think to remember it is just what Alex said. The phishing is you get a message, you're expected to take an action, right? Do click the thing, open the thing, execute the thing. Pre-texting is, you know, what I've been seeing with our BC clusters is it's a back and forth conversation. It's, you know, there's a a fake thread, and then, you know, your the accounts payable is targeted, and then the accounts payable is expected to respond back to get the instructions to make the payment. And then, you know, toad too. We've been tracking toad for so many years, and that's all pretexting.
SPEAKER_00Telephone-oriented attack delivery. Yeah, anyone else knows the top.
SPEAKER_02I love the toad, yeah. I saw the toad. Is that is the toad yours? Is it like yours? Your is yours. Yeah, yes.
SPEAKER_01Everybody else calls it callback fishing, but toad is much easier to do it.
SPEAKER_02We actually, so funny story. So, of course, we get your data, right? And so a few of the early drafts had toad there, and I'm like, what the fuck is toad? Why and then so Phil who who who was working with it, oh, it's this thing. Yeah, we we we'll have to add it out because it's just like a single van. He never told me who the vendor was, but now I know. Now I know who the vendor was with the toad.
SPEAKER_01Just a bunch of animal lovers over here, toads and fish.
SPEAKER_02Yeah, I wonder what's the relationship with Kermit.
SPEAKER_01Oh, yes. Well, he's a frog.
SPEAKER_02That's oh, fair enough. Fair enough.
SPEAKER_01Wow, wow. And then we have Miss Piggy with you know pig butchering. So my gosh. Oh my budget.
SPEAKER_02The Muppet theory of cybercrime. You know what? I think there's a blog post here somewhere.
SPEAKER_01Maybe.
SPEAKER_00Sweet and I will have to work on something. That's a whole separate episode. I love it. I was gonna say, Sarah, maybe for Halloween. Uh it can be our Halloween episode. Yes. No, so so so kind of pivoting completely different from what we were talking about just now. Not no more about Miss Piggy, but let's talk about vulnerabilities because I think that was a huge theme for this. Yeah. That was the headline. And I actually so I actually think that the headline is like separate. It's like a little bit lower down. It's not I mean the vulnerability thing is like, yes, it's that's what everyone was talking about, but I'm a little bit more interested in some of the supply chain stuff. But from a vulnerability perspective, um, vulnerability is the number one like data breach access now. Yes, and I think that you guys were timed perfectly. The Verizon report was timed perfectly with uh Mythos and all of the related AI vulnerability exploit hunting, et cetera, et cetera, which was kind of funny because this is all new, like oh hot new thing, but then here comes the DBIR that's like, well, actually, like last year vulnerabilities were the number one thing for initial access. So I'm kind of curious, you know, what from your perspective, like is this just there being more vulnerabilities? Is this actors taking advantage of them faster? Uh is this organizations being overwhelmed? Because another statistic which I thought was really interesting was where was it? It was only 26% of the CISA CISA critical uh vulnerabilities were patched down from 38%. And then the median time to patching is 43 days, which is almost two weeks longer than last year's 32 days. So have we gotten worse at patching or are there more vulnerabilities or like what what is going on there? Why is it okay?
SPEAKER_02So let me try to let me try to address so I think you had three different questions there, right? So are there more vulnerabilities? Are there more vulnerabilities? Yes. Are are uh digitably weaponized? Definitely, right? Are people worse at patching? Absolutely they are. So, yeah, yes to everything that you just said, and it's important really, really, really hard to to to pick those apart, right? I think there's two things, and again, like you said, we're we're not often that lucky, um, because we we were it's very it's it's fairly common that again we we we we talk about things which are very real and very important, but the the discourse, so to speak, is somewhere else.
SPEAKER_03Uh-huh.
SPEAKER_02But uh we were we were we, I mean, by accident, of course, nobody knew that it was at least we didn't. Some people did know it was coming. They work at Anthropic, but we we didn't know it was coming. And um, so it's two things that I think it's important to to understand. First of all, the vulnerability is being the the number one thing uh that is being uh like the initial access vector for a breach, overnight success that was three years in the making, right? And so if you go back to the 2024 report, we said, hey guys, this is very weird. This thing was always down here and it's starting to move up very rapidly. And that was the time of like move it, uh, so 2024 reporting your data from 2023. And so 2025 report to 2024, same story. It got very close, it got very close to credential abuse, which has historically been our number one, right? And I think we we we we talked about we I'm sure, I mean, I'm not gonna listen back to the the old episode, but yeah, I mean I think next year's gonna overtake it. It looks very good, the line is very clear here where where where where is all of this going? And so it shouldn't surprise anybody that specific finding. What I think is the the real damning one, the one that's really, really concerning is the reduced capability to patch. And so this is work, work we've done with kind of like every single major vulnerability management provider, right? I like to joke that we definitely have the biggest vulnerability management uh data set in the world because we have the two biggest competitors giving their data to us. I'm sure they're not giving it to each other. Uh, and so you see this is the first time in four years that our it's not our capacity to patch, and this is the important thing, right? We have a huge like survival chart for four years. We're patching, you know, we're we're patching four times as many vulnerabilities in the same time, but our outcomes are not getting better anymore, right? You'd see the for 2022, 2023, 2023, 2024, we got a little bit better on the capacity of like burning down, even though we had for every year almost doubles the volume, we're getting the outcomes are better. This time we put you know, double the effort again, our outcomes were not better, right? And it's the it's the whole conversation. I was reading somewhere the the bringing it back to AI, the whole story about uh oh, tokens are very expensive now. Well, how are we all gonna do the problem? Is that you know tokens are charged on effort, not on outcome, right? Yeah, and so you're never gonna know if the outcome was good, right? It's very hard to do that mapping. And it's what you're seeing here, you know, we're getting very good on meeting the demand or the effort, but the outcomes are not improving anymore. And so if there is really a wave, right? And uh from from everything that I have seen, there is going to be a wave, right? Given the fact that we cannot keep with the current volumes of patching, how how do we get to the other side of this? Please send your suggestions to DBIR at Verizon because we don't know. Um uh, but that's kind of the the interesting thing, right? We had we had two things which kind of converge into them. If Mitos hadn't been launched yet, you know, some people would come and say, huh, I wonder what this is pointing at, right? Because we're converging, the vulnerabilities being the most uh uh again, and the capacity perpetuate going down, and also the the kind of like finally some metrics on you know uh AI augmentation for attacks, right? And we had we had historically, again, I'm not the the all the all the frontier labs they have been very good at like notifying kind of onesie twosies, right? And very much again, it's very much kind of uh traditional threat intelligence mentality, which is let me tell you a story about this one thing that I saw once, right? And here's all the bad outcomes, but it's very much again anecdotal onesie chooses. I saw a couple one actor doing this, but nobody had managed to sit down and like, okay, let's look at all the data throughout a year. Everybody who tried to abuse the platform, what what the hell were they trying to do, right? And so you can kind of get an x-ray on what does the usage of AI augmentation looks like for those kinds of uh activities? And uh the good news so far is that most of it seems to be just kind of reinventing the wheel, right? And so uh what we were looking at at the time, again, this was written in January, right? Okay, two things we have to be on the lookout for. Thing number one, are they doing more with less? Are they are are they able to full the the the kind of the the guardrail so they can ask a bunch of different questions, get a bunch of different attack attack techniques-ish shape things out of the system without being caught? So the more this number grows, the more trouble we are. But the second one is how much they are not reinventing the wheel, right? Because again, do we really need another implementation of how do you encrypt a file in Windows, right? I hopefully, right, knock on wood, the EDR solutions that are available there, they kind of know all the different APIs you can call to encrypt a file in Windows, and they'll be looking for those, hopefully, even blocking them. So there's only so many ways you can do that. And kind of the I would say the both the threat modeling and kind of the defensive, kind of like the net, right? You put to catch the catch-all net, are aware of those things, and so they're not going to be caught by surprise. So it's just again more annoying, right? The problem is, oh, I'm doing something incredibly novel that people are not ready to detect. They do not have the kind of the on their on their mental, uh neither mental or implemented threat model. And so this this would actually catch uh people by surprise. And so if we get more novel stuff, we are in in trouble. And so if you have a zero-day generating machine, that definitely falls into the novel category potentially, right? And so it kind of brings you to you really have to think about your defense. So you still have to do the same things, it's not you don't necessarily, although there is a good argument for, and I'm gonna hate this, but yeah, maybe you should be looking into some of AI for like you know, all auto patching or you know, making accelerate your own internal vulnerability discovery. But the the arguments are becoming very compelling there, even for AI haters like us on the call. But uh, if you think about the fundamentals, right, it's like, oh yeah, I'll just continue doing vulnerability management. No, no, you need to start, you have to yes, you have to continue doing it, but you need to start looking at the higher leverage stuff. You know that, you know, zero trust rollout, review all the permission models of everything you've been putting out for five years. Now it's the time to do that. You know that network re-architecturing, right? Oh my god, it's gonna be so yes, it is gonna be hard, but now it's the time to do it because you need higher leverage stuff now to be able to prepare, potentially prepare against uh, you know, if the volume becomes too too hard. It's gonna be hard to keep up. Yeah, you know, if all the predictions go go the way people are predicting they're going to go.
SPEAKER_00Yeah, we we had um Sean Zadig on the call talking about uh vulnerability prioritization. And so basically, when you're when your numbers are increasing and you're seeing more things, how do you prioritize what to fix first? And that I think is gonna have to change a lot depending on what the threat actors are doing, what is the most types of exploited vulnerabilities? What are some of these AI tools? Like, is there a specific class or type of vulnerability that is being targeted and exploited more than others? And can you incorporate that into your overall security model? It's like, okay, if you can, if you only have time for this much work, where do you put your effort? And I think that, you know, you mentioned using some of these AI models for in like internal hunting to just kind of turn it on yourself, like what could a potential threat actor be doing for sure, but then also using intelligence and trying to understand the landscape beyond to your point, this sort of point in time this happened to me, or here's an example of something. Because what I'm finding is that there's a lot of that going around. It's like, oh, well, we saw this happen in this particular attack. It's like, but this isn't this isn't aggregate data of oh, all these threat actors are using this. Like, I think that they're especially recently, there's been some like reporting, it's interesting reporting on like AI enabled threats, but they're very anecdotal to your point. And so it can be really difficult for organizations to be like, is this something we actually should care about? Is this something that is happening at a uh at scale, or is this just something that a vendor found and published on, and this isn't really necessarily applicable to my own environment? And I think that that's a little bit where some of the conversation is being lost because there's a lot more things that are being put out there, in a lot of cases AI generated by the vendors too, but is being put out there, but there's not a real good mechanism for measurement of the impact. And so I do think it is really interesting to see things like the DBIR, which collect all of that data and put it in aggregate and say, this is, you know, this is what we're actually seeing.
SPEAKER_01There's a really good data point in the DBIR that kind of it's almost like a little, like a little blip. You don't, it's not like a huge data point, but that would be really helpful as like a baseline, you know, foundational, like this is how you, you know, where you should start triaging for your vulnerability patching. And let me find it. Okay, so this is the data point. It's like the longer it's been since a vulnerability was exploited, the less likely it is to be exploited again soon. And that research that Alex and T did was tracked over six years, right? So that's just like and that can be applied to vulnerabilities in the wild, and that can be applied to vulnerabilities directly that you've seen exploited in your own data. So it's I just thought I saw that as like that is such a good data point to help kind of not give, I don't think there's, I don't think peace of mind is going to exist if you're in vulnerability management uh anytime soon, but at least it just kind of helps lay a foundation for like where to to begin here.
SPEAKER_02Yeah, it's I think it's a it's it's relevant because again, the finding is that people cannot cannot patch like even the most baseline, uh, which is the the the the Cesar Cav, right? And so if you are in a program, you're trying to chase patching all the Caesar calves, right? Kind of the message that we want to give you is that it's not just recency, that recency matters because you know, if something is is being exploited right now, it's it's it's hot, right? And so you have you do have to change the trains, you do have to change to chase the latest fashion at the end of the day, uh, in there, because you know, that's really where all the attention is. So this is something that I don't know the answer for, and I've been thinking about it a lot, if there's any way we can potentially measure this. Because here's my concern about like methos and like you know, really effective augmented vulnerability, vulnerability finding, right? There's always an opportunity cost for the attackers, or there should always have been an opportunity, there's an inertia on everything. And so let's say you have a firewall which has, which I shall not name, which has been frequently been the target of zero days, right? And kind of every few months it seems like, no, not you again, right? And so at the worst case, if you are someone who has that firewall, right, you've either planned to replace it or you've become exceedingly good at uh like you know, crisis response there. So you can really roll out those bad the patches on those bad boys fairly quickly, right? So it ties into the oh, it's kind of online threat modeling right now, and so I'm ready for it when it comes forward. And so nobody knows why that far is so targeted, right? Is it maybe was was the source code stolen and nobody knows about it? That's how they're being so good at it. Nobody knows. But there's clearly a focus. People have been trained and they are doing, you know, uh uh research, 100 bit research work in that specific target or code base. Imagine if there was no favorites anymore. Imagine if you could find those kinds of P1, P0 vulnerabilities on any file that's out there, even the ones that we generally trust to be well defended, right? That's when you kind of break the, you kind of break the the the rule, right? And so you you had a specific, oh yeah, I just changed to this one, this one never gets a vulnerability, and so I should be fine. You're not gonna be paying attention when this thing comes up. So uh, okay, let's say we have uh now we have infinite vulnerabilities we could potentially be be searching for. Okay, that's that's the the hypothesis that could a potential future. Is it still gonna be costly? Can you scale the scanning as well? Can you scan for infinite vulnerabilities, right? Because that's what we're talking about there, right? They're gonna be scanning, there's always so many they scan at the same time. And again, if you go to a service which does like honeypot stuff, it's always kind of the same IPs, kind of the same regions, right? There's all sorts of different ways you can see, oh yeah, this is this threat actors infrastructure or a good proxy for it. This is the vulnerability they think they're hot right now. What's gonna happen, right? If everybody could scan for every single one, is that gonna be possible, right? Are we gonna see a slow down? How are they gonna fix it? Are they gonna like, oh yeah, this is Monday's vulnerability, this is true. No, we don't know, right? And so at least for now, that's the analysis that we did holds, right? As far as okay, if something's brand new, they're gonna capture the opportunity of the brand new because a bigger share of the pie has not patched yet. So, yes, it is a good idea to stop what you're doing and go patch that, right? But even so, you look at those numbers, they don't help that much because if you think about at the time there were there was 1200 calves, I think, when we we took that snapshot. 500 of these are being actively scanned, still half, a little bit under half. Yeah, not it's not not a comforting number in any shape.
SPEAKER_00Well, I mean, but then you see things like Log4J, which are still like constantly scanned and among the highest volume of like attempts to exploit. And it's like, okay, well, yeah, is that is that effective? Like what uh I don't know what the actors thinking.
SPEAKER_02Oh yeah, you we still got we still get slammer in the internet on configure that's true, yeah.
SPEAKER_00Configure, slammer, yep, yep, yep, yeah. That's that's fair.
SPEAKER_02Those were the days, no, they weren't, they were terrible days. I was talking to someone uh about this. I just reminded this, like just talking, talking I was at a presentation, just talking about the moment, right? And like the the concern about the the the mythos and stuff, guys. Look, if you've been in the industry for less than 10 years, you have not seen a crisis yet. We have done we have dealt with so many bad things, right? You did not want to be receiving a phone call on SQL Slam or Cold Red. You definitely did not want to be there uh when those things happened. We'll figure it out, guys. You know, we'll figure it out.
SPEAKER_01You touched a little bit on threat actors not reinventing the wheel with Gen AI. Yeah. Um, and I was so happy, especially after our conversation last year when we were all like, Gen AI, meh, you know, but I was really happy to actually see some appropriate, respectful data points around what threat actors are doing with Gen AI because right, it's been panic mode for everybody in the last year. And I just want to say the the amount, the percentage that you that's reported in the DBI of threat actors actually doing novel technique or using Gen AI for novel techniques is what 2.5%? And the the the percentage for re you know, kind of reinventing the wheel with Gen AI is was it 80%? Am I throwing in my brain?
SPEAKER_02It's something it you have all sorts of different uh measurements there, right? You have measurements on the 10%, on the 2.5%. So from from memory, kind of the median there, right? The the median case was 55 different software examples, malware, which used whatever techniques they were looking at. But then as you start going to the left, you see 10%, the 10% case were things that were in like three different pieces of software. That's pretty not comfortable, right? Yeah, but then you have to get to the 2.5%, the top on the bottom 2.5%, depending on how you look at it. That is like one single thing. And this is like eBPF firmware takeover kind of thing, which is again, you see those things, but it's like it's the purview of maybe. I mean, I'm not gonna say it's the purview of a threat actor, but uh uh sorry, uh a state actor, but it's a purview of someone who has spent a lot of money to make sure they absolutely would 100% get in into whatever objective they were targeting at. And that's kind of again, and I think this is something we I don't want to I don't want to bring the citation back, but this is something we're talking about. The doesn't make a difference if it's a state actor or not, it's hitting you, right? Because you're seeing more and more, it's the same, the same, everything is being quote unquote democratized uh in that sense. Bad democracy here, bad. We want the good democracy, not the bad democracy. Where um it doesn't matter, like you were saying, oh, pretexting, the the working uh like a potential asset or something like that for months, right? This is not beyond the the the real the the realm of the it's it's very possible, right? Even for a uh kind of a criminal, a cyber criminal related uh activity now, right? The costs are getting, you know, it's becoming less costly to do these kinds of work. And these guys are again, they're they're shoveling cash in, right? With ransomware.
SPEAKER_01I just I think that was a very compelling piece of the report because we were told to expect, you know, AI is gonna change the landscape, there's gonna be all this new stuff, and like just super panic mode again. I think that was part of AI marketing, but that's a whole nother episode to discuss. Uh so it was it was kind of nice to have that data-driven um support for something that Selena, you know, a drum that Selena's been beating for the last year, where defense remains the same, right? We're seeing threat actors use Gen AI to do the same techniques. They're just using Gen AI for it, maybe at higher volumes, maybe they these things look a little bit better, but like in general, defense remains the same. So that was a really wonderful.
SPEAKER_02There is no no evidence that, you know, there's gonna be a new quantum blockchain metaverse attack coming out of, you know, uh the AI labs or anything like that.
SPEAKER_00Well, they're not gonna get any luck on the metaverse. No one's using it.
SPEAKER_02Yeah, I know. Maybe that's why. Maybe why it's so vulnerable now.
SPEAKER_00Perfect.
SPEAKER_02You know, you're gonna get you're gonna get more of the same, but much more of the same, right? And that's kind of where the the posture, that's the posture change. That's the kind of thing that people have to be, yes, it is more of the same, but what if it's much, much more of the same? It's kind of what people have to be to really be aware of and really be uh be cognizant of. And uh the the problem that we have here is that the and this is something I would, I mean, if you'd asked me this question three years ago, right, is the oh, what is AI good for, right? Why why are you why are people even spending time with it? So there's one thing that AI is incredibly good for, which is something that's very hard to make, but very easy to check. And so, you know, I mean, I hate AI-generated images, right? I I have like, you know, I'm repulsed by them, but they're very hard to generate and very easy to check. Whoever is creating them for whatever reason they are created, they can look, oh yeah, this looks good enough. I'll just use it, right? And uh that's the very nature of offensive work, is very hard to create, very easy to check. At the end of the day, you can you just run the exploit and see if it works, right? And so they can afford to iterate. I mean, if they can afford the tokens, right? Right, they can then afford to iterate on this, right? And come up with working exploits and and all of these different things. Whereas, again, making sure it is right every time for kind of a defensive uh framework, right, is a harder challenge. I and again, I I've seen things people are trying to meet the moment, right? Even though you know it's still hard to come by with a kind of good strategy. Most of the stuff that I've seen that I think is promising is about okay, let's use the same playbook, let's find the vulnerabilities and then iterate on them to weight out the the false positives, and then use this as a as a kind of a springboard to to patch the the vulnerabilities, right? Is the things that I've been seeing have most success. But it's just because the offensive part is so good, right? And so you're just trying to get ahead of the game there a little bit.
SPEAKER_00So one thing that I wanted to touch on, because we're talking about AI, we're talking about the increased use of these things. And I think that as we as organizations further incorporate uh AI solutions, agentic things, it is leading to what I thought was a pretty interesting set. And I don't know if this is a cause and effect situation or if this is just something that we're gonna continue to see more of, but breaches with third party involvement have increased by 60% from last year's DBIR data set, reaching 48% of total breaches. So, and then look if you look at the remediation over time and third-party cloud exposure, only 23% of third-party organizations fully remediated missing or properly secured MFA on their cloud. So, one of the things that I think is super duper interesting, and I feel like honestly, it's kind of flying under the radar a little bit, like this like supply chain and third-party compromise. I mean, team TCP is just exploding. I mean, so many of these software tools being compromised. I mean, you have like VS Code extensions that are leading to compromising GitHub, like the corporation.
SPEAKER_02No, it's today, right? Today or yesterday just came out. The VS code is a good idea.
SPEAKER_00Yeah, it's like super, yeah, super recent. There, so you're seeing it more and more. It's like every day there's a new sort of supply chain breach that's leading to major, major data breaches. And you have things like, you know, like a third-party supplier was responsible for the like LLM breach, right? Like it was like a uh there was it was a it was a sort of hop, right? Where they were able to, these Fed actors are targeting individuals, targeting software supply chain to gain access to users. Once they had that access, then they say, okay, like what else is this user connected to? How else can I pivot within an organization? And can I use this person's access to a software to then compromise that software? So it's sort of this follow-on-chain reaction. And I think it's it's interesting in the terms of it in the AI world because as organizations are being like AI, AI, AI, everything, they're pushing all of this on us. And I hear from friends in across industries, like not just technology, but like healthcare, law, education, that you know, you're they're getting it forced upon you. And I feel like we're going backwards in terms of security. And we talked about this last time here on the podcast too. And I don't think it's, I think it's actually gotten worse over the years where we have these like, you know, we're just putting stuff in, and you have like the automated CI CD pipelines that they're like, yep, we're gonna use this automated tooling, we trust it, it's great. But that's now where Team PCP, some of the other side uh like third-party compromises are targeting that like important crux of this sort of AI revolution. So I'm kind of curious, you know, what are your thoughts on this trend of third-party compromises? And do you think that ever this sort of push into AIing everything is contributing to it?
SPEAKER_02It just reminded me, I I forgot the name of the project. There was a project, there is a it's it's active discussion now. They kind of added to this CI CD pipeline if you're submitting kind of pull requests to them, just pretty much telling the the if it's an agent to just like okay, just delete yourself, pretty much, right? Uh it's a huge discussion, right? And as you can, as you may imagine, people are divided on it. Yeah, as in, you know what? Yeah, maybe they're right, maybe they they have all, but anyway, so there's a couple of things there on what what you uh what you said, right? There is the um I, you know, now I have I am being uh quote unquote mandated or heavily encouraged to use uh a model as I do my work on my computer, and there's the whole agentic AI kind of like, oh, there's this potentially this swarm of things doing uh weird stuff, right? And uh again, these are two evolutions of problems we have seen. This is again nothing new under the sun, but this just exacerbate and accelerate problems we've had for a long time to the point that uh hopefully we're not gonna be able to ignore them anymore. But you know how you know how people are, we're very good at ignoring stuff.
SPEAKER_00I was gonna say we can ignore things, yeah.
SPEAKER_02We're very good. Uh so the edge the age the agentic AI problem, the machine identity problem is the identity management problem, right? Has always been simply the the you know the the astronauts with the gun uh meme there. And so you get a lot of issues and and tying back to the third party stuff, right? Our third-party data is very broad because we also consider, we consider software patches as a supply chain issue, right? In the point that, look, if you had chosen, I'm not saying there is a safe vendor out there, but you too, if you had chosen a different vendor, maybe your outcome would have been different. I'm not saying there's a better choice, but it so your vendor process, your vendor in uh onboarding process should consider things like these. But we already had talked too much about vulnerability, so we talked about the other side of it, which is again the cloud-based exposure. And so even MFA, MFA is kind of a no-brainer right now, right? Everybody, every single person, you know, and you know, and do MFA, right? Because it is such a such something that is is a concern. You still have to do quote unquote MFA right in a way, right? There are the the there's things that are more resilient than others, but even that took takes seven days to write 50% down. Now, privilege management, which is uh an even more serious problem, is kind of what brought us the kind of the Salesforce related stuff last year, right? From oh, the the plugin owner was breached, the OAuth tokens were stolen. Doesn't matter if you had MFA, man. I just got the tokens, I'm getting in. But if the permissions on the the plugins themselves had been a little bit better, they would have been able to have dumped the the database. So privilege management is is an absolutely intractable problem. Even if you know you should be doing it, it's incredibly hard to do on the your best possible day. When is the last time you folks had to do like privilege management on AWS, right? Open those like XML things like these. There's like a cryptic, every single capability has a cryptic name associated with it. It's impossible, right? It's incredibly hard to do. And so these are gonna be until we figure those things out, these are gonna be drivers of breach. Be it agentic AI or not again, the Agentix stuff will just make these things faster, right? And so hopefully to the point where okay, and this now has to become a priority. But the other side of this, kind of the personal use, is what we were talking about, the shadow AI stuff in this report. And we talked about it on the previous report as well. It's kind of what you were referring to. Oh, yeah, it looks like 70% of people are just like logging in and using their own. Oh, I don't like the one my company gave me. I like this one, it's my friend. I'm gonna talk to my friend, and uh not to make fun of AI psychosis, but making a little bit of fun of AI psychosis. And so we actually dug into this kind of data now, and uh, we could uh cross-reference it with uh DLP stuff. And the the thing that really was floored floored me was the look, DLP again, as old as time, right? People sending data they shouldn't send to the outside world, and like you know, huge crowd favorites like uploading it to uh external storage. Oh, I'm gonna put it on my Dropbox, or sending it to their own personal email. Again, cold hard classics. So Shadowy Eye is now number three on the heels of personal email, right? Just last year was three percent, was four times smaller. Again, this hockey stick thing, right? Uh, that keeps happening. And so will it overtake? I'm kind of I'm on the edge of my seat. Will it overtake personal email, right? As kind of main DLP. I I think it could very much could do something like that, right?
SPEAKER_00I thought I thought that that personal agentic AI was kind of funny. It's kind of like a BYOD. It's like bring your own, bring your own agent. Agent. Boy Boya.
unknownBoya.
SPEAKER_01Sounds like a really good restaurant.
SPEAKER_02Yeah. I was gonna make a flavor, a flavor flavor reference for the rest of the movie.
SPEAKER_00We love flavor flav. But I mean, but I think it, I I think it's interesting because we do have this push to AI all the things, but then you have this issue of tokens where it's like, oh well, you know, tokens are so expensive, et cetera, et cetera. And then you have this issue where it's like, oh, well, my personal AI tool can do this better than whatever a genetech corporate solution is provided to me. So what if I just, you know, use my own thing? And you have this sort of amalgamation of tooling happening that I feel like is is honestly in some ways kind of just accepted. Like, I feel like some organizations of kind of just like accepted that risk where it's like, okay, well, we want our team to be using AI. So if they're using their own tools, like, okay, shrug emoji, like, I don't know.
SPEAKER_02Yeah, no, I I I don't have the answer for that as uh because again, it's not on everybody's reach, uh organizational reach to oh yeah, I'll I I have my corporate-wide you know solution and I have all these things set in place. That's definitely what you would want to if you are like you know Fortune 100, Fortune 500 company, right? So it's really one of those things who are we even writing to look it. This is one of those we really have to see what's going to happen. I am curious if everybody should be using AI all the time versus okay, now the tokens are very expensive, gonna have uh uh a pullback. And so some people some people will have to use AI all the time, but then how do you how which are these people? Uh you know, what are their job functions and and things of the sort, right? It again very hard to predict what's going to happen there, but it you know, if you continue, if the trend continues, right, on it being continue continue to be ubiquitous, right? Doesn't matter the reasons, right? But making sure again that you are okay, you know, it's it's it's 11 p.m. Do you know where your data is being sent to, right? Is is kind of where where we have to one of the things we have to be concerned about.
SPEAKER_01Absolutely. I think that just one thought on this topic is I think the key here that could really help in general is having a very clear and strong, well-communicated AI policy. And because there are people who aren't, you know, they've hear they're hearing all about this AI, but and they're working in companies that are using AI and rolling out, but like could be like, am I using AI right now? Like they don't know. Like you don't know what you're using, what is even AI. Like maybe they go to the Claude website and they are using AI and it's technically shadow AI, but they think, oh, well, Claude is approved in my organization per policy because the policy is so loose in general and not very, you know, well communicated. They think they're doing something that's so that kind of goes back to some of the data points in DBIR too, maybe about accidental insider, you know, that that type of thing. So it all really boils down to having a very clear, level set AI governance strategy and policy, which I would love to see the stats around how many organizations have that.
SPEAKER_02Oh, yeah, that would that would be interesting. But it also it's one of those things where that's the that's the ground level and you need you you do need some enforcement. So for instance, you know, I'm I'm not connected to my corporate VPN now. If I try to go to even our approved solution, it's blocked. Because when I'm in the corporate VPN, it actually gets proxy to five to buy all sorts of different things. So to to to to account for those. And that's when I'm able to reach reach it like that. So there's also like, you know, just reminding people usually isn't enough. It's it's it's it's very important because you know they have to learn what they're doing. You have to tell me the reason why. But it's one of those things where again, given the scale, you have to, you also have to have some sort of like technical control as well, in my opinion.
SPEAKER_00Yeah, yeah. Well, this is great, and I think it's a good place to end. But this conversation is reminding me that this weekend I spent some time thinking, if I wasn't in this industry, like what would I be doing? Like if I just like fully takes over my job and I don't want a computer job anymore. Like, what is my backup plan? And I have to tell you, Alex, Sarah and I came up with a business plan.
SPEAKER_02Oh yeah.
SPEAKER_00We are we are going to run a bookstore and plant nursery with a landscaping side project called Mulch Ado About Nothing. Get as far away from technology as possible. So when our AI overlords have decided that Selena and Sarah are no longer relevant to the computer job market, we are going to pivot into a plant nursery slash bookstore. And I will get yoga certified teach yoga too. That's also part of my life plan now. Um, so yeah, so I think you know.
SPEAKER_02Just like ransomware.
SPEAKER_00Exactly. We pivoted.
unknownWe pivoted.
SPEAKER_00Exactly. So I think yes.
SPEAKER_02If you want my prediction, right, I think you know, people like you, people like us, you know, I think we are actually gonna be in a very high demand over the next couple of years because nobody knows how to write anymore. So if you are a person that knows how to write, I think that's gonna be that's an underrated skill, right? But you're gonna make all your money the next few years because in three years nobody's gonna know how to read anymore. And so I don't, I don't know what to do with that, right? I really the way things are going, right? You give them uh, you know, you give them half a page a document. Hey, can you summarize this for me in a sentence? I'm like, man, it's a half page, man. You can read half a page.
SPEAKER_01In three years, our DBIR podcast episode will just be us reading the DBIR together to everybody.
SPEAKER_02DBIR story time.
SPEAKER_00Yes, yeah, exactly. Oh my god. Ton this down for me. Yes, 100%. Oh my god. Well, on that really positive and uplifting note.
SPEAKER_02Yeah, I feel like this was a this was a downer year. Maybe next year is gonna be more positive. You know, it's the 20th anniversary. We're good, we're thinking of doing something fun. I think that the data points are gonna be dreadful, but we're gonna try to do something, something fun. Oh, I do have one thing I want to plug though before before we go, before I forget. We are not done. We are gonna publish another report this year. In uh in two weeks from now, we did a kind of separate research with a with uh kind of cyber insurer partner. We're doing the quote unquote cost of a data breach for for the DBIR.
SPEAKER_00Oh, fabulous! Oh, that'll be good.
SPEAKER_02We're talking about like a third of the cyber insurance volume in the US over the past six years, and the really good, like you know, cross-sections of how much breaches, you know, how much is business interruption a concern, how much is liability a concern versus because we're very good at tracking the payout amounts for the threat actors, because that is usually part of the instant response process, right? But after the respondents go out, it's everybody, anybody's guess what the rest of the cost, unless you're the insurer, because the insurer is gonna be very keen on not only not only they have to pick up the tab, quote unquote, they're very keen on making sure those numbers are very, very accurate, right? No inflating those numbers there. That's not what they're known for. And so it's very interesting. It's it's a first for us. I'm honestly incredibly nervous what the reception is going to be, but um, it should be fun. We we we I'm ex we always wanted to write about this, but we've never really had the data to to to feel comfortable talking about it. You you know how we how we are, right?
SPEAKER_01So yeah, yeah, I think that'll be great. Dollar signs are important and cybersecurity. So the DBIR presents all the ways that you could lose dollars, and then now you have this other report coming out that kind of validates that. How much you're going to lose. Yeah, that's a really good. That's a good, I can't wait for that, Alex.
SPEAKER_00Come back on. Oh, yeah, why not?
SPEAKER_02Share, share with our listeners. Yeah, we're gonna talk about that. Yeah, I just want to get, I just want that people stop talking about averages. It just pisses me off so much. Nobody cares about the averages. Nowhere, nowhere the averages are not helpful, right? They are, you're right. So we there's a whole methodology section, is and we talk about hey, we're doing medians, we're doing distributions, right? You may think the media looks small because you're used to to averages. Trust me, if we were telling you the average, it would also be a seven-figure number, the kind of seven-figure number you're used to. But we're not gonna even publish what this number is because we don't want it to get picked up by LLMs, by media, or anything like that. And then I had the final sentence that my my lawyer asked me to to cut, which is like, trust me, it's for your own good. But they told me they they said no, you cannot put there on the report. He's not good, they're not gonna listen to this, so it's fine. Nobody, I'm not gonna get in trouble for saying it. But it is for everybody's own good, you know, averages are bad, especially when you're trying to understand uh data that's as rich and and complex as this one.
SPEAKER_00For sure. Anyway, well, there's a bunch of data nerds, I'm sure, that are out there that will appreciate that. Snaps, snaps for Alex for sure. Oh, cool. Well, thank you so much for joining us. This has been a fantastic conversation. We literally didn't even get to all the questions that we had for you. There's like uh two more pages of stuff that we have that Sarah and I have been act looking at the website. Parts two, parts two, yeah. If you want to come back for part two, we would love to have you. But I you know, we know how busy you are, how how how you know great and impactful, you know, the the BZ BZDBIR is to the community. And we super duper appreciate you coming on to our annual. It's now an annual tradition to have you here on this carded and dive into it. And yeah, come on back for the insurance one as well. That should be a very, very interesting conversation. We'll make sure to include a link to where our listeners can download the BZDBR if you haven't read it already. So we'll put that link in the show notes. And Alex, thank you so much for joining us. Sarah, as always, you're the best uh co-host ever. Um, and to our listeners, thanks so much for tuning in. And until next time, happy hunting. You've been listening to Discarded Tales from the Threat Research Trenches, a podcast by Proof Point. Never miss an episode by subscribing to the show in your favorite podcast player. Happy hunting!