AI, nation-state actors and the next wave of cyber threats with Ryan Macfarlane
In our second episode of The Cyber Brief, Valeska and co-host Chris Kerrigan are joined by Ryan Macfarlane, the Unit Chief of Counter Terrorism, Advanced Projects Unit at the FBI, where he worked for more than 20 years.
In one of his final interviews before announcing his retirement from the FBI, Ryan shares his insights on emerging cybersecurity threats, the maturation of cyber criminals' business models, the increasing use of AI to conduct and defend against cyber attacks, the rise of collaboration among threat actors, the complex dynamics of nation-state attacks, and the growing risk of physical violence spilling over from cyber incidents. Ryan, Valeska and Chris also reflect on the importance of proactive relationships between the private sector and law enforcement, the value of timely intelligence sharing, and practical actions for incident response planning.
The Cyber Brief is a podcast for decision-makers in cyber. Through candid conversations with the industry's best, The Cyber Brief delivers executive-level insights on cyber risk, best-practice governance and emerging threats. Leaders in the field share practical insights, real-world stories and actionable advice for boards, executives and cyber professionals.
Episode two: Lessons from an FBI veteran with Ryan Macfarlane
Resources from episode two:
Allens resources
External resources
- Ryan's podcast recommendation: Darknet Diaries
- Ryan's book recommendations: The 100-Year Marathon by Michael Pillsbury, Destined for War: Can America and China Escape Thucydides's Trap? by Graham Allison
- Ryan's film recommendation: Hackers
Valeska: In today's episode, we explore the role that law enforcement plays in investigating and disrupting cybercrime. We also get some insights into emerging cybercrime trends and the ways in which the FBI not only hunts cyber criminals, but also works with organisations to share intelligence, freeze stolen funds, and provide real-time support to victim organisations. My co-host today is Chris Kerrigan, a partner in our disputes and investigations team and co-head of our corporate crime practice, which covers AML, sanctions, anti-bribery and corruption. We've worked together on many cyber incidents, and as you'd expect, he also engages with AML regulators interested in tracing the proceeds of crime. Joining us today is our guest, Ryan Macfarlane, Unit Chief of the Counterterrorism Advanced Projects Unit at the FBI, where he's worked for over 21 years. Ryan spends his days pursuing those responsible for highly complex national security-related computer intrusions. When Ryan and I first met several years ago, he was based in Australia, working closely with the ACSC, AFP and other Australian agencies, helping to coordinate and support global cyber investigations. We've worked on several cyber incidents, and it's always a pleasure, as was this discussion. We hope you enjoy it too. Thanks so much for joining us today.
Ryan: Yeah, thanks so much for having me. Really appreciate it.
Valeska: Ryan, we might start with your role? Can you just briefly explain what your role involves, what you do on a day-to-day basis?
Ryan: Sure. So, as Valeska stated, I've been with the Bureau for over 20 years, and actually started working cyber crime from day one. So, the first squad that I was placed onto was working APT. So I've been around for a long time, and have pretty much worked the entire spectrum of cyber threats out there. Over the course of my career, I've been fortunate enough to be on the FBI cyber fly team, which is like a specialised team that responds to major cyber events. Well, initially it was within the US, but we've been deploying more globally over the last couple of years, so we've got really good visibility into what's going on out there, the techniques that are being used and the groups that are using them. And then, currently, I work for the advanced projects unit, building out FBI data exploitation and analysis capabilities for our counterterrorism division, but really for the wider FBI.
Valeska: When you say data exploitation, can you talk a little bit more about that?
Ryan: Sure. I mean, you know, one of the challenges that we have currently with our investigations, like pretty much everybody out there, is we're drowning in data. So, one of the things we're focused on is, how do we quickly get to the data that we care about? Right? How do we triage data as efficiently as possible. And, you know, what can we automate and what tools can we use, so that we're, you know, we're shortening that response time and getting to the intelligence, and really the action, as quickly as possible. So, I mean, pretty much every law enforcement agency and intelligence agency out there has a big data problem, and my team is focused in that space.
Valeska: Can you talk to us a bit about, perhaps, the top three emerging trends that you're seeing in cyber crime at the moment?
Ryan: Sure, so, you know, I've got a pretty unique perspective on this, because I've been doing it for two decades, and I've seen a pretty significant evolution. You know, over the last 20 years, I would say, you know, currently what we're seeing, some of the trends that we're seeing, is we're really hitting significant maturity in some of these criminal business models, right? And what I mean by that is that, you know, the threat groups and the actors behind it have really started to refine their process. They look at their operations like we look at a business. They're trying to figure out how to be as effective as possible. Sometimes they're, you know, they're building in redundancy with multiple lines of business, so that, you know, if something that's working today doesn't work tomorrow due to something that the industry has done, or, you know, the way companies are responding, they still have backup lines of revenue coming in.
Valeska: What are some of those? Without wanting you to provide a road map.
Ryan: Good point, right? You don't want to give anybody great ideas, but, you know, so, for example, some of the large access brokers out there, you know, they have access into networks all over the place, and they're selling, you know, they're selling access to those networks. But while they're on those networks, there's no reason they couldn't use some of those credentials and access to, say, install a bunch of crypto miners and mine cryptocurrency while they're there, right? And do it in kind of a low and slow way. The ransomware operators do the same thing, right? They've evolved over time. They used to just encrypt networks and deny access to your data, but they realised that, you know, let's add another line of business. Let's exfil that data out. And now, you know, that's another thing, and I now have another option. I can sell that data. I can use it as more leverage to extort my victims, or then I can go ahead and just mine it to see what's in there, and maybe there's something I can monetise.
Valeska: Any other emerging trends that you're seeing at the moment as well, aside from these multiple revenue streams and evolving business models?
Ryan: Yeah, so we see again, and sort of in that same, that first point, I would say, collaboration also continues to improve. I think that, you know, the cyber criminal underground is very robust currently, and you see groups like a scattered spider that has grown out of this, right, where they have built a pretty significant network with significant capabilities across social engineering. They're working in the SIM swapping space to defeat MFA. They're coordinating with Russian-based ransomware groups. You know, they're buying access from access brokers. You know, they have their network established. And while they're, you know, they're a loose network of operators, they have some pretty impressive capabilities, not so much because of their individual talent, but it's their network that really provides the scale and scope of the damage that they can do.
Valeska: Does that collaboration extend to the physical world as well? I know we're seeing increasing threats of violence and harassment against key decision makers. How do you see that, the cyber realm bleed into the physical?
Ryan: Well, so, yeah, that's a perfect example, right? So, capabilities that really, you know, the traditional cyber threat actor didn't have developed a couple of years ago are now, you know, we see this sort of unholy blending of, you know, violence as a service making its way into the cyber ecosystem. And it's really concerning, right? And we've seen a number of those cases across the world, specifically around, you know, crypto where, you know, violence as a service has been employed to, you know, to either threaten or actually harm individuals so that they provide access, you know, to significant amounts of cryptocurrency networks that the threat actors care about, which is, you know, it's a concerning issue.
Chris: We've talked a lot there about collaboration among threat actors and other groups, but what about between law enforcement agencies, regulatory agencies and industry? What are you seeing in terms of trends there?
Ryan: Yeah, so we've seen a pretty significant improvement on how we're working together, right? If you look at any of the advisories that are released over the past probably four or five years, you'll see that, you know, they're based on a network of our own, right. So, we're leveraging law enforcement and intelligence across the, you know, across the globe, really to share information, to take our capabilities and our lawful access against these groups, and really collaborate so that we can get this information out as timely as we can, and in such a way that, like, the private sector can benefit from it, right? So, we're providing a lot of context on how these actors operate. You know, what they're currently targeting, how they're currently targeting, what they do when they first achieve network access, the tools they use, how they escalate privileges—really, their entire attack chain is derived from the shared visibility that we have as both law enforcement and intelligence.
Valeska: They're so useful, those advisories, Ryan, and I know that it feels like they've become much more frequent as well. I'm not sure whether that's deliberate or just because the threats are becoming more frequent.
Ryan: Now, frankly, I think we're just getting better at getting that information out, and we've had a real sea change. As far as, you know, our responsibility for sharing our intelligence and visibility as aggressively as possible. And I think, you know, specifically the FBI has done a very good job of that. We've really, really made it a central component to how we operate.
Chris: Sounds like you've got a very busy day job. Could you talk us through, maybe by reference to an example of how a cyber investigation works? You know, what the key steps are, how the FBI plays a role on that. I think that'd be really interesting.
Ryan: Sure. So, cyber investigations are started in a number of ways, but usually they're generated out of a victim complaint. So, something occurs, there's a victim that comes to us and says, Hey, listen, you know, we, I've, had an issue. And these victims can be, you know, Fortune 500 companies, or it can be your neighbour that has had a, you know, investment fraud, or somebody that's cleaned out their retirement account, right? So, it's, you know, there's a huge range of where these victim complaints come in. You know, I had a, I had a case back in 2011 that came in from, like, a cyber-enabled fraud that turned from, you know, from an individual that lost $6,000 on an online auction site, and it turned out that that case had a malware component to it, and that malware was tied to a larger botnet which had compromised about a half a million systems, and it was just based off of one $6,000 complaint, you know, so these victims are so important to, really, our case initiation. And we initiate a lot of cases off of IC3, which is the Internet Crime Complaint Center. So, IC3.gov, you know, folks leave complaints there. We take those complaints, we triage them and we turn them into cases, or we add them to existing cases. So, that's one of the avenues where cases are, I guess, are born.
Valeska: I know that you've, the FBI, has made a number of arrests recently, and also there's a lot of work that you've been doing on freezing funds and actually retrieving funds as well. Can you talk a little bit about that?
Ryan: Yeah, so one of the things, when we look at the criminal business model, right, one of the ways in which we're trying to disrupt actors' operation is to hit them where it hurts, right, which is on the financial side. So, we've taken a really hard look at how we can insert ourselves in that financial chain where they're either extracting money or laundering money. We work directly, you know, we've really focused resources so that we can quickly freeze funds and return funds, because we know that that's, you know, why the threat actors are doing what they're doing and in from a criminal perspective. And, you know, every time that we can get in the middle of a wire transfer, or we can freeze, you know, freeze a large account on a cryptocurrency exchange and be able to return that money, we know that we're both impacting their criminal operations, and then also, really importantly, being able to return those funds to the victim, right? So that's been, you know, the reason pretty much every, every FBI agent and intelligence analyst I know joined is so that they could help people recover from crime. So, it's a great way to do that. And it's truly rewarding when you can freeze, you know, a couple million dollars here, you know, or $10 million there, and then start returning that money to where it came from.
Valeska: And in today's geopolitical climate, national security is obviously a critical concern for governments, but I think it is also increasingly for organisations as well. And you mentioned before the advisories that the FBI has been putting out in conjunction with a range of other agencies, including Australian agencies, and a lot of the recent ones seem to be about Chinese, North Korean, Iranian state-sponsored attacks. Can you tell us a little bit about that landscape and how it impacts the way organisations should be thinking about preparing for and responding to incidents. What's the difference in the dynamics when we're seeing those sorts of attacks?
Ryan: Yeah, generally, nation-state actors are more strategic about their targets, right? And they're responding to government-directed tasking to achieve some goal, right? So, you see a lot of targeting of intellectual property or intelligence collection related to global competition, for example. And we've seen that over the last two decades, you know, those areas are, you know, it's just a different end state from the cyber criminal actors out there. And when I started doing this, they, you know, they operated differently from criminal actors. They had different tool sets. They felt differently on the network, and you could see it obviously in the targeting. So, it was one of those, I would say, you know, for example, North Korea operates a little differently than China would. So, they each had their own fingerprint, right? North Korea, since, I don't know, Sony in 2014, when they hit Sony over the release of The Interview, which, you know, for most countries, we just wouldn't see nation-state activity rise to that level. They had a different perspective, right? There was something that happened that made Sony a target, and they went and acted on that information, and then they evolved over time to targeting the financial industry. And now they're heavy into the cryptocurrency industry, right? Very, very heavy targeters of exchanges out there. So, you know, it depends a little bit on what the goals are and what the tasking is. You know, China, for example, has been very strategic, very widespread. Many of their intrusions track closely with their five-year plans. So, you know, as a company, one of the things that I would do is, I would evaluate what I'm working on against, you know, five-year plans out there, right? And that could be everything from AI, advanced manufacturing, advanced materials, bioscience, genetics, you know, it's a pretty wide range.
It's not all just the defence industrial base, and we see through that process a lot of targeting of third parties. So, you know, if a law firm is supporting a company that's doing some really interesting intellectual property work, that law firm's fair game, right? Because they have access to a lot of the same intellectual properties, they have good context to understand who's who within that company that they're targeting. So, that third-party targeting is something we see a good deal as well.
Valeska: You mentioned AI. Be really interested to hear what you're seeing, both in terms of the use of AI to undertake cyber crime and also what you're seeing in the defensive space as well.
Ryan: Sure, yeah, that wasn't a trend I talked about, but for sure is an emerging trend, right? Cyber threat actors are early adopters. They are as close to technology as you're going to get. And as these, you know, as new techniques arise, as new capabilities arise, they're often some of the first folks that will test and employ them. You know, to that point, in 2015 I actually had a group that I was working with that downloaded some machine learning libraries and used those machine learning libraries to solve CAPTCHAs, some of the security tests. You know, before you can do something, you know, you're trying to prove yourself as a human. Well, they downloaded these FireHydrants. So, yeah, back in the day, at this time, it was only, you know, numbers, numbers and letters, but they were all, you know, they're in a strange font, and, you know, made it hard for traditional OCR to solve them. And they had hired a bunch of folks out of India to solve these CAPTCHAs for them. So, as all these CAPTCHAs were coming through their botnet, as they were registering email accounts to send spam, there was someone or a group of people in India that was solving those CAPTCHAs for them, and this process was entirely automated. Well, in 2015 one of the first victims of, you know, ML AI job loss was these Indian CAPTCHA solvers, and they actually implemented this library, and they fired all their folks that were actually solving these CAPTCHAs, because they implemented this machine learning to solve the CAPTCHAs for them. So, a good example of, you know, how they are truly early adopters. And then, you know, fast-forward to today. You've got such great tools out here from an AI standpoint, that if you really know what you're doing, AI is such a, you know, they're using them the same way we use AI, right? Like, to support their understanding of concepts to help them navigate and create alternatives. And we see that today, right?
So, they're starting to bake this into their operations with agents. They're automating, you know, so AI-driven automation is definitely happening out there. Both, you know, both Google and Anthropic have started to release threat intelligence reporting on, you know, how, like, adversarial use of their platforms. I think Anthropic just put theirs out two weeks ago. Highly recommend you go take a look at that, because it really gets into the weeds of how some of the threat actors out there are using these services. And then everything from, you know, like, generating very clean, you know, phishing emails or ransom notes, to helping them navigate, you know, language, both, you know, within the cyber underground and as they're talking to victims or prospective victims, romance fraud, you know, kind of across the entire, entire board. And you see, you know, some of the AI-generated video or deep fake-type activity in real time, happening. It's, yeah, you know, it's just when you think there wasn't anything else you had to worry about, you know, some of these AI-generated operations start to pop up.
Valeska: Yeah. I think deep fakes have the potential to wreak enormous havoc, I think, with organisations.
Chris: I think one of the things we've seen in the cyber world, and actually more generally in relation to corporate crime, is the importance of collaboration between law enforcement and industry corporate sector. And that's the case both prior to a cyber incident, but also as it evolves as well. What have you learned over the years in terms of what has worked well, in terms of collaboration between law enforcement and corporate, and perhaps, you know, lessons to be learned where things didn't work so well.
Ryan: Sure. So I think the, you know, the primary thing that I've learned is you've got to develop those relationships early and often, before you need them, right? Because if you don't have somebody to call, it's just going to take too long, and you can't develop a trusted relationship easily while you're in the middle of an event where everybody is just scrambling to address, you know, what already has happened. So, you know, lesson number one is make sure that you have your Rolodex in place. And that's not just law enforcement. You know, that's everybody across the board, that's your partners, that's your service providers, that's your third-party incident response. It's your regulators and your law enforcement and your intelligence agencies, you know, your telecom providers, all of those, and one of the things that I often see is that everybody's got good relationships, but they're completely siloed. So, they don't really, during an event, they knew who to call out of all those players, but they have no understanding of how they can work together. So, I think that's really important, to start to ask each other, hey, do you know, how do you work with law enforcement? Like, if I ask you to do this, you know, is that something you can do, or, you know, can as law enforcement, if I've got really good visibility into a threat, you know, I'd like to bring everybody together to talk about that one time, so that we're all on the same page. And that may be, you know, specific departments within an organisation, right? I want to have some C-level support. I want to have legal there. I want to have help desk there, internal security, third-party incident response, other partners that may be affected, and your communications team, because that's so important as well.
So, when you get the right team together, and you can have those initial meetings and the follow-on meeting, and everybody's rowing in the same direction, that's when incident response really goes as well as it can.
Valeska: Are you still getting much pushback from organisations that are reluctant to share information with law enforcement because they're concerned about the exposure—that sort of broader legal or regulatory exposure?
Ryan: Yeah, it still happens. I would say it's still happening. It's happening less than it used to, right? We've been on the front foot in a lot of ways, trying to explain to the private sector. You know, what our role is, what our capabilities are, how we can share visibility. You know, what type of capabilities do we have that we might employ, right? You know, we may be able to freeze funds, or we may be able to provide some really good context on how negotiations go, or, you know, most likely, how these threat actors got on your network, so you can jump-start an incident response. So, we've got really good, deep knowledge on, you know, the other side of the coin here, and it's, you know, I feel like it's really important for the private sector to take advantage of that. I mean, it's a, it's really, uh, a resource that, depending on how you look at it, it's either already paid for, right? You're paying for our services with your taxes. So, we're all already kind of on retainer, if you look at it that way, or, you know, we're just a free government service, a public service that you can leverage.
Valeska: We've always found interaction with you, and the FBI more broadly, really useful, even providing decryption keys in some situations as well. I also think we've probably come a long way in Australia. We've now got a regime, which was introduced quite recently, called the limited use regime, where, in certain circumstances, if organisations voluntarily share information with certain agencies, it can only be used for a very limited purpose and further disclosed for a purpose. And there are still limitations to that regime, but I think it has gone a long way to provide some assurance to organisations, and sort of encourage them to share certain information as well that can then be used for broader threat intelligence sharing, but also to help those organisations as well.
Ryan: Yeah, I think that's a very smart approach, and it's important for the private sector to understand, you know, how their information can be used in what capacity. And just it's so important to establish that trust and the guardrails, so that we can all, you know, do what we can and what we need to, to recover from these events.
Valeska: We're almost at time, Ryan. But before we wrap up, keen to hear your favourite cyber film, podcast, TV series, book.
Ryan: Sure. So, there are a number out there. I mean, podcast, I'm a big fan of Darknet Diaries, always entertaining. Books, there are a number out there. A lot of the books are kind of at the intersection of, you know, state-sponsored intrusions and, you know, global competition. So, I like: The Hundred-Year Marathon is good, Destined for War by Graham Allison is good. And then, you know, I'm kind of, you know, old school—Hackers, yep, back from back in the day, one of the original hacking movies, and kind of dating myself; the classics are the best, but a classic for sure.
Valeska: Thank you so much for taking the time with us today. Really appreciate your insights, and great to catch up as always.
Ryan: Yeah, it's been a great pleasure speaking with you.
Valeska: Thanks, Ryan.
Chris: Thanks, Ryan.
Valeska: That was a really interesting chat. When Ryan was talking about the Financial Fraud Kill Chain, I was wondering how that sort of aligns with what you're seeing in this space, especially around anti money laundering.
Chris: Yeah, well, I mean, it's so stark, isn't it. That 48-hour period, after which it's very difficult to recover, just underscores the need to move really quickly in this space, which we know, but it is interesting. I mean, I think they're clearly focused on following and seizing the money, and certainly in a money laundering context, AUSTRAC is very focused at the moment on cyber crime and scams, and ensuring the population, whether it's crypto payment service providers, banks, are they monitoring and stopping and seizing that criminal property where they should be? So, we're helping a number of clients in that context, which just, I think, underscores how so much of this is, you know, cross-practice interrelated, because, at least for financially motivated crime, that is the best way to disrupt the hit and where it hurts.
Valeska: Yeah, that's right. I also thought it was really interesting the discussion around national security and the different MO of some of the state-sponsored attackers as well. I mean, that the other sense I really got from that conversation was just how important—Ryan spoke about the difference between the internal focus of a lot of organisations in an incident response but, actually, we see it even in the preparedness and planning. And yet, there is so much important activity happening externally. And it's a really good reminder, I think, to make sure that thinking about that broader ecosystem, the other relationships that can be leveraged and the roles that they play, should be built into incident response planning and having checkpoints during an incident, to make sure you're sort of checking in with all of those external factors as well.
Chris: Yeah, and not working in silos. You know, you're going to have various third parties you've got to engage with quickly. You just can't afford to be talking separately to them. You need to get on the phone, right, like that's the key message.
Valeska: And practise doing it in advance. Yes, yeah. Thanks. Thank you. Thanks very much for joining us on The Cyber Brief. Today we'll have a number of references made during the podcast in our show notes. Speak soon.