Episode Summary

Security awareness training is an important part of user education, but no matter how aware of threats users are, they can still be caught off guard. So can the problem of end user behavior actually be solved? Mac is joined by Connor Swalm, the CEO and founder of Phin Security, which provides phishing simulation and security awareness training for MSPs. They discuss Phin's approach to training the end user, how the security awareness field is adapting with AI, and why Phin decided to focus on the MSP realm.


Referenced links and articles:

https://thehackernews.com/2024/01/atomic-stealer-gets-upgrade-targeting.html

Transcript

MacKenzie Brown: Welcome everyone, to Return of the Mac. Today we are going to be talking about the very sexy topic of security awareness. So security awareness training is important. We all know that. It’s a part of basic user education, but as we know, no matter how aware users are of cybersecurity and the threats that they face, especially at the companies that they’re at specifically, they’ll be caught off guard.
I’m not going to lie, I’m kind of like a pessimist on this topic, but it could be because I’ve been in the industry long enough, and I just don’t know how I feel as a cyber practitioner and my faith in the human race, but specifically the human race being the end user. So can the end user actually be trained and is this problem something that can be solved?

Today I am talking to Connor Swalm, who is the CEO and founder of Phin Security, which provides phishing simulation and security awareness training for MSPs.

Last week we had Phyllis Lee on and we discussed the CIS 20 Critical Security Controls, its framework adoption and the importance of that to focus on security maturity. So it only feels just that we move into, I don’t want to say the most basic, but we are going to move into something that again, from a pessimistic point of view, needs to be solved. It’s something we all do internally, but do we actually take it seriously?
So because, again, new year, new us, we’re gonna start from the bottom, and the bottom is, in fact, the end user. We’re gonna talk about how the security awareness field is adapting or evolving with the new integration of AI into everything. So if you’re a bad guy, how does AI really kind of benefit you? And then why Phin decided to focus on the MSP space or the IT service provider realm and that market in the first place. So welcome, Connor. Thank you so much for joining me.

Connor Swalm: Thanks. Anytime. Thanks for having me on.

MacKenzie Brown: I’m sorry that I couldn’t fly to the other side of the country to hang out with you guys in your, not your garage, right? It’s your living room. You’re like in true startup mode. I love it.

Connor Swalm: That’s okay. Yeah, and I’m not there anymore, but yes, the hacker house. If you’ve ever watched Silicon Valley, if you have, MacKenzie, or if you’re listening-

MacKenzie Brown: I definitely have consumed it.

Connor Swalm: That exact house, it’s almost the exact same situation we had very early on at Phin, is me, my co-founder Josh, who’s one of my best friends, and our first employee Curtis, who is an amazing individual. We all lived together and so we’d wake up and we’d just code all day long, until they stopped letting me write code because I’m the worst developer here.

MacKenzie Brown: I love that. Okay, so you, Josh, and Curtis, what characters are you from Silicon Valley?

Connor Swalm: Uh, so everyone compares—listen, listen, of course, of course people compare me to Erlich, because I’m the worst developer and I hate that. I hate that.

MacKenzie Brown: He’s my favorite though.

Connor Swalm: Erlich’s your favorite?

MacKenzie Brown: I mean, only because he’s like kind of a piece of sh*t and I love that. That’s my favorite character trait in someone.

Connor Swalm: Josh is definitely Richard. I would like to be Jin Yang. I think Jin Yang’s the glue that holds everyone together.

MacKenzie Brown: Well, I mean, he’s kind of like the most badass. What did he invent the hot dog thing? Was it like, oh, I’m not gonna talk about that on this podcast, sorry.

Connor Swalm: Hot dog, not hot dog.

MacKenzie Brown: Hot dog, not hot dog. We can be as inappropriate as we want here, but also within reason. So we won’t talk about, just look up hot dog, no hot dog, for the Silicon Valley episode. It’s probably, I forgot about that. It’s probably one of my favorite things.

Cool, so welcome. Glad to have you here. What we do before we get into the nitty gritty of who you are, what you do, what Phin does, we start with a nice hot topic because we want everyone to be well-versed in what’s going on in the world. And these come out like a week or two after filming this. So they’re still hot. We’ll still call them. They’re mild topics. They’ve been sitting under the warmer.

But this one is specifically about new information, I shouldn’t say new, came out, started in April 2023, but this is information-stealing malware, as we’ve all seen, that is becoming more and more prominent. Atomic, or AMOS, is an information stealer that has been seen in the wild with now more recently advanced capabilities.

So this is a macOS infostealer called Atomic. They’ve had some updates recently where now they introduce a payload of encryption so that, it’s actually in an effort to bypass endpoint security software detection.
Okay, so this was first seen in April 2023 and this tool was focused on harvesting information of compromised hosts, of course, but because this is the angle of macOS, this also included keychain passwords, session cookies, files, system metadata, but also it included the fake authentication portal for extraction of the passwords. So hefty tool here.

Over the past several months, this malware has been observed being propagated via malvertising and compromised sites under the guise of legitimate software and web browser updates. All right, nothing new there.

It’s being sold for $3,000 a month. I don’t know. I love, Connor, to introduce prices on here. I actually think it’s cool. So if you are looking to be a bad guy, this is what it’s going to cost you in your initial investment. So this stealer is being sold for about $3,000 a month rental fee. Rental. And they actually, it looks like the bad guys had a promotion coinciding with Christmas. So they had a nice discount of 2K. Everyone loves a good deal there.

So why care about this hot topic? Well, one, information stealing type of malware, that initial access foothold tactics, as well as the evasion of EDR and AV. That is something to get a point across, but most importantly, it’s like when people tell me, stop worrying about Macs comparatively to their Windows devices, I’m like, okay, cool. Here’s a good example of why to still give a sh*t about your Mac devices internally.

And another point is again, that tooling evolution. So we’ve seen this continuous evolution of a lot of malware variants to the way that they are either deployed or implanted, is to evade detection and/or even show an EDR saying, hey, we alert on this file, but it’s not actually removed, which is what we’re seeing a lot in our SOC right now.

The malware, most interesting, has been seen impersonating Slack via Google Search advertisements, where they deploy a rogue Slack disk image for installation. And essentially, when you open up that file, it prompts for a password. It’s the easiest way to get a password into the system.

And there is some versatility within this also for the malvertising campaign. Back in September, a fraud site for TradingView leveraged a NetSupport RAT. So if a Windows device visited this fraud site, they got the NetSupport RAT, or if it was a Mac device, it was able to determine that and give it this Atomic malware.
So lastly, I will add, let’s just focus if you provision a device, are you ensuring that Slack, Teams, Zoom, whatever type of applications are commonly used for operations day to day, is that something that you configure before you do any provisioning of systems to new end users?

And also application control, because I could turn that into a drinking game on this show talking about app control. If you are controlling at least the types of apps that end users can download or are considered allowed, are you doing that?

So, Connor, thoughts on Atomic. How do you feel about this? You are in the realm of probably where this is a common type of family in your field.

Connor Swalm: I would make the statement that if you ask most people, not just anyone, I mean security professionals should know this, like what the little lock in your URL actually means, the little green lock, a lot of people will say, oh, my browsing is completely safe, and that is not true.

That just means it is a valid SSL cert, which means a governing body somewhere, depending upon who you wanted to get it through, said, this looks like a good enough website. But really, like 20 bucks and a business email address gives you a valid SSL cert.

So like when I talk to people about browsing, like going to these malicious websites, how do you actually know you’re not on a malicious website? You need to know what the URL is, know what the actual domain of the website is. And then you should always have your browser scan anything you’re downloading just as another tool, like another checkpoint.

That doesn’t mean it’ll be safe 100% of the time, but it does mean, you know, if you go to slack.com and not wherever this malicious website was, based on the ad…

MacKenzie Brown: You would think. Yeah, that’s kind of like a good habit or culture to instill in your people is like, let’s not trust search engines with SEO poisoning too. Let’s kind of focus on the legitimate domains where you would download said software.

Connor Swalm: Yeah. Well, the comment you made that really, I guess didn’t shock me, but immediately I was like, that’s actually really smart by these people. They just buy keyword advertising in certain locales against certain keywords. It’s like, yeah, if I go to Google right now, and in my search bar, I type “slack”…

MacKenzie Brown: Oh good, I’m glad you weren’t gonna say Blackpoint. I’m like, oh, don’t get me in trouble.

Connor Swalm: No. First thing I get is an ad. But if you’re not looking at the little tiny language here that says, hey, this is a bought and paid for ad, it’s like, “Oh, I’m going to Slack.”

In this case, I am going to Slack, but I imagine in other cases with this malware, you’re not, and people don’t know that.

MacKenzie Brown: No. So remember, don’t trust your browser settings regardless. If they say that they’re protecting you, you’re gonna have to do a little bit more due diligence.

That’s a lot for an end user to consume, by the way. Oh, all of the tips and tricks that you have, are these things that you guys kind of include in your training modules or how you train people? Is also like, hey, this is more common, they are getting more sophisticated in the ways that they can get users to click.

And we leverage Google for everything. Sorry, Google, I’m not sponsored by you. I know last week I talked a lot of sh*t about Google, but is this something that you guys kind of train on, module-wise?

Connor Swalm: Yes, so there’s a couple of things, a couple of ways, I guess, I’ll tell, that you can actually get this information into a user in such a way that they remember it, or it puts that gut feeling in their stomach when they’re somewhere that feels a little off.

The first is just directly asking them like, hey, here’s a webpage, can you click on the URL for me? You’d be shocked how many people can’t do that. And that’s a very, very important piece of information for us, because it’s like, this person’s security journey is starting on this end of the security awareness spectrum. We need to start educating these people on incredibly, I guess, not easy to understand, but start with the simple topics and say, okay, this is a URL. This is what visiting a website means. This is what the little green lock really means. You shouldn’t always trust it, so on and so forth.

And the second piece is, I think the most effective training you could ever give anyone, the most effective talks that you could ever give in terms of people taking something out of it is, here’s three simple things. And it’s not like go buy this, go buy that, go buy this.

My advice is always the same. If you enable MFA, if you have a VPN of some sort, I’m not even going to talk about if you have the right VPN or if you’re using it properly. If you’ve made the effort and you have MFA on everything and you only do work on your company’s work device, you’re miles ahead of the average individual. It’s a very good place to start. Just start there and then we’ll talk about more.

MacKenzie Brown: I was just going to say, do you guys have a graphic of the spectrum of end user awareness maturity that you can leverage?

Connor Swalm: We don’t have a written out graphic. I definitely have it in my head. Like these topics, yeah.

MacKenzie Brown: Okay, that’s good. So if anyone wants to know where do you sit on, where do you sit on the line of maturity, Connor can probably help you out with that.

I know in relation to Atomic, so as far as what our Blackpoint Threat Operations Center has been seeing, I was looking, doing some search, we haven’t really seen any Atomic from what I can see, but we see a lot of other infostealing type of malware and some loader malware, a ton of SolarMarker more recently too, Redline, Remcos, deployed in the fashion of an executable or MSI file and then followed by some PowerShell.

And if you are someone who said, “I don’t give a sh*t about any of that,” if you’re a hunter, so you just know, typically you’re looking for three to four words separated by like a hyphen and then pretending to be something like an installation package or some sort of template.

And also to note, we have seen tools with SolarMarker specifically, I won’t name any EDRs, we try to play nice here. But we have seen this trend where EDRs are alerting on the initial file, but they’re actually not removing the file or the .lnk persistence in general. So some fun tips and tricks there to note.

So even though we haven’t seen it in our threat ops center, it doesn’t mean that they aren’t targeting some specific market vertical or field or organizations out there.

So, questions, Connor. We met in Orlando, if I can recall back in my many days of travel at one of the IT Nation conferences. I was blown away by just hearing your story, how far you guys have come. So congrats on that for Phin. I wanted to go ahead and just get started on the most basic level. Again, basic bitch here.
First, tell me a little bit about Phin as a company, how you were inspired to start this company. And then more importantly, what differentiates you from the KnowBe4s of the world, the other security awareness training platforms? Oh, and then I know this is like a four-pronged question, so apologies. You’re like, holy sh*t, do I need to write this down?

So what sets you apart? Actually, I’ll wait on the other one, which is the MSP space specifically. So how were you inspired to start this company? And what sets you apart from all the others?

Connor Swalm: Sure. So I was with a few other people just building random security tools that I thought were really cool. And for anyone trying to build a company who has ever tried to build anything, that’s not a great way to start building a company. What I think is cool is not what people are willing to pay for.

And so we started talking to every organization we could. And you alluded to it earlier. I’m from Delaware and I live in Delaware right now. Very small state, very closely connected. If I want to go talk to business owners or I want to talk to VPs at a bank—there’s tons of banks here in Delaware—I just go do that. I went to school with their kids, my family’s friends with them somehow. We know each other. It’s very close. And so I’d go talk to them.

And for whatever reason, all of them talked about “My users keep making mistakes. No matter what I buy, it doesn’t feel like the training is working. I feel like I’m wasting my money, my effort, my energy, my security team hates me.” Oh, okay.

In that process of getting all of that feedback, which largely, you know, congregated around end user training and getting people to behave a little differently, we ran across one MSP. And that MSP said the exact same thing. He gave us the whole landscape, the players in the space, why they were good, why they were bad, how long it’s been going on, what the scale of the problem was.

And the reason we started, we decided to go all in on awareness training is because that MSP ended the conversation with us by saying one thing: “Don’t even build me a better tool. Build me something sh*ttier that’s easier to use and I’ll work with you tomorrow.”

MacKenzie Brown: Quote whatever MSP partner said that. “Build me something sh*ttier but easier to use.” I love it. Set the bar really low there.

Connor Swalm: Yeah. And at the time I was like 22, I was living in my mom’s basement. I was like, that sounds like the opportunity I’ve been looking for.

And that started not only a relationship with that MSP, but hey, can you introduce us to your friends? I didn’t know what an MSP was at the time. Now looking back at it, it’s like, that’s the perfect way to get into the industry: “Hey, I’m trying to solve this problem for you. Do you have 10 friends that you can introduce me to?” “Yeah, let me put you in a text thread. We’re actually talking about this sh*t right now.” It’s like, that’s the level of-

MacKenzie Brown: It’s the pyramid scheme we didn’t realize existed. Actually, I don’t want to compare the channel to that, but yes.

Connor Swalm: If you ask people how they make most of their purchasing decisions, you’ll get some variation of, I go online at Reddit or I asked my friends. It’s like, Oh, yeah, that’s pretty much it. You just ask your friends what they do and who they like and what they like doing. And that’s 90% of the time you’ll just go with them.

MacKenzie Brown: Also, if anyone is new to this type of mentioning of the channel, I know I talk about it in every episode, but everyone has an IT service provider, like a general practitioner in a way. So just keep that in mind as we talk through a lot of these important topics is, who’s the friend you’re calling? And most organizations, not just SMB, but even large organizations, right? “We can’t trust Google, so…Maybe we can trust Reddit.” We probably trust Reddit more than we trust Google, weirdly enough, but yes.

Connor Swalm: Yep. It’s true.

MacKenzie Brown: All right. So what sets you apart? You know, not building something sh*ttier, obviously, but like, it’s not sh*ttier. What sets you apart from other tools out there now today?

Connor Swalm: So there’s two things that we believe. The first is specifically for the MSP space. If you take an action in a tenant, there should be an option to expand that action to every set of tenants that you would like that action to apply to. Very specific example I can give: If you make a phishing template as an MSP partner of Phin and you’re like, you know what? I wish all of my other clients had this as well.
There is a button to click that says, give this template to these tenants as well, and have it run in the phishing campaigns that are running right now. It’s like, scale all of the actions from one to many.
That was like the biggest gripe for that first MSP we listened to. It was like, I don’t want to have to repeat things. I want largely the exact same experience for all of my clients. Let me do that easily.

And the second differentiation is, I’m going to go back to an experience I had in college. I studied math in college. I consider myself a hobbyist. I still study it to this day. I bought a bunch of textbooks. I have them right here and I’m going through them. I love it. For whatever messed up reason in my head, it’s just what I enjoy.

Try talking to anyone about math. It’s what got me up in the morning. Like in college, the only reason I was there. I had a successful real estate career at the time. I was making money. I was there to study math. And anytime I try to talk to anyone about how much I enjoyed that, the conversation was over before it started. It’s like, they didn’t care. It’s like, “Hey, I study math.” It’s like, “Oh, actually my friend’s calling me. I’m gonna go, goodbye.” It’s like, oh, okay.
And the reason I bring that up-

MacKenzie Brown: Is that, that’s what you did on a Saturday night or Friday night in college? Had a math party?

Connor Swalm: I did a lot of that, yeah. Did a lot of undergraduate research. A lot of math stuff. Yeah. It’s fun. Like I said, it’s what got me up in the morning. I liked it.

MacKenzie Brown: I swear I didn’t pull out my headphones just now, my thing got muted… I swear it wasn’t because you started talking about math. I wish I would have known you in college or high school because maybe I would have had someone to help me with my math.

Connor Swalm: I’m used to it. I’m used to it at this point. Um, the reason I bring that up is because if you go talk to the employees on the front line—so not the MSP employees, but the employees in those clients that are on the front line—and you say, what are your thoughts on awareness training? What are your thoughts on security? Do you know cybersecurity?

You will get the exact same response. It’s just a, “Hey, my friend’s calling me. I got better stuff to get back to. Goodbye.” It’s like, there is this complete disconnection of they don’t believe they have a part in it. They feel like they’re getting talked down to, whatever. They feel inadequate in some way. There’s a lot of emotions that I can go into that I’ve heard virtually every employee I’ve ever talked to explain to me.

And so what we decided to do from the very beginning is not make the content the reason somebody should work with us. We’re going to aggregate content kind of like YouTube. And what we’ll do long-term is we’ll say, if we are this aggregation machine, we can, through our own LMS, we can see what content in which sets of people, because of their vertical, because of their business size, because of their job title that we pull in from Azure, whatever it is, this is likely to actually resonate with them a little bit more because of all of the data we have.

And if we make our differentiator the content we can generate in-house, we will never be able to get to that point where we can actually give people what would be effective for them, because we’re limited in the scope of what we can provide.

And so that’s kind of the second thing that we’ve done, is we don’t make any of our own content. We license it from other awareness training companies, from professionals, from cybersecurity practitioners, and we just let meritocracy take over.

MacKenzie Brown: Right. I was just going to say, aggregating the things that are going to be more relevant and useful is probably the fastest way, not reinventing the wheel, necessarily.

Connor Swalm: Yeah, a really good friend of mine who is a security awareness training, I call him an expert, he’s been doing this for like 15 years. He made a statement to me early on that was, if an employee leaves their awareness training, and their only thought is, “That wasn’t the worst thing I’ve ever done,” that’s top 10%, that is the best we could hope for right now.

I was like, oh, that’s how low it is? All right, let me see if we can make this a little better.

MacKenzie Brown: I like that. And do you get, do you do those kind of Yelp reviews for your platform in general, for specific training modules or videos that those simulations are going through so that they can rate it after the fact and say, hey, this like really sucked, or like, I actually feel like I learned something and paid attention the whole time.

Connor Swalm: It’s not as “inline,” I’m air quoting for those of you who are just listening. It’s not as inline as I would like it, but we do solicit feedback, not only from the MSPs, but from the end users as well. It’s like, Hey, what were your thoughts? What’s the length? Good. Was the topic good? Was it relevant to you? Why, why not? We do all that.

MacKenzie Brown: Right. Yeah, well, I know a lot of my listeners probably won’t relate to this, but I love the Real Housewives of Anything and Bravo. If you could just do a training simulation of some sort, but you just hire those women to yell at each other at a dinner table, but yell at each other with pertinent information that you have to be quizzed on and learn, it would really resonate with me. It would stick in.
But OK, so again, I was saying, like, I am an optimist at heart for the most part. But when it comes to end user training, I’m not gonna lie, I’m really like pessimistic as a practitioner. I think that I would rather rely on technical policies and configurations and again, like other tools to fix the problems we see with the end user, versus trying to fix the end user’s awareness.

And I’m not saying that that’s the good viewpoint of the world, it’s just I don’t have time to sit there and measure each person’s, out of a 200-person company, I can’t go to every single person and quiz them, or just understand like, did you cheat? Did you actually understand the content? Who are the people who are clicking the most?

Of course, we can track those metrics. But do you think we as practitioners, we’ve been left with a bad taste for end users as far as security maturity goes? Do you think the end user can be trained, that this is a problem that can be solved?

Connor Swalm: I’m betting that it can be. And until some form of generalized AI that removes the need for humans to exist in the line of productivity to create a service or a product, humans are going to be technologically enabled, not removed from the production.

So what we’ve seen over the last 20 years, and Verizon’s Data Breach Investigations Report backs this up, is humans have gotten progressively worse at recognizing social engineering. There’s a lot of factors that go into that. One is how much more technology we all interface with. The second is how much more we’re targeted.

So yes, I’m willing to bet it can be. I think it’s gonna take a lot of things that do not exist today. The primary one of which is just empathy.

MacKenzie Brown: I don’t know, bringing in EQ here. No, I love it. You can call Wes Spencer, he’ll tell you. I’m like an empathy junkie.

Connor Swalm: That’s where Wes and I agree a ton. And I call him all the time to talk about this. In general, outside of security, if you had more empathy in your life, your life would probably go way better, like way smoother.
So let’s talk about how would it exist in security? Why is it that most end users, when you talk to them—and I use end users as a stand-in for employees on the frontline, the people who are making these mistakes that we’re blaming them for. Why is it that they feel less supported, less productive, less capable and less understanding of the overall landscape than ever?

I think that’s because the security industry is failing, reaching out to these people who have no understanding of security to begin with. And it’s not their fault, because it’s not their job. I have no understanding on how to weld. If someone’s like, oh, you don’t know how to weld, you’re a loser. It’s like, I’m not a welder. What? It’s like, that’s largely their perspective.

But I will say this. The difference is everyone has a place in security. I don’t necessarily have a place in a welding shop. I never will, don’t want to.

So what I would say is it is doable. I think security needs more empathy. And oh, I just had a really good example that just flew out of my brain. That happens to me all the time.

MacKenzie Brown: I hate when that happens. So you don’t belong in a welding shop, but-

Connor Swalm: Yeah, the security thing. I had a lacrosse coach in college and he went through this exercise with me, and I think the security industry could take heart from this example. And he pulls us all together, whole team, and he says, raise your hand if you play defense. And of course, only the defenders raised their hand. And he goes, okay, all of you are wrong, go run. And then made us run until some of us puked and we’re like, ah, we hate this guy, this coach sucks, blah, blah.

He pulls us back in. He goes, raise your hand if you play defense. Everybody raises their hands. He goes, that’s the right answer. All of you play defense, just on different sides of the field. And I was just like, oh, yeah, that actually makes sense.

So how do we take that to security? Everyone has a place in security. For some, it’s in a SOC, managing responses and looking at alerts and triaging things. For some, it’s just doing the job of not clicking on the wrong email in the course of doing your daily activities. All of them are a part of security. Everyone just has a different place in it.

MacKenzie Brown: We’re all defenders. I actually like that tagline a little bit better than security is everyone’s responsibility, which just sounds like, obviously the government came up with that, but I do like the whole, like, we’re all defenders. I think that that’s far more, like you said, empathetic.

And it does kind of resonate a little bit deeper with the end user of, oh, I’m totally responsible. I can be targeted for the specific role or position I’m in. And what is the risk if I am compromised to some extent?
And then also in your personal life, I think that people realize that they are kind of the defenders of their personal life when it comes to their own data and how that can bleed into not just their job and career, but also it can destroy people’s lives once if they have been targeted specifically and wired a bunch of money or something has happened.

Connor Swalm: I think a cultural belief that a lot of people have is your work stops at 5pm. It’s like you have two versions of yourself, the nine to five and the not nine to five. It’s like, okay, I could get that and everyone should be able to disconnect from their work, especially if it’s mentally taxing or they don’t enjoy it as much as others enjoy their work.

However, with the invention of work from home, and a lot of people, I think last time I looked it was like 20 something percent of Americans working from home, if you go home and you’re on your personal devices doing work or they’re connected in any way, shape or form, it’s like-

MacKenzie Brown: Which they always are, unfortunately, unless you carry two phones around.

Connor Swalm: Right. Look at, I think it was LastPass, where it was like a Plex server on a personal device of a DevOps engineer. It’s like, Oh, who had that on their security bingo card for 2023? Nobody.
So what I mean by that is there is now this crossover of our personal lives impact our own security and our work security impacts our personal lives. And so all of these things that you’re teaching users on—this is how you recognize real malicious websites, this is what a malicious email or text message or phone call or voicemail is going to look and sound like—all of that translates into their personal life.

I imagine a lot of MSPs that listen to this call, the second any one of my family found out that I did “phishing,” and I’m air quoting again, I do phishing. That’s what my entire family knows of my job at this point. I just get nonstop emails from my entire family. Is this phishing? Is this phishing? Is this phishing?

MacKenzie Brown: Oh no, I mean, you’ve trained them without knowing.

Connor Swalm: Correct. Some of them, they are. I’m like, yeah, delete this. It’s like, you’re not being targeted, but this is not real. Others, it’s like, no, that’s a JCPenney marketing email. Looks like you signed up for that. Would you like me to unsubscribe you from the list?

MacKenzie Brown: Oh, so you’re talking about like your grandma or your mom at that point?

Connor Swalm: A lot of family, a lot of family. I have a big family, so.

MacKenzie Brown: No, the prince is not contacting you from Nigeria to offer you something. And no, that cruise ship is not giving you free tickets to the cruise.

Connor Swalm: I wish they would.

MacKenzie Brown: Oh, well, you’re doing the good work there. Okay, so you kind of mentioned AI a little bit. And I’ve seen a lot of presentations recently at some conferences where they focus on the introduction of AI to curate better phishing exploits. Of course they’re doing other things, but we see not just that, that getting the user to click the link, but also more watering hole attacks, things that we’re talking about, like these malvertising campaigns. And then of course, introduction of malware variants or specific modern RATs that are sitting there trying to be designed to evade AV and EDR through that system compromise.

So in the field of security awareness, what is your company doing or how is your team also adapting and evolving to these more, well, I shouldn’t say more advanced, but these shifting evolutions of these tactics and tools?

Connor Swalm: Sure. So if you think about, I guess, what is AI going to do for phishing from a, let’s try to take the highest, like the 30,000-foot perspective on that. It’s going to make it more realistic by generating more accurate context around the individuals.

So if you could find a way to find a company online, look at the way people talk to each other on LinkedIn, get some other publicly available information. Maybe you get a free account on like a skip tracing tool, like Seamless or some other. And then you’re able to target those individuals based upon their role at a company, who they’re likely to be interacting with and what tools they’re likely to use as a result of—There’s some website I used to use to figure out what tools people were using.

All of that exists. And you could combine all of that and you could write phishing emails en masse using all of that context. Not all of it’s going to be accurate. But for those that are accurate, it’s like, wow, that’s scary.

MacKenzie Brown: You just gave the 101 of how to do really good phishing. And you’re like, by the way, if I was to phish, this is what I would do.

Connor Swalm: That was the motivation for starting the company initially before we did awareness training, was we wanted to phish people and not go to jail. It’s like, that was it. It’s like, that’s phishing. It’s fun. Yeah, tricking people is fun. It’s like, it’s a very sophomoric perspective at the time. And we’ve kind of grown up. But at the time, it’s like, let’s just phish people and not go to jail for it. It’s like, all right, that’s fun.

So that’s what we’ve done. We built this really powerful phishing simulator. It doesn’t do everything that I just described, but it does generate context, because we have integrations into Azure and other tools that MSPs use and their clients are using. So we have this information because of the relationship we have with our partners. And so all of this context is generated. All of this context is mostly publicly available at this point, given how much data exists for especially large companies.

And so what I would say is gone are the days of the Nigerian prince scams working. You know, I’m going to take an entire topic of like elderly scamming and put it to the side because we could talk about what that actually looks like right now, because it’s a little different than what’s happening in the working world, professional world, whatever.

All this context is generated and at some point somewhere, a person is going to have to recognize that is not valid traffic. Because all the conversations I’ve had with companies around their email gateways and attacks that they’re getting that are like showing up on there, the enemy’s at the gates, not to quote a movie title, but—

MacKenzie Brown: It’s okay, this is a nerd podcast. Go as deep as you want. Let’s not talk about math, but yeah.

Connor Swalm: I’ve played World of Warcraft since I was in third grade, I still play it. So if you want to talk about the peak pinnacle of nerddom, it’s me.

MacKenzie Brown: Oh yeah, no, I had a stepbrother who was a roommate also who played World of Warcraft every day. And other illegal activities, but certainly enjoyed World of Warcraft.

Connor Swalm: Yep, it’s fun, it’s fun. Gone are the days of like, you mentioned it, like hey, there’s a Nigerian prince or you have a long lost relative that just needs a hundred bucks to give you. Yeah.

MacKenzie Brown: The helpdesk scams, the click here coupons, yeah. Those are, would you say those are gone?

Connor Swalm: I don’t think they’re gone completely, specifically because of how easy those are to conduct.

MacKenzie Brown: But they still, if you’re the bad guy, it still requires, like they probably looked at that and say, oh, this still requires a level of communication and constant engineering back and forth with the targeted user.
But now we’re seeing things where like, oh, I can do this much easier without having to just install some piece of malware or loader that’s gonna actually load malware on a system and get full access and also keystroke logging and have the password and bing, bang, boom.

Connor Swalm: Yeah, I’ve always thought about it like this. What does AI do today for most people’s jobs? It enables it in some way. It lets them do something a little faster, a little better with more information.

Okay, so let’s just view phishing people as a job because it literally is in some foreign countries. What is that gonna do? It’s probably just gonna enable it, make their job a little easier, give them a little more information, give them better targeted emails.

It’s like, that’s all it’s gonna do for now. Like I said, until some kind of generalized AI work exists and humans don’t need to be in the chain of productivity here, it’ll be more of that.

MacKenzie Brown: Right. Well, and that’s something I noted, I think, on like the end of year stuff of where we’re seeing trends in jobs in general and security people coming into the industry.

It’s like, and maybe this is someone that’s coming in to run a security awareness training program or needing to understand these more advanced inclusions like AI ML, but prompts. Having the capability as a security practitioner to understand AI, to build out prompts, to build out the tools that ingest data and understand the information in order to be better at it.

We’re going to see, I think, an increase of those types of very specific roles, probably not at small businesses, but certainly at the large organizational sizes.

Connor Swalm: Yeah, prompt engineering is a skill in and of its own.

MacKenzie Brown: Okay, so the last part of that question is, do you think this… I mean, that’s kind of a loaded question. Do you think we can solve this problem?

Connor Swalm: I think so, and I think so for the following reason. The first statement I’d like to make is in order for a human to be in a position to fall for social engineering, every piece of technology you use to prevent it has already failed. Whether that’s your email gateways, whether that’s Microsoft’s internal stuff, whether that’s any other security tool you bought.

And let’s go on the EDR side and the endpoint monitoring and the agent side. If that person is able to download malicious software, all of your detection, unless you detect it after the fact, all of your prevention, we’re now, I’m thinking of, I can’t think left versus right, we’re now in the realm of IR potentially, because of what’s happened. All of your software, all of your security software had to fail.
And yet the only thing that gets blamed in all of that is the person, is the end user, who is the most uneducated on average when it comes to security, who feels the least prepared, and who is the least knowledgeable of what threats are actually facing them today.

MacKenzie Brown: Sometimes those end users are the technical people of the industry too, or of an organization. It can be your help desk or your IT support or your network admins. Those people are heavily targeted too. So I bet they feel just terrible going home after that workday.

Connor Swalm: Yes. It’s true. And I was reading some report. I wish I had the name because now I just feel like I’m quoting nothing. It basically said, regardless of your security proficiency, you are equally as vulnerable to social engineering as people who have no security proficiency.
So yes, I’m not just talking about people who aren’t “in security,” I’m air quoting again, because everyone’s in security in my mind, trying to get that through my head.

MacKenzie Brown: We’re all defenders.

Connor Swalm: It’s like Tony Robbins, is like, if you don’t wanna be a smoker, just don’t identify as being a smoker. It’s like, oh, do you wanna cig? It’s like, don’t ask, oh, what kind are you offering me? It’s, no, I don’t smoke. It’s like, you need to get that. That needs to be your mentality. It’s, you are a person who identifies as no longer being a smoker.

It’s like, everyone should identify as being a part of security. So what I would say is why I think we can actually teach people to recognize this. So my mission and what I’ve been telling every other awareness training company I could get in front of, because I talk with the founders and people at these companies all the time, because we’re all in this together and security is such a big landscape that we’re all going to win. We can all win, right? If we do the right thing.

So I would say this. If I can look at what attacks are coming into your email gateway, I can look at all of the data your users have generated around phishing, whether it’s from simulated phishing for us or reported phishes through Microsoft or reported phishes through some other mechanism.

I can say these attacks are likely to get through at some point. It’s just a numbers game. This is the certain segment of your population that is vulnerable to this kind of appeal, these kinds of tool sets, the scams that are coming in with this kind of action that it asks you to take, whether it’s log in here, download this, whatever it is. All of that contributes to the vulnerability a user actually has without them being aware.
And I can take the emails that are coming into your gateway. I can flip them into an assessment that I know is relevant to that user because of all the context I’ve been able to generate on that user and teach them. This is how our platform edited this specific phishing scenario, whether it was a text, a voicemail, an email, a DM on LinkedIn, whatever it was, we can do all that long-term.

Then I can actually teach that user how to recognize the exact attack that is likely to get them the next time it happens. And my goal is just to phish them first.

And the statement I always make, it just wraps it up really nicely is, we need more scrimmages and less batting cages. Right now, phishing assessments are batting cages. Can you put a ball on a tee and swing and hit it? Yeah, all of them, every American, everyone listening to this podcast can hit a ball off a tee. Can you hit a fastball? We need to know that if we’re gonna put you in a game.

And you’re in a game if you’re in the front line, if you’re in a company working today online, you’re in the game.

MacKenzie Brown: Right, but if they get hit in the crotch with that fastball, they’re immediately going to remember what it felt like. They’re probably going to get better at hitting that ball.

Connor Swalm: They’re gonna know what that fastball is gonna look like and avoid it the next time. That’s the way I’ll put it.

MacKenzie Brown: Or avoid it entirely, I guess, versus hitting it. Report it now! Just…I’m just glad you didn’t make a football reference, but yes.

Connor Swalm: I’m not a big football fan. I’m rooting for the Eagles because I’m near Philly and it’ll get me to a Super Bowl party where there’s free food and free drinks. So that’s why I’m voting for the Eagles right now.

But that’s what I think the industry is gonna move towards long-term is taking all this context that’s generated and actually flipping it into something that’s gonna simulate the real world as users are completely unaware of it.

And if you take a very similar approach to training, making it relevant to a user based upon the style of the content, the topic of the content, and delivering it at a poignant time where they’re not likely to be in the midst of juggling seven or eight different projects, but you give it to them when they have a little bit of downtime and it’s, hey, this will take five minutes, take a look at it, and you make it interactive, I think we’ll get a lot more uptake in terms of people training that unconscious, hey, something’s weird here. That alarm should go off. I’m just going to click this “report a phish” button instead right now.

Just doing that would be amazing. Now granted, we’ve chosen the hardest thing to—changing human behavior is one of the only unsolved problems that exists in the world. It’ll probably exist forever. And it’s incredibly hard. So it’s like, we’ve chosen the impossible. I get that. But I’m, I’m willing to give it, give it a good faith effort for sure.

MacKenzie Brown: I love that. All right, well to wrap up this lovely discussion too, you know, we talked a little bit about it in the beginning, but again, like your customer base, or kind of where you guys are targeting right now is the channel and those MSP players and those partners.

So looking at IT service providers and of course, you know, I’m a little bit new to the space too, as far as understanding security maturity as it relates to how they’re selling, what they’re investing in, and how they understand everything in the big, wide world of security. But why for you? Why the MSP? What do you have to offer them?

I figure this is a good one to wrap it all up on because get on your soapbox, bro. What are you going to offer them? But not offer them a discount, but why? Why are they integral to this overall human behavior change revolution?

Connor Swalm: I would say this, small businesses are targeted, whether they like to believe it or not. I think all businesses are targeted and there are just way more small businesses. Small businesses have neither the education nor the money to hire security expertise.

And literally what I mean by that is, the owners of small businesses are so, I wanna say, good and focused on running their small business. You cannot expect them to have reasonable understanding of the security industry in general, enough so to even hire an expert that could work with them internally.

So given that narrative and that reality, it has to be through some kind of partnership and MSP. So it’s quite literally the only way I see small businesses being able to get any modicum of security posture in place is through an MSP. Through that partnership, through that coaching, through whatever you’d want to call it. I’m not even going to say vCISO or vCIO. I’m just going to say MSPs are the people that have the security and IT expertise and you’re lending it to all of your small businesses that you work with whenever you work with them.

And so that’s why I think the MSPs are poised to win. Not only is cybersecurity growing, but with cyber insurance requirements being more onerous, with compliance requirements being more onerous, with reporting requirements being more onerous, with targeting increasing, with AI making it easier to target businesses in a host of different ways, with foreign nations funding companies that are legitimate in that foreign country to just steal money from other businesses, I think small businesses cannot exist without a security posture anymore.

And I see security as such a complex thing at this point that any tool that says just click this button and you’re secure, 100% guaranteed we secure you. They’re just blowing smoke. And it’s not. And here’s the proof, the proof is in the pudding. If they weren’t blowing smoke, they’d be a trillion dollar company by next year. It’s like, that’s it. That’s how valuable making good on that statement would be.

So that’s what I would say. That’s why MSPs are gonna win, is cause the security expertise has to exist in the small business. And I just don’t see a world where a small business can get that on their own anymore, which is why we focus on the MSPs.

Quite frankly, anyone who’s listening to this or you, if you’ve read any book on how you should think about building a startup or building good software or, I just got the book right here. I just bought this book and actually it’s on my book stack. I just bought this book right here, Cyber for Builders. Really good, so far.
Anyone who’s read any books like that will understand the riches are in the niches, right? In a world where anyone can buy anything online from largely anyone else around the entire world. Why are you the best at the exact thing in the world at what you’ve just described? And so that’s why we decided to focus on the MSPs, because when we looked at the overall market, like KnowBe4 and like Proofpoint, Cofense, SANS, there’s like tons of these billion-dollar organizations that have awareness training offerings.

It’s like, well, they’re not really focused on the MSP. The use case is there to focus exclusively on them and help them win through better automation, through more commonsense deployment opportunities and stuff like that. That’s why we decided to focus on MSPs.

MacKenzie Brown: Yeah, and in turn enabling downstream customers, like you said, the SMB space specifically.

All right, well, you guys heard it first from Connor himself, but we are not just the defenders, but the MSPs, the channel, our partners, the channel. You really do have a leg up, and this is probably a valid path for a solution to this human behavior problem. I love that.

Connor Swalm: Yeah, thanks for having me on. It was a blast.

MacKenzie Brown: All right, well, are you going to be at Nerdio? I feel like where are you going to, where am I going to see you next?

Connor Swalm: I will be at Right of Boom for sure. That’s probably the next time I’ll see a lot of people listening to this podcast and you as well. So I’ll be at Right of Boom.

MacKenzie Brown: All right, come bother Connor in Vegas.

Connor Swalm: Not if I’m at the craps table, don’t bother me then. If I’m winning, come bother me, cause then we can celebrate together.

MacKenzie Brown: Okay, perfect, perfect. Well, thank you so much, Connor, for being on the show and diving into this topic. I hope everyone was able to take away some good key points. Again, I always say, no matter if you’re like a regular end user in this case, a newb or an expert, all of this is extremely relevant.
And yeah, we will see Connor at Right of Boom. If you’re not going, you should. Registration’s still open. I think we still only have 10 spots left on our CTF. So if you’re bored, Connor, come to our CTF too. I’m sure we can hook you up with that. But thank you again on another successful return of the Mac, and I will see you next time.