0:00:01.4 Max Havey: Hello, and welcome to another edition of Security Visionaries, a podcast all about the world of cyber, data and tech infrastructure, bringing together experts from around the world and across domains. I'm your host, Max Havey, and today we're taking a look back at some of the big threat trends of 2024, and looking ahead at what may be on the horizon in 2025 with our guest, Ray Canzanese, director of Netskope Threat Labs. Ray, thanks for joining us.
0:00:25.1 Ray Canzanese: Oh, thanks for having me, Max.
0:00:26.8 Max Havey: All right. So Ray, I'm gonna ask you some questions here about what you've seen over the past 12 months, and I'm hoping that you can use a mixture of some direct insights from your own research at Netskope, and also share some knowledge from your wider engagement and collaboration with the broader threat community. So, to start off, there's been a lot of talk about how AI is changing security. So let's start by asking, have you seen threat methodology that's been changed by AI this year?
0:00:54.2 Ray Canzanese: I guess AI has been changing cybersecurity since its inception. Cybersecurity is newer than AI. We've seen it since the beginning. It started with heuristics, then machine learning, which continued to become more and more advanced. Now GenAI. So, of course, it's changing the industry as it always has. In the past year we saw GenAI tools being way more heavily used by attackers. They've become really useful tool for social engineering and scams. We've seen lots of fun, deep fake celebrity endorsements. You've got some celebrity selling something. All you have to do is give it your social security number, all your bank account information, all your credit cards, and that of all your friends. And then you'll get, I don't know, whatever weird new invention they're selling. We've seen fake CEOs requesting help from employees. For business email compromise and other types of attacks. We also have found that some enterprising attackers decided they could sell their own LLMs. And so we have LLMs being sold that are specifically used for things like business email compromise, and inherently nefarious things.
0:02:09.7 Ray Canzanese: On the other end of the spectrum, we see all of the new technology being used by defenders as well, especially with LLMs, which are really good at taking massive amounts of data and making it easier to understand. That's the perfect tool for cybersecurity. All of us cybersecurity professionals are drowning in data, more data than we will ever be able to look at. And so having tools that can examine that data, summarize that data, and give us something we can quickly understand, that's a fantastic tool for a security professional. And so the other thing I guess, that AI has changed, is there's now a new class of tools that we all have to worry about as cybersecurity professionals. So not just worried about all of the good and bad that come with the GenAI tools, but also what about the tools themselves? Are they being used safely and securely? What types of data is being sent to them? Was the data that they were trained with poisoned? Is it accurate? How are people using the outputs? All of these fun new challenges coming with GenAI as well.
0:03:17.1 Max Havey: Absolutely. And were there any specific threats or campaigns that stuck out to you in reviewing research from this year specifically around people abusing generative AI tools or finding some of those weak points in tools?
0:03:30.0 Ray Canzanese: Well, as far as using the tools go, I think all of the social engineering where there was some deep fake. Either somebody's voice, a video of them, somebody joining a Zoom call, all of those to me really tie as the most convincing use of AI to build a social engineering bait that people honestly just weren't really well equipped to deal with. You're trained to hover your mouse over a link and see where it truly goes. What do you do when you get a phone call from Sanjay Barry, my CEO, and he's like, "Ray, quick, give me the bank account numbers, we need to transfer some money." There was no training that prepared me for that. And so all of those types of social engineering attacks are just really, really novel and make us rethink what we need to do in response.
0:04:23.0 Max Havey: So it's a new frontier in all of that, and it takes learning how to identify those sorts of things that seem fishy in the general sense, not just the pH sense, but like what should people be looking out for when it comes to identifying those sorts of generative AI-e