Combating phishing, malware and hackers | Cyber Work Podcast


– As you probably know, October is National
Cybersecurity Awareness Month. And, to celebrate, Infosec is giving away a free month of its
Infosec Skills platform. It is a subscription-based
skills-training platform for cybersecurity experts. If you’d like to learn more, please go to infosecinstitute.com/podcast, and don’t forget to claim your free offer before October 31st. (bright music) Hello and welcome to another episode of the Cyber Work with Infosec Podcast. Each week, I sit down with a different industry thought leader to discuss the latest
cybersecurity trends, as well as how those trends
are affecting the work of infosec professionals, as well as tips for
those trying to break in or move up the ladder in
the cybersecurity industry. I’d just like to break out
to note for a moment that, because of, in honor of
Cybersecurity Awareness Month, Infosec is giving away a month free of its Infosec Skills
subscription-based training platform. If you go to infosecinstitute.com/podcast you can find out more about this. Today’s guest, Atif Mushtaq,
is the CEO of SlashNext, and has been fighting cyber
crime for more than 15 years. His story is a series of dream jobs for people in the cybersecurity industry. He was previously a security scientist and system architect at FireEye, where he was one of the main architects in the company’s core
malware detection technology. Atif has worked with
law enforcement agencies to take down some of the
world’s largest malware networks such as Rustock, Srizbi,
Pushdo and Grum botnets. In his research, he found
infinite threats originating in the web layer and discovered that cyber-criminals were launching browser-based phishing
attacks to numerous sources. This led Atif to launch SlashNext, which combats those
advanced, fast-paced threats. He’s worked just about
every job you could name, from entry-level bug-zapper, to the founding of his own company. So today we are going to ask him about some of the highlights
and lowlights along the way, and how to make the big jumps in both the knowledge and the job level. Atif, thank you for joining us today. – [Atif] Thanks, thanks for having me. – So since your interest
in computers and security likely goes back a long way,
let’s start at the beginning. When was the first time you
remember being interested in computers and, from there, when did you decide to focus specifically on issues around security? – [Atif] Well, my
interest around computers goes back to the ’90s. I mean, my first love was mathematics. And as a matter of fact,
one of the main reasons I became interested in computers was the practical application
of mathematical concepts. So I got my degree in
mathematics in the year 1998 and at that time it was
more of a theoretical math and I was looking for a platform that can provide me an
opportunity to kind of work some of these mathematical models that I was working on
into pure applications. And it was simply not possible
without the computers. Even those computers were slow but it was nowhere possible
to convert those theories into any type of application. So this is where I thought,
okay, you know what? This is the way where I really have to work on anything cutting edge. I need some practical tool and the computer was the thing to go with. – Right, so has the
cybersecurity landscape changed procedurally or directionally since you first got
involved way back when? – [Atif] Of course. I think we are into the
fourth generational landscape. When I started, became
involved in security, it was the era where people
were developing malware, or the viruses for fun purposes. So it was kind of a 1997 to
2004, it was the fun part. People were developing stuff. They did not have any
financial motives or any big, I would say, you know what, intellectual property theft and all that. All they wanted to have
was some fun, right. So for five years it was for fun, right. And around, and then we came
into the second generation and that was about for-profit malware. So we started to see
quite a bit of botnets where people thought okay, you know what? There’s no money in
developing viruses for fun. Why don’t we embed some kind
of data-stealing payload into our malware, and we can
make some money out of that. So I would say, second era was
from 2004 to 2007 timeframe. And then we enter into
the third generation where it became targeted
attack, APT attacks, where nation states started to say, well you know what, they can
use it as a weapon, right. And the internet is broad, accessible, so why not take advantage of that? An interesting thing is that
in the first three phases from the fun, for-profit, to
the intellectual property, the most common method used
by hackers were malware. All of them were using malware for different purposes, right. And now I believe we are entering into the fourth generation tech landscape and that is centered around for-profit and the intellectual property but the main difference is
that instead of using malware the bad guys have started
to use phishing instead. – Hmm, okay, so you think there’s a switch from phishing to malware, is there a particular reason for that? – [Atif] It’s a switch
from malware to phishing, and I think it’s very difficult
to have a malware undetected with the current technologies. So anti-malware
technologies really struggle from 1995 to 2010 or so, and then they finally became
reasonably good enough that they made their life quite difficult. So this is the thought to me anyway, it took around 15 years to
develop certain technology that can combat malware. So now if we switch to phishing then there is an opportunity
for us for the next 15 years. – Right, you have this whole sort of social engineering aspect that anti-malware technology
can’t help you with. – [Atif] That’s right. – Letting them through. So let’s start a little bit, the point of the podcast at Cyber Work is we talk about, sort of, career journeys and how to jump from
one career to the next. So based on some of what you told me in the highlights of your bio, you’ve been taking on huge
projects for a long time. Whether it was with
FireEye, law enforcement, or your own company. But everyone has to
start at the beginning, so I’m wondering what your beginning was. What kind of job titles
did you have along the way? Where did you, sort of, get the tools that were in your tool-belt
to get you where you are now? – [Atif] Well, when I started getting into the security stuff, I don’t
think there were even titles around ’99, ’98 timeframe, right. So it was just based on what problem you’re trying to solve, right. I started my career as an R and D engineer and it was a very generic title. I mean, there was nothing like all these fancy titles
back in 2000, right. It was, these were the early days, and people were still trying to make sense out of what’s really happening around. So my first two or three
title was pretty boring, just like a software engineer, right. But of course I was focused on security. The more formal titles started to appear around 2006, 2007 timeframe. The last job I had was at FireEye and my title there was
Senior Staff Scientist. And right there I jumped
into Founder and CEO. – Right, now, so for someone
who wants a career like yours, what are some, sort of, career
or experiential milestones that they absolutely need to have on their resume to be considered? – [Atif] So you’re talking
specifically about security? – Yeah, and just general
skills or background or certifications, like what
do you need to see in a person to, sort of, continue promoting them. What experiences should they have? They should be good at
this or that, or, you know, have a background or have, you know, worked at certain types of
organizations, things like that. – [Atif] Well, it really,
I think they should start with focus, I mean cybersecurity is huge and there’s nothing like a generic cybersecurity professional. You need to focus on one area. So I think the very first step for you is to pick the area that
you want to focus on. And there are dozens
and dozens of different, there’s penetration
testing, there’s malware, there’s phishing, there’s
compliance, right. So first step is to find
what you really like doing. And after that, I think the second area where there’s a lot of
knowledge bases that exist, for example on the penetration
testing compliance, where definitely courses can help. Unfortunately, when it comes to malware and the cutting edge threats that bad guys are launching
and rethinking every day, you need to have some hands-on experience. I’ll give you an example, right. I mean, we are seeing phishing attacks that nobody will speak about or talk about in the next one year,
and certainly in 2020, someone will write an article, okay, this is the new type of
phishing attack that is coming. Well, we observed that
about a year ago, right. So if you really want to go
into this hand-to-hand combat for phishing, malware and the
active combat with hackers, you can’t learn it from any certification. You need to have hands-on experience. Go to dark web, try to learn from hackers themselves,
instead of learning from books. – Oh, so you recommend
jumping in to the dark web and actually see what’s
swimming around down there? – [Atif] That’s the only
way, learn from the bad guys. Because no professor or
scientist is gonna tell you how features are gonna behave
in the next six months. You have to go there,
get your hands dirty, and find it for yourself. – Okay, yeah any other
tips in that regard? You know, we get a lot of
people who listen to the show who feel kind of stuck
in where they’re at now. Like, is there, you know,
something that they can do today that will, sort of, you know,
help them to start moving their skills or their
experiences in this direction? – [Atif] I think, and there’s
so much information available. I would say it all starts with hard work. I can’t think of a reason that
if I’m interested in one area of security and I can’t find enough people who can help me out, or enough material on the internet that I
can learn from, right. So in my opinion, just find
one thing that you really like and then stick to it, and
there’s plenty of help on the internet, in my opinion. – Yeah, okay, yeah absolutely. Get on Google and get started. So now that we’ve talked a little bit about career strategies,
let’s have a little fun and get to some of your personal history. Can you tell us about your time
taking down malware networks like Rustock and others? Were you fighting these networks when law enforcement contacted you, or were you kind of going to war yourself, and what types of strategies and tactics did you use to take ’em out? – [Atif] Sure, my first encounter, direct encounter with bad guys started around 2008,
and the first encounter was without law enforcement help, right. So I can touch base on that. So in 2008 the spam botnets
were really, really very popular and they were pumping billions of spam messages in your inbox, right. And every day there
would be a new headline. Look there’s a sinister botnet, it’s pumping 2.2 billion messages. There’s another one that
is pumping 1.7 billion. And everybody had an understanding that okay, all of these
are different gangs and different botnets that were trying to compete with each other, right. So I really became interested in that to look at why there are
five or six different botnets and what exactly they’re trying to do. And I started to write a series
of blogs on these botnets in early 2008, and during my research I found that most of these guys, who look like apparent rival gangs, are using the same infrastructure
to host their spam. And I started to wonder
if these are rivals then why are they using
the same data centers? And it’s amazing is that the
data center they were using was located in San Jose, Silicon Valley. And eventually I found that was 90% spam is being controlled from San Jose. There is one tower in San Jose where there’s a data center called McColo that is being leased
by a Russian national, and if you take down that data center you’re gonna kill worldwide
spam by 90% in one day. And this is exactly
what we did at FireEye. I, with the help of my
colleague Alex Lanstein, we went after these guys and we just took down one data center and worldwide spam was
down 90% in a single day. And in that process there was no law enforcement involved at all. – Yeah, they were probably
not even aware of the fact that they could get involved
in something like that. – [Atif] Yeah, I mean you need
to have enough understanding of these botnets, or
maybe there was no focus from the law enforcement side, right. So we took it down with
the help of some friends, different orgs, Spamhaus and all that. And then the law enforcement got involved when we tried to take down
a botnet called Ozdock, it was another big spam botnet. We took it down, and apparently it was
just another take-down, we took it down, all the
spam was killed, right. Interesting things
happened when an FBI report came next year, and they actually told us a very interesting story. And that story was that in
2011, the guys from FireEye, naming me, Atif Mushtaq,
was trying to take down the Ozdock botnet, and the
FBI was aware of this guy who’s running this botnet, and he was visiting Las
Vegas for a car show. And they were about to catch this guy, and on the exact same moment
I took down his botnet. And he had to flee the U.S. in a rush, and so FBI had an opportunity
to arrest this guy, but they missed due to me. I mean, I didn’t really
plan for that, right. And then of course that
guy made a mistake again, and he came, visited
Las Vegas again in 2012 and at that time the FBI arrested there and they completed their report, right. And then that guy got in
prison for five years. So at that time we provided them all the threat intelligence, all the proof, just to show that, okay,
this is indeed the guy who owns all the assets
in that U.S. data center that was controlling pretty
much the worldwide spam. So he got convicted. He served his prison, five years, I think he’s out of jail
now and back to Russia. – So what, I mean, spam went
down for a time, by 90%, I imagine but did other
botnets and other organizations kind of fill in the gap fairly quickly? You know, I don’t, I’m
trying to think of a time when suddenly there wasn’t
a lot of spam in my inbox, but, you know, probably there was. – [Atif] It came back,
but it never came back to the historical 2008 level. As a matter of fact,
2008 was the peak time. It never recovered from
there, it never, ever. So it went down 90%, then came back, then we kept on taking it down. Then Microsoft actually jumped in and they took a couple
of botnets down as well. So historically, the
worldwide spam is very low if you compare with 2008. – Where it was.
– Yeah. – Okay, got you. So I guess you mentioned
this a little bit before, but have these types of
malware networks persisted, but it sounds like basically,
rather than malware now, we’re talking about, sort
of, phishing attacks. So how did that, you
mentioned that the tech finally sort of squashed
malware in certain ways, but when did the switch to phishing as a primary attack vector come? – [Atif] That’s a very good question. So I started to see this
switch while I was at FireEye and around 2011 and 2012 timeframe. Around 2014 when I left
FireEye it was almost 50/50. But the amazing thing is
that nobody was talking about that switch at that time. 2014 was the time where you see a lot of next-gen anti-malware
companies started to emerge. So there was something
very interesting happening. Obviously being at FireEye, which is a cutting edge
anti-malware company, I am seeing that, okay, a lot of attacks are moving to phishing, and
at the same time I’m seeing a lot of new anti-malware
technology companies who are kind of impressed
by FireEye’s success and want to replace it. And I was thinking that, okay, this trend is really changing. This is the fourth, we are entering into the fourth generation
tech landscape, right. And so when I left FireEye
I thought, you know what? I mean, right now it’s 50/50 and even now people are
not talking about that. So what if this problem
is going to be this big, almost as big as malware,
then there needs to be a purpose-built anti-phishing company. There’s 60-plus dedicated
anti-malware companies in the world, right. There must be a purpose-built
anti-phishing company. At least 10 of them. And there was none. All were narrowly focused
on email-based phishing, just a small subset of
the overall phishing. So this is how SlashNext was born, on an assumption that, okay,
this problem is gonna go big so everything that we
ever did for malware, we have to repeat it for phishing as well. And that’s–
– Firstly– – Yeah?
– Sorry, go ahead, go ahead. – [Atif] And if you see in 2019, this is exactly what happened right now, based on third-party stats and our stats. 95% of the threats that an
online user is facing today is phishing, and the
malware is just 5% of it. The trend has completely changed. – So what, I guess this
is a good opportunity to talk about SlashNext, but also, what does an
anti-phishing company look like in the way, like, we know
how anti-malware works. We know what you’re getting when you’re getting an
anti-malware package. But what are the components
of an anti-phishing tactic or campaign, or tool or whatever? – [Atif] Well phishing is the
psychological manipulation of an online user, right, and typically hackers exploit
three human emotions, right. I mean, fear, trust and reward. Fear is that there might
be a page that will say, “Okay, you over there, a
virus is on your computer. “You need to call this 1800-number.” Someone is using scare tactics to get you to something stupid, right. Sometimes people use trust, for example someone can send you an email
pretending to be your CEO, and because you trust your
CEO you’re gonna do something on that guy’s behalf, right. Or you send a phishing
link that is a fake replica of Microsoft, and now you trust Microsoft and so you’re gonna do
whatever they’re gonna say. And the third emotion is the reward. We’re seeing a lot of phishing attacks that are just exploiting
the human greed element, where someone is promising
you a free iPhone and asking you for your information. So if you really want to
design a good anti-phishing and anti-social-engineering solution, you need to have a completed software that can understand these
three human emotions. Unless you have a system
that can understand these human emotions, you
won’t be able to develop an anti-phishing solution. So again, understanding
how hackers are exploiting those fears, how they approach that thing, how they set the bait, and
then try to understand that, just like a human would do. For example, if someone asks you to transfer $50,000 to my bank account, there’s no malware in it. There’s no JavaScript in it, right. So now as a human, I’m a
pretty smart online user, so I’ll say, okay, I’m not gonna
transfer, give you $50,000. But a non-technical user would, right. So now if you want to develop a software then that software must understand what does the script,
“Transfer me $50,000” mean? So you need to give
that software an ability to read different languages, and understand the context out of that. At the same–
– So we’re not talking specifically about a
security awareness platform. You’re specifically talking
about a, sort of, online tool that can sort of read the
language of a phishing email and, kind of like the
way that on Facebook now if they show you an article they’ll show you a fact-checked
version of the article. Like is this something that
is basically showing you, this could be spam because
of this specific language, or this specific link,
something like that? – [Atif] Exactly that. So yeah, if you want to
develop an automated system it needs to think like a human. Otherwise it won’t be
able to catch phishing. – Okay, oh, very interesting. So, wow, that’s really cool. I don’t think I was aware of that particular angle
on social engineering. We do security awareness training here, and get people to stop
instinctively clicking on the free pizza coupon and stuff, but it’s good to know
that there’s also this sort of electronic component that’s also sort of reading incoming messages and looking at incoming
fake invoices and what-not, and keeping you abreast of that. So speaking again about career work, what you do now, what
are some of the downsides to the types of work you do. Since your job looks
like kind of a dream job to many security folks,
what are some of the, you know, it’s 2:00 a.m.
and I’m still dealing with these nonsense aspects of the work that they should know about
as well before they jump in? – [Atif] So security as a
professional and as a business is a tricky one, right. Because it’s driven by
what bad guys are doing. For example, I have a great
anti-phishing system, right, and suddenly one day I find that the bad guys are
changing their tactics. Market is exactly the same thing, demand is there, everything is there. The bad guys, that’s the hidden element, is changing their tactics. Now I must act upon that, right. So as a security professional you need to be switching pretty quickly, because unlike many other fields,
that is driven by markets, how consumers are reacting to it, security is driven by bad guys. One day they’re gonna say, okay, we’re gonna attack users like this, and you should be ready for that. I think that’s one of
the biggest challenges for a security professional, right. You’re dealing with
very fast-moving hackers who are making millions of dollars, and who can do everything possible in order to make those
millions of dollars. So you have one assumption today, in one month I have to
change maybe everything in order to catch those bad guys. So the element of surprise, just like a normal work
but it’s really theater, and that I think is the biggest challenge to run a security company,
and at the same time becoming a security professional,
or a software developer who’s coding software solutions that requirements can change any time. You’re not taking
requirements from customers. You’re taking requirements from bad guys, and they don’t care about you, right. – Yeah, I mean, we’re seeing
similar things like that just in general with, training
and what they’re calling the half-life of cybersecurity knowledge, that after something like two years 50% of the knowledge you had
is already becoming obsolete, just ’cause of the fast pace of technology and what-have-you. So were there any particularly
surprising attack types that you saw out in the
wild, in your years as either a malware-zapper or as a phishing person. Is there any particular attack
vector or malware strategy that made you kind of
shake your head and say, “Wow, that’s pretty impressive.” – [Atif] A lot of them, right, I think. People speak about changing tech landscape and people think that
it’s the process of years. We are seeing that landscape
changing every month. I’ve seen some phishing attacks that I never even thought are possible, and I’ve started seeing them
a couple of months ago, right. I’ll give you an example, right. I started to see phishing attacks, when you click on a phishing email they ask for a CAPTCHA, right. So what happens that,
what they’re trying to do, is to fool the automated system, right. So they know that a normal
user would solve that CAPTCHA and you’ll eventually land
onto the phishing page, right. But how about an
email-scanning engine, right? How are they gonna break the CAPTCHA to see the phishing page, right? So it was a very clever attempt to fool the automated
engines, by scanning the URLs, because you have to break the CAPTCHA before you can even visit that website. And they were using Google
CAPTCHA, the picture-based stuff, which is almost impossible
to break, right. So that was a pretty
surprising attack for us, and it was pretty clear that the bad guys are watching security
companies very, very closely, and they exactly know how
they’re trying to catch them and they’re coming up with
a range of techniques. So that was kind of a bad moment. I also recently saw a multi-stage attack where you get a phishing
email, you click on a link, and they ask you a series
of benign-looking questions, so you have to move your mouse, you have to enter something
through your keyboard, and then eventually you
see the phishing page. So now they’re assuming that a normal user would be able to answer all
these benign-looking questions and the gestures, but an automated system will never be able to solve the roadblocks in order to reach this thing. So it was completely shock
for me to at least see that kind of stuff is happening, where you need to be exactly like a human to reach to that phishing page,
so that you can detect it. – So, I mean, that almost sounds like, they’re sort of playing
up our inherent desire for gamified things, where
you get two or three steps where you say, “Oh, that’s fun.” You know, “I can answer
these easy questions.” And the next thing you know, you’re just kind of in that
mode of, “Okay, what’s next?” And then next thing it gives
you is a phishing page. – Exactly, exactly.
– Wow. So in your bio you noted that
in your research you found quote, “Infinite threats
originating in the web layer “and that cyber-criminals were launching “browser-based phishing attacks,” which sounds a lot like we
were talking about here, “through numerous sources noting “that growing problems
of HTML attacks presented “by web-based phishing and
malicious browser extensions.” So does that connect to this,
or is that a parallel track? – [Atif] Actually, that’s
a very interesting trend, and I think, I hate to say it, but I think that Google
is responsible for that. So what happened that
about six, seven years ago Google thought that if they can turn their browser into a platform, so instead of people downloading applications on Microsoft Windows, they can download these extensions, and these are the web
apps on the browser then, so that they don’t have to
go to the operating system. And they wanted to make, Chrome
OS is the proper platform instead of the Microsoft
Windows or OS X, right. So they put a huge R and D app for it and the marketing app for
it on convincing developers, instead of writing the
desktop applications start writing the browser extensions. And these are the unconventional
applications that run, but then browsing only, and they offer quite a bit
of functionality, right. And now you see there
are more than 200,000 browser extensions on
the Chrome store, right. So this is where the bad
guys saw an opportunity. They knew that there are a
lot of antivirus technologies running at the operating system level, looking for EXEs, binaries,
and they say you know what? All the confidential stuff is happening within browser anyway, right. So what if we start releasing malware in the form of browser extensions? And one thing is that, first of all, we have a great vantage point. We can see exactly what the
user is doing with browser by developing an extension. And at the same time,
the antivirus are looking for bad binaries on the operating system. They are not looking for web apps that are running within the browser. So this is what we found, that people have started
using phishing attacks to spread these browser extensions. People simply download and
install an online radio, right, and that online radio
is actually offering you streaming services, but at the same time, they are scraping your screen. So again, there’s legitimate functionality in those extensions, but
there’s a hidden business going in the background. And so far it looks the
anti-malware technology that we developed over the years to combat conventional malware running on the operating system, they are completely ineffective
against these attacks. And this all started happening
about a couple of years ago. So it’s gonna take a while for
the anti-malware technologies to even develop a
technology that can even, ability to see the
behavior of these web apps so that they can stop it. – Okay, so that sort of
answered my next question. So it’s still down the road. There’s not really a
step-by-step process right now of identifying and shutting down these types of browser-based attacks. – [Atif] We actually,
SlashNext offers a solution. The way we offer it, we started
at the very, very beginning, at the time, well, they
are setting the bait to install these exchange. And so we track all these
malicious advertisements, and by the time they set the bait to download this browser
extension we stopped that attack. So again, we are stopping it before it gets installed on your browser. And it’s a completely preemptive approach, as compared to the antivirus guys who let that thing install in the system before they can stop it. We are stopping it at
the stage number one. I think that is, in my opinion, is the best way to stop these attacks. – Okay, so I mean we’ve
been talking a lot about sort of technical solutions
to phishing attacks and browser extensions and so forth. You know, but there’s,
as we’ve also mentioned, that by its nature that social engineering plays a part in phishing attacks. So if you could put your social
security awareness hat on for a moment, are there any
up-to-the-minute strategies? I mean, we all know don’t
put your password where, if something looks wrong,
if the text looks garbled or the URL looks weird. But are there any new, you know these things are happening
faster and changing constantly. Are there any new
security awareness things that people should be
involved with or think about, or be watching out for? – [Atif] Well to be
really frank, it’s tough. Over the years people have developed enough training modules
for email-based phishing, but nowadays you are seeing phishing coming from your LinkedIn, from your WhatsApp, from Facebook. So I don’t even think that, when it comes to security awareness, people are aware of phishing hitting them from other communication mediums as much as they know about email. So in my opinion, even if
you have a fully-trained email phishing trained
user, he’s gonna struggle to find a phishing ad
out of thousands of ads that person sees in a single day, right. So there’s a limit to
the security awareness, and how much you can give. I mean, okay, so now you
have a training module for email-based phishing that
everyone is offering, right. Okay, now you need to have social media. And there’s so much information
on the web right now to be really (obscured by
microphone distortion) fake news, legitimate information. So our attention span
is so, I would say less, that it’s very hard to
make a very, I would say, informed decision every
time you click on a thing. – Yeah, you get worn down after a while. – [Atif] You won’t know,
so I think it’s tough and especially with the fact that the way the bad guys are
coming, I think it’s tough. I mean, I won’t say that I’m
against security awareness, but I think it has clear limitations. And on top of that, we humans
are not rational all the time. I mean, look, I’m
talking to you right now. I’m pretty fresh this morning, right. How about you send me a phishing link, it’s two in the morning when
I’m almost half-dead. And I have all the training in the world, but I’m not even thinking
straight like now, right. So humans, we are not in
a stable mind condition all the time, right. So this is how the bad guys get in, right. – Yeah, so I guess adding to
that, as we wrap up today, since you’re on the front lines of phishing attacks and tactics, what are some other malicious
tactics that you see on the horizon, beyond what’s here now? What are some of the things you think you’re gonna be fighting in
2020 and beyond in this regard? – [Atif] In terms of end-user security and the online threats, I think this phishing is gonna
grow more, in my opinion, and the malware trend
is gonna be downwards. I believe that I’m gonna see more rise in the non-email-based phishing, especially on the advertisements
and the social media side. People are spending quite a lot of time on these social media sites, and I think the unconventional
infection vectors like advertisements, search
engines, WhatsApp, Skype, on the mobile devices,
I think that’s gonna be an upward trend, and at the same time I think the phishing attacks
will be much, much harder to detect in coming years. Bad guys have actually, they
know that they’re focused on phishing, for a couple of years nobody was talking about that. Now everybody is talking about phishing. Hence all these security
companies are jumping to develop some kind of technology, and this is where the race
condition has begun now. So it’ll be much harder to catch phish and it’ll be much harder for
an end user to spot phish. – And so what are some of
the tactics and so forth that SlashNext is working
on in this regard? But not revealing any
trade secrets, of course. – [Atif] Yes, I think again,
the focus of the company has been, since the very
beginning, that okay, if you have to stop phish
we have to think like a well-trained end user. A well-trained end user has
been historically successful in catching phishing attacks,
just like you are, right. So all we keep on thinking that, okay, how a well-educated human
user would detect it, and a lot of it has to do with by seeing things and
reading things, right. So this is where we’re gonna focus on. We’re adding new new natural
language processing modules. We are making our algorithm ability to see things much better, right. So that they can start
analyzing or they see the email and the webpage exactly
like a human user would do. And they can do it in a faster fashion, and that in my opinion is the way to go. Just try to catch phish
just like a human do, right. – Right, okay, so if
people want to know more about Atif Mushtaq or SlashNext,
where can they go online? – [Atif] Well the obvious
thing is slashnext.com, you can go visit our website and you can learn about the system and at the same time quite a
bit about the tech landscape. Our blog is pretty good. I mean, we keep on talking
about some latest trends, and you should be a regular
visitor of our blogs if you really want to learn
about new phishing trends. And at any given stage you have [email protected],
just send us an email or just give us a call. – Sounds great, Atif, thank
you for joining us today. – [Atif] Thank you so much. – And thank you all for
listening and watching. If you enjoyed today’s video you can find many more
on our YouTube page. Just go to YouTube.com and
type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and past webinars. If you’d rather have us in
your ears during your work day, all of our videos are also
available as audio podcasts. Just search Cyber Work with Infosec in our favorite podcast catcher of choice. And to receive a free month of our Infosec Skills
subscription-based platform in honor of National
Cybersecurity Awareness Month, go to infosecinstitute.com/podcast or click the link in the description. Thank you once again to
Atif Mushtaq and SlashNext, and thank you all for
watching and listening. Speak to you next week. (bright music)
