Welcome to Unsupervised Learning, a security, AI and meaning focused podcast that looks at how best to thrive as humans in a post AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond. All right, Jason, welcome to Unsupervised Learning.

Welcome to Unsupervised Learning, a security, AI and meaning focused podcast that looks at how best to thrive as humans in a post AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond. All right, Jason, welcome to Unsupervised Learning.

Thanks for having me. First time on unsupervised learning. Super excited.

Thanks for having me. First time on unsupervised learning. Super excited.

Yeah, absolutely. So as most people know, we know each other very well. And you've also started your own business recently. You've got Arcanum Security up and running. So congrats on that. Thank you.

Yeah, absolutely. So as most people know, we know each other very well. And you've also started your own business recently. You've got Arcanum Security up and running. So congrats on that. Thank you.

I mean, you were you were the one who pushed me to do it. So I got to thank you on that one.

I mean, you were you were the one who pushed me to do it. So I got to thank you on that one.

Yeah. Yeah. Really exciting to see that. And, uh, you're also field CSO for, uh, for flare, which is super exciting. So I'm sure you've got a million companies, like beating down the door to try to, like, be associated with you and like, get you on the team and everything. So what was, uh, the thing that stood out and made you want to do it with flair.

Yeah. Yeah. Really exciting to see that. And, uh, you're also field CSO for, uh, for flare, which is super exciting. So I'm sure you've got a million companies, like beating down the door to try to, like, be associated with you and like, get you on the team and everything. So what was, uh, the thing that stood out and made you want to do it with flair.

Yeah. So that's actually a really great question, I think. Um, so but between leaving Ubisoft, which, you know, actually wearing the merch right now, um, between leaving Ubisoft, the video game company, and being CSO there and then coming back into Red team, there was a year where I worked with a buddy of mine at another consultancy before I started my own thing. And so over the past couple of years, I've been on the red teaming side, um, a lot of red teaming, a lot of pen testing. And what I noticed was that kind of adversary methodologies had changed a little bit from what the very known penetration testing methodologies and red teaming methodologies, um, had, uh, you know, had consistently shown, at least from, you know, me talking to peers and, you know, reviewing reports. And I did a bunch of research in the last two years. And so that shift was basically, um, adversaries are not using hacking methods, at least in the traditional sense as their first stop shop right there, looking on the dark web for pre-owned accounts and credentials for organizations. And so I had to figure out a way to add that to my methodology when we did red team tests. And so I baked off, you know, all of the companies that did this because I wanted to, you know, provide the best, uh, you know, adversary emulation that I could. And so when I looked at all these companies, I stumbled upon flair, um, at a conference, met one of their reps and started using their trial and, uh, used it. And it was it was an order of magnitude better than any other vendor as far as finding creds for an organization. Um, and they do it in a, you know, a CRM, you know, kind of way, a credential exposure management threat, Intel management way. I mean, they sell that, but they also let pen testers and red teamers use the data as well for their customers. So if I have a customer for Arcanum, you know, I can use the I can use my relationship with them to look up creds on that company in the red team test. And so, um, like five out of the last six red team engagements that I had done in 2023, uh, flare credentials, which are pulled off of the dark web, telegram channels and stuff like that. Um, they came from the success came from the credentials that came out of flare. Um, and so I started talking to them and I was like, hey, um, you know, like, really like what you guys are doing. I ended up doing like a, I think one podcast with them. Um, and then that transitioned to them being like, hey, would you like to come work part time as our field CISO? And I was like, yeah, absolutely. So that's how that relationship started. And and now, you know, I do content for them. Um, I advise them on product. I do all kinds of stuff like randomly, you know, it's a startup. Everybody wears every hat. So yeah, that's that's how that started.

Yeah. So that's actually a really great question, I think. Um, so but between leaving Ubisoft, which, you know, actually wearing the merch right now, um, between leaving Ubisoft, the video game company, and being CSO there and then coming back into Red team, there was a year where I worked with a buddy of mine at another consultancy before I started my own thing. And so over the past couple of years, I've been on the red teaming side, um, a lot of red teaming, a lot of pen testing. And what I noticed was that kind of adversary methodologies had changed a little bit from what the very known penetration testing methodologies and red teaming methodologies, um, had, uh, you know, had consistently shown, at least from, you know, me talking to peers and, you know, reviewing reports. And I did a bunch of research in the last two years. And so that shift was basically, um, adversaries are not using hacking methods, at least in the traditional sense as their first stop shop right there, looking on the dark web for pre-owned accounts and credentials for organizations. And so I had to figure out a way to add that to my methodology when we did red team tests. And so I baked off, you know, all of the companies that did this because I wanted to, you know, provide the best, uh, you know, adversary emulation that I could. And so when I looked at all these companies, I stumbled upon flair, um, at a conference, met one of their reps and started using their trial and, uh, used it. And it was it was an order of magnitude better than any other vendor as far as finding creds for an organization. Um, and they do it in a, you know, a CRM, you know, kind of way, a credential exposure management threat, Intel management way. I mean, they sell that, but they also let pen testers and red teamers use the data as well for their customers. So if I have a customer for Arcanum, you know, I can use the I can use my relationship with them to look up creds on that company in the red team test. And so, um, like five out of the last six red team engagements that I had done in 2023, uh, flare credentials, which are pulled off of the dark web, telegram channels and stuff like that. Um, they came from the success came from the credentials that came out of flare. Um, and so I started talking to them and I was like, hey, um, you know, like, really like what you guys are doing. I ended up doing like a, I think one podcast with them. Um, and then that transitioned to them being like, hey, would you like to come work part time as our field CISO? And I was like, yeah, absolutely. So that's how that relationship started. And and now, you know, I do content for them. Um, I advise them on product. I do all kinds of stuff like randomly, you know, it's a startup. Everybody wears every hat. So yeah, that's that's how that started.

No, that's very cool. And it flows really well with what you're doing in Arcanum. Right. Because you're doing red team over there. You're doing training over there. You're doing all kinds of stuff.

No, that's very cool. And it flows really well with what you're doing in Arcanum. Right. Because you're doing red team over there. You're doing training over there. You're doing all kinds of stuff.

Yeah, I mean, it comes in handy with the red teaming. The purple teaming. Um, you know, the, you know, the times when we do consult a little bit on blue teaming as well, which is, you know, threat intelligence and exposure management and um, yeah, really, it's been awesome. And they've been really receptive to from, you know, when I am a customer asking for, you know, features, they're on it, they're like, hey, like we'll build that soon. It's on the roadmap. So um, and they're one of the only players, I think that also works with, um, like those pentesting companies, right, where you can redistribute that threat Intel data and that exposure data to use it in your engagements. So I think that's really cool too.

Yeah, I mean, it comes in handy with the red teaming. The purple teaming. Um, you know, the, you know, the times when we do consult a little bit on blue teaming as well, which is, you know, threat intelligence and exposure management and um, yeah, really, it's been awesome. And they've been really receptive to from, you know, when I am a customer asking for, you know, features, they're on it, they're like, hey, like we'll build that soon. It's on the roadmap. So um, and they're one of the only players, I think that also works with, um, like those pentesting companies, right, where you can redistribute that threat Intel data and that exposure data to use it in your engagements. So I think that's really cool too.

Yeah, I really like that red team focus that that's really powerful. Um, so what what would another protection scheme look like for a customer? So let's say you're a regular customer and you buy a flare. Is this essentially threat Intel that's coming down to you to notify you that a credential has been compromised? So, you know, to rotate it? Is that like the main use case?

Yeah, I really like that red team focus that that's really powerful. Um, so what what would another protection scheme look like for a customer? So let's say you're a regular customer and you buy a flare. Is this essentially threat Intel that's coming down to you to notify you that a credential has been compromised? So, you know, to rotate it? Is that like the main use case?

Yeah. So in in kind of the dark web world. Right. That attackers kind of go through there's, there's really the stepping stone or like I call it levels of, of data that's exposed via the dark web. Right. And so this is part of that research I did in my last two years. And so the first level is creds that have already made it to the clear web. Right. So this is stuff that you will see. And have I been pwned and leaked X. And you know some things like this. Right. Um, and so these things are already on the public web. They're posted via paste sites, they're already on torrent listed sites and stuff like that. And so that's the first place an adversary will go, okay, um, to look for creds. Now, uh, there are several other intermediaries, but eventually you get to one of the higher tiers, the higher levels. And that level is looking on telegram, discord, WhatsApp. Um, and, you know, some of the dark web forums that are invite only to find really fresh what we call, um, you know, basically they're the result of Steeler malware. Um, and so these packs of, um, you know, data from Steeler malware end up being sold, and they include, uh, credentials and cookies, um, from a user that might be associated to your business. And so that's where attackers will end up. And then right after that is the step where they actually try to hack you. Right? Um, but they'll do all the easy stuff first.

Yeah. So in in kind of the dark web world. Right. That attackers kind of go through there's, there's really the stepping stone or like I call it levels of, of data that's exposed via the dark web. Right. And so this is part of that research I did in my last two years. And so the first level is creds that have already made it to the clear web. Right. So this is stuff that you will see. And have I been pwned and leaked X. And you know some things like this. Right. Um, and so these things are already on the public web. They're posted via paste sites, they're already on torrent listed sites and stuff like that. And so that's the first place an adversary will go, okay, um, to look for creds. Now, uh, there are several other intermediaries, but eventually you get to one of the higher tiers, the higher levels. And that level is looking on telegram, discord, WhatsApp. Um, and, you know, some of the dark web forums that are invite only to find really fresh what we call, um, you know, basically they're the result of Steeler malware. Um, and so these packs of, um, you know, data from Steeler malware end up being sold, and they include, uh, credentials and cookies, um, from a user that might be associated to your business. And so that's where attackers will end up. And then right after that is the step where they actually try to hack you. Right? Um, but they'll do all the easy stuff first.

Okay. And then so we hear a lot about like toufar bypass or whatever. So is this where the Toufar bypass comes in with the cookie stuff?

Okay. And then so we hear a lot about like toufar bypass or whatever. So is this where the Toufar bypass comes in with the cookie stuff?

Yeah, exactly. So, um, you can have your credentials stolen in a myriad of ways, right? Uh, and that is stymied by kind of traditional, um, you know, traditional security advice of using toufar. Right. And I think that what a lot of people miss out on is that most of the time when credentials are stolen, other than from, like, a breach, right? They're stolen via credit stealer malware. which owns your whole computer. And that means that the cookies in your browser, like Chrome or Firefox, are stolen from, you know, from that malware and sold as well. And so that means that you can just inject a cookie into a website and never be asked for a password or a cookie. You know, the cookie. You know, for those who aren't really, um, you know, aware of the, you know, technology or I'm sure most people who watch your show, you know, are aware of what cookies are, but in most senses, authentication cookies. Just tell the website that you are already authenticated, and you can view a page for a certain amount of time or an authenticated section of an application. So you have you have Netflix, right. And so, you know, you leave Netflix logged in for weeks, months, years sometimes. Right. And that's controlled by the cookie. When your browser visits Netflix, the first thing it does is it looks for the Netflix authentication cookie. And it says yes, Daniel has that one. It's it's hasn't set to expire yet. And so we know this is Daniel coming from this cookie and we'll let them in without asking for username and password.

Yeah, exactly. So, um, you can have your credentials stolen in a myriad of ways, right? Uh, and that is stymied by kind of traditional, um, you know, traditional security advice of using toufar. Right. And I think that what a lot of people miss out on is that most of the time when credentials are stolen, other than from, like, a breach, right? They're stolen via credit stealer malware. which owns your whole computer. And that means that the cookies in your browser, like Chrome or Firefox, are stolen from, you know, from that malware and sold as well. And so that means that you can just inject a cookie into a website and never be asked for a password or a cookie. You know, the cookie. You know, for those who aren't really, um, you know, aware of the, you know, technology or I'm sure most people who watch your show, you know, are aware of what cookies are, but in most senses, authentication cookies. Just tell the website that you are already authenticated, and you can view a page for a certain amount of time or an authenticated section of an application. So you have you have Netflix, right. And so, you know, you leave Netflix logged in for weeks, months, years sometimes. Right. And that's controlled by the cookie. When your browser visits Netflix, the first thing it does is it looks for the Netflix authentication cookie. And it says yes, Daniel has that one. It's it's hasn't set to expire yet. And so we know this is Daniel coming from this cookie and we'll let them in without asking for username and password.

Yeah, that totally makes sense because like in the course of a session or even, you know, half a day or a day, you're hitting hundreds of things, right? And you can't be re-authoring each time. So you're just sending a cookie. So that makes sense. So I imagine in the forums they're going to have like decay numbers for how long this token is going to be valid.

Yeah, that totally makes sense because like in the course of a session or even, you know, half a day or a day, you're hitting hundreds of things, right? And you can't be re-authoring each time. So you're just sending a cookie. So that makes sense. So I imagine in the forums they're going to have like decay numbers for how long this token is going to be valid.

Yeah. And the dark and the dark web forums, you know, they'll they'll sell the packs of, you know, like Red line is the biggest credential stealing malware right now. In fact, I think Cisa came out with an advisory just yesterday that, uh, or the DoD just came out with an advisory saying it's their number one, like focus is to fight, um, Red line, which is one of the credential stealer malware and um, and yeah, so that'll steal the cookies and the credentials and a whole bunch of other stuff too. Like when you see one of the packs being sold, it's usually, uh, you know, sold. And it has a whole bunch of zips in it, and the zips in it have the result of the malware. You get a screenshot of the desktop, you get that person's stored Chrome credentials for all the sites they visit. You get the cookies for all the sessions that the browser is logged into. So all of their consumer apps, you get a full hardware listing of every app that's running on the infected machine. Yeah. It's crazy. I mean, I mean, Red line is a pretty advanced infostealer. So yeah.

Yeah. And the dark and the dark web forums, you know, they'll they'll sell the packs of, you know, like Red line is the biggest credential stealing malware right now. In fact, I think Cisa came out with an advisory just yesterday that, uh, or the DoD just came out with an advisory saying it's their number one, like focus is to fight, um, Red line, which is one of the credential stealer malware and um, and yeah, so that'll steal the cookies and the credentials and a whole bunch of other stuff too. Like when you see one of the packs being sold, it's usually, uh, you know, sold. And it has a whole bunch of zips in it, and the zips in it have the result of the malware. You get a screenshot of the desktop, you get that person's stored Chrome credentials for all the sites they visit. You get the cookies for all the sessions that the browser is logged into. So all of their consumer apps, you get a full hardware listing of every app that's running on the infected machine. Yeah. It's crazy. I mean, I mean, Red line is a pretty advanced infostealer. So yeah.

Yeah, I saw a thing yesterday. I got it marked for, um, for the show later. Uh, Russian national Roudometof, uh, just got captured for the red line. Yeah. And evidently they've got full source code and everything, and, uh. Yeah, bad OpSec was, uh, which has never happened before. Bad ops never happened. Yeah.

Yeah, I saw a thing yesterday. I got it marked for, um, for the show later. Uh, Russian national Roudometof, uh, just got captured for the red line. Yeah. And evidently they've got full source code and everything, and, uh. Yeah, bad OpSec was, uh, which has never happened before. Bad ops never happened. Yeah.

Yeah.

Yeah.

I mean, yeah. That's interesting. So. So you just really like the flow that flare is using here to like, are they, are they better at going deeper into these forums. Like what do you think sets him above right? Because there's a lot of people playing in this space.

I mean, yeah. That's interesting. So. So you just really like the flow that flare is using here to like, are they, are they better at going deeper into these forums. Like what do you think sets him above right? Because there's a lot of people playing in this space.

Yeah. For sure. So, um, I mean, I don't recommend a product unless I, I review like kind of the whole space, right? So, um, you know, like, in another life, I probably could have been a Gartner analyst or something like that, you know, but, uh, uh, but yeah, it is the level at which, um, they go for their credentials. It's really the research team. They're finding other novel ways to of surfacing the data that ends up on the dark web. Um, you know, I'm, uh, I may, may or may not be aware of a new feature that's going to launch pretty soon around this whole thing of cookies. Um, coming out in, uh, in a couple of weeks. But, um, to help people just. Yeah, in mass invalidate, um, cookies from B2C companies. Right. So, like, Netflix is a great example, right? So we could, you know, flare could work with Netflix and give them a list of all cookies that have been compromised, and then they can feed that into a script that will invalidate those sessions. Oh yeah, and in real time over API too. So, um, so those are some exciting things. And that's the kind of stuff like, you know, we talk about internally, they're building quickly, but it is really the, the depth of the, um, you know, the threat research or whatever you want to call it, right? That the team that gets into the forums and, and the telegrams and the discords is better than any other I've seen. So, I mean, it's really at the end of the day for any of those platforms, it's how deep can they get into the ecosystem. Um, you know, so bad that, you know, sometimes, you know, we see people talking about flare on the dark web and like lamenting the fact that we're, you know, like exposing all their stuff. So yeah.

Yeah. For sure. So, um, I mean, I don't recommend a product unless I, I review like kind of the whole space, right? So, um, you know, like, in another life, I probably could have been a Gartner analyst or something like that, you know, but, uh, uh, but yeah, it is the level at which, um, they go for their credentials. It's really the research team. They're finding other novel ways to of surfacing the data that ends up on the dark web. Um, you know, I'm, uh, I may, may or may not be aware of a new feature that's going to launch pretty soon around this whole thing of cookies. Um, coming out in, uh, in a couple of weeks. But, um, to help people just. Yeah, in mass invalidate, um, cookies from B2C companies. Right. So, like, Netflix is a great example, right? So we could, you know, flare could work with Netflix and give them a list of all cookies that have been compromised, and then they can feed that into a script that will invalidate those sessions. Oh yeah, and in real time over API too. So, um, so those are some exciting things. And that's the kind of stuff like, you know, we talk about internally, they're building quickly, but it is really the, the depth of the, um, you know, the threat research or whatever you want to call it, right? That the team that gets into the forums and, and the telegrams and the discords is better than any other I've seen. So, I mean, it's really at the end of the day for any of those platforms, it's how deep can they get into the ecosystem. Um, you know, so bad that, you know, sometimes, you know, we see people talking about flare on the dark web and like lamenting the fact that we're, you know, like exposing all their stuff. So yeah.

That's cool. Yeah, yeah. Uh, what what other stuff are you thinking about right now? Um, in terms of, like, malware activity that that, um, flare already catches or you're looking forward to them catching like other types of, like, forward leaning malware or attacks.

That's cool. Yeah, yeah. Uh, what what other stuff are you thinking about right now? Um, in terms of, like, malware activity that that, um, flare already catches or you're looking forward to them catching like other types of, like, forward leaning malware or attacks.

So exposure of, you know, exposure of, um, malware that is like infostealer malware or credential stealer malware, um, is is kind of what flare started with. But, you know, that's part of a sub, you know, category of threat Intel. Right. And so like threat Intel includes a whole bunch of types of IOCs, right. Um, and so over the course of, you know, this last year and this next year, we've really been focused on also providing traditional threat Intel or forum monitoring or brand monitoring for a business when a campaign might start against them. Or we've been working with the US government and several branches of government, you know, tracking even, you know, some high profile threats to the nation, election integrity, you name it. We're working with big companies who I can't mention, you know, but AI companies and, you know, fraud and abuse and AI based on threat actor like IOCs and recognition. So there's that There's also we did an acquisition really recently for Attack Surface Management, which I know you're an expert in. Um, and so for eternal attack surface management, that'll be something we also move into offering in 2024 or 2025. Um, and so, you know, my dream of what I've told flair is that, you know, I feel like external attack surface, like kind of this brand monitoring or campaign monitoring on top of the credential exposure. Um, really great stuff that they do already. I feel like this can fit into, um, like a dashboard and a flow of, you know, general threat intelligence that I think no one else really offers. And I'm really excited to see when we can put it all together in, you know, for one, one person to access it in one place.

So exposure of, you know, exposure of, um, malware that is like infostealer malware or credential stealer malware, um, is is kind of what flare started with. But, you know, that's part of a sub, you know, category of threat Intel. Right. And so like threat Intel includes a whole bunch of types of IOCs, right. Um, and so over the course of, you know, this last year and this next year, we've really been focused on also providing traditional threat Intel or forum monitoring or brand monitoring for a business when a campaign might start against them. Or we've been working with the US government and several branches of government, you know, tracking even, you know, some high profile threats to the nation, election integrity, you name it. We're working with big companies who I can't mention, you know, but AI companies and, you know, fraud and abuse and AI based on threat actor like IOCs and recognition. So there's that There's also we did an acquisition really recently for Attack Surface Management, which I know you're an expert in. Um, and so for eternal attack surface management, that'll be something we also move into offering in 2024 or 2025. Um, and so, you know, my dream of what I've told flair is that, you know, I feel like external attack surface, like kind of this brand monitoring or campaign monitoring on top of the credential exposure. Um, really great stuff that they do already. I feel like this can fit into, um, like a dashboard and a flow of, you know, general threat intelligence that I think no one else really offers. And I'm really excited to see when we can put it all together in, you know, for one, one person to access it in one place.

Yeah. That's fantastic. So basically, you'd be able to look at your entire attack surface, see where you have like exposures or whatever. It's almost like outside in and then inside out. Right.

Yeah. That's fantastic. So basically, you'd be able to look at your entire attack surface, see where you have like exposures or whatever. It's almost like outside in and then inside out. Right.

Yeah. Yeah. I mean imagine Imagine logging into a dashboard and seeing all your assets. Everyone that has a login understanding. If you breach credentials, work on that login, understanding how to defend against that B2C or corporate app. You know, invalidate sessions. Also understand, you know, what kind of threat actors are targeting, which apps on your infrastructure. And you can do that both externally and potentially internally as well.

Yeah. Yeah. I mean imagine Imagine logging into a dashboard and seeing all your assets. Everyone that has a login understanding. If you breach credentials, work on that login, understanding how to defend against that B2C or corporate app. You know, invalidate sessions. Also understand, you know, what kind of threat actors are targeting, which apps on your infrastructure. And you can do that both externally and potentially internally as well.

So yeah starts to tie in a little bit with like IAM type stuff where you're just you just understand all the logins and how those logins work and which ones are federated, like which ones have or have not been compromised or whatever, maybe even like which ones haven't been used, like they might be more vulnerable, you know? Yeah.

So yeah starts to tie in a little bit with like IAM type stuff where you're just you just understand all the logins and how those logins work and which ones are federated, like which ones have or have not been compromised or whatever, maybe even like which ones haven't been used, like they might be more vulnerable, you know? Yeah.

I mean, we already have filters for freshness. And you asked earlier like kind of like how I consume it since I'm a red teamer. Right? I use the credential browser feature the most for flare. And so you log in and you just put in a domain. So like, you know, unsupervised learning.com or something like that. And then it just filters down. You know what types of credentials have been on the dark web for it? So what do they come from? Breach lists or they come from stealer logs, or they come from some other chatter or whatever. And then you get that immediately and you can export that to just start using. Um, but but yeah, that's the way I use it. But organizations, you know, obviously have a more holistic kind of want there as well. So we're continuing to develop a whole bunch of features. And you know, my my big pie in the sky view will, you know, you know we're still working towards that. The bread and butter has been the, the uh, the exposure management, um, both GUI and API. Um, and that's what we've been focusing on for a majority of it. But, um, you know, we recently, um, you know, extended the team and hired a bunch of new researchers as well. You know, there's there's whole areas that, um, we want to get deeper in and build more features for. So I think that, um, the sky's the limit, honestly, for for flair.

I mean, we already have filters for freshness. And you asked earlier like kind of like how I consume it since I'm a red teamer. Right? I use the credential browser feature the most for flare. And so you log in and you just put in a domain. So like, you know, unsupervised learning.com or something like that. And then it just filters down. You know what types of credentials have been on the dark web for it? So what do they come from? Breach lists or they come from stealer logs, or they come from some other chatter or whatever. And then you get that immediately and you can export that to just start using. Um, but but yeah, that's the way I use it. But organizations, you know, obviously have a more holistic kind of want there as well. So we're continuing to develop a whole bunch of features. And you know, my my big pie in the sky view will, you know, you know we're still working towards that. The bread and butter has been the, the uh, the exposure management, um, both GUI and API. Um, and that's what we've been focusing on for a majority of it. But, um, you know, we recently, um, you know, extended the team and hired a bunch of new researchers as well. You know, there's there's whole areas that, um, we want to get deeper in and build more features for. So I think that, um, the sky's the limit, honestly, for for flair.

Yeah. That's fantastic. Now is everything, um, kind of like pull. You go to the portal to get the latest updates. Like, what if someone forgets to go to the dashboard, they just lose their login or they're just busy or whatever? Is there also, like a push, like notifications or email or that type of thing? Yeah, we have.

Yeah. That's fantastic. Now is everything, um, kind of like pull. You go to the portal to get the latest updates. Like, what if someone forgets to go to the dashboard, they just lose their login or they're just busy or whatever? Is there also, like a push, like notifications or email or that type of thing? Yeah, we have.

We have full API access. So you could use Chatops to remind you with a webhook to remind you via slack or Teams or whatever you use at your organization. In fact, a lot of really forward facing companies are using Chatops to do this kind of stuff, right? For a lot of security data, not just us, but, you know, for everything, right? Where, you know, you log into slack in the morning and there's a whole channel that would be like flare ops or something like that, and it gets pushed like here, the new, you know, six credentials that we found between the time you went to sleep and the time you woke up and you know that that have appeared on the dark web, here's where they come from, you know, and then you can add that to your teams, you know, um, list to check to see if those sessions have been compromised or whatever. So.

We have full API access. So you could use Chatops to remind you with a webhook to remind you via slack or Teams or whatever you use at your organization. In fact, a lot of really forward facing companies are using Chatops to do this kind of stuff, right? For a lot of security data, not just us, but, you know, for everything, right? Where, you know, you log into slack in the morning and there's a whole channel that would be like flare ops or something like that, and it gets pushed like here, the new, you know, six credentials that we found between the time you went to sleep and the time you woke up and you know that that have appeared on the dark web, here's where they come from, you know, and then you can add that to your teams, you know, um, list to check to see if those sessions have been compromised or whatever. So.

So I know you're doing a whole bunch in AI as well. And AI automation on the Arcanum side. Have you all been thinking about any sort of chatops sort of optimizations, like something drops into the channel? Can we actually go in and validate that credential or something? Yeah.

So I know you're doing a whole bunch in AI as well. And AI automation on the Arcanum side. Have you all been thinking about any sort of chatops sort of optimizations, like something drops into the channel? Can we actually go in and validate that credential or something? Yeah.

So that is usually in the, in the B2C kind of world, like like a Netflix or an Amazon or anything like that, right. Um, that is usually up to the client, you know, to, to implement. Right. Because each app is different. And we would have to know, you know, kind of the general app login flow. So usually that part is left to them. But for the for the corporate logins, you know, where a lot of people need to log in via an identity provider or SSL or something like that, that is more easily for us to find. And, you know, maybe in the future that could be something that we offer an automated service for, you know. So, um, testing the credentials of.

So that is usually in the, in the B2C kind of world, like like a Netflix or an Amazon or anything like that, right. Um, that is usually up to the client, you know, to, to implement. Right. Because each app is different. And we would have to know, you know, kind of the general app login flow. So usually that part is left to them. But for the for the corporate logins, you know, where a lot of people need to log in via an identity provider or SSL or something like that, that is more easily for us to find. And, you know, maybe in the future that could be something that we offer an automated service for, you know. So, um, testing the credentials of.

An agent there, listening, watching that channel, taking actions. right?

An agent there, listening, watching that channel, taking actions. right?

And it could easily be done with some of the AI that exists right now. Honestly, it's just, uh, you know, like, um, I think that a lot of people I mean, the features we have right now in the platform for AI are more based around translation and correlation of data. So we do have an AI agent that's built into flair. And so when you go into any of the views, um, first of all, the first great thing about it is let's say you're dealing with a threat actor post that's in Russian. Well, you know, I can translate your ROI, which is called, I think it's called Alexandria internally we call it. But, um, it can it can translate that instantly. So you can read the context of the conversation, um, about your company. And then it can also tie together disparate sources of information, whether something showed up in a steamer log. And then there's also conversation about it in a forum, conversation about it in a chat channel, you know, something like that can tie those things together. Um, so those are, those are all things that, you know, were the first really easily automatable things. And then we're going to continue to, um, to deploy, I'm sure more and more AI features. Yeah.

And it could easily be done with some of the AI that exists right now. Honestly, it's just, uh, you know, like, um, I think that a lot of people I mean, the features we have right now in the platform for AI are more based around translation and correlation of data. So we do have an AI agent that's built into flair. And so when you go into any of the views, um, first of all, the first great thing about it is let's say you're dealing with a threat actor post that's in Russian. Well, you know, I can translate your ROI, which is called, I think it's called Alexandria internally we call it. But, um, it can it can translate that instantly. So you can read the context of the conversation, um, about your company. And then it can also tie together disparate sources of information, whether something showed up in a steamer log. And then there's also conversation about it in a forum, conversation about it in a chat channel, you know, something like that can tie those things together. Um, so those are, those are all things that, you know, were the first really easily automatable things. And then we're going to continue to, um, to deploy, I'm sure more and more AI features. Yeah.

Yeah, that makes sense because I mean, it's kind of similar. Um, threat Intel is kind of similar to vulnerability management. It's like you do the cool thing, which is you surface this thing. But then on the other side of the threat, Intel and the other side of the vault management is fix, right? Take the action. So I could imagine, like we were saying, some sort of agent that sits there and is like it's hooked up to Jira, it's hooked up to these different control systems. It can actually push ACLs, you know, invalidate credentials, stuff like that. But, um, it's also early days for AI, so you don't want to be hooking up too much power for AI on production systems, right? Yeah.

Yeah, that makes sense because I mean, it's kind of similar. Um, threat Intel is kind of similar to vulnerability management. It's like you do the cool thing, which is you surface this thing. But then on the other side of the threat, Intel and the other side of the vault management is fix, right? Take the action. So I could imagine, like we were saying, some sort of agent that sits there and is like it's hooked up to Jira, it's hooked up to these different control systems. It can actually push ACLs, you know, invalidate credentials, stuff like that. But, um, it's also early days for AI, so you don't want to be hooking up too much power for AI on production systems, right? Yeah.

I mean, definitely a double edged sword, right? Like for every AI feature you put out has to be tested against a multitude of things, right? Um, yeah. So. Yeah, definitely.

I mean, definitely a double edged sword, right? Like for every AI feature you put out has to be tested against a multitude of things, right? Um, yeah. So. Yeah, definitely.

Yeah, totally. Um. Well, not going to let you get off without talking about Arcanum. What are you doing over there?

Yeah, totally. Um. Well, not going to let you get off without talking about Arcanum. What are you doing over there?

Yeah. Yeah, absolutely. So, uh. So Arcanum is my company. The name comes from a fantasy book that you and I have both read. But if anybody else hasn't read it, uh, name of the wind is probably one of the best fantasy books of our generation. And, um, The Arcanum in that book series, which doesn't have a conclusion yet, which is really sad. Um, is is the school of magic. And so, uh, you know, we're we at Arcanum do a ton of training. So we have two classes. One is an offensive security based course. Uh, and it's my 20 years of experience in doing penetration testing and web app hacking through bug bounty. Um, and so it's my experience there, uh, high focus on reconnaissance and some Osint stuff, some red teaming techniques, and then also just a lot of web hacking. Um, and it's, that's a three day course that we run. And so that was the first thing that we launched Arcanum for, was that training. And then shortly after that, this year we launched an AI training. But it's not a how to hack AI training. It's a how to use AI in your security role training. And so we call it red blue, purple AI. And and that, you know, that training basically is teaching people, whether you're a red team or a blue team or a purple team or how to scale yourself, um, you know, with AI and so that's a two day course. And then, you know, usually, I mean, just being honest, we're very small still early days, but, um, but, you know, usually we'll do those trainings. And what will happen is, you know, someone will be like, oh, that was excellent. Can you come do some consulting for us? Whether they want us to do their red team or a purple team engagement or a pen test or, you know, do some AI consulting and then, um, so we'll do custom consulting too, um, for, for a lot of places.

Yeah. Yeah, absolutely. So, uh. So Arcanum is my company. The name comes from a fantasy book that you and I have both read. But if anybody else hasn't read it, uh, name of the wind is probably one of the best fantasy books of our generation. And, um, The Arcanum in that book series, which doesn't have a conclusion yet, which is really sad. Um, is is the school of magic. And so, uh, you know, we're we at Arcanum do a ton of training. So we have two classes. One is an offensive security based course. Uh, and it's my 20 years of experience in doing penetration testing and web app hacking through bug bounty. Um, and so it's my experience there, uh, high focus on reconnaissance and some Osint stuff, some red teaming techniques, and then also just a lot of web hacking. Um, and it's, that's a three day course that we run. And so that was the first thing that we launched Arcanum for, was that training. And then shortly after that, this year we launched an AI training. But it's not a how to hack AI training. It's a how to use AI in your security role training. And so we call it red blue, purple AI. And and that, you know, that training basically is teaching people, whether you're a red team or a blue team or a purple team or how to scale yourself, um, you know, with AI and so that's a two day course. And then, you know, usually, I mean, just being honest, we're very small still early days, but, um, but, you know, usually we'll do those trainings. And what will happen is, you know, someone will be like, oh, that was excellent. Can you come do some consulting for us? Whether they want us to do their red team or a purple team engagement or a pen test or, you know, do some AI consulting and then, um, so we'll do custom consulting too, um, for, for a lot of places.

Yeah, yeah. And I can say for myself, I've, I've attended both and they were absolutely fantastic. Honestly, I think you're the best trainer in security. Oh, I know, I know, we're best friends, so, like, I'm going to be biased, but, um, I think I'm good at being objective. And I really think you're the best trainer in security, so thank you. Encourage people to check that stuff out. Yeah. Um, yeah. And the I class was absolutely fantastic. Even better the second time. Just absolutely loved it.

Yeah, yeah. And I can say for myself, I've, I've attended both and they were absolutely fantastic. Honestly, I think you're the best trainer in security. Oh, I know, I know, we're best friends, so, like, I'm going to be biased, but, um, I think I'm good at being objective. And I really think you're the best trainer in security, so thank you. Encourage people to check that stuff out. Yeah. Um, yeah. And the I class was absolutely fantastic. Even better the second time. Just absolutely loved it.

Yeah, I think I think I learned a lot from, um, well, from you and some other people too, about creating very fresh content. Right. So, um, you have augmented, which is an AI course that focuses on more than just security. Um, but I think what I learned is that there is a craving for training that stays up to date. Right? Because like a lot of the training organizations that exist right now, they just create a training and then it's out there and then they never update it. Right. And security and I move so crazy fast and it's like it's like, okay, so by the time you take that training. A lot of the tools are outdated. A lot of the methodologies are outdated, especially in the AI. Like AI, AI by far is like, you know, every class I teach, which is once a quarter live, I have to basically re dev the whole class because there's new, you know, advents in prompt engineering, there's new advents in rag, new advents and agents, all that stuff. And so I think that's what makes my trainings different than other people's. Right. Um, because, you know, I'm doing that. And then also, I think one of the crazy cool things was while cohort one, you were in, um, as a guest. And so in all my courses, whether it's the offensive security one or the AI one, every day I bring in 1 or 2 guests who offer either like a different viewpoint than me, or who are specialists even above me in some cases. And we will talk for about 30 to 40 minutes as like an interview included in the class, and I will ask some very hard questions to them that only you know, like that only really like a homie would give you the answer to in a small group setting, and I think that has also made the classes great. So like last one in the offensive security class, we had Sam Curry Zls come on talking about his hacking methodology, and he's the guy who just did the big Kia hack with his group of, you know, hackers, which was Ian Carroll and some other people too. We've had some, uh, subs come on, Shabaam Sha. And he talked about, uh, like pretty hardcore reconnaissance methods that weren't talked about anywhere else. And so luckily, I know people. You came on cohort one and talked about your philosophy for agents flows and everything like that. Um, from, you know, from augmented. But you gave away some secrets there too. So that's how I like to run a class. Like it's like a small, intimate group. And yeah, it does.

Yeah, I think I think I learned a lot from, um, well, from you and some other people too, about creating very fresh content. Right. So, um, you have augmented, which is an AI course that focuses on more than just security. Um, but I think what I learned is that there is a craving for training that stays up to date. Right? Because like a lot of the training organizations that exist right now, they just create a training and then it's out there and then they never update it. Right. And security and I move so crazy fast and it's like it's like, okay, so by the time you take that training. A lot of the tools are outdated. A lot of the methodologies are outdated, especially in the AI. Like AI, AI by far is like, you know, every class I teach, which is once a quarter live, I have to basically re dev the whole class because there's new, you know, advents in prompt engineering, there's new advents in rag, new advents and agents, all that stuff. And so I think that's what makes my trainings different than other people's. Right. Um, because, you know, I'm doing that. And then also, I think one of the crazy cool things was while cohort one, you were in, um, as a guest. And so in all my courses, whether it's the offensive security one or the AI one, every day I bring in 1 or 2 guests who offer either like a different viewpoint than me, or who are specialists even above me in some cases. And we will talk for about 30 to 40 minutes as like an interview included in the class, and I will ask some very hard questions to them that only you know, like that only really like a homie would give you the answer to in a small group setting, and I think that has also made the classes great. So like last one in the offensive security class, we had Sam Curry Zls come on talking about his hacking methodology, and he's the guy who just did the big Kia hack with his group of, you know, hackers, which was Ian Carroll and some other people too. We've had some, uh, subs come on, Shabaam Sha. And he talked about, uh, like pretty hardcore reconnaissance methods that weren't talked about anywhere else. And so luckily, I know people. You came on cohort one and talked about your philosophy for agents flows and everything like that. Um, from, you know, from augmented. But you gave away some secrets there too. So that's how I like to run a class. Like it's like a small, intimate group. And yeah, it does.

It feels extremely close knit and intimate. And after like the second hour and definitely after like the first day, you feel close with all the other people because it's a very sort of welcoming thing, like it's just discussion happening and everyone's listening to you, but it's also just a yeah, it's just a really good vibe. It's the best training vibe. And I've been taking sand since, you know, whatever, early 2000. And it's like it's the best training vibe I've ever seen.

It feels extremely close knit and intimate. And after like the second hour and definitely after like the first day, you feel close with all the other people because it's a very sort of welcoming thing, like it's just discussion happening and everyone's listening to you, but it's also just a yeah, it's just a really good vibe. It's the best training vibe. And I've been taking sand since, you know, whatever, early 2000. And it's like it's the best training vibe I've ever seen.

Yeah, I think, I think one of the cool things too is that like, um, I don't ever consider myself that I'm going to be the absolute master. I think overall my methodologies and the structure of the training is very well put together. But if someone comes in chat, you know, for one of the courses and is like, hey, have you thought about this thing? You know, sometimes we'll divert and look into like a new tool or a new piece of methodology right in the class and you know, you can't get that anywhere else. Um, so, so I think that vibe is I'm never going to consider myself the ultimate expert in that vibe is helpful for people who also come to the course and are experts. So.

Yeah, I think, I think one of the cool things too is that like, um, I don't ever consider myself that I'm going to be the absolute master. I think overall my methodologies and the structure of the training is very well put together. But if someone comes in chat, you know, for one of the courses and is like, hey, have you thought about this thing? You know, sometimes we'll divert and look into like a new tool or a new piece of methodology right in the class and you know, you can't get that anywhere else. Um, so, so I think that vibe is I'm never going to consider myself the ultimate expert in that vibe is helpful for people who also come to the course and are experts. So.

Yeah, totally.

Yeah, totally.

Yeah.

Yeah.

Awesome. And, uh, what is next for flair? Like you talked about? You hinted at a few different things, but what do you see happening? Like you talked a little bit about your pie in the sky version of mixing like C10 and all the different stuff altogether? Yeah. And any features that might be coming out end of the year or first part of next year.

Awesome. And, uh, what is next for flair? Like you talked about? You hinted at a few different things, but what do you see happening? Like you talked a little bit about your pie in the sky version of mixing like C10 and all the different stuff altogether? Yeah. And any features that might be coming out end of the year or first part of next year.

Yeah.

Yeah.

So I think that's, um, I actually don't know what I'm allowed to talk to you about, but hopefully it's fine. Uh, is, uh, is there's going to be some new features, um, around cookie exposure because a lot of people are getting really, really great at, uh, mitigating breached credentials, but less good on the cookie exposure stuff. So some APIs there that'll help you track cookies which are fresh, which have been exposed via malware campaigns or a whole bunch of stuff. Right now, we focus a lot on the stealer log data, but we're starting to focus more and more on career phishing campaigns by threat actors. Um, and taking that too, right? Because the two methods that adversaries use to steal your creds and cookies, one is stealer malware. They'll get malware on your machine. Some bot somehow, either via drive by download, you download a torrent, your kid downloads a Fortnite, you know, X or something like that, you know, or you get spear phishing with credit capture and cookie capture in the middle right, which is predominantly what red teams do. This is what I do in my campaigns, right? We'll set up, you know, something like Evil Jinx and fake an Okta portal, and then phish all your people, and eventually they will log in with credentials and will capture both the credential and the cookie. So that's the same thing bad guys do. I think the stats are, you know, it's like 54% of initial access for breaches. Is them just buying a cookie from stealer malware. And then 33.8% is still phishing these days to do to do credit capture. Um, I'm looking at the CSA stats that I had in a browser window over here. So, um, yeah, so we want to get more into that data as well. We do some of it already, but we want to get even better at it. Um, and then yeah, more traditional threat Intel features coming for flare. Um, and better visualizations, better dashboards, better filters like these are all things that, you know, are table stakes for a threat intelligence platform. Um, and then we haven't we haven't implemented yet a ton of the attack surface. We just, um, you know, uh, Nick Ascoli is one of the guys that we purchased his, um, ESM, um, product. And so we haven't implemented a ton of it yet. But, you know, over 20, 25, we're going to implement a ton of it. And then like you said, it bleeds into vulnerability management too, right? So at what point do you know, at what point do companies like us or even other ESM companies what at what point do they consider exposing vulnerability information like, you know, doing scanning of some sort for vulnerabilities, you know, and including that in the visibility? Because at the end of the day, as a consumer of something like this, I really don't like to be logging into so many disparate platforms. Right? I would love all of this to be in one place. Um, but, um, you know, no one's no one's perfected that out. Everyone's trying it, but no one's perfected that yet, so.

So I think that's, um, I actually don't know what I'm allowed to talk to you about, but hopefully it's fine. Uh, is, uh, is there's going to be some new features, um, around cookie exposure because a lot of people are getting really, really great at, uh, mitigating breached credentials, but less good on the cookie exposure stuff. So some APIs there that'll help you track cookies which are fresh, which have been exposed via malware campaigns or a whole bunch of stuff. Right now, we focus a lot on the stealer log data, but we're starting to focus more and more on career phishing campaigns by threat actors. Um, and taking that too, right? Because the two methods that adversaries use to steal your creds and cookies, one is stealer malware. They'll get malware on your machine. Some bot somehow, either via drive by download, you download a torrent, your kid downloads a Fortnite, you know, X or something like that, you know, or you get spear phishing with credit capture and cookie capture in the middle right, which is predominantly what red teams do. This is what I do in my campaigns, right? We'll set up, you know, something like Evil Jinx and fake an Okta portal, and then phish all your people, and eventually they will log in with credentials and will capture both the credential and the cookie. So that's the same thing bad guys do. I think the stats are, you know, it's like 54% of initial access for breaches. Is them just buying a cookie from stealer malware. And then 33.8% is still phishing these days to do to do credit capture. Um, I'm looking at the CSA stats that I had in a browser window over here. So, um, yeah, so we want to get more into that data as well. We do some of it already, but we want to get even better at it. Um, and then yeah, more traditional threat Intel features coming for flare. Um, and better visualizations, better dashboards, better filters like these are all things that, you know, are table stakes for a threat intelligence platform. Um, and then we haven't we haven't implemented yet a ton of the attack surface. We just, um, you know, uh, Nick Ascoli is one of the guys that we purchased his, um, ESM, um, product. And so we haven't implemented a ton of it yet. But, you know, over 20, 25, we're going to implement a ton of it. And then like you said, it bleeds into vulnerability management too, right? So at what point do you know, at what point do companies like us or even other ESM companies what at what point do they consider exposing vulnerability information like, you know, doing scanning of some sort for vulnerabilities, you know, and including that in the visibility? Because at the end of the day, as a consumer of something like this, I really don't like to be logging into so many disparate platforms. Right? I would love all of this to be in one place. Um, but, um, you know, no one's no one's perfected that out. Everyone's trying it, but no one's perfected that yet, so.

Yeah, that makes sense. Um, cool. Well, where can people learn more about flare?

Yeah, that makes sense. Um, cool. Well, where can people learn more about flare?

So if you go to the main flare page, there's a free trial. This is also something that made it really easy for me to benchmark them. Was that flare actually offers a like a free trial. Anybody can sign up. They just have to be approved by, you know, a flare representative internally for legitimate use. But, um, yeah, flare was the only one that was easy to access and really start taking off. Um, so I think that, um, you know, our wonderful staff gave you a link, um, in the doc, but I don't have it in front of me. So do you have the free trial link?

So if you go to the main flare page, there's a free trial. This is also something that made it really easy for me to benchmark them. Was that flare actually offers a like a free trial. Anybody can sign up. They just have to be approved by, you know, a flare representative internally for legitimate use. But, um, yeah, flare was the only one that was easy to access and really start taking off. Um, so I think that, um, you know, our wonderful staff gave you a link, um, in the doc, but I don't have it in front of me. So do you have the free trial link?

I do, yeah.

I do, yeah.

So it's trifler.io/unsupervised learning, and. Oh, there you go. Free seven day trial.

So it's trifler.io/unsupervised learning, and. Oh, there you go. Free seven day trial.

Oh, awesome.

Oh, awesome.

So that's even better than the regular free trial. So yeah.

So that's even better than the regular free trial. So yeah.

Yeah. Okay.

Yeah. Okay.

Very cool. And where can people learn more about Akana?

Very cool. And where can people learn more about Akana?

So Akana, our our website is Arcanum. Arc. Arc. Arcanum. Arc. And, um. Uh. Dash. Sex.com. Um. And then, uh, you can follow me on Twitter. I'm AJ Haddox and so I'll talk about all this stuff randomly on there.

So Akana, our our website is Arcanum. Arc. Arc. Arcanum. Arc. And, um. Uh. Dash. Sex.com. Um. And then, uh, you can follow me on Twitter. I'm AJ Haddox and so I'll talk about all this stuff randomly on there.

Awesome, man. Well great conversation. So glad to have you on the show and, uh, talk to you soon.

Awesome, man. Well great conversation. So glad to have you on the show and, uh, talk to you soon.

Awesome. Thanks, man.

Awesome. Thanks, man.

Unsupervised learning is produced and edited by Daniel Miessler on a Neumann U87 AI microphone using Hindenburg. Intro and outro music is by Zomby with a Y, and to get the text and links from this episode, sign up for the newsletter version of the show at Daniel Missler Comm Slash newsletter. We'll see you next time.

Unsupervised learning is produced and edited by Daniel Miessler on a Neumann U87 AI microphone using Hindenburg. Intro and outro music is by Zomby with a Y, and to get the text and links from this episode, sign up for the newsletter version of the show at Daniel Missler Comm Slash newsletter. We'll see you next time.