Crowdsourcing Phishing Defenses for Herd Immunity

September 3, 2019 • Zane Pokorny

Our guest today is Josh Kamdjou. He’s co-founder of Sublime Security, a company that’s looking to address the widespread security issues of phishing and spearphishing by offering open source tools that alert users to a range of potential indicators, as well as giving users the opportunity to share their findings with the community, to more quickly spread the word about new and growing threats.

We’ll learn about his career journey, get his thoughts on threat intelligence, and hear his advice for folks looking to enter the field.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 123 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest today is Josh Kamdjou. He’s co-founder of Sublime Security, a company that’s looking to address the widespread security issues of phishing and spearphishing by offering open source tools that alert users to a range of potential indicators, as well as giving users the opportunity to share their findings with the community to more quickly spread the word about new and growing threats.

In addition, we’ll learn about his career journey, get his thoughts on threat intelligence, and he shares his advice for folks looking to enter the field. Stay with us.

Josh Kamdjou:

It all started for me in high school. I was fortunate enough to attend a high school that had an information technology program. My high school was ahead of its time. And we even had the opportunity of getting networking certifications like CCNAs and Security+ and A+ certifications. And so that’s really where I got my foothold and interest in technology in general, all started in high school. I was really motivated by some of my early successes there. I was doing really well, I got some certifications and eventually, I made my way into security just by tinkering and really gaining an interest in just breaking things and getting access to things I shouldn’t be.

Dave Bittner:

You had that natural curiosity but also the tools clicked for you as well.

Josh Kamdjou:

That’s right. That’s exactly right.

I was fortunate enough to be exposed to some of those things, the fundamentals of those things. And from there, I just went all in and started exploring the security side of things and the offensive side of things just on my own.

Dave Bittner:

And so you finish up high school, were you off to college then?

Josh Kamdjou:

That’s right. I went to the University of Maryland and I studied computer science there. I was heavily involved in extracurriculars as far as technology and cybersecurity go. Freshman year, I joined the cybersecurity competition team. So I was heavily involved in like CTFs and breaking into networks and reverse engineering and doing Jeopardy-style CTFs and that kind of thing. And eventually I ended up leading the competition team toward my later years in college, which really just solidified my interest in cyber and offensive cyber, specifically.

Dave Bittner:

Yeah, it’s interesting. I, too, went to the University of Maryland and had a great experience there. But as I graduated, looking back on it, it was really those extracurricular things that led me to the professional opportunities that I enjoyed after getting out of school.

Josh Kamdjou:

100%. So much more of university time is more than just your academics. Particularly in a university environment that affords all these different types of extracurriculars. If you have the opportunity to be involved in these types of things, that’s where all these relationships are formed, that’s where the experience is gained. That’s where you get to put a lot of the things that you’re learning in a classroom environment to the test. And it’s just a lot of fun. I mean, you’re not being evaluated on your grades or how effective you are on a test, but you get your hands dirty and you get real-world experience doing really fun things. Extracurriculars are absolutely key.

Dave Bittner:

Now, when you got out of school there, what sort of work were you pursuing when it came time to pay the bills?

Josh Kamdjou:

I have a mixed work experience background. I have a decent amount of primarily some government work, in the DOD space, doing offensive types of cyber, doing some forensics, doing some reverse engineering. Mainly offensive cyber-related things. And additionally, I went into some private sector work as well, mainly doing red teaming, penetration testing, phishing engagements. It pretty much all gravitated towards offensive cyber.

Dave Bittner:

Now, you decided to start this company, Sublime Security. And it’s my understanding it hasn’t been a straight line, sort of, affair. You, perhaps, what you guys set out to do hasn’t led you to where you are today.

Josh Kamdjou:

That’s right. That’s right.

We started Sublime in 2017 as a result of my offensive work. I was realizing that there weren’t really any defensive email security products that were stopping me on my engagements. And this is still true today. Email phishing attacks are the number one cause of compromise. I’m also a software engineer by trade. So I decided to take the problem into my own hands and build a solution that would stop me as an attacker.

What we set off to build was a point solution that would identify advanced forms of spearphishing. Instead of trying to make a binary decision on whether we’re going to quarantine an email or let it through, we would operate in this very gray area where the advanced attacks live. We would present signs of suspicion to the user directly in their inbox.

We would warn them when we think something is suspicious and we would tell them why. So as an example, we would say, “This domain was registered three weeks ago and you’ve never contacted this person before, so we think this is suspicious.” That worked really well. What we realized was that there was an even better way of solving the problem. We had some early adopters, we had some early customers, we were catching attacks that were bypassing all the other email security products today. What happened was, there was an attack that bypassed our product as well. We quickly started responding to this and building defenses to address this attack vector. We realized that this is a common thing that all organizations do and all email security vendors do, they respond to attacks in this single threaded environment, but there’s no collaboration, there’s no sharing, there’s no automation when it comes to this.

What we realized was, if we could open up our platform and make it open source and make it free to enable everyone to use it, we could actually respond to attacks a lot faster by enabling organizations to do the things that they are already doing, like responding to attacks, but modify the core of the platform so that you’re no longer reliant upon the email security vendor. You have the power in your own hands and you can share those detections, share those improvements with other people in the community.

Dave Bittner:

So how does that play out, from a practical point of view, do you find that … I would imagine some folks are reticent to share those sorts of details.

Josh Kamdjou:

Yeah. The platform, as a whole, does not have much that is sensitive in nature. It’s just technology, techniques for detection. But how you actually string these detections together to stop an attack is the thing that is customizable. As an organization that creates a detection, you can choose who you share those detections with. If you have a very close-knit group of colleagues that you trust, then you can choose to only share it with those people. And the beautiful thing is that this type of sharing is already done today, but it’s very manual and it’s very asynchronous over things like mailing lists or Slack groups. We want to enable real-time response to immediately adapt to threats. So, to remove this manual component and allow people to collaborate in real time.

Dave Bittner:

Well let’s back up a little bit. And maybe you can help me understand a little bit about this particular problem. When I think about email, it seems to me that garden variety spam is pretty much a solved problem. I don’t see ads for Viagra popping up in my email box. It seems as though the big email providers, they pretty much have that taken care of. Why is phishing different?

Josh Kamdjou:

Yeah, that’s a great question. And I would agree with that assessment.

Phishing, and spearphishing in particular, are different because they’re designed to look like legitimate business email. The really sophisticated attacks are not discernible or barely discernible from a legitimate email that you may receive in the course of your organization’s business. That’s why phishing defense is so difficult, because you could stop all attacks, but you risk dropping or affecting legitimate business email delivery. There’s a very fine line that you have to walk. This was why our point-of-attack security training with these warning banners was so effective.

Dave Bittner:

Because rather than simply hiding an email, you would inform the user that, “Hey, there’s a certain percentage of chance that this is something that requires a little more of your attention.”

Josh Kamdjou:

That’s exactly right. If the user is expecting this email, then they can safely disregard these warning banners. But we give them the information that they need to make an informed decision. This training methodology with these banners has now become one component of our overall platform. As an administrator or someone writing a detection, you could say, when these criteria are met, then insert this banner and say these things. It’s very difficult to do something that customized today in email security.

Dave Bittner:

And so the notion here is, by sharing this information, it seems to me like taking it to a different scale than it was previously possible to do. You described how organizations are doing this, but it seems as though they’re siloed within the organization. By being able to share that information with a much broader group of people, that’s sort of a force multiplier.

Josh Kamdjou:

That is 100% spot on. Companies, especially sophisticated organizations, are doing this work in isolation today. You have a SOC that is responding to an email threat and they have some kind of customized, tailored solution to respond to a phishing attack that bypasses their defenses. Today, there is no way of sharing that effectively in a common format, besides just, like, the simple IoC. Maybe you could share a domain name or IP address; even that is difficult to ingest and share in a dynamic and automated fashion. We want to enable, just like you said, sharing at a different scale. The work that’s done is no longer in isolation, it’s fully shareable, it’s fully automated. We can remove the human in the loop, in some cases, so that we can respond to threats in real time.

Dave Bittner:

How has this changed your own thinking when it comes to being a penetration tester? Knowing how your own tools are going to respond to the attempts that you would make yourself? Does that create an interesting little mental puzzle for you?

Josh Kamdjou:

It does. In fact, this approach makes me terrified as an attacker. Particularly, a couple of things make me terrified as an attacker. The warning banners, because those are really effective. And as a nation state or as a sophisticated attacker targeting multiple organizations, the speed at which organizations can now share detections to stop entire classes of attack vectors also makes me worried as an attacker. As we are developing these defenses and thinking through how are we going to stop the next evolution of techniques or of TTPs, my attacker hat is always on. And I’m thinking as an attacker, how would I bypass this? How would I fool the system into allowing this through?

It’s constantly a factor in the defenses, which is part of the reason why they’ve been so effective and we’ve been able to build things that are catching attacks that no other email vendors are.

Dave Bittner:

Where do you suppose this is going to head next? I mean, it seems to me that we’ve seen this shift to phishing and social engineering partly because the technical tools have gotten better and so the attackers had to move on to something else. Do you have any insights or any vision for, as our tools get better and being able to fight these spearphishing types of things, do you have any guesses where the next domain might be for the bad guys to come at us?

Josh Kamdjou:

Yeah, it’s a great question. I don’t think the email threat vector is going anywhere. I think defenses are going to get better, but I think attackers are going to get better and we’re all going to evolve.

What I do think we will see is, as the landscape becomes more challenging for attackers, the lower-tier ones will start to pivot to different domains, more accessible domains that have not been addressed as effectively. And so we’ll see things; we’ve already started to see some of this in the form of SMS phishing and other types of group chat environments. We’ve seen some, just recently, I think there was a headline today on deepfake voice impersonation for BEC effectively. BEC over an artificial-intelligence-powered deepfake voice. And so they got an organization to wire money by faking the CEO’s voice.

I think we will start to see these different domains as the phishing landscape becomes harder, but I don’t think the email landscape is going anywhere. I think that is here to stay. And the reason is, organizations conduct all of their business through email, externally, this is how they communicate with other people. I don’t think it’s going anywhere. We’ll just have to adapt as new domains come into existence and present a threat.

Dave Bittner:

I want to get your perspective, your take on threat intelligence and the part that you think it plays when it comes to organizations defending themselves.

Josh Kamdjou:

Threat intelligence is key. There’s this concept of herd immunity and there is a concept of benefiting from other collective knowledge. You would be a fool not to benefit from a collective body of knowledge. That’s effectively what threat intelligence is.

You have identified either confirmed or purportedly suspicious indicators. You should benefit from those in your organization’s defenses. Now, the question is, how are you doing that and where is your threat intelligence coming from? What is the fidelity of your feeds? How are you implementing them in your organization’s defenses? Is it a first line defense? Is there any manual review? Is it automatic ingestion? And if so, how confident are you in the true positives or the false positive rate?

There are a lot of considerations, particularly in an environment today where threat intelligence, the field, has become a bit flooded with vendors. You do have to take care in your selection and be mindful of how you’re employing that in your environment.

Dave Bittner:

What advice do you have for that person who’s coming up, either coming up through school and is interested in cybersecurity or maybe even somebody who’s thinking about switching careers, what advice do you have for them?

Josh Kamdjou:

It’s a lot of fun. Cybersecurity is one of my passions. I would say if you are not really interested in the subject, then you should think about whether you really want to be in this field. And the reason is that the field is constantly evolving and you have to stay current with the latest trends. Obviously, it depends on what you want to be doing in the field. For a lot of specific roles or specific types of work in cybersecurity, you have to stay current. I would say, ensure that you really want to do it. And if you do, it’s going to be a wild ride. It’s going to be a lot of fun.

Get your hands dirty as much as you can. Don’t just read; actually stand up environments and put into practice what you are reading, because that’s what helps solidify the learning. That’s what helps you learn all these different edge cases and that’s what really makes you more well-rounded.

Dave Bittner:

Our thanks to Josh Kamdjou from Sublime Security for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Zane Pokorny, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.