January 27, 2025: Cristian Rodriguez, Field CTO of the Americas at CrowdStrike, joins Drex for the news. How do organizations navigate the blurred lines between groundbreaking innovation and the vulnerabilities of sensitive data co-mingling in AI models? Cristian shares insights on China's sophisticated adversary ecosystem, raising thought-provoking questions about the interconnected nature of global cybersecurity threats. The conversation also explores the delicate balance between collaboration among defenders and the bad actors' ever-evolving tactics.
Article Mentioned 16:54: LLM Agents can Autonomously Exploit One-day Vulnerabilities
Key Points:
Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[:Powered by the CrowdStrike Security Cloud and world class AI, the CrowdStrike Falcon platform leverages real time indicators of attack, threat intelligence, insights on evolving adversary tradecraft, and enriched telemetry from across the enterprise to deliver hyper accurate detections, automated protection, and remediation.
All this, and elite threat hunting and prioritized awareness of vulnerabilities. CrowdStrike. Unified platform, one agent, complete protection. Today on Unhack the News.
uch a high velocity and such [:
Hi, I'm Drex DeFord, a recovering healthcare CIO and long time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of this week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non technical show covering the latest and most important security news stories.
. And now, this episode of Unhack the News. (Main)
Everyone. Welcome to unhack the news. I'm Drex DeFord. That guy over there is Cristian Rodriguez. He's the field CTO at CrowdStrike and the host of his own podcast called the adversary universe. It honestly, and I'm not blowing smoke up your skirt. Cristian is one of my favorite. I love what you guys do over there.
, want to focus on adversary [:And so sometimes I feel like we should just have a little fun. Really, , putting a spotlight on what the bad guys are doing.
I love it. You guys do a really good job. Adam Myers, the head of counter adversary operations is your co host. And I love the, so here's a, just a little inside baseball for everybody.
Who's listening. I sent an email to Cristian and it probably had, like, I don't even know. A thousand words and I said, like, let's talk about this. Let's talk about this. What do you think about that? And so his response was like four words. Let's talk about AI too. And I'm like, okay. And so I'm laughing because I was listening to your last podcast.
you guys both kind of admit [:It's a lot. Exactly. It's a lot to keep up with. At least you
kind of say that you, you do read it, but just right before the show starts,
it's usually right before the show that Adam
actually just said, I don't even know what you're talking about. He's like, Oh, yeah, I do know what you're talking about, but I don't.
Yeah, he definitely doesn't read it. He'll say. , I've been on sessions where he jumps in and he's like, Hey, what are we talking about? And I go, Oh, it's, it's about this topic. And he's like, Oh, okay, sure. And it actually kind of speaks volumes to just how much he knows about the bad guys. It's amazing.
he comes in, you ask him a bunch of really hard questions and he's rolling off with like specific Chinese adversaries and departments inside. Exactly.
Exactly.
I mean, you know, PLA and I'm just like, holy cow.
Yeah, I'm still trying to figure out our org chart at our company.
PLA's org chart looks like. [:Well, I'm really glad you're here and I feel like it's old home week when we get together. let's talk about the news and let's start with the AI thing. , you had sent me a note back and said, let's talk about AI and like everything's AI right now.
And the bad guys have it, the good guys have it. There's a lot going on in healthcare, especially just talking about, like, how do you run it? How do you manage it? How's it get prioritized with everything else? You wake up on Wednesday and there's a new button and an application and it says, click here for more AI.
What's your take on this?
think there's no slowing down, right? With AI. I think that there are also misconceptions on how much impact AI is going to have to your business in terms of, you know, making it easier also, right? I think that people think that AI is going to be a magic button.
er side of that too, is that [:They are having challenges doing things like data classification within AI, because you have this team of developers that say. Okay, the business initiative is we're adopting some type of large language model and if it's for especially in health care, we're going to take all this health information, whether it's symptoms or whether it's pharmaceutical specific type of results or, you know, the byproduct of some type of testing phase for some new medicine.
And that is basically going to go into this data set. And then we're going to co mingle that with unclassified data. And we're going to co mingle that with third party data. And we're going to co mingle that with something that's very IP that we're working on that we don't want anyone to access. But, you know, the whole Gen AI concept is to be generative and produce something new.
s data store and a no one is [:or
controlling it or maybe, you know, like, you know, like how PCI has standards for the way that you do data fencing, right?
It's very rare that people do that with their own IP, right? Or really what they consider Sensitive data, right? Once it goes into a model like this, it's there, right?
This is one of the things that I think it's like we've built a formula one race car and it has an amazing engine, but nobody's quite figured out the gas yet.
Fuel the data is the fuel and you've got to do a lot of work to kind of, like you said, classified and make sure that it's clean and right, not just junk and
all of that. So that
foundational step is still something I think a lot of folks are working on.
Yeah. Yeah. But even with that foundational step missing, it hasn't slowed many organizations down from adopting AI.
hink that even from a day to [:Where we can't even function without AI doing something on our behalf, right? Yeah. It's similar to, when email first came out, right, all of a sudden, you know, people weren't picking up phone calls anymore, . They were just like, send me an email. And I think that AI is going to have a similar impact, but I think that pace at which we're adopting AI and organizations are adopting AI, I think it's at such a high velocity and such excitement of how novel and what newness can come out of this new model,
that we're adopting and we're implementing I think there's a lack of understanding on the type of risk that it brings into where that data ends up. Cause even when it goes into this big data set and this AI model is crunching through all this information, like what happens when someone, uses a prompt to actually start exfiltrating data that's sensitive that you didn't even think about beforehand.
ecognize. And I think it's a [:And they're using
AI to create the code that is exactly
exactly. Yes, exactly. The problem doesn't go away. It just becomes like bigger, much faster. And I think that's something that we're probably gonna see a lot of challenges.
Yeah. It's amazing to think that, we only really started talk about this generative AI thing like two years ago.
Yeah. That's
really when we got started, I'm older than you obviously I'm, I'm significantly older than you. In the military, I used ARPANET, and I thought ARPANET was like the coolest thing ever. And then I was a beta tester for the Mosaic browser, and I was like, Oh God, the whole internet now is like a whole new thing.
like our main way of sort of [:I can definitely see that. You know, it's interesting. I my kids are older. I have a 21-year-old, a 19-year-old and a 17-year-old. Right. And so I am a little older than, you know, my LinkedIn profile picture basically lends itself to.
Everybody has that problem.
Exactly.
But, you know, I even see my son is a 17 year old. He rarely uses a browser for anything. I mean, it's, you know, he goes some of his school applications, but when he's looking things up. He's either like on Instagram or Snapchat or they do these very, you know, social networking applications or he has an instance of like chat GPT and it's interesting, he will use chat GPT to validate his homework, which I think is actually pretty Honorable as a teenager, because there's an easy way to say, I'm just going to have this Chat-GPT give me the answer to something, but he actually does like his math work.
you did a really good job on [:Yes, exactly. To say like, like, you know, that person in high school that you would hang out with that was smarter than you, or always did their homework and, you know, handed it on time, he has like a virtual iteration of that on his phone, right. In the form of chat, GPT. And I think it's fascinating that.
You know, he's leveraging it in a way make himself better, not just kind of cheap, but I I think we're gonna be like that in the next 10 years where just everywhere. Right. And there's no slowing down on. And I don't know what's gonna happen to the browser, but I think it's gonna be limited use cases.
We can talk about this all day. I'm going to move us on. Maybe we'll do one more thing. There's so much stuff happening with the Chinese and the whole typhoon scenario right now. Obviously there's probably some AI being used over there too. But you guys are really into this, obviously on Adversary Universe.
your insight, your overview [:, there's a complexity just to even, the amount of different agencies, if you will, that are tied to some of the attacks coming out of China, right. Like the PLA, for example and, you know, several iterations of, their equivalent of, their offensive security teams, right. Remaining nameless for now, but there's a whole slew of these groups that they're changing in targets and they're varying in targets.
ery, very public with , their:I think we could do a whole episode on the TikTok Ban. Right. And what that truly means and the influence that was an application like TikTok has had here in the U S specifically, but I think it's interesting because we tie some of the activity into just think about the iSoon episode.
s, to different agencies and [:Not being prejudiced when it comes to their victims, right? They're not just targeting other governments. We're targeting the private sector. There are divisions that are focused on capturing healthcare data, the capturing data that's tied to medicine and, , pharmaceutical development and all of these different pieces of information.
I think it's interesting. I've spoken to companies where they say, I don't know why the Chinese would attack or target me, right? I'm in an industry that doesn't necessarily need, you know, government classification, if you will, or that category of being a government entity. And it's like, no, no, your data is extremely valuable,
your data is very valuable. Exfiltrating your data could be a major impact to even your business, right? Your business can go under because, someone as an extension of the Chinese government steals your IP and they start to maybe create something that is in competition now to what you have, and now they're undercutting you from a pricing perspective.
lt of that. And then there's [:Yeah. These breaches have led to the exfiltration of phone call records and text messages and geolocation data. Right. And that is actually very important information that, you know, going back to AI, you could put that into an AI model and now you can ask a question like, where, what is the pattern of travel for these, agents, right, these federal agents, what are these text messages truly mean in the context of why,
and so forth. I think that really sets the stage for espionage and. Shifts in even like the way that they position themselves for economic growth right by having all this information and it allows them to posture themselves against things like potential acquisitions that are coming up right or it may even lead them into a certain area of development and maybe even building or developing again, if we're talking healthcare,
at on our side? Or how do we [:we need to go to steal data to make sure that exactly ahead of the curve.
Yeah,
absolutely. Absolutely. So it's so complex. It's a spider web of impact, when it comes to the industries that are impacted. There's a plethora of these different groups that are launching these attacks. And I think we're going to be talking a whole lot more about them this year.
There's a lot of you know, I hear that from time to time, even in place, small hospitals or clinics that say like, I don't have anything that, that the guys want, but the reality is. We're all connected together to so they might not really want anything that you have, except that you're also connected to something, somebody that has stuff that I really want.
And so we all sink or swim together, I guess, ultimately is
100%. Yeah, 100%. I think the one last thing I'll say about this is I was at this event in Chicago recently, and I was presenting to this audience and the CISO for this company said, Hey, I think we need to do a better job , as a community, as defenders, right?
icating more because the bad [:I'm like, wow. And even on the e crime side, we see this a lot where these forums where these e crime actors are just exchanging information and access brokers are publishing their stolen credentials. These, groups are communicating with each other. And a lot of
them are, in those , I think you use the term marketplace maybe actually in one of the episodes I've listened to recently, but that idea that there are bad guys who have specialized in particular types of skills that essentially are acting as independent consultants for a hire to be put together like puzzle pieces.
of people still think about [:You know, create chaos is the absolutely today. Yeah,
no, absolutely. They'll hire the best of the best, . In an effort to carry out their objective from start to finish. And again, and they're collaborating. And I think as defenders, we need to start doing a lot more collaboration.
Yeah, no collaboration community, obviously for us, like one of the.
One of the big deals. What haven't I asked you about that? I probably should ask you about. You have a new report out yeah,
our global threat report for:ve to cite this in the notes [:Used a variety of different large language models like, like Bard and Lama and, GPT 4 is right when GPT 4 came out and long story short, they basically fed these different models, the descriptions of CVEs, and they asked these models to develop an exploit for those CVEs, which I thought was fascinating.
And so out of all of the different large language models that were used at the time. All of them produce or yielded, you know, between zero and like a 3 percent success rate, but chat GPT for produce an 84 percent success rate, right. Which is a monstrous number. Right. To say that they're simply just feeding this model
of like taking a CVE or a zero day.
Yeah, really a one day,
really like a one day. Okay. A one day. Right. So like it's a one day.
CVEs out.
Yeah. And
saying, turn this into an exploit.
ate. And I think even though [:You no longer have to be this. Expert in understanding things like buffer overflow or some type of memory allocation attack technique that you need to be an expert on. You can ask a model to build it for you.
Cause that used to be really hard to do, right?
There weren't a lot of people in the world who were super smart and able to sort of take it at CVE and disassemble it into its parts and understand what were happening and then build it. Exactly.
Huh. Wow., so it lowers the bar and it increases the velocity, which I think is gonna be an interesting challenge going into speeds.
Everything. Yes. Exactly. So more to come, but we do have a report coming out and you know, in February. So pretty excited to have that distributed and we're, we're gonna be talking a lot more about that this year. Nice.
Nice. Hey, thanks for being on the show today. I really appreciate.
Of course. Appreciate it. Thanks for having
me. Thanks for having me.
It's good to see ya.
Yeah, likewise.
even opinions on the latest [:Sign up at thisweekhealth. com slash news. I'm your host, Rex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.
As always, stay a little paranoid, and I'll see you around campus.