Cybersecurity Mentors Podcast
In this podcast we discuss mentoring in cybersecurity, information for those that are looking to get into cybersecurity, and tips for those that are looking to advance their careers.
Think Like a Spy, Hunt Like a Hacker: Former FBI Agent Eric O’Neill on Outsmarting Cybercriminals
In this episode of the Cybersecurity Mentors Podcast, Eric O'Neill shares his experiences as an undercover FBI agent who caught one of the most damaging spies in U.S. history, Robert Hanssen. He discusses the evolution of cybercrime, the importance of understanding cyber attacks, and the intersection of espionage and cybersecurity. O'Neill emphasizes the need for a proactive approach to cyber defense, the dangers of the dark web, and the psychological tactics used by cybercriminals. He also provides valuable advice for aspiring cybersecurity professionals and highlights the importance of traits like attention to detail and flexibility in investigations.
And so what I teach in the book is how to think like a spy and act like a spy hunter. All the tips and techniques that I learned in FBI counterintelligence back at the Academy in Quantico, Virginia, the FBI Academy, translated into techniques that will help stop cybercrime. And while we're at it, spies. And so the idea is that we need to not sit and build defenses around our data anymore. We need to go on the offense.
SPEAKER_04:Could you teach me? First learn stand, then learn fly.
SPEAKER_05:I know what you're trying to do. I'm trying to free your mind, Neo. But I can only show you the door. You're the one that has to walk through it. What is the most inspiring thing I ever said to you? Don't be an idiot. Changed my life.
SPEAKER_02:We aren't here to waste your time with buzzwords. In IT and cybersecurity, what you know and what you can do makes all the difference. We are ACI Learning. Training built for novices and pros who need measurable results. Hands-on labs, real-world checks, courses that get you certified and ready for what's next. Build confidence. Strengthen defenses. Achieve more. Visit acilearning.com slash simply cyber to learn more.
SPEAKER_03:Welcome to another episode of the Cybersecurity Mentors Podcast. In this podcast, we're talking with Eric O'Neill. And I want to start out talking a snippet from his book, The Spies, Lies, and Cybercrime, Cybersecurity Tactics to Outsmart Hackers and Disarm Scammers. So in December 2000, FBI Supervisory Special Agent Gene McClellan, the boss of the elite team of undercover ghosts I belonged to, showed up at my apartment and briefed me on the case that would alter the course of my life. In an unprecedented investigation, I would go undercover at FBI headquarters to catch a spy. What I didn't know going into the case was that my target, Robert Hanssen, codenamed Gray Day, was Russia's best-placed mole in the U.S. intelligence community. He was also America's first cyber spy whose penetration of FBI computer systems led to him passing on some of the most damaging information ever provided to a foreign adversary. Hanssen, an FBI veteran, had spied for the Soviet Union and Russian Federation for 22 years of his decorated 25-year career. In three short months, without specific training to go toe-to-toe with the spy, I learned everything about him, gained his trust, and found the smoking gun that would lead to his arrest and conviction. Hanssen got away with his crimes for so long because he was a master at deception and a hacker in a time when the FBI computer systems had not properly secured networks from internal threats, where he had converted his fascination with computerization into theft, and I had sought to discover holes in security to strengthen defenses. It took a hacker to catch a hacker. Excellent. So that's a good uh uh intro to Eric. Thanks, Eric, for being here. Um I you know, I when I first got a message about doing this, I was like, I think I've seen this before. I've seen the movie. Um, but tell us a little bit about your background, Eric.
SPEAKER_01:Um we're glad to have you here. Certainly, John, Steve, it's good to be here, good to be on the podcast. Uh as you read from my book, and I would have loved to see you doing that in an armchair with a nice cup of coffee, holding the book in front of you, right? As that's how I want people to read my book and learn these things. My background is in the FBI. My uh background that matters the most to people. Uh I was an undercover counterintelligence and counter-terrorism investigator. My job was to follow spies and terrorists and stop them before they did the damage that would either steal secrets or blow things up. That was essentially my job. Uh my final job in the FBI, my my last case before I left the FBI was to go undercover and catch Robert Hanssen. As that snippet from the book details, he was not only our most damaging spy in U.S. history, but our first cyber spy. And because my background wasn't uh an education in computers, but just like Hanssen, uh, I was one of those hackers in the 80s who just enjoyed trying to get into systems for fun. I never did anything malicious, otherwise I wouldn't have made it into the FBI. But I was fascinated by breaking security in order to make it stronger. And I was, if you want to think about it, the white hat hacker versus the black hat hacker, uh, a bunch of people who were not, you know, college trained but self-trained and going up against each other in FBI headquarters. And if you want that story, that full story, my first book, Gray Day, tells that entire story from start to finish from behind my eyes of how we uh learned about Hanssen, the investigation to catch him. Since uh leaving the FBI after successfully catching Hanssen, I have worked as an attorney in national security for one of the biggest law firms on earth. I still consult as an attorney as an of counsel to a company named Impresa. I started a company called the Georgetown Group, which does competitive intelligence and investigations. 
A lot of the stuff I did in the FBI, but on the corporate side, working for companies who want to trust those that they are going to partner with or those they are going to hire, and sometimes looking into some of the strangest requests and ideas that our clients have. And very recently I founded a company called Nexashore where I service the national security strategist. This is a cybersecurity advisory company, and I figured if I'm gonna talk so authoritatively about cybersecurity for all these years, I think I'm gonna found my own company. And I did with some very close friends of mine from the old Carbon Black and VMware days, if you have heard of those companies. And we took the best from there and founded our own company. So it's been one heck of an amazing ride. And as I have been a thought leader in cybersecurity for the past 20 plus years, mostly speaking about espionage and how we have to start defending the homeland, our companies, from cyber espionage, I started to realize that cyber espionage isn't the be all end all anymore. That in fact, for most companies and individuals, from the consumer all the way up to the CISO, we need to worry about cybercrime, the fastest growing business on earth. And one of the most damaging aspects to any company and to a lot of people that we're facing in in these years, and certainly since the pandemic. And we can get into all that because that made the basis of my book, Spies, Lies, and Cybercrime.
SPEAKER_00:Absolutely. Thank you for that. That that's that's an amazing story, amazing background. And like I said before we started recording, it's an honor to have you here and to speak with you about your book and just your background and your experiences. So one of the things that I wanted to ask was what are some of the skills that translate from spy craft into cyber defense, in your opinion?
SPEAKER_01:Steve, that's a great question because the premise of the book, Spies, Lies, and Cybercrime, and it carries forward a theory that I developed in Gray Day, is that it takes a spy hunter to catch a spy, and all cyber criminals are modeling the best in the business, spies. And in fact, we've seen data that the top cyber criminal gangs and what I call syndicates, because they are so large and spread out and sophisticated, are hiring intelligence officers from the best intelligence services in Russia, China, Iran, North Korea, to come over and teach them, as they moonlight and make extra money, you know, on top of their salary as an IO, intelligence officer. Teach them how to launch these attacks and use the best clever deceptive techniques from traditional espionage in a modern environment to come after all of our data. And data is so critical to us right now. On an individual level, it's all the things on your computer, it's your finances, it's all the pictures of all your children growing up and your entire life, it's uh everything in your bank account, it's your emails and your communications, the things that could cause you incredible damage because most of your passwords and usernames are in there. And at a CISO level, at an enterprise level, it's the lifeblood of your business, it's your intellectual property, it's all of your customer lists. This is what criminals are after, and spies. And there's no difference between criminals and spies today because the top-tier cybercrime gangs are operating just as effectively as if you're getting attacked by Russia or China. And so it takes a spy hunter to catch a spy, and it takes a spy hunter to catch a cyber criminal today. And so what I teach in the book is how to think like a spy and act like a spy hunter. All the tips and techniques that I learned in FBI counterintelligence back at the Academy in Quantico, Virginia, the FBI Academy, translated into techniques that will help stop cybercrime. 
And while we're at it, spies. And so the idea is that we need to not sit and build defenses around our data anymore. We need to go on the offense. And that's the change we're going to be seeing in the next number of years in cybersecurity in general. I believe it's going to be very much more offensive tactics, which means that we're constantly hunting threats, we're investigating threats, we're looking for the threat to land, we're assuming that it will. And the idea is damage control. We're going to catch the threat as fast as we can as soon as it lands and reduce the impact, whether it's to you personally or whether it's to the company that you're protecting.
SPEAKER_00:So when you're when we're reflecting back into the Hanssen case, a lot of those tactics and just skills that you used then, are they similar now, or have they evolved due to just the advancement of just cybersecurity and just technology as a whole?
SPEAKER_01:They they have evolved, but they're also very similar. And here's what I mean by that. Most cyber attacks today, and here this is a big misconception we can clear up right now. And I spent a lot of time in the book uh trying to clear this up. Cyber attacks aren't somebody with a hands on keyboard, right? Type, type, type, type, typing. And you know, in every movie and TV show, he finally hits one key, click, and then he says, What? I'm in. Right? It's just so stupid. Into what? That would be magic, right? That's not how this works. What cyber criminals and attackers are doing today is they are launching these incredibly deceptive attacks against people. And they're fooling you and me into just handing over the keys to the data because we trust and believe the lie that they're selling us. It's old tactics, old traditional espionage tactics of impersonation and confidencing schemes and exploitation in a modern environment. And what they can use is the anonymity of the internet to further fool us and deceive us. Because we tend to believe what we see online when we get an email, when we receive a text. Now, when we receive a video call from someone, we have to be suspect of all of that. We need to move from an idea of trusting what comes across our phones and our computers and our tablets to looking at it and scrutinizing it and investigating it and see if we can find a way to trust. So our default has to not be to trust, has to be to be skeptical. Especially if you're seeing something over email and social media. That is where criminals live and thrive.
SPEAKER_00:For us in organization, we try and uh instill this paranoia. Always be paranoid. Trust no one. Trust and verify, like John likes to say as well.
SPEAKER_03:Uh like Eric says it differently. He he really says verify, then trust. Right.
SPEAKER_01:Yeah. Right. So you verify first and then trust. And what I like to say is, you know, when I was operating undercover, which is incredibly high stress, and there can be moments where you've spent hours just looking at a tail light. And that's all you can see is the tail light, right? Hoping that it lights up, or the a crack, just the side of a door, you know, just waiting for the door to open and your target to walk out and them to go somewhere. And uh and you know, there's this moment where you look down and you look up and you wonder, oh no, did did they get by me, right? Um, that would be that paranoia. And so what I say is healthy suspicion is good, right? You're you're staying alert, you're keeping your eyes out, you're watching the corners, you're watching your six behind you, uh, you're being suspicious of things. Paranoia means you shut down. Now you can't do anything, right? Every email's out to get you. So that healthy suspicion is very important and can keep you safe physically, you know, you know, keep your eyes up when you're walking around a city, right? Don't just have earbuds in and looking down at your phone and not paying attention around you. Uh when you're online, you have to do the exact same thing because uh when we are online, what we have to understand it's not a happy place. It's filled with threats. When you're scrolling through social media, especially now, you know, we're in October, October, November, December, January. It's the favorite time of year for cyber criminals. And they are feeding so much garbage into our social media streams just to get us to click and open attachments and hand them our wallets and money over all of these online scams. I mean, they're they're countless, and we don't even see them because AI is making them so slick and and hard to detect. So we need to be incredibly careful because that's the way that they're coming after everything. 
Whether it's us personally, uh, a company, a government agency, they're using people as the fulcrum to get themselves in.
SPEAKER_03:Yeah, let's let's talk about the book a little bit more. So what what I think this around the pandemic is when you started writing the book, but what inspired you to write the book?
SPEAKER_01:Well, the end of Gray Day, which is really about the evolution of espionage, from espionage from the traditional cloak and dagger I started with to these cyber attacks that I ended my career with in the FBI and then moved into as a national security strategist. But I wanted to write a book that takes that and extends it to cybercrime. Because let's be honest, uh, you know, if Russia or China is coming after us as individuals, we're in a lot of trouble. But unless you're, you know, a top official in the government administration or a military, they're not really coming after you. But it could be a cyber criminal who's learned from those techniques and tactics and is coming after you. And that's what we need to be aware about. I also realized that there was this fascinating intersection between intelligence um techniques and cybercrime. And I wanted to show that to my readers. I wanted to show them a lot of what I've been uh talking about on stage. When I'm not on podcasts and writing and an author, I'm usually on stage somewhere in the world providing a keynote. I'm a I'm a very prolific keynote speaker. And as I've been talking about these things and seeing how much they resonate with audiences, I wanted to write a book about it. And one thing that's in the book that is uh gaining a lot of attention is how I do a deep dive into what the dark web really is. Not just sort of the mechanics of it and the anonymous servers and how it functions, you know, plenty of people have talked about that. But but actually what's in there and what you can find, how difficult it is to get to the deepest depths, how dangerous it is if you go there, and some of the incredibly depraved things you can find down in the dark web. 
And in fact, I spend an entire chapter on a case that we took with the Georgetown group, where uh my my friend and colleague, who's a dark web, I call him a dark web spelunker, he goes, he puts the suit on and goes deep down into the caves of the dark web to find things so that we don't all have to get dirty. Uh to go try and find a uh a Russian cybercrime gang who had exploited a teenage girl and uh tried to find what they were doing with those pictures and give her some peace of mind, try to try to remove that stuff from the dark web marketplaces. Uh and as we dove deeper and deeper into some of the most horrible uh, you know, onion sites is what they're called on the dark web, I show my readers exactly the steps we took and how to get down there and some of the things we found. And that's not done very often. Certainly not in a book, and that uh that those chapters right there are really resonating with people.
SPEAKER_03:Yeah, and some of the things I really liked, and um I and I told you this before we recorded, just that connection. I mean, you are really uniquely suited to connect the dots between the two, right? Having been in in the FBI and involved with the spy hunting and and espionage side of things, and then and then cybersecurity, and then how that is, you know, it is very similar. It is the same, and that's what they're using. And so coming from you, I think it is unique. If somebody else said it, then I might like, uh, is it really? But coming from you, really, I was like, well, that's number one, that's cool, right? It kind of puts us in in that domain that I've never really thought about um as spy hunters, but everybody needs to think that way, and that's really part of what your angle is, is like this is not just for cybersecurity folks, but everybody needs to think this way.
SPEAKER_01:Yeah, exactly. And what I'm teaching my readers to do is become a spy hunter. You're learning the same things that I learned in uh the FBI Academy in Quantico, and you might think, well, how's he writing these things? You know, these secrets from the FBI, and that's what they are. They're secrets from the FBI. I had to get the FBI to approve the book. I couldn't show it to anyone until it went through their pre-publication review just to make sure that there wasn't something in there that they really didn't want out, and they were kind enough to allow pretty much everything I put in there. So you're seeing true insider information that you're not going to find anywhere else. This stuff hasn't been published anywhere uh before.
SPEAKER_03:Yeah, and another thing that you do a great job of, it's very up to date. Like a lot of the stuff that you add about, and there's a lot of history of breaches that have happened, but a lot of the AI content that you include throughout the book is very relevant and and really right now of people really aren't I don't see a lot of people talking about that other than in IT and in cybersecurity, right? So I think when you when somebody reads this is not in our world, right, then I think there's gonna be a lot of eye-opening of like, oh, I you know, I just thought ChatGPT was a cool thing to make images. Right. So I think that's a good thing that you really do well, is help reveal, like, yes, it is good, but it's also scary.
SPEAKER_01:Yeah, AI deepfakes are costing families, and now we're we're talking about the consumer level, uh, you know, uh in the in the high hundreds of millions of dollars, not that's not individual families, so it's plenty of families, but there are there are a scourge of AI voice deepfakes going across the world right now, where it's a combination, it's one of either, you know, I've been kidnapped, and then the next voice you hear is the kidnapper, send us money, or we're going to harm your loved one. Or more recently, there's this there's this new one going around, which is actually very clever. Your your daughter, your son, or your sister, or you know, a family member normally calls and says, I screwed up, I've been in an accident, uh, I'm arrested, I hit somebody. And the last one I heard um it was, I think I hit a pregnant woman, I'm not sure if she's gonna make it. And then the next voice is the public defender who says, Yes, she's in prison, uh, in jail. You know, you're gonna have to pay $2,000 for bail. Uh, if you wire this to me right now, I can get it paid, I can get her out today. This is the only phone call she gets. She's not gonna be able to call again. Um, otherwise, you know, she's gonna be in jail for the next week, and uh, you know, the court case is gonna start, it'd be better if she was with you. Yeah, I mean, and that pressure situation, that that emotional content that they're using to scare you, and then a pressure situation, pay now, or this bad thing will happen. It it there's psychological ingredients that uh of a scam that are getting these families to just shell out thousands of dollars. And you know, when they hook you for $2,000, then they call back the next day, okay, you know, there was a problem with bail, it was set a little higher than we than we wanted, you know, I'm gonna need another thousand, right? And and and so on and so forth. At some point, of course, you contact your loved one and the scam's over. 
But um, so so they want to get the money as quickly as possible. On a business level, I companies are getting scammed with the old school business email scam that used to come from your chief financial officer or CEO to some somebody in finance saying, hey, pay this wire real quick, or the whole company's gonna go under, we'll lose this project, you know, and that pressure situation once again it comes from authority. That's still, by the way, like a $49 billion a year scam that still works. But now imagine that instead of getting an email from the CEO, you get a voice call, you know, a FaceTime call, right? Or a call over Teams or a call over Zooms. And there's the CEO, just like me in this box in the podcast, talking to you, saying, Hey, we need to send this wire quick. It's confidential, so I'm reaching out to you directly. I'm gonna wait here while you send it, right? And it's all an AI avatar. Wow. On stage, I've created AI avatars of myself that say anything they want. They look exactly like this, and I just use an image to create it and then type, and it says anything. And it scares audiences because they realize how real this can be. And just you both wait until our next election. By then, I'm like 2028. Uh the uh the video, the the fidelity of deep fake video is going to be completely impossible to discern from reality. And man, uh, there are going to be crazy hijinks around that. We're not going to be able to believe anything we see online.
SPEAKER_03:Yeah. And and one thing I've joked around about this, but I think you're some of the things you talk about, well, and well, you talk about a lot of the, hey, here's what's happened, here's what's happening, and then you, and then throughout the book, you have the think like a spy hunter. And then at the end, though, you have the PAID framework. And you want to talk a little bit about the DICED and the PAID frameworks and how you uh separate those and describe them.
SPEAKER_01:Yeah, absolutely. I was thinking, I was trying to figure out a methodology that would last in people's mind, right? So if you, you know, if you in the FBI Academy, you know, the government loves to break things into acronyms, right? So my my acronym for thinking like a spy, right? Understanding the way that bad guys attack, putting yourself in the mindset of the criminal so that you see the attack, so you see the punch as it's coming, right? Not get hit in the face and then go realize I got punched, is DICE. Deception, impersonation, infiltration, confidence schemes, exploitation, and destruction. Six buckets, six key ways that traditional espionage has come after us for centuries, right? The world's been plagued by these things. And this is how cyber criminals are using traditional espionage to attack us. So if you understand those six key areas, and each of them has a few chapters in the book where I tell stories. I mean, the book is all storytelling. It's it reads like a true crime story nonfiction book. The second half of the book, we turn the tables. Now you've learned how to see the punch coming at your face, but how do you block it, right? That's PAID. Prepare, assess, investigate, and decide. It's like a loop. You're constantly preparing, you're preparing ahead of the attack, you know when it's coming, you see it coming, you're assessing is this an attack or not. When you assess there's an attack, you investigate to figure out how it landed, where it went, and then you decide to act. You block that attack and you save yourself. Uh, if we can follow that four-aspect chain every time we're looking at cybersecurity, we can make the world safe from cyber attacks. 
Now, of course, there's a lot of detail in PAID, that's the second half of the book, but I take the stories from DICE, the first half, where you've learned how to think like a spy, and then I tell you in the second half, if you had used the PAID methodology, here's how you could have protected against this cyber attack. And uh I do it once again with storytelling, and then there's more stories in the back because I believe that we learn through stories. Actually, I know we learn through stories, psychology's proved it. And uh, if I can give you a great story that sticks in your head, then you'll recognize the attack because you'll remember it from a story.
SPEAKER_03:Yeah, and I don't I don't want to spoil the story that you use for your example throughout the book of your experience. Um, but you you know, you do have a ransomware incident, and I I do like the way you weave that through the book, and you you're you're experiencing this while you're also talking about other incidences and breaches that have happened. Um, but you get a phone call from the ransomware group, um, and it just so happens that they're from Russia and your wife is there who speaks Russian. Right. And um, I thought that was funny, and in my in my head, I I was curious. I was like, I wonder if Eric was like, hey, you know, tell speak back to them in Russian and freak them out. If that came to mind at all. I don't know if that came to mind, but I thought that's something I thought.
SPEAKER_01:That would have been funny. I I wanted to, they were trying to, so the story, there's a through story in the book. It's not just a series of stories that that that reads like a book of short stories. There's a story from start to finish that I wake up in the morning, uh, of course, on a on a Saturday morning, because attacks always start on a Friday and normally before a holiday weekend, from the CISO of a company I was advising, saying, I think we have a problem. And you never want to hear that. A massive large-scale ransomware attack that had uh shut down the company, it was spreading, headquarters was under siege, they were they were moving through VPNs to other field offices all over the world. And uh, you know, he and I right there had to make a rapid decision. And because the company hadn't planned for an event like this, uh, you know, part of uh plan, assess, investigate, decide, right? Uh we had to shut everything down. We we told 3,000 employees close your laptop, unplug your Ethernet cable, you know, turn off your wireless, walk away from your machine uh so that we could isolate the attacker and figure out where he was. And then the entire throughout the book, there's this story of how we were able to find the attacker, what we did. Uh, and finally, yeah, the attacker was pretty bad we weren't paying. And because he was so deep in headquarters, he was able to get phone lists and he found my name and people know me. And he's like, Oh, this guy, right? Uh, you know, calls himself a spy hunter is helping them. So he called me on my personal cell phone. It was it was surreal. That's never happened to me before. That was normally you talk to these guys um over the dark web using their message boards, right? And which I which I did after that. But uh, but yeah, he called and he's like, Why aren't you paying? You know, don't let your insurance company trick you. You know, they'll they'll pay, just pay. And we know what your policy is. 
We pulled the policy from your record. We know that you can pay up to this many millions of dollars, so just pay and get this over with, right? Uh and I just I just kept them on the line and we kept stalling them and stalling them and stalling them uh until we were able to discover exactly what they stole. And uh I won't I won't I won't give the ending away, but uh but it but the ending was incredibly satisfying.
SPEAKER_00:Excellent. No, that's a that's a great story. Um so uh you know we before the story we talked a little about some of the frameworks that you talk about in the book, and a lot of the things that you listed are things that we as mentors try and and you know, some way, shape, or form instill into the future cybersecurity professionals. So, in your in your opinion, is there any advice that you could give to you know people that are starting to get into cybersecurity or might be and then just trying to move up uh their careers professionally that you know would help them along the way?
SPEAKER_01:Certainly. So there are a few things that I think that anyone who wants to break into cybersecurity should start thinking about. One, it's not enough just to get a computer science degree, right? Uh it gives you a basic idea of computers and programming and how it works, but that is not going to translate directly into cybersecurity, which is a little bit of a different animal. You need to look for courses and certifications, and there are tons of them out there, that are directly direct toward the discipline of cybersecurity. What I tell everybody to do is start learning as much offensive cybersecurity as you can. I'm not mean, I don't mean like I'm going to offend you. I mean offense, playing, going on offense as opposed to defense, right? Because that is threat hunting. If you can find certifications on threat hunting, if you can start learning how to use the top-tier cybersecurity software and their consoles to go find uh attacks. We we used to do this thing at uh Carbon Black and VMware where we would uh you know do a hunt the threat and we would get teams of people and we would launch this staged attack and they would have to sit there uh and figure out you know where the attack landed and where the attacker was and hunt them down through the environment. It was really cool. It was like capture the flag and um you know someone would win. You know, that kind of gamesmanship always always makes people perform better. But those sort of disciplines and learning uh will, you know, if you're looking to get into the industry in the next year, that's what all of the companies are moving toward and that's what they're gonna be looking for. Also, start learning about AI. Start learning about how AI is coming after us, uh, not just the great, wonderful things it can do, because it can write fast and you know it's starting to code now, which makes coding easy, and uh it's gonna change the world. 
If you listen to most people who talk about AI, they're talking about the the way it's going to do good. I like to talk about the bad it's doing, and we need to understand that because it is changing us. You know, in the book I talk about how it's changing our children, right? How they are not becoming as creative anymore. They're not exercising that flexibility and that creativity that is what makes us human, the ability to go from nothing and invent something, whole cloth, right? Whether it's a wheel or a light bulb or you know, discovering electricity or fire. That's a human experience. AI can't do that. All it can do is regurgitate what we have created in the past. So if we don't establish that creativity, and I know I'm getting a little bit on a tangent, uh, then we won't have a lot of that in the future. We'll just be in that movie Idiocracy, where we're just recycling the same content over and over and over and scrolling until we die. So I think understanding AI and understanding how AI can be used to augment cybersecurity is the next holy grail of cybersecurity. And every company that we're advising now, everyone we're talking to, uh, is building AI into their software in order to hunt that threat faster than the threat can hunt them. Because bad guys are using AI. They have dark web AI, and that dark web has no guardrails. It will do anything you ask it to do. That's where you're seeing some of the most horror, horrendous content that we see out there. It's being created by that dark web AI that uh will do any depraved thing you ask of it. Um, and and then, of course, read my book. It'll give you this great baseline understanding of the threat that's out there and tactics you can use to protect yourself uh against them and deploy and sound really smart when you're in interview trying to get a job at a cybersecurity company.
SPEAKER_00:Absolutely. No, I completely agree. AI is everywhere, AI will continue to grow, take over. So it is something we also try to advise people. If you haven't done it yet, start just start using it, right? Just start using it and just experimenting and just just just be in the know. Um I did have another question, and uh I I'd like to get your thought because you know it could be that many people didn't really think about wanting to become a spy or go down that line of work and tied to cybersecurity. But are there any habits or traits that would make a good investigator or someone to join that field that you would say? Certainly.
SPEAKER_01:Attention to detail is important. You you can't miss things, right? So if you're looking at me right now and you can uh look at my background and spend like uh a few seconds and then close your eyes and list out like 10 of the things that are behind me, that that's probably a good clue that you're good at attention to detail. If not, that's something you can learn and that's something you can work on. You have to be able to think very flexibly and be ready to just change your plan at a last minute because in investigations you never know where the facts will take you. And you have to be prepared to set aside any pre-existing bias or ideas you had at a moment's notice and just let the facts be pure and take you there. In cybersecurity, when we're investigating and threat hunting, when we're looking for where the attacker landed and where they went, we're following what we call bread uh breadcrumbs, right? The little footprints through the data, what they touched, what they accessed. Uh, you have to be very open to uh to seeing where they came from and where they went, because it might not be what you expected at all. Um and then finally, uh, to be a very good spy hunter, you have to be very diligent, which means that you have to have that mental capacity to and tenacity to stick through an investigation, to not give up and to fight through until you finally catch your bad guy, wherever that person is.
SPEAKER_00:Perfect, thank you.
SPEAKER_03:Yeah, so um I guess just kind of a few things before we wrap up on just what it was like to see the movie Breach being made, and you I'm sure they brought you in and be um part of that experience um and see yourself portrayed on the big screen. Like what was that like?
SPEAKER_01:It was a surreal experience. You know, it it it still is it still is a little bit uh strange to me that there is a critically acclaimed major motion picture by Universal Studios about me. Movie Breach. I mean it I I I it still boggles my mind. Uh Ryan Phillippe plays me uh as Eric O'Neill. Chris Cooper plays Ryan uh plays Robert Hanssen, Laura Linney is in it, Dennis Haysbert; it has an all-star cast. It was an excellent movie. And you know, uh I was I I met with the actors, I spent a lot of time with them. Ryan Phillippe and I became very close friends. In fact, I was just out at his house three days ago and we filmed our own little interview. We decided we're gonna interview each other, and uh that's coming soon. But uh the the premise was it, you know, could a spy become an actor and could an actor become a spy, right? And and we asked each other questions to see whether it was possible. I think an actor could become a spy. I think it's a lot harder for a spy to become an actor, honestly. You know, uh we actually we get to act in real life, like in the real world, and they they sometimes have to uh to create the world around them and imagine it, and that's really hard. So it it you know it was it was a fascinating experience, and you know, the one thing that I took away from that movie, and of course I always say, if you have an opportunity to have a movie made about you, uh, you know, I highly suggest you do, uh, as long as it's done well. And um I I was portrayed well, I was my my history was handled very well, and it opened countless doors for me. Um I don't know that I would be, you know, I would have the stage presence I have and the opportunity to get out in the world and speak to amazing crowds and share my ideas and stories if if that door hadn't been opened by Universal Studios to uh first show show a little piece of my history to the world.
SPEAKER_03:Yeah, and and a few things when I was reading the book and also from the movie, this thing about Robert Hanssen. And it's it's kind of hard to tell. I think I think he he seemed, you know, you mentioned him and and you guys both dabbling in computers and had computer skills. How how skilled was he? Like he was he uh I mean one of the things from it may have been the movie or the book, talking about writing his own encryption for his Palm Pilot, right? That seems pretty skilled. Like, but you know, and some of the things he found, maybe it was because he was really interested in finding those weaknesses, but was he really skilled or where was he in that skill level from a computer and and cybersecurity perspective?
SPEAKER_01:He was skilled enough to the point where the FBI was concerned that they might not be able to catch everything he did. Uh and you know, whether he wrote his own encryption or just grabbed his own encryption, you know, grabbed an encryption scheme and encrypted his data, uh, he was a he was a pretty powerful liar. So I'm not exactly sure. Um you know, if he wrote it, it was it was a it was a basic, you know, RSA type level encryption, um, or maybe even a little weaker than that. Um, because that's right now, until there's quantum computers, and I get into that in the book, yeah. That still works real well. Um so the FBI did crack it in days, so it was probably a bit weaker than that level of encryption, which we're still not 100% able to crack. So I, you know, but but the fact of the matter was that he was an incredibly adept, trusted insider at a time that the FBI was not particularly looking for trusted insiders within our own nest. And he was able to exploit that ability to move unobserved and his uh adeptness with computer systems in order to stay under the radar for uh two decades, uh, and was never caught until the very end of his career before right before he was going to retire. And had already done immense and uh and difficult to calculate uh damage to the entire US intelligence community.
SPEAKER_03:Yeah, absolutely. One of the pro one of the the stories that came out about ACS and the system that the FBI used that it's like that is a good h hacker mindset that he had with being able to see who was under investigation by just the first, you know, first few characters without knowing the full character string, even like it was X'd out, but you could still see who that was. That that's a that's kind of that hacker mindset of like, well, you know, there's something here, but it really isn't effective at hiding what is happening. And obviously, you talk about how many times he may have looked himself up in that system.
SPEAKER_01:Yeah, and just to explain what he would do is the ACS system had a flaw. If you were to type in a name and uh and that person, whoever it was, you would you could put in a name, address, as much identifying information as possible, and it was just a big database, and you put that name in, and that person was under investigation, but you as an individual did not have a need to know, you didn't have the security clearance to see that case, the case would pop up, but it would all be starred out, right? And Hanssen realized that all I got to do is put the names of people that Russia is interested in into ACS, and they would send him a list, and he would just type all the names and information in. And if it came back starred out, he would know there was an open investigation for that search that he had done, and then he would he would drop back to the Russians, hey, this guy is under investigation, and then the Russians would take it from there, and normally, you know, that spy that was uh was trying to help the United States would be arrested or executed.
SPEAKER_03:Wow. Yeah. Thank you.
SPEAKER_00:So, in your opinions, uh, what is more dangerous? A hacker with code or a con artist with some charm?
SPEAKER_01:Con artist with some charm. Absolutely. A hacker with code can only do so much. A con artist with some charm, which is where cyber criminals have moved and spies, can do everything. They can get uh anywhere and go and do anything. They don't even need a line of code nowadays in order to uh penetrate systems. A great example I tell in the book is uh MGM was attacked, you know, the MGM chain of hotels in Vegas, uh, and the attackers were able to get in and bring down Vegas for a week with a single 10-minute phone call. Just fold. And not only were they able with that 10-minute phone call to reset their username and password for a systems administrator, one of the people who has the ability to create passwords, elevate privileges, you know, give you access to more and more things. Um, they were also able to reset that person's two-factor authentication. So uh, yeah, that con artist is that that's the new way that attacks are happening. And that's that's a huge basis of the book to fix that misconception that we need to defend against code. We don't. We need to defend against people and psychology.
SPEAKER_00:Awesome. Perfect. So, where could listeners follow you? Where could they get the book and stay in touch?
SPEAKER_01:Well, the number one way that people can uh collaborate with me is my weekly newsletter. It's free and it's a companion to the book. So I couldn't put everything that happened in the book. And every day there's 10 more huge cyber attacks that happen that I wish I could just just jam into the book. So what I did is I created a newsletter, also called Spies, Lies, and Cybercrime, and you can sign up there for free. It only comes once a week. It doesn't bombard your mailbox, and it's uh ericoneil.net backslash newsletter. Really simple. Or just go to eric O'Neill.net and top and click the top banner with the silly little fire emojis, and that'll take you right to the newsletter. Uh, you can get the book through that same website or wherever books are sold. And if you really enjoyed hearing my voice during this podcast, I'll put a little more bass in it for you, then uh you can get the audible version and uh and listen to me read my own book. Perfect.
SPEAKER_00:Thank you so much. And just one, I wanted to ask one what is one final advice uh that you have for our listeners? Like what is one mindset or behavior that they could start doing today to outsmart hackers?
SPEAKER_01:Yes, so there are two things. First of all, the number one thing that everyone should do right now, I say this everywhere, uh and stop me if you've heard this one before, but listen is turn on two-factor authentication everywhere. It's the number one Achilles heel in cybersecurity. Uh, the password needs to go away. We need to stop using passwords, we need to stop relying on them. You need to have something more than a password, or else you will lose your data. Uh, the second is to be mindful, to uh take a moment whenever you're online, when you're scrolling through social media, when you're going through Instagram and you're looking at reels, and you stop at that perfect Halloween costume, 70% off, or that Christmas present, or there's a dozen roses for uh Valentine's Day that you know have to go and pay now. It's only good for another two hours and a countdown timer's going. Stop. Take a breath, take a step back, don't give in to pressure. That could that's probably a scam because if it looks too good to be true, it almost always is too good to be true. Thank you.
SPEAKER_03:Yeah. No, thanks for thanks for being here, Eric. Um, our listeners go go out. It's a good time to buy a book for you know the holiday season's coming up. And like Eric said, it reads like a spy novel. You can share it with your family and friends. It's like, hey, this is you can be telling them, hey, you gotta beware, but this is a great way to have them read through why they need to beware, right? And then what to do about it. So certainly.
SPEAKER_01:And give it to every one of your friends and family who constantly comes to you every time they have an IT problem because it will resolve about 50% of those IT problems. They'll be able to do it themselves and they'll understand it themselves, and it'll save some of your weekends.
SPEAKER_03:Excellent. Well, thanks, Eric. We're so glad to have you, and thanks for sharing about your stories and and about the books.
SPEAKER_00:John, Steve, it was great to be on the podcast. Thank you. And a huge thank you to our sponsor for season five of the Cybersecurity Mentors Podcast, ACI Learning. You can check out ACI Learning at acilearning.com slash simply cyber. Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.
SPEAKER_03:Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.
SPEAKER_00:Do you have questions or topics you'd like us to cover, or do you want to share your journey? Join us on Discord at Cybersecurity Mentors Podcast and follow us on LinkedIn. We'd love to hear from you.
SPEAKER_03:Until next time, I'm John Hoyt.
SPEAKER_00:And I'm Steve Higger at F.
SPEAKER_03:Thank you for listening.