November 12, 2025
EP 19 – Trust Under Attack: Spies, Lies, and the New Face of Cybercrime
Eric O’Neill, former FBI ghost and author of “Spies, Lies & Cybercrime,” joins host David Puner to take a deep dive into the mindset and tactics needed to defend against today’s sophisticated cyber threats. Drawing on O’Neill’s experience catching spies and investigating cybercriminals, the conversation explains how thinking like an attacker can help organizations and individuals stay ahead. The episode covers actionable frameworks, real-world stories, and practical advice for building cyber resilience in an age of AI-driven scams and industrialized ransomware.
While the casino floor in Las Vegas buzzed with a din of light and sound, the real action unfolded quietly behind the scenes. A polite caller reached the help desk with a simple story and a confident voice. In just 10 minutes, an administrator account was reset, a password changed, and two-factor authentication “fixed.” I’m saying that with air quotes. No malware, no zero-day exploit. Just trust expertly manipulated.
Hours later, attackers held the keys to half the strip, locking systems, choking operations, and demanding a payout. This is the face of modern cyber crime. It’s not computers attacking computers. It’s people attacking people with keyboard scripts and call centers. They exploit trust and identity to make lies feel true and doors swing open.
Our guest today is Eric O’Neill, the former FBI spy hunter who famously brought down Robert Hansen, one of America’s most damaging spies. In his first appearance on the podcast, Eric revealed how to catch a malicious insider. This time we dive into his new book, Spies, Lies and Cyber Crime, exploring how attackers weaponize trust, why pressure is their sharpest tool, and how to think like a spy and act like a spy hunter. Before the punch lands, here’s my conversation with Eric O’Neill.
David Puner: Eric O’Neill, former FBI spy hunter, welcome back to the podcast. Appreciate you coming back on.
Eric O’Neill: David, it’s great to be here and to talk about Spies, Lies and Cyber Crime.
David Puner: Excellent. And there is so much we could talk about. I just finished reading your new book, Spies, Lies and Cyber Crime, and it is really a great read. I recommend it to anyone because I’ve been working in the cybersecurity realm now for five years and it was certainly eye-opening for me. I would imagine that most everybody is going to find something in here that they can use from an actionable insight standpoint and take back to their own personal cyber hygiene.
Eric O’Neill: Well, that’s great to hear because that’s why I wrote the book. For insiders and people who don’t really understand this world. I wanted it to be just as effective for someone who is a chief information security officer running an enterprise as it is for somebody who is a consumer, a grandfather, a teenager, a parent, somebody breaking into business who wants to protect their data and their wallets from cyber criminals. And the whole idea was to tell stories so it reads like a true crime thriller. You will remember those stories and remember how to identify the attack and act like a spy hunter to defend against it.
David Puner: Absolutely. Lots of great advice and tips for parents, as you mentioned there. I’ll be having some conversations with my kids this weekend. That’s for sure.
Eric O’Neill: Yeah, look at their phones. That can be a very sobering moment when you say, I would like you to unlock your phone and let me see your apps. Most parents will be shocked.
David Puner: Yeah, I imagine so. So to dive right in then. With your background as the FBI ghost, or undercover operative who helped bring down one of America’s most notorious spies, Robert Hansen, which we discussed in depth the last time we spoke a couple of years ago, and now as an author and advisor, you’ve seen firsthand how trust can be both a weapon and a vulnerability. How do you see trust being manipulated in today’s cyber landscape?
Eric O’Neill: It all comes down to trust. For years I’ve been saying that data is the currency of our life. In fact, that was one of the earliest titles for the new book. But that’s changed. It’s really trust. Trust is the most important thing we have. Trust that the person you are talking to is a real person. Trust that the business transaction isn’t a fake or a scam. If we can empower trust with cybersecurity, we can make the world safer from cyber attacks.
So many of these attacks, especially cyber crime and espionage, use deception to get us to trust something that isn’t true and ultimately harms us. Whether it’s a scam or a counterintelligence attack or a terrorist attack, it all goes back to trust. What a spy wants to do is exploit that trust by wrapping us up in a deception that is so perfect we never see it coming.
David Puner: And of course the underlying theme is trust nothing, verify everything, which ties back to zero trust. Is that inherent to human nature?
Eric O’Neill: It’s not. We tend to trust, especially on the internet, which is too bad because that’s the place you absolutely don’t want to trust. When I say verify first and trust only when you’ve verified, that applies to everything we receive online. Whether you’re getting a DM on social media or scrolling through your favorite reels. Whether you’re looking at an email, which is still the number one way business scams happen. Or even now if you’re getting a call or a voice message or a FaceTime call. In the world of AI and deepfakes, soon we won’t even know if the person we’re talking to is a real person.
David Puner: A terrifying thing to contemplate. And I will point back to the book where all of this gets laid out, which is definitely a lot to take in, but you also end every chapter with actionable things you can do to verify, to determine if something is real or not, and then lots of other websites and resources to track it all.
Eric O’Neill: Yeah. The point of the book is to identify for you through storytelling. It reads like a true crime story book, but the idea is that through the stories you’ll recognize the attacks when they happen to you, and they will. Maybe they already have and you need to go back in your memory. Cyber crime is the fastest growing business on earth. I want you to recognize the scam because you remember it from a story. That’s like someone throwing a punch and you see the punch coming. Now it’s up to you to decide how to act. In the book I teach you all the ways you can block that punch before it hits you. Seeing it coming is the number one thing that protects people.
David Puner: You mentioned it in the book, and it’s been mentioned by other guests on this podcast, but the famous Mike Tyson quote: everybody has a plan until they get punched in the mouth. That definitely seems to resonate when it comes to cyber crime.
Eric O’Neill: There are two quotes in cybersecurity that everyone uses. That Mike Tyson quote. And the military idea that no operation survives first action. The second you go operational, everything has to change. Part of that is being able to pivot. When you can think like a spy, you understand all the ways attackers come after us. Then you can pivot quickly toward the threat, understand it, identify it, investigate it, and act in a way that protects you.
David Puner: You’ve spent your career tracking everything from classic spies to today’s cyber criminals. With the rise of AI, deepfakes, and the industrialization of cyber crime, what’s the biggest change you’ve observed in how attackers operate? And what does that shift mean for defenders on the front lines?
Eric O’Neill: I love that question, David, because it really gets into the core of how attackers are making 14-plus trillion dollars a year in dark web cyber crime. And that’s where we are. And that’s trillion, not billions. So that makes dark web cyber crime right now the third largest economy on earth, easily, and actually bigger than Germany and Japan put together. If the dark web was a place, its gross domestic product would be bigger than most countries on earth. Crazy.
What attackers are doing is, and maybe I should start by getting rid of a misconception. Something that used to be the way attacks would happen. You’d have a computer, you’d turn it on, and some sort of malware, or we used to call them viruses, would infect your computer and steal your data. It was computer to computer. They were exploiting problems in operating systems, and you would get it from software. Someone was using a computer to attack your computer and steal data.
That’s not how it happens anymore. The majority of cyber attacks, the overwhelming majority, are a person who uses a computer and the anonymity of the internet to fool you. And sometimes there isn’t a single line of code. They’re just fooling you into believing a lie is true.
So for example, when MGM was attacked, and I tell the story in the book, that was the biggest owner of hotels in Vegas. I didn’t even realize that. MGM doesn’t just own the Grand. They own half the hotels in Vegas. They were hit by a massive ransomware attack. The attackers were able to get in and burrow into their systems with a phone call. A single 10 minute phone call to tech support that reset a username and password for a systems administrator. Someone who had access to change passwords and create accounts and do all sorts of mayhem if they go rogue. And they even reset their two-factor authentication with just a phone call.
Now we’re seeing cyber criminals come after people like you and me on a personal level. By sending emails and texts and DMs that don’t even have a line of code. It’ll say something like, we tried to deliver your package and couldn’t get it to you. It’s being held. Call us on a toll free number to get it released. And you call and talk to a person. You don’t click a link, you don’t open an attachment. You pick up your phone and call.
This happens every year around tax season with IRS scams. People pretend to be the IRS. You might have gotten a text from a toll booth saying you didn’t pay a toll. If you don’t pay right away, they’ll cancel your license or send a fine. But it doesn’t say click this link or open this attachment. It says call here. And now you’re talking to a dark web call center. These people are slick and professional. They say pay us $200 right now and we’ll get rid of the fine. It was over a billion dollars last year spent on this toll booth scam.
So the scams are getting more and more clever. But the point is cyber attackers are attacking you and me, not our computers. So we have to be the ones who recognize the attack and defend against it.
David Puner: And it’s all very obvious that the attack method is via a keyboard as opposed to something out of Ocean’s Eleven. When they’re in person, or an old school crime like the Louvre. There’s less human stake in the game. Is that a way of looking at it?
Eric O’Neill: Yeah, let’s take the Grand Paris heist, which is fascinating, and I’m going to highlight it in my next newsletter just because it’s cool. We talk so much about cyber crime, and most crime is now cyber crime, because if you’re a criminal, why would you smash a bank, have the police chase you, and eventually get caught?
In the Paris heist, they use a bucket truck, go to the second floor, smash a window, go in with grinders in plain sight of everyone, including guards, smash the cases, take everything, and run. They jump on motorcycles and rocket away. They’re wearing masks. The reason the guards didn’t stop them is because their training is not to get into an altercation. They could accidentally shoot a patron, and there were patrons everywhere.
I think they had some inside information. Often these big attacks, whether it’s a physical inside job or a cyber attack, involve an insider. But what are they going to do with all those jewels? You can’t fence them. They’re some of the most well known items on earth. Crown jewels of France. So they’ll have to break them down and sell them piece by piece, which is a lot of work.
These same attackers could have made more money if they just went into ransomware and launched cyber attacks. And there’s almost no chance they’d get caught. Once in a while we see high profile physical attacks. But more often criminals are going cyber because it’s seen as a victimless crime. They never see their victim, and it’s incredibly lucrative. It’s a low chance they’ll be arrested.
David Puner: Let’s go back to the dark web for a moment. This hub of cyber crime. So much of today’s cyber crime, ransomware, credential theft, even the sale of deep fake tools, relies on the dark web as its marketplace and meeting ground. In your book you paint a detailed picture of the dark web as a thriving underground economy. From your actual exposure to the dark web, what’s one aspect of how these markets operate that would surprise most people? And how should that reality shape the way we defend against these threats?
Eric O’Neill: I spend a lot of time on the dark web in the book only because I’ve been speaking on stages for decades. In the last ten years I’ve been asking my audiences to raise their hands if they know exactly what the dark web is. Maybe one or two people will raise their hands, usually an FBI agent. There’s a huge misconception about what the dark web is, what the deep web is, what the surface web is. I detail all of that, with storytelling.
I take my readers over the shoulder of a dark web spelunker, a friend of mine who was paid by the DOD to become a bad guy, a big drug trader, so he would have the credentials to go in and not get assassinated by cyber criminals. We go way down into the dark web.
Something that would surprise you is you can buy anything there. It is literally depravity at the touch of a button. Cyber crime is huge. If you want to get into cyber crime and you’re industrious and learn how to spelunk into the dark web using the Tor browser and onion websites, and you’re in the know, it’s possible. It’s not like there’s a Google for the dark web. There are search engines, but they’re fake. As soon as you click a link on them, you’re infected. So you need to be in the clubs and message boards that tell you which sites are real marketplaces.
Once you’re deep, it’s fascinating, sobering, and disconcerting. You can buy any malware on earth. You can hire attackers to launch DDoS attacks or breach organizations. There are e-learning platforms if you want to become a ransomware affiliate. You can download toolkits, launch attacks, and pay 25 percent to the syndicate.
Outside of cybercrime, there’s the drug trade and human trafficking, which is devastating. Pornography is the most searched thing on the dark web, and it includes terrible things. With AI, people are creating new content nonstop. You can buy guns, you can buy 3D printer plans for ghost guns. It’s a massive, sprawling system.
And something people ask: can it be shut down? No. The dark web is part of the internet. To shut it down, you’d have to shut down the entire internet, and that would make everyone on earth miserable.
David Puner: Wild. It’s the upside down internet essentially. And reading the book, you take us into this world and you mentioned people pay for this, that, or the other thing. The main method of payment is cryptocurrency. So how does that factor in, and does the fact that it’s somewhat untraceable have something to do with it?
Eric O’Neill: The reason that cryptocurrency is the payment method of choice, and the currency of the dark web, is because it’s decentralized. It’s very hard to freeze. There’s no central bank that law enforcement can go to and freeze funds. Now, they do rush in and work with the big cryptocurrency companies when a dark web cyber criminal or any cyber criminal is using them, to freeze wallets. They can freeze digital wallets. Sometimes they can get portions. But there are full companies on the dark web who will work with criminals. There’s a supply chain on the dark web.
You launch a ransomware attack and you’ve stolen an identity, and you set up a drop bank account using a fake identity, which is a legitimate account at a real bank using fake information. Then you change the name to whatever business you’re scamming the victim into depositing money into. That person wires their money into that account, and you immediately move it into one of these dark web marketplace companies that will start pushing it into different cryptocurrency wallets faster than law enforcement can find it. Then often into physical wallets or wallets on servers that law enforcement can’t touch. And it’s gone. The money is absolutely gone.
Law enforcement does have wins. The FBI is very adept. They have plenty of dark web spelunkers who get down there all the time to take down pornography sites, especially if it’s child pornography, or big cyber crime syndicates. But the problem is this is all based on a data architecture, and bad guys have backups too. So if you don’t arrest the bad guy, they will eventually restore all their systems from backup and be back up and running with different websites or onion sites and different names. They’ll even rebrand.
David Puner: On somewhat of a tangential note, I saw in the book, I read in the book, how you tried to buy some cryptocurrency early on. What, in like 2008, 2009? About a hundred dollars’ worth, which would have been worth how many dollars now? Tens of millions. I was just gonna—
Eric O’Neill: I was just gonna buy a hundred Bitcoin, and you couldn’t figure out how to do it. I figured out how to do it and I thought, I’m a cybersecurity consultant and thought leader, or aspiring at that time, and I should figure out how to buy this cryptocurrency. Now, it wasn’t like today where you can buy it through banks or through apps. It was actually very complicated, and you needed someone who knew how to mine it to help you. And you weren’t sure if you were going to pay them and they would actually do the mining and you’d get the coin delivered.
So I went through all the steps and felt like, okay, I can explain this on stage now. I’m not really gonna buy this crap. It’s going nowhere. And that was one of the biggest mistakes of my life. Because had I bought those 100 Bitcoin, which would now be worth tens of millions of dollars, I probably wouldn’t be on your podcast. I’d own my island somewhere and just be relaxing and writing books for fun.
David Puner: Our gain on your sliding doors moment there. But I could feel the sting in that one for sure.
Eric O’Neill: Well, it gets worse. The safest thing to do when you have a lot of Bitcoin, or a lot of cryptocurrency period, is keep it in a physical wallet that is not attached to the internet. It’s sitting on a hard drive, and the blockchain shows that you own these coins. So you could connect it to an exchange and sell it anytime. And people lose those drives. People forget the passwords to the drives. So they might have millions of dollars sitting on a physical device and they can’t access it. And it makes them crazy. Completely crazy. Imagine if you had five million dollars on a little thumb drive and you forgot the password.
David Puner: I can imagine that. I don’t like imagining that, but luckily it’s not my reality.
Eric O’Neill: Mine either.
David Puner: So then back to the book, which is divided into two sections. You’ve got Think Like a Spy in section one and then section two, Act Like a Spy Hunter. What does the spy mindset have to do with cyber crime? And if we’re charged with thinking like the attacker as cyber defenders and protectors, how does thinking like a spy complement that mindset?
Eric O’Neill: So one, spies are my brand. But more importantly, in writing the book, I wanted it to feel like reading something that is literally insider information, because that’s what it is. I went back to my origins at the FBI Academy, how we learned to be counterintelligence investigators. We learned by having instructors who would come in from Mossad, from KGB, from CIA, from all the different adversary intelligence agencies who were defectors or our own, and would teach us their tradecraft.
To understand how to counter the intelligence of an adversary, you need to understand their tactics, then know how to exploit those tactics against them. That’s what made me a great ghost. An FBI ghost, an investigative specialist, is really a spy who catches spies. It’s the coolest thing you can do in the FBI. It’s exhausting and incredibly stressful, but it’s cool.
I wanted to take that cool factor and put it in a book where everyone who reads it feels like, I could be a bad guy. Now I know how to do everything they do, without actually teaching them to do it. What I want my readers to do is recognize all the tactics the bad guy uses. That’s think like a spy. You see how the bad guys do it. You understand it intrinsically. You’ve read the stories, you’ve been immersed in it.
And then the second part of the book is how you protect yourself. Act like a spy hunter. Now you’re going to hunt those spies because you see them coming. That punch is coming toward your face, but you see it. You have time to react because you understand the attack, and then you block. The second part of the book takes those original stories and explains how, if you knew to do these things ahead of time, if you could see it coming, these are the ways you could stop it.
By educating people, because these attacks are people attacking people through computers, we can neutralize 99 percent of the attacks. Those are the attacks that cyber criminals are deploying against you and me, and we can drain the dark web of resources. If they don’t get paid, they don’t have jobs. If they can’t beat us with cyber crime, they have to go get real jobs.
David Puner: One of the important underlying points to all of this though, as you mention, is that spies play the long game. So what does that mean for spy hunters?
Eric O’Neill: The big difference between spies and criminals today is really only the outcome. They use all the same techniques and tactics. The difference is a spy will want to quietly slip into your system, steal everything they can, and slip out without ever being noticed. And they will use it into the future. They play the long game. A spy wants to attack major companies, government agencies. They want information that will improve their country or their policies. That’s what spying does.
On the other hand, criminals use the same tactics: slip in quietly, maintain persistence, be in your systems as long as possible to corrupt as much as they can. The difference is they don’t want to slip out quietly. They want to smash everything on the way out, set it on fire, blow it up, destroy it, and then say, I’ve got your data. I can give it back to you, or I have the key to your data. I can give you the key, but you have to pay me. And they use maximum pressure to get you to pay. That’s really the only difference.
So you’re going to see damage far off into the future from espionage. But with cyber crime, the damage hits fast because they’re desperate to get paid.
David Puner: Speaking of the cybercriminals wanting to get paid and demanding to get paid, ransomware crews now run like businesses, even calling victims customers. What should security and business leaders know about negotiating with these groups, and is there ever a right way to pay?
Eric O’Neill: First of all, it’s always best not to pay if you can. The FBI says never pay ever. They say that because it makes their job harder. Every time a company pays, every time a person pays, the cyber criminal gets away with it, and then they can scale their operations and hire more people and get more into the trade. It’s money that funnels into the dark web and grows it.
But if you’re not prepared, if you haven’t done the steps in the second part of the book, then when you get hit by a ransomware attack, you’re doomed. You can’t restore your data. You can’t get back up and running. If you’re a small business and you’re down for a week and can’t make a sale, and you’ve got huge reputational damage because you’ve lost customer data, and a cyber criminal is saying they’re going to post it online, that could bankrupt you. You may be faced with having to pay.
There, you need someone to help. I’ve been an advisor where we’ve talked to the cyber criminals and had them establish their credibility. Because they are businesses. They’ll send you a CV, like a resume. We locked all these companies, they paid, you can reach out and ask them, like references. They’re always like, of course we pay. If we didn’t, no one would pay us in the future. We’re honorable thieves. Right.
Better not to pay. Better to take the steps so you’re resilient, even if you’re locked. You know enough about your data architecture to see where they landed and to neutralize them, block them, keep them from spreading, catch them quickly, close the trap, kick them out, and restore to a point before they landed. That way they haven’t stolen a lot of data. You don’t have huge privacy notices. And you can restore from good backups.
There are great backup companies that allow this. And because you planned and were looking for the punch and blocked it, you’re able to get back up and running. It will cost money and a bit of pain, but not the catastrophic pain that could put you out of business.
David Puner: What’s the most difficult part of recovery after a ransomware attack, regardless of whether ransom is paid?
Eric O’Neill: The most difficult part for most companies is remediation. Something happened that allowed the attacker to get in. Now you have to make sure they don’t get in again. Companies that have spent a good amount of time with good cybersecurity advisory to understand where the holes are and to patch them can do this quickly because they already have the architecture to find the hole and close it.
Companies that haven’t done this have to start from scratch, usually while the house is on fire. You never want to be figuring out your security while it’s burning down around you. In fact, in my book, I tell the story of when my house burned down when I was in high school, because having been in cyber attacks and having had my house burn down, it feels a lot the same.
David Puner: There’s so much to take in. You think you can have that plan until you get punched in the mouth, and then you’re on your feet or on the ground, and I’m sure your thinking goes out the window. So you really have to have that plan.
Eric O’Neill: You have to know what you’re going to do if you’re hit. And you have to train with your employees. If you’re a company, you need training. If you’re an individual, you need a plan. What happens if you open your laptop and see the grinning skull and the message? They’re very polite now. We have locked you with ransomware. This is the encryption we’re using. This is why it would take you 52 years to break it. But here’s the good news. If you pay us, we’ll unlock you right away. And they even help you. They’re very pleasant when you pay.
You have to have that plan. Do you have a good backup? Is your backup somewhere the attacker couldn’t reach because it wasn’t connected? Can you just tell them no and restore from backup?
There’s more to do in a big enterprise, but it’s similar. You have to be prepared.
The one thing a lot of companies forget is: if we’re locked by ransomware, how do we talk to each other? Think about that. Most businesses can’t gather in a room anymore. You can’t use Teams, you can’t use email, you can’t use any of the ways we connect in a hybrid environment. So how do you communicate?
If you haven’t thought of that ahead of time, you’re in trouble. You have companies that switch to their personal Gmail accounts, which were probably compromised because the attacker was deep in the environment. Or they’re texting each other to figure out what to do. Those are things you need to think about before the bad thing happens.
David Puner: So should companies all respectively be adding their own carrier pigeon aviaries to their corporate headquarters?
Eric O’Neill: Yeah. Carrier pigeons are great because they’re very hard to compromise with cyber. No, I’m kidding you. You know what a lot of companies will do is they will use something like WhatsApp or Signal or one of those apps that at least is encrypted, and they’ll have it as a kind of call tree already set up ahead of time.
That’s the cheap way to do it. Or you have a higher cost option, a little bit more expensive but more secure, like a Slack channel or something like that that’s set up with encryption so that if everything goes wrong, you can just send a message to the group. I’ve seen it where CISOs have entire IT teams all over the world on one WhatsApp chain.
And that could be a point of failure, but they’re not discussing anything. It’s just for emergencies, and they test it every once in a while, like everybody respond to see that everybody’s actually paying attention, staying
David Puner: on the thread of the plan or planning. Having a plan. In the book, you introduce the PAID framework — prepare, assess, investigate, and decide — as a practical way for organizations and individuals to defend against cyber threats by thinking like a spy and operationalizing trust and verification. What does that look like in practice, and where do organizations most often stumble in that process?
Eric O’Neill: Yeah, so it’s a really easy four step method — PAID — that you can remember, because we all want to get paid, right? And you do get paid if you follow PAID. If you don’t follow PAID, you get launched by a ransomware attack and the only payment goes to the bad guy.
So prepare, take the steps ahead of time. What organizations have to do is be prepared and understand that an attack will come. It’s not whether, it’s a matter of when. So you’re prepared for the attack, which means you’ve hired the cybersecurity advisor, right? If you don’t have a very knowledgeable cyber team or CISO who can do it, you hire someone outside, they come and they look at your data.
You’ve taken the steps to organize your data, your architecture, the vendors you’re using, and how cybersecurity ties in to safeguard all of that. You’re segmenting your data. That’s really important too. You can’t have everything on one drive that everyone has access to. That’s a recipe for absolute disaster.
You’re layering your most important and expensive security around the data that matters most, and you’re limiting access to only the few people who really need to see it. That’s FBI stuff. That’s James Bond stuff. That’s for your eyes only.
David Puner: Mm.
Eric O’Neill: That way, you don’t lose everything. If you’re hit, you only lose one compartment and not everything that you have, which minimizes the damage, it keeps the fire from spreading.
So you’re prepared. You’ve got your cybersecurity advisory, you’ve done your work to understand your data, and you’ve paid for some cybersecurity software and applications that are constantly out there working to protect you. But that’s not it. You can’t set and forget. You don’t install something and say easy button, I’m done.
You have to continually assess, and in the world of hunting spies, that’s where analysts do their work. You assess — constantly assessing, looking for the threat, monitoring, auditing, seeing whether employees are doing weird things they don’t normally do. Like suddenly this person who works in California is sitting in China in the middle of the night downloading terabytes of information. You know, that’s an extreme case, but that has happened, and that’s a pretty good clue, right?
David Puner: Mm-hmm.
Eric O’Neill: But it could be other things. Normally they come into the office, but today they’re at a coffee shop downloading a lot of stuff, and they don’t normally do that. That could be a clue. If you have the right data architecture, you can see that.
So you’re analyzing, and when your analysis says, oh man, we’ve got a problem, like something could be wrong, red flag. That’s where people like me come in. Investigators, spy hunters, your cyber sleuths who know how to take that little bit of analysis, that actionable intelligence that we might have a threat, and go in and see if there’s a threat.
You investigate. You get to be the spy hunter, and when you find that there’s a threat, you work your plan and you decide to act. You have to decide to act. You can’t sit there and put your head in the sand while everything burns around you. You have to take innovative and immediate steps to minimize the damage and protect yourself or your company from a cyber attack.
David Puner: Speaking of innovation, earlier on you had mentioned AI. How have social engineering tactics evolved with the rise of generative AI and deepfakes?
Eric O’Neill: It’s changed the whole game. I mean, AI isn’t just for using Sora to make crazy Mr. Rogers videos, which are flooding the internet right now.
David Puner: Seen a couple of those.
Eric O’Neill: Oh God, they’re everywhere. But what it does do is it’s creating ever more impressive and distracting deepfakes that deceive us into believing that a lie is true. And these have been used against families to scam them out of thousands of dollars by saying your daughter’s been kidnapped — and you hear your daughter screaming on the phone.
Or the newest one that’s come around is you hear your sister, your daughter, or a family member’s voice, right? And it says, Dad, I got into trouble, I screwed up. And you’re like, what did you do? I got in a car accident. I hit this family. I think the mom is hurt, I don’t know if she made it. Look, you have to talk to this new person, he’s my lawyer.
And the next voice is the public defender who says yes, your daughter is in jail, she’s going to be arraigned, it looks like she’s not going to get out unless we pay bail. I have to go in really quick, the hearing is right around the corner, this is her last phone call. I need you to wire me $5,000 so I can pay bail and get her out, and you’re not going to be able to talk to her again.
That pressure situation using AI — you’ve just heard your daughter’s voice. And now imagine you get a FaceTime call from your daughter telling you she’s in trouble. Or your son, or your friend. You think it’s really them, but it’s an incredibly clever AI.
David Puner: Which is just becoming more and more believable day in and day out, leaps and bounds.
Eric O’Neill: Certainly. It’s being used against individuals, it’s being used against businesses, and we are going to see an enormous amount of AI manipulation in misinformation and disinformation. Just wait till the 2028 election. That is going to be chaos.
I’m hoping that as AI continues to improve and become more hyper-realistic, cybersecurity will pivot, and I predict that relatively soon we’ll all be installing an application that provides a layer on all the devices we use to access the internet. Your phone, your tablet, your computer systems — everything — that will be like an AI detector.
It’ll analyze an incoming call, an incoming video chat, scrolling through social media, even an ad on social media for that Halloween costume 70% off, click here, only two hours left. And it will say this is fake, or 85% AI deepfake. So it triggers in our mind, wait, take a moment, figure out if this is real.
David Puner: Sitting side by side with folks who have been under attack, and also sitting with the defenders, how are you seeing generative AI changing the game for defenders?
Eric O’Neill: One, defenders have to, just as we do, recognize that AI is being used to attack.
So what’s happening is cyber criminals are using AI to scale their operations, to create novel code, to scan systems, to find flaws they can exploit. Right now, cybersecurity also needs to pivot, to deploy AI that does its own analytics. Because if bad guys are using AI for analytics, then on the defense side we need to be doing the same thing.
It’s tongue in cheek, but in the book I state that if you want to create a mental image of what’s happening in cyberspace right now, AI versus AI, it’s really like the original movie Tron. If you want to see the cybersecurity AI fighting the dark web AI with lightsabers and light cycles, go ahead.
And we’re hoping the good guys win because attackers who are using AI can move very quickly. Humans just can’t respond as fast. So cybersecurity is now deploying its own AI to do the analytics and respond as quickly as the AI is attacking.
David Puner: So there’s been a surge in cyber threats and attacks targeting critical infrastructure like energy, water, and healthcare. What makes these sectors especially attractive to attackers? And what’s one thing leaders in those environments should prioritize to boost resilience and recovery?
Eric O’Neill: In my chapters on destruction, I spend a lot of time on critical infrastructure attacks. I think I start one chapter with what keeps me up at night, because that’s a large-scale critical infrastructure attack here that turns off lights, power, water, the things that we really need.
People forget that there are huge numbers of areas of critical infrastructure. There’s a lot we rely on to be safe, happy, and live lives that are well. All of it is attached to the internet, so it’s all a potential target, including wastewater. If you don’t flush your toilet and it goes away, that can be a huge problem. You can cause sickness and disease. Finances, telecommunications — critical infrastructure is under attack right now. It is the biggest war that’s being fought that no one knows about.
David Puner: Mm.
Eric O’Neill: Foreign threat actors primarily from Russia, China, Iran, and North Korea have embedded themselves in Western critical infrastructure launching what’s called probe attacks.
They haven’t tried to shut it down, but they have successfully demonstrated that they can burrow deep enough to shut things down if they wanted to. And they continue — as soon as we kick them out, they get back in, using all the different ways any attacker would get into a system. And critical infrastructure is not always on brand new patched systems with great cybersecurity. It’s often on aged systems with big flaws no one has looked at in years.
So the bad guys are able to get in. That’s a threat. And in the book, I even said I start that chapter with a story of how I put 25 solar panels on my roof and a big power wall in my basement. Just so when everything goes out, I still have power. I’m the only house in the neighborhood with power, so I’m going to become incredibly popular, right?
But on the other hand, that’s the long game — preparing for any future war, which is going to be fought in cyberspace, not, here in the US at least, with bullets and guns. Criminals are targeting critical infrastructure, including entire cities, because imagine the pressure to pay when a city goes down. When a power company goes down. When a company that transmits oil and gas from the west coast to the east coast goes down and people can’t fill their cars with gas. People can’t turn on the lights. People can’t pay their bills. People can’t get a book from the library. People can’t call 911.
When that happens, there is enormous pressure to pay, and the bad guys know it.
And when a city goes down, the ransom isn’t $10,000 — the ransom is in the millions. Millions of dollars. And now cyber criminals, because they’ve demonstrated so much success, are asking for tens of millions of dollars when they launch a sophisticated big-game hunter cyber attack.
David Puner: So then for organizations without a full security team, what’s the first step to defending against threats? It seems so industrialized.
Eric O’Neill: The good news is there are solutions out there if you can’t hire. I mean, the cost of a really good CISO right now is $300,000, and a lot of organizations can’t hire that.
But you can come to a good cybersecurity advisor and get a virtual CISO. You can rent somebody — and my company InGuardians, we do this. You can get a virtual CISO who will come in part-time and help you get to where you need to go. You need to restructure this way. You need to hire at least this person who can be a director of security. I’ve looked at your IT team — they’re really good for the networking side, but they don’t know anything about cybersecurity. You need to patch that hole, and here’s what I think you should do.
They’ll put the plan together for you, and that can be a very low-cost way to get you to a place where you’re more resilient than the other ten companies at your size and level.
You know, it’s kind of like that old story — how do you outrun a bear? Trip the slow guy and keep running.
David Puner: Yeah.
Eric O’Neill: Unfortunately, that displacement of crime does work. You need to make sure you’re resilient and you’ve taken the steps, and that is a low-cost way to do it. You still have to pay the cost, but the cool thing is when you do that, we’ve shown you can lower your cybersecurity insurance premiums by demonstrating to the broker that you have adequate cybersecurity.
You’ve met a standard, and here it’s been certified by the cybersecurity advisor, so you’re a safer bet for their insurance money. And those premiums are skyrocketing because there’s so much crime. So you want to lower them as much as possible. And you absolutely have to have cybersecurity insurance. That’s a non-negotiable for any business. Because if you’re hit with a cyber attack and you don’t have it, you’re just naked out in the wind on a freezing day.
So that is a way to do that work when you can’t afford an entire security team. And then you have the director of security you’ve hired who knows enough to know I don’t know what to do here, and I can call over to the advisor I have on retainer.
And that’s the new model. Technology is helping. It’s answering some of the questions. It’s helping people learn a lot about cybersecurity. You can have a really good console that says these are the threats you need to look at today. And you can seem really smart when you go talk to your executive team and your board, but you do need that help if you don’t have the personnel in-house.
David Puner: Lot of good advice. Since we last spoke a little over a couple of years ago, how have insider threats changed, and what are the earliest warning signs leaders should watch for?
Eric O’Neill: Yeah, that’s a great question because we sometimes forget that there are still people who get angry and go rogue. There are still people who are disgruntled.
There is still corporate espionage. Sometimes your people are hired by a competitor and you don’t even know it, and they’re stealing data. I tell a story in my first book about Wan Jin, who was an American citizen who had family in China, and she was hired by a competitor of Motorola to go in. She would go in at night and steal information, and she was caught. The company learned that she was sitting at her cousin’s competitor company in China downloading terabytes of information from her company while she said she was on sick leave.
So trusted insiders still happen. You catch them the same way you catch a cyber spy. You have to understand your data, you have to understand who’s accessing it, and you actually have to do the work to audit.
One of the reasons Robert Hansen, the spy, got away with it for two decades is the FBI just wasn’t looking internally. He was using the automated case system and the database of all the cases the FBI was running in ways he shouldn’t. He was accessing things he shouldn’t, but no one was looking. And because they weren’t auditing people’s access, he was able to get away with it.
It’s the same today. If you don’t have a limiter on what your employees are allowed to access, what’s a true need to know, then you’re never going to know when they’re accessing something they shouldn’t. And being able to know that is the earliest indicator possible that you might have a trusted insider, and then you can lock them out.
And the worst thing that happens is they get really angry because they can’t work. And you’re like, sorry, we just saw an alert. Why are you in Starbucks today? And they say, I couldn’t work from home another day. Well, come into the office. You flag anomalies in how people are working or what they’re accessing, and then you investigate.
David Puner: Mm hmm.
Eric O’Neill: It’s just that you’re prepared. You can see it, you’re assessing, you see there’s a problem, someone’s doing something they don’t normally do, and you investigate it. Maybe the best outcome is you apologize and say, yeah, get back to work, we’re turning everything back on.
David Puner: So then from that contemporary situation to the future, to the unknown with quantum computing on the horizon, what’s your practical advice for organizations wanting to prepare now?
Eric O’Neill: Know that you will have to prepare. Which means we will change our entire encryption architecture. One of the most important things for a company today is to make sure you are not the victim of a cyber attack.
Do everything you can to not be the victim of a cyber attack. The reason is attackers are doing what’s called store now, decrypt later. Cyber criminals are doing it. Adversarial countries are doing it. They steal information from companies. They know they can’t see the information because it’s encrypted.
But when a quantum computer comes online, they will be able to open all of it up. So you don’t want your data in two years, three years, five years, when we have a quantum computer, suddenly be all in the clear, completely decrypted and exploited against you.
So do everything you can to not be the victim of a cyber attack. Do all the right things and you will hedge your bets. And know that as fast as different countries and major companies are working to develop a quantum computer, there’s an arms race right now between the West and China and Russia in particular. Those two are working together. There are companies who are working on quantum encryption. That is going to be the new layer of encryption we will all have to adopt and use.
There will be an immensely painful series of years where everybody is trying to figure out a new quantum world. AI is going to start running on quantum computers, and I can’t even predict how insane that is going to be. Imagine AI that moves faster than we’ve ever seen. The hijinks bad guys will get up to. But also the amazing cool things we’ll be able to do, like movies that generate as you go and you’re immersed in it.
That is going to open up a brand new world that is incredibly speculative right now, but something everyone in security has to start thinking about today. I spend a chapter on that in the book.
David Puner: Yeah, things are certainly moving fast and to see that coming on the horizon is a bit staggering. To wrap things up, for listeners who want to start thinking like a spy today, what’s one habit they can start this week?
Eric O’Neill: Here’s a great one. Don’t give in to pressure. What criminals want to do is put you in a pressure situation. Every one of these attacks going person to person, these deceptive attacks, whether it’s impersonation or confidence schemes, is designed to put you in a pressure situation.
That is a good clue this might be a cyber attack. They don’t want you to have time to think. Anytime you feel that pressure, stop and think. You might have someone from the IRS saying you’re going to go to jail if you don’t do this right now. Or a family member saying they’re going to be arrested if you don’t do this right now. Or that amazing deal you’ve seen for a guitar for your kid that is $200 off but only for the next two hours.
When you see that right now pressure, stop. Take a breath. Pause. And put on your spy hunter hat because it’s very likely that thing causing that pressure, or that thing that’s too good to be true, is too good to be true. Or it’s a pressure moment designed to get you to click or open an attachment or do something you know you shouldn’t.
Don’t give in to pressure and you can identify so many of these attacks.
David Puner: The book’s called Spies, Lies and Cybercrime. Eric O’Neill, code name Werewolf, former FBI ghost and undercover operative. Thanks so much for coming back onto the podcast. Super eye-opening and informative, and I really look forward to catching up with you again down the road.
Eric O’Neill: I appreciate coming on the podcast and spending this time talking about my passion, which is cybersecurity, and those were great questions, so thank you for that.
David Puner: Alright, there you have it. Thanks for listening to Security Matters. If you like this episode, please follow us wherever you do your podcast thing so you can catch new episodes as they drop.
And if you feel so inclined, leave us a review. We’d appreciate it very much, and so will the algorithmic winds. Drop us a line with questions, comments, and if you’re a cybersecurity professional with an idea for an episode, drop us a line. Our email address is SecurityMattersPodcast at cyberark dot com. We hope to see you next time.