Think Bad, Do Good Podcast

AttackIQ’s video podcast series brings together security researchers, informed defenders, and intelligence practitioners for discussions about how security teams can build a strong threat-informed defense strategy. Listen below for lively discussions on emerging strategic concepts, threats and emulation plans, optimizing your cybersecurity investments, and cybersecurity events in the news.

Confronting the Disinformation Age: A Conversation with Renée di Resta

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Renée di Resta is a pioneer in the study of disinformation, and through her research at the Stanford Internet Observatory and regular contributions to The Atlantic Monthly she has made her voice heard on the harms of amplified propaganda and the role it has in shaping public opinion.

How do false narratives spread? “You have human nature, which has not really changed very much in many ways over time, either. A lot of the kind of psychological motivators have been consistent. What do people need, what do they want, what are they looking for?” Renée investigates the intersection of platform algorithms with user behavior and factional crowd dynamics to get to the root of the problem. “What really does change is the communication technology. And when we’re talking about propaganda, which really is referring to messaging, we’re talking about ways in which entities who are trying to achieve a particular objective, use communication to send messages to the public.”

In this installment of Think Bad, Do Good, Renée and Jonathan examine the role of “filter bubbles” in the dissemination of false narratives and individual agendas, the creation of polarization in public opinion, blurred lines between fact and bias, and the growth and spread of extremism. “Another thing that we see a lot in our work is looking at what makes things go viral,” Renée says. “People make crazy claims on the internet all the time but what starts to happen is that you’ll see incentivized influencers with very large followings who will pick up that claim, but they do it in a really interesting way.”

Tune in to learn more.

Renée’s most recent articles:

“Breaking the Social Media Prism: How to Make Our Platforms Less Polarizing,” by Chris Bail

Catastrophic Loss: The State of the Cyberinsurance Market Today, with Josephine Wolff of The Fletcher School of Law and Diplomacy

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Josephine Wolff

For anyone interested in understanding cybersecurity insurance, Josephine Wolff is the premier global expert on the issue. And cyberinsurance is a tricky market. “We’re all relying on the same infrastructure or the same fairly small set of infrastructure for our computer systems,” Josephine says in this episode of Think Bad, Do Good. Other types of insurers can diversify their risk portfolio and assume that all policy holders are not going to be hit by the same fire, the same flood, or the same car accident all at once. But due to the scope of cybersecurity risk, cyberinsurers lack that luxury.

How does it play out? “The ideal would be your insurer comes in, they assess your security posture, and then they price your premium based on how good your security is. And I think what a lot of companies feel now is like, they come in, they do this endless questionnaire, and then they’re just going to price your premium based on how big your company is anyway.” The impact is significant. “It plays into this larger dynamic of sort of caution on the part of the insurers, saying, ‘We don’t really feel we know how to defend against these types of incidents, so we would rather not be on the hook to be covering more and more and larger and larger of them.’” That issue rests at the core of the current public debate.

Author of Cyberinsurance Policy and professor at The Fletcher School, Josephine Wolff examines the development of cyberinsurance, compares it to other sectors, and details how the complexity of cybersecurity insurance can lead to legal disputes between insurers and policyholders. “Who ends up paying? What are all the various complicated legal and liability issues here? And what can we say about who gets held responsible and who doesn’t?” Tune in to learn more about the path ahead.  

Key links to Josephine’s work:  

Lessons in Venture Capital: How to Build and Scale a Successful Cybersecurity Company, with Marcus Bartram of Telstra Ventures

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Marcus Bartram

Telstra Ventures’ Marcus Bartram understands the growing pains inherent in building a business. Working at high-growth companies early in his career helped him build wisdom and resilience and foster a sense of empathy towards entrepreneurs. As a venture capitalist, Marcus understands how to use capital as a tool for building a business, and he and his team have led successful investments in companies like CrowdStrike, Auth0, Corvus Insurance, Elastica, and vArmour, among many others.

In this episode, Marcus joins Jonathan to discuss the ins-and-outs of evaluating potential investment opportunities, the company profiles that attract venture capitalists, and the excitement that comes with building partnerships. “Who’s the team?” Marcus asks. “Do you believe in the vision they’re trying to paint? Do you trust them to want to give them literally millions of dollars of money? And do you think they can execute on the vision?”

Marcus recounts stories of navigating the turbulent dotcom boom of the late-1990s, reflects on the role it played in his career, and shares his views on the future of cybersecurity and technology. “For my sins, I really like the cybersecurity market, which is a huge, vibrant market with lots of opportunity,” he remarks. “What’s their unique view on that, and why are they different to the other thousands of cybersecurity startups that are in the market today? Are they solving a big problem, or are they solving for a feature in cybersecurity?”

Tune in for more.

Not Your Normal CISO: Lessons in Security Leadership, from Bartending to the Boardroom

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Rob Hornbuckle

Years before he became Chief Information Security Officer (CISO) at Allegiant Airways, Rob Hornbuckle studied acting and worked as a bartender – lessons that served him well as a four-time CISO. He understands business, he understands technology, but above all he understands human behavior.

“Something is eventually going to happen at any organization you potentially could work for,” says Rob. “If you work there long enough, something will eventually happen. What’s going to determine your success and your longevity long-term as a CISO is how you react to it, how you handle it, how well everyone trusts that you’ve both done the best you can, and that you’ve had the best interest of the organization in mind.”

Accountability matters a lot. “One of the most executive things you can ever do is stand up and take accountability when it’s your fault,” he says. “You will garner significantly more respect if you stand up and take accountability when it’s your fault than if you try to slough it off or if you act dodgy. It’s almost human nature to want to shy away, to want to not get in trouble, to want to try to curl up and defend yourself in some way. But the most executive thing that you can possibly ever do is stand up and take accountability when you were at fault either fully or even partially.”

In one of the most illuminating podcasts yet, Rob sits down with Jonathan to outline his vision for leadership development and success in security. Tune in and read on for more.


Preparing for Disaster and Achieving Cybersecurity Readiness

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Juliette Kayyem

Juliette Kayyem wants you to fail safer when disaster inevitably strikes. A former assistant secretary of homeland security, Harvard professor, and contributor to The Atlantic Monthly, she is the author of the new book, The Devil Never Sleeps: Learning to Live in an Age of Disasters. In this episode, Juliette talks with host Jonathan Reiber about how we can get ahead of disasters and bounce back when the inevitable “boom” finally comes.

Adopting a Threat-Informed Defense

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Christopher Frenz

In this episode, Christopher and Jonathan discuss the zero trust security model and look at how to achieve an evidence-based security program by adopting a threat-informed defense in the hospital sector. Hospitals and healthcare organizations are under siege in cyberspace following an increase in ransomware attacks and the broader pressures of the coronavirus pandemic.


Preparing for Russian State-Sponsored Cyberthreats

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guests: Adam Moore and Ken Towne

In the face of Russian aggression and with the risk of potential cyberattacks increasing, it’s time to make sure that your cyberdefense shields work. Join Ken Towne, Adversary Emulation Engineer, and Adam Moore, Head of Adversary Research and Development, as they talk with host Jonathan Reiber about threat behaviors that are being observed at this moment, how organizations can improve their cybersecurity readiness, and steps teams can take to validate their defenses against Russia-based attackers using a new attack graph in the AttackIQ Security Optimization Platform.

Adopting a Threat-Informed Defense with AttackIQ Vanguard

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Uma Mahesh Reddy

In this episode, Uma and Jonathan discuss the practice of a threat-informed defense and how organizations can use real-time performance data to optimize their security program performance and make the most of their security investments.

AttackIQ Vanguard has been instrumental in supporting Uma’s team with their cybersecurity readiness. Vanguard helps Prime Healthcare identify configuration errors, find security gaps, and enhance the team’s performance through continuous security control validation.

“Having cybersecurity controls (technology, people, process and procedures) in place will not alone protect your organization from breaches and attacks. Proactively measuring the effectiveness of your controls on a regular basis and fine-tuning them to keep up with the ever-changing threat landscape is imperative,” said Uma Mahesh Reddy.

When Jonathan asked Uma what AttackIQ’s slogan “we’ve got your six” means to him when it comes to cybersecurity programs, he explained with confidence, “You’re not only watching our back, you’re watching the other two sides too. We are focusing on the business, and how do we keep it running securely by having all these controls in place, but you are helping us to make sure that we are heading in the right direction towards our goal.”


Ransomware, Security Readiness, and Resilience

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Ted Harrington

In this episode, Jonathan speaks with Ted Harrington, best-selling author of the book Hackable: How to Do Application Security Right, about the way attackers think, readiness and resilience, and how to live a purposeful career in leadership and public service.

About Hackable: How to Do Application Security Right

If you don’t fix your security vulnerabilities, attackers will exploit them. It’s simply a matter of who finds them first. If you fail to prove that your software is secure, your sales are at risk too.

Whether you’re a technology executive, developer, or security professional, you are responsible for securing your application. However, you may be uncertain about what works, what doesn’t, how hackers exploit applications, or how much to spend. Or maybe you think you do know, but don’t realize what you’re doing wrong.

To defend against attackers, you must think like them. As a leader of ethical hackers, Ted Harrington helps the world’s foremost companies secure their technology. Hackable teaches you exactly how. You’ll learn how to eradicate security vulnerabilities, establish a threat model, and build security into the development process. You’ll build better, more secure products. You’ll gain a competitive edge, earn trust, and win sales.

What to Know, How to Prevent: menuPass

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Jose Barajas

In this episode, Jose Barajas and Jonathan Reiber discuss MITRE Engenuity’s Center for Threat-Informed Defense and AttackIQ’s emulation plan for menuPass. This plan will enable defenders to replicate tactics and techniques used by menuPass, a cyber threat actor that has been active since 2006 and whose goals are aligned with the People’s Republic of China’s Five Year plan. Members of the group have, according to MITRE ATT&CK, worked in association with the Chinese Ministry of State Security (MSS).

What has been their impact? menuPass is responsible for global intellectual property theft in at least 12 countries. The group has targeted companies within the healthcare, defense, aerospace, and government sectors, with emphasis since 2014 on Japanese victims. As MITRE ATT&CK describes the group’s behavior, “menuPass leveraged its unauthorized access to these managed service providers’ networks to pivot into subscriber networks and steal information from organizations in banking and finance, telecommunications, healthcare, manufacturing, consulting, biotechnology, automotive, and energy.”

In this podcast, you will see and hear about how AttackIQ incorporates MITRE Engenuity’s Center for Threat-Informed Defense’s emulation plan into the Security Optimization Platform to automate the tactics, techniques and procedures used by menuPass. This allows AttackIQ customers to run the emulation plan against their existing and planned security controls to validate their effectiveness and improve their performance against the group. The Security Optimization Platform then provides detailed gap analysis and remediation reports.

Pete Luban of Dimensional Fund Advisors on MITRE ATT&CK and Security Optimization

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Pete Luban

Chief information security officers and security leaders all over the globe struggle with complexity. Complex socio-political risk; complex risk management organizations; and complex technologies. Today on Think Bad, Do Good, we talk with one of the world’s leading cybersecurity operators not just about how you can decrease complexity and strengthen your security program, but how you can become a more effective leader for your organization.

Pete Luban knows the issues well. He is the head of the cybersecurity program for Dimensional Fund Advisors (DFA), an investment management service that operates with over $550 billion in assets under management. Headquartered in Austin, Texas, the 38-year-old company has over 1,700 employees and, in the words of Peter Luban, is “run by a group of computational geniuses.” As a globally distributed firm with significant financial assets, it faces similarly significant cyberthreats to its assets and personnel.

For managing these risks, Pete calls the MITRE ATT&CK framework the “mother brain” for security effectiveness. Why? Since he started using ATT&CK, he has seen a fundamental increase in effectiveness in protecting his company, but also in how he communicates to his board. ATT&CK and AttackIQ give him a single tool to see threats and threat behaviors. “That is a giant value add use case that follows the life cycle of information or misinformation from beginning to end and gives me a tool by which to validate, no pun intended, that what we do is worth what the company spends on it, right? That’s a simple use case that is insanely valuable.”

Listen to today’s episode to learn more about what keeps Pete up at night, what Pete would like to see more broadly adopted in his community to increase communication and effectiveness, and how COVID has transformed cybersecurity for companies everywhere.

Kumar Chandramoulie of AmerisourceBergen on Cybersecurity Risk and Effectiveness

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Kumar Chandramoulie

Kumar Chandramoulie is no stranger to challenge. As Vice President, Cyberdefense, Data, and Threat Management at AmerisourceBergen, Chandramoulie is responsible for planning his firm’s approach to cybersecurity risk management across its global operations. This is a vital mission: AmerisourceBergen provides pharmaceutical products, value-driving services, and business solutions that improve access to care. Global manufacturers depend on AmerisourceBergen for services that drive commercial success for their products. Tens of thousands of healthcare providers, veterinary practices, and livestock producers trust AmerisourceBergen as their partner in the pharmaceutical supply chain. Data underpins the entire process, and Kumar is responsible for securing the firm’s networks across multiple borders, businesses, and platforms.

He uses MITRE ATT&CK and AttackIQ to achieve operational effectiveness and help his team do the best job they can. In this episode, Jonathan and Kumar discuss his approach to cybersecurity and how MITRE ATT&CK and AttackIQ help him secure AmerisourceBergen’s data. They talk about Kumar’s process of building a cybersecurity system, why MITRE ATT&CK is so useful for AmerisourceBergen’s security effectiveness, and how performance data helps AmerisourceBergen leadership understand their cybersecurity.

For more about how AmerisourceBergen uses MITRE ATT&CK and AttackIQ, you can dive into this case study here.


Julia Voo and the National Cyber Power Index

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Julia Voo

Julia Voo once auditioned for a part in Harry Potter because she wanted to go to Hogwarts. But it was much cooler to be a British foreign service officer in Beijing after Brexit covering China’s approach to cybersecurity policy and artificial intelligence from a trade perspective. Now, she’s crushing it on China and cyber policy at Harvard’s Belfer Center, where she serves as a Fellow, and has just led a global team in a comprehensive review of global cyber powers.

In this episode, Jonathan talks with Julia about how an innocuous one-off conversation kicked off the National Cyber Power Index (NCPI), the nature of cyber power in international relations, and the future of U.S.-China relations. Jonathan’s son also makes a brief cameo.

So who are the top ten most “cyber powerful” countries? And why is the Netherlands number 6? The National Cyber Power Index provides an overall measurement of a country’s aptitude as a cyber power – far more than just offensive and defensive capabilities. It gives a new look at international cyberpower, who wields it the most, and how it can best be leveraged in foreign affairs. Learn more and tune in for more.


Defending Digital Democracy

Mis/Disinformation and the 2020 Presidential Election

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guests: Maria Barsallo Lynch, Siobhan Gorman, and Robby Mook of Harvard’s Belfer Center for Science and International Affairs.

Join cybersecurity and public affairs experts Robby Mook, Siobhan Gorman, and Maria Barsallo Lynch of Harvard’s Defending Digital Democracy project as they discuss the coming presidential election and how state and local government officials and American citizens can take steps to assure its integrity. Over the last four years these individuals have played significant leadership roles in the United States in helping the states learn about and prepare for cyberspace operations and disinformation operations alike, and last week the Harvard team released The Election Influence Operations Playbook, Part 1, to help election officials manage the threat of disinformation operations to the election.

Defending Digital Democracy was founded in the aftermath of the 2016 election by a group of bipartisan policy, technology, and political leaders to help defend the country’s democratic processes in cyberspace. Since then the Harvard team has produced over half a dozen playbooks and landmark research projects and engaged state, local, and federal government organizations as they address cybersecurity risks to the U.S. democratic process. Please see below for more information about the team and its research – and give the podcast a listen!

FIN6 MITRE Emulation Plan

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Jose Barajas, Technical Director, AttackIQ

Join Jose Barajas and Jonathan Reiber for Episode 4 of “Think Bad, Do Good” as they explore the FIN6 emulation plan and the work at the Center for Threat-Informed Defense that led to its development. What is the broad utility of this emulation plan, and how can cybersecurity teams best take advantage of all that it has to offer? How can emulation plans help organizations improve their cybersecurity by taking on a threat-informed defense approach more broadly? Tune in to learn more from our experts.


Best Practices in Threat-Informed Defense

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Ben Opel, Director of Customer Success, AttackIQ

Join Jonathan Reiber and Ben Opel for a discussion of threat-informed defense lessons learned from their time serving in the Department of Defense. Reiber and Opel reflect on lessons from their two separate but related career trajectories in the Defense Department, Reiber writing the DoD’s cyber defense strategies and working in the Office of the Secretary of Defense from the creation of U.S. Cyber Command, Opel joining the U.S. Marine Corps and serving as a cyberspace operator, and defending key terrain and running purple team operations, after graduating from the United States Naval Academy. Both reflect on the current state of operations today from the perspectives of their past experiences.


How to Achieve Cybersecurity Effectiveness

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guests: Adam Isles, Principal, Chertoff Group; Kurt Alaybeyoglu, Senior Associate, Chertoff Group

Less fear, uncertainty, and doubt. How can you optimize your cybersecurity investments to achieve maximum effectiveness? Listen to two of the world’s leading practitioners of cybersecurity and hear about their experiences managing major incidents from the top of DHS and operating in the U.S. Air Force’s cyber warfare wing.

APT29 and Threat Informed Defense*

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Guest: Jose Barajas, Technical Director, AttackIQ

APT29, threat informed defense, and how to take on a “purple” team approach. With Jose Barajas, Technical Director at AttackIQ, Ben Opel, AttackIQ Academy Purple Team Instructor, and Jonathan Reiber, Senior Director for Cybersecurity Strategy and Policy at AttackIQ.

*Note: this is an imperfect pilot episode for the series, and we’ll sort out our audio and video recording methods for the next episode.