The Microsoft Threat Intelligence Podcast 7.1.26
Ep 72 | 7.1.26

Casey Ellis on How AI Is Reshaping Vulnerability Research and Patching

Transcript

Sherrod DeGrippo: For years vulnerability disclosure operated on like a weird uneasy social contract. Researchers found vulnerabilities. Vendors patched them. Threat actors tried to move faster than everyone else. Things were pretty weird. I come from a time of what we called anti-disclosure which was keep it for yourself and do something crazy with it. So today on "The Microsoft Threat Intelligence Podcast" we're going to talk to my guest Casey John Ellis, founder of Bugcrowd, co-founder of disclose.io, and one of the pioneers really on the forefront of the modern bug bounty programs and how we do coordinated vulnerability disclosure. So Casey spent decades doing this and we are going to go deep into all of those things that everyone is talking about on the internet which is things like AI-assisted vuln discovery. What is the future of disclosure? What does ethical hacking mean? Does it mean anything? And special for this episode this is my first video episode of "The Microsoft Threat Intelligence Podcast." So for those of you who didn't know what I look like this is my face. This is Casey's face. And we're trying video for the first time. Casey, welcome to the show.

Casey Ellis: Thank you for having me, Sherrod. It's great to be on.

Sherrod DeGrippo: I'm Sherrod DeGrippo with Microsoft and let's just like go right into it.

Casey Ellis: For sure.

Sherrod DeGrippo: What is happening right now? Are we in vulnpocalypse or is vulnpocalypse coming later? Because it hasn't happened yet.

Casey Ellis: Yeah. I mean look. I tend to think that we were already in vulnpocalypse. You know, the fact that writing software is hard and there's vulnerabilities everywhere already, you know, this is before you kind of consider all the new code that we're creating at a rapid rate of [inaudible 00:01:53] right now. You know, from what I've seen through Bugcrowd, through working with security researchers, a lot of this stuff, like there's a lot more vulnerabilities out there than I think people, you know, care to admit or talk about kind of openly in that sense. And what's happening at the moment is that, you know, you're kind of -- the whole idea of like you must be this tall to ride in order to find some sort of issue, you know create a report for it, get it in to the vendor, that's dropped a lot. So you've got a whole bunch of like new people kind of joining the fun so to speak on the good guy side and the bad guy side as well as, you know, all of this new tooling that's kind of popped up and dropped itself on the internet over the past couple of years in the form of LLMs and AI and all that other stuff. It's actually it is a lot easier to get to some sort of outcome. So you put all those things together and there's just a whole lot of crabble happening at the one time. And that's I think what a lot of us are experiencing right now. So is it vulnpocalypse yet? Like we haven't really seen the internet can, you know, spontaneously combust just yet, but it's definitely shown signs of wanting to try to do that at the very least the past couple of months.

Sherrod DeGrippo: I feel like the system is being stress tested. Like I just feel the pressure in all of these institutional systems that we have had for such a long time. Let me ask you. You mentioned you must be this tall to ride. So let me -- let me frame it this way.

Casey Ellis: Sure.

Sherrod DeGrippo: Is AI mostly making the elite great researchers faster or is it making mediocre researchers more effective?

Casey Ellis: Both. 100% both. Like there was -- there was a really good thread off the back of Pwn2Own, you know, Chompie talking about because she's a phenomenal vuln researcher and like what she's gone out and tried to kind of communicate to everyone is that she hasn't kind of replaced her own creativity or process with AI, but the parts of the types of vuln research that she does that are like tedious or arduous or require just a ton of automation, you know harness, create -- like just all the boring stuff she's using AI to get herself to a point of success way more quickly. And like she's a phenomenal researcher so that to me is an example of someone who's already pretty elite. I think she referred to it last night on Twitter as like, you know, good researchers now have like super Saiyan capabilities if they're using LLMs which --

Sherrod DeGrippo: Yeah. She did say that.

Casey Ellis: Which I think is a pretty good way of framing it because the folks that are really paying attention to this stuff and leaning in to it like they just they're just getting more and more efficient, more and more effective, which is really cool on the elite research side when you've got them working in your corner. It's reasonable to assume that the same benefits apply to the bad guys as well which is the scary part, but that is what it is. But yeah. To your point as well like there's a whole bunch of folk. You know, we've seen this in bug bounty. Like a lot of the patterns to me are very, very familiar because when we first started like encouraging bounty hunters and started really kind of building out this sort of bounty community as a subset of the existing security research community back in like 2013/2014 you had this phenomenon of people that get like 12 out of 10 for enthusiasm, but maybe a 3 out of 10 for usefulness, if that makes sense. I like to --

Sherrod DeGrippo: I mean that can apply to a lot of parts of life really.

Casey Ellis: Yeah it's honestly it's not like -- I think the challenge with it is that they create noise and you have to deal with that noise. And if you're already struggling with vulnerability intake and triage and like fixing and all those different things and suddenly you've got this sort of bum rush of really like excited people showing up trying to help you it's not necessarily their fault and they're not necessarily like malicious or doing a bad thing, but it does create load. So like going back to what you just said before about the stress on the system, you know, I kind of I predicted that back in -- actually kind of went on record predicting that back in Q4 of last year. Just saying 2026 is going to be a triage trash fire for basically the entire internet and pretty much everyone in security because it's just the noise level's gone up right across the board. So yeah. The signal's gone up, but the noise has gone up at the same time is the shorter answer to that.

Sherrod DeGrippo: Okay. So then kind of going back to what you were saying about more stuff coming out --

Casey Ellis: Yeah.

Sherrod DeGrippo: Where are we and like at what point does publishing the research become simply enabling threat actors? Like we're standing on this razor's edge, quite frankly, of are we still doing good or are we doing harm? And that's been a question for a long time, but it's at a velocity now that you cannot ignore.

Casey Ellis: Yeah. And this is a lot of like a lot of what we do with disclose.io is kind of trying to speak in both directions to try and actually like talk to researchers, especially kind of the newer ones on the playing field, and help them understand the equities of decision making around stuff like that because yeah to me like full disclosure it's like death and taxes. Do you know what I mean? Like you can hide it all you like. It doesn't care. It's not actually listening. It doesn't really matter. Like to me that's like the lowest energy value state of when vulnerability coordination fails. And it ends up being the option of last resort for researchers that's just kind of there as the default state. So you can't really tell it to not exist anymore because it's just going to happen as a thing. But in the meantime like for companies like the way that they get better at avoiding that is to actually have like a good, you know, vulnerability disclosure policy. They've got like, you know, the ability to find where their intake points are. Like those are clear and out there and a lot of other stuff. And then you've got obviously a good coordination of management process on the back end of things. Some companies are really good at that. Others suck. Others haven't even really thought of it yet. So like when you think about it at a system level you've got all these like, like I said before -- like enthusiastic people that, you know, they read a Tavis Ormandy tweet from, you know, 2015 and think --

Sherrod DeGrippo: I was going to say from a while ago. Yeah.

Casey Ellis: Yeah. But this is the thing. Same as what we were saying before. You get, you know, especially kind of younger players jumping in. They just think that that's how you get things done. And in a lot of ways they aren't wrong. Like if you've got a vendor that's not responsive or you like really do believe that there's a risk that needs to get addressed and they're not listening to you for whatever reason creating public accountability around that is actually a pretty effective way to get the ball rolling in that sense. But to your point it does create additional risk for users. There's all sorts of equities that people don't necessarily think through in the mix as well.

Sherrod DeGrippo: Speaking of Tavis and 2015 and me even thinking back to like full disclosure mailing list which was one of -- you know, we were talking -- you know, I am talking a lot and thinking a lot about fun on the internet which we will bring.

Casey Ellis: Perfect.

Sherrod DeGrippo: We will bring fun to the internet. We will have it.

Casey Ellis: I love that, by the way.

Sherrod DeGrippo: Yeah. I'm very committed to having fun on the internet. Thinking back there has always been this disclosure debate. It is something that has raged since the '90s very publicly. Everyone's got a point. Everyone's got a feeling. What is the difference between disclosure debates from 15 or 20 years ago versus today and what we're looking at coming at us?

Casey Ellis: Yeah. I think probably two things. One is that, you know, in the '90s and the 2000s kind of when I grew up hacking the internet as well so like we both came up in an environment that like didn't really understand offensive security research, but also was pretty much like just afraid of people that could do the kinds of things that we could do by default. And we had to put a lot of work in to actually educating the fact that like locksmiths exist as well. We're not just burglars here. So I think, you know, when you think about sort of how it's all playing out at this point in time it is easier, I think, to have the conversation after things blow up. It's like no. I was trying to help. Like this is something that you need to get better at. Like if you're not thinking about opsec and risk management, all those different things, like if your initial introduction to the need to do that is someone kind of coming in through the front door and saying, "Hey, your baby's ugly." That's not an ideal way to start that conversation, but it does get things moving. Right? So I think like that's one part because it is a conversation that you can have now and it's like you're not explaining everything from scratch which is good. That's a good thing. I think on the downside to it like just collectively we're all doing stupid things faster with more energy at this point in time. Right? So like everyone's jumping in trying to help out. Like the bad guys are trying to figure out how to be more effective. You know, they're seeing opportunities get created in how technology gets deployed that they can exploit for whatever reason. And just in general like there's a lot. Like the overall kind of system that we're dealing with is way more dynamic and way more chaotic and like chaos is a ladder when it comes to, you know, bad guys doing bad things. So I think, you know, again it's like a -- it's not to me any one thing. It's the fact that like we're already pretty bad at this and we've just turned up the heat on the whole system and we're kind of experiencing that right now.

Sherrod DeGrippo: I put on my social media which I only use right now -- Twitter and LinkedIn, X and LinkedIn, whatever, the ones, those are the ones that I use.

Casey Ellis: It's always going to be Twitter. It will never be X. I'm with you on that one.

Sherrod DeGrippo: I'm tweeting on Twitter. I put out a call for questions for you. So I want to pull one of those in now.

Casey Ellis: Yeah. Sure.

Sherrod DeGrippo: And this is a spicy one so I like it a lot. How long should you wait if a vendor is ignoring you before disclosing a vulnerability? What is your opinion? Like what is your like philosophical point of view on that?

Casey Ellis: My philosophical point of view on that is probably not a bad starting point. I think the big thing with disclosure like publishing -- so let's start for a sec at the beginning. Like vulnerability disclosure. You've got researcher finds bug, researcher reports the bug, and then at some point in the future researcher publishes, you know, what they found. Like an advisory comes out there's some sort of public version of that initial private interaction. And I think I'm clarifying that because calling it all disclosure can get kind of confusing. There are like multiple steps to the process. Right? I think the thing from a publishing standpoint that's most important for researchers to consider is whether or not they've actually told the vendor that they're planning to disclose, to publish in that sense, because to me that's actually the most important part of that particular piece of the process because all of a sudden you start an encounter. Right? Like you created accountability. The vendor knows that like when this day comes you're going to push this stuff out on to the internet and it's going to become a matter of public record or public opinion or other stuff. So to me that's the most important part, and it's honestly one of the things I see a lot of researchers missing because they'll like fire off a submission. They'll, you know, not get a response or they'll get a response that they're not happy with, like whatever might be happening in that kind of initial reporting interaction, and they just kind of hit the fuck it button and publish it online to kind of move things along which, you know, again is effective in moving things along because all of a sudden you're creating like more, you know, attention around the problem. But like going back to what you said before at that point you've generally exposed the users to a greater level of risk at that point in time. And for what? Like if you could have just told them, "I'm planning on publishing this in 90 days." Check in day 45. Hey, how's that going? Like can you hear me? Are you dealing with this thing or not? Just so you know I'm still working to this timeline and this is the plan. You get what I mean. Like I think that that back pressure of the timeline is a really important part of it. The other side of it as well is that like, you know, it's I think like Google Project Zero has done a lot around this whole kind of 90 plus 30 standardization that they have around software and libraries and hosted systems. In particular I know like the MSRC has been kind of one of the bigger like let's look at these guys and see what they're doing. And it is around how this whole thing kind of plays out. The reality is that like, you know, if I'm -- if I found a vulnerability in a pacemaker, for example, so if you're familiar with, you know, the work that Barnaby and those folk did, you know, may he rest in peace, like all the while ago, you can't patch an entire fleet of, you know, internal cardiac defibrillators that are implanted inside humans within 90 plus 30 days. Like that's not going to work out. So there are I think a lot of different particularly safety critical systems and things that involve hardware, especially like satellites are another crazy one to think about. Like 90 days is not going to cut it. So you've got to figure out on the researcher side what is a reasonable thing to do. And I think the ideal scenario is when the vendor has actually said, "This is how long we're going to need." If we get things fixed before this date rolls around then we'll tell you and we can do a joint publication advisory, blah, blah, blah, but like just based off our products, based off our customers, based off the kind of risk that we assess, this whole thing kind of introducing in to that ecosystem, this is roughly how long we're going to need. And I think there is an opportunity for vendors to say that. If it's got to be a year it's got to be a year. Sometimes that's going to be true. Other times, and I think more often, it's actually probably less than 90 days because we are in a position where we can patch like hosted code on the internet way faster than that. So it's going to be your mileage may vary for anything. But I think aligning those expectations before the conversation starts is, you know -- in 15 years of like coordinating hacking the internet at scale like that is the one thing that works reliably. The more kind of aligned people can be on the expectations of the conversation before it kicks off 9 times out of 10 the smoother it goes.

Sherrod DeGrippo: In your experience you talk to a lot of -- many researchers that many of them -- you probably talk to some that this is their job. This is their source of income. This is what they do with their time.

Casey Ellis: Yep.

Sherrod DeGrippo: What is the kind of like mood and temperature out there in terms of like AI timelines? How does that sharpen things? Is there -- is the altruism waning? And when I say that what I mean is are researchers getting to the point where they're like, "You know what? I don't really care anymore. I'm doing what I'm going to do." Like what's the vibe out there? Give me a vibe check.

Casey Ellis: There -- yeah. I think yes definitely. Like I think the -- like the altruism is waning in certain areas, especially like among the folks that are doing this for a living, if that makes sense. I think that applies to folks doing, you know, vulnerability research, pen tests. Like it's -- I think that's actually kind of more of a general workforce phenomenon right now because everyone's twitchy around how AI's going to affect the kind of value that they can bring that they're getting paid for. Right? I think a lot of people have that question on their mind. And the bounty community's no exception to that. Probably the difference is it's full of people that, you know, break things including the systems and the conversations that are going on. So when they get pissed off they do tend to get kind of noisy all at once. And you kind of see that on Twitter when you suddenly see this like flash point. Like oh my god. Why is everyone screaming about that particular issue? It's because there's some version of a thing that's affected one person that like everyone else is worried about and then they just all kind of jump on and start screaming on Twitter. There's a lot more of that. Like that's more frequent at the moment is the thing that I've observed. And I think in a lot of ways that's good because we get to round off the sharp edges of this and figure out how we go forward. Right? But in the meantime it is like it is a thing that people can look at and get concerned. You know, I think hunters just in general they're definitely the folks that kind of drag their heels a little bit on figuring out how to use AI to make themselves more effective. They're kind of regretting probably not getting in to it sooner at this point and playing like crazy catch up. But yeah. I mean to me this is no -- like there's -- like the version of this that's really familiar is when the bounty hunting community started to cotton on to the fact that like people don't know what there is on the internet back in like 2015/2016. Right? There was this whole kind of phenomenon of like people getting paid a couple million bucks a year because they'd like go looking for publicly targetable assets that everyone else has probably forgotten about because like they're off in some weird part of the internet or it's an acquisition that's gotten forgotten or whatever else. Right? For us in the industry like we already knew that was a problem, but it took the bounty community coming along and pretty much setting it on fire to create kind of awareness around it. And, you know, off the back of that what ended up happening was a bunch of people creating tooling and basically the enterprise attack surface management category was kind of born out of that. So at that point in time a whole bunch of people that were using that strategy to make their money, you know, ended up kind of having to compete with the platforms and the different automations and all the other people kind of jumping in and doing a similar thing. This is kind of like that in some ways. I think it's affecting a lot more people in a lot more different ways all at once, maybe more than the example I just gave. To me the phenomenon is pretty much the same.

Sherrod DeGrippo: I've seen a lot of that discourse I think where somebody is like, "This is my full time career now." And then they see things improve in security and say that entire class or that entire category of my financial future just got taken away from me because this became more secure. And it's a bit sour grapes, but it's also like that's what we're here for.

Casey Ellis: That's why we're doing this in the first place. Yeah. I spend a lot of time explaining that to people. And it can get -- I mean it's -- it's a weird one because I think again with like the history and the experience that people like us have kind of stepping back from the whole thing it's like duh. Like why? We're not doing this because being vulnerable is fun. It's because we want to know where we are so we can fix that. Like that's the entire point. So if you're helping us do that then logically the byproduct of it if you're doing it right is better resilience and you end up having a harder time finding vulnerabilities in whatever you're hitting up. Right? Not everyone thinks that part through because they just come and they're like, "Oh. Cool. It's a gold rush. Like I can do crazy hackery stuff and get paid for it." And as it gets harder, you know, there can definitely be, you know, a sense of sour grapes around that. But yeah. Yeah. I mean I think it's an important thing to remind folk. It's like we're not doing this for the lols necessarily. Like we're doing -- I mean there are definitely lols involved, but that's not really the point. The point is to try to figure out how to make things safer. So yeah. It's a weird one. I do think, you know, for folks that are running bounty programs in particular as distinct from like just a straight vulnerability disclosure program, you know, one of the things that I've always tried to encourage people to do in context of Bugcrowd, but just in general as well it's like your fireproof safe rating. Yeah. That's like your top kind of reward offer, if that makes sense. Oh cool. Like you're offering 10 grand. You started getting a whole bunch of P1s in that category with that level of incentive. And now you've made that harder so like that velocity of P1s that are coming in is reducing. Like congratulations. Your fireproof safe is now rated to 27,000 -- 2,700 Fahrenheit instead of 2,200 Fahrenheit. It's time to actually increase that reward so that you're encouraging more attention, you're encouraging -- you know, you're activating people that might not have been too excited about the reward that you're offering before. And you just kind of keep on iterating on that. And in the meantime the folks that are doing the work like they actually end up getting paid better for what is going to be like more difficult for them in terms of achieving an outcome. So like there's a balancing act to it that I think again in the middle of this like AI, you know, slopdemic I think is the part that we're in right now.

Sherrod DeGrippo: Oh. I love that.

Casey Ellis: It's just not necessarily the vulnpocalypse just yet. But everyone's kind of backing off a little bit because it's so noisy. I expect that to pass or to at least normalize at some point in the future at which point we can start coming back to stuff like what we were just talking about around how to, you know -- how do we reward these folk? How do we actually engage them, treat them like a strategic asset instead of a pain in the ass? Because ultimately they can be both. Right? But if we get better at dealing with the pain in the ass aspects of the process itself then all of a sudden we can focus back on the strategic asset part.

Sherrod DeGrippo: It's an interesting place to be, especially for I think -- you know, I have always been in like network security. I've always been in like detection engineering and threat intelligence. Right? Like watch what the threat actors are doing on the wire. Talk about it. Stop it. So like a lot of the bug bounty stuff is very actually new for me since coming to Microsoft over the past couple of years.

Casey Ellis: Right.

Sherrod DeGrippo: And what the whole new like advent of AI has shown me. First apparently I'm a software developer now which is a terrible thing.

Casey Ellis: We all are.

Sherrod DeGrippo: But she has -- oh my gosh. I am out there and I am causing trouble and I am telling Claude, you know, "Build me a million dollar startup. Make no mistakes. Do it now."

Casey Ellis: Yep. Yep. And also -- and also the trick there is to say Codex is going to check your work once you're done. So it gets up a little bit straighter just as a hot tip.

Sherrod DeGrippo: That is a hot tip. Another hot tip that I have found is to make sure that you have MD files referencing Gemini or one of the other -- you know, one of the other LLMs while you're having it check your code. I believe yes everything is based on my weird intuitive myths. I do believe that they are checking that and they are feeling competitive about it. So put them all in there and name them with the competitor's names and you probably will get better results.

Casey Ellis: Let's put it all in the jar. You shake it up and see what happens.

Sherrod DeGrippo: You know, drink it. Hallucinate it. Machine hallucinations are nothing compared to human ones. So what I'm finding is that, one, these capabilities, the LLMs are able to write code really well when it comes to things that are not -- when it comes to things that are public. So it's great at making HTML. It's great at making web apps. It's great at making things that it's probably been trained on that are open source. It's not great at mobile apps because most mobile apps are not available for code review. They're very closed. So I am kind of wondering where you see the potential for like the mobile app space to become even more dangerous because these LLMs are not writing good mobile apps. They're writing things that even I as a non traditional background person in terms of like development I'm looking at it and going, "Even as a security nerd I can see the unchecked input."

Casey Ellis: Hang on. Yeah. Yeah. Yeah. Look. I -- that's a fun one because I've always kind of worked off this principle that like vulnerabilities exist as a function of lines of code. And like it's a probability, you know, game. A lot of the frontier labs are working really hard. Like a lot of the reason why you've got stuff like Mythos and, you know, Aardvark or Daybreak out of OpenAI, they're not necessarily trying to create these like master hacking machines. Like they're actually trying to figure out how to create code that's more secure. And they're learning offense, you know, model context in order to be able to do that. So, you know, what that should net out to over time is like LLMs getting better at definitely writing code that's like technically more perfect and technically more secure. The bit that I think gets missed there, and this is definitely informed by watching people break the internet at scale for the last 15 years, is it's not just the code that creates risks and vulnerabilities in these systems. Right? You've got like implementation issues. You've got like your classic kind of developer working with a really secure framework that makes a particular thing that they want from a feature standpoint difficult so they figure out some kludge to get around it and that kludge turns out to be stupidly vulnerable. Like that happens all the time. And that's a function of human incentive. Do you know what I mean? So for as long as people are the ones actually building stuff to me that's always going to be a thing just because security's hard. So yeah. In the short term like we're in this place where, you know, a lot of -- and I'm not speaking specifically to mobile apps here, but I do think it like applies right across the board. Like you've just got a whole lot of people building crap in a real hurry and not necessarily thinking through security because their main motivation is just to get the damn thing to work in the first place and get it out there and, you know, have passive income and retire to the Cayman Islands or whatever it is that's motivating them. Right?

Sherrod DeGrippo: I'm ready. I'm going to do it.

Casey Ellis: That sounds pretty great. Right? You can understand why this is going on. But it is, you know, like speed is the natural enemy of quality. And to me like security is ultimately quality's child. So like if you've got this acceleration of LOC getting released out in to the wild then logically you're going to end up with more vulnerabilities as a part of that. To me I guess the thing that will sort of flush that out over time is figuring out if the bad guys identify that like, oh crap, we've got a whole bunch of like really bad mobile apps now. And like as a financially motivated criminal, as a nation state actor, as a like whatever it is that's motivating me as an adversary, like I can achieve my outcome through that particular kind of net new attack surface. I haven't seen that happen yet, but you know it's not to say that it won't at some point in the future.

Sherrod DeGrippo: I think there's this idea and it's expressed really well in "The Rocky Horror Picture Show" final song and the line is, "Don't dream it. Just be it." And I do think that we are in a place right now where as security professionals if we can dream it the threat actors can be it. And so every crazy wild horrible idea that you have the threat actors had it first and they're going to implement it.

Casey Ellis: Yep. Yeah. And this is I mean honestly this is what got me in to crowd sourcing and bounty and just the whole kind of general concept that became Bugcrowd in the first place. It's like, you know, white hats or ethical researchers like preloading that question at some point.

Sherrod DeGrippo: Oh it's coming.

Casey Ellis: They're like folks -- yeah. Folk I know. Folks that are doing this in good faith for, you know, the benefit of my glorious beautiful nation of internet security. They're a reflection from a creativity and a skill standpoint of what the adversaries are capable of. So like what you kind of see bounty hunters doing you can reasonably expect that there's at least some version of that happening in bad guy land. And yeah. It like to me there's they do, you know, tend to learn from each other either directly or through like seeing breaches or seeing threat behavior that gets written up or whatever else. Like people get ideas and they just kind of cross pollinate. So yeah. If you can dream it you can build it. I think Vibe Crime is definitely, you know -- we've seen -- I mean honestly we've seen like a rise in like sloppy, but effective, you know, cyber criminal campaigns, especially ones that are financially motivated. Like that's been steadily ramping up over the past year. I don't think that will slow down because, you know, even if the frontier models put really good guardrails on not letting their systems be a part of creating stuff like that you've got all of the open weight models that are coming out now. You've got the ability to, you know, just ask it nicely like 10 times and it will do it anyway. You know all these tools are in everyone's hands at this point in time. So that's sort of the world that we're living in now and kind of the world that we're moving in to.

Sherrod DeGrippo: And I think yeah. And I think that I can feel in the general discourse and in the technological releases that are coming out which are rapid fire Anthropic in particular is a juggernaut machine of releasing products at velocity. I mean they just --

Casey Ellis: And then educating their entire dev role based on that too. Like that's the thing that I think they've really taken ownership of over the past period. Sorry to cut you off there.

Sherrod DeGrippo: Yeah. So I see that as well. Like they're not just releasing the products. They're releasing full video, full tutorial, full this is how you do --

Casey Ellis: This is how you do the thing. Yep. Yep.

Sherrod DeGrippo: And I have -- I have really benefited from that because, you know, I've never built anything before. I have always made this really clear distinction between the makers and the breakers. And in security we have a real breaker mentality. And I want to be clear to those of you who are like deep security hard -- you know, die hard in your DNA that are listening. Spend an hour talking to a software developer and it's like meeting somebody from another planet. They have light in their eyes still. They're excited. They want to build features and they want people to use those features. They want to ship --

Casey Ellis: They're generally grizzled, but like a different kind of grizzled I think is probably the way that I'd frame that.

Sherrod DeGrippo: Like they want to do stuff. Like they want -- they want to get -- they want to change people's lives. Like they just come from such a different mindset. And I spend a lot of time with developers at Microsoft. I'm leaving next week in fact to go teach a six-hour workshop on threat driven software development, which I've now done for 600 developers at Microsoft. They have to come sit in the room with me the entire day. We do give them an open bar at the end, but they have to sit and learn what threat actors are doing. And so you talking about like Vibe Crime and all of this stuff, let me ask you. We've always talked about nation sponsored, financially motivated. What's going to happen in the social hacktivism, the disgruntled individual -- what's going to happen with one person now being fully enabled by all these new tools?

Casey Ellis: Yeah. That honestly is the wild card that's been keeping me up at night probably the most in all of this. And that's been for the last couple of years. Like I predicted kind of a return of the chaotic threat actor, you know, back in like '22 I think it was. You know, just in time for like Scattered Spider to show up. Like you've got the Com. You've got like all of these different groups that, you know, their motivations -- I think there's an aspect of cyber defense, particularly when it's threat informed, that does in some ways kind of rely on this idea of understanding what the adversary wants because it's like okay, if they want to deny service so they can do ransomware, I can predict that and I can start to mitigate the blast radius of that being successful. Like if they're a nation state, they want pre positioning or they want secrets or blah blah blah, like I'm going to increase detections or whatever else it might be. You know, you do have this scenario now where like a bunch of pissed off kids can just destroy stuff because they feel like it. Or because, you know, they've got someone kind of prompting them in a certain direction. Like the Com was definitely like that. You've got, you know, the Hacking Games is a group that I'm pretty involved with. And I got involved with that because they kind of stumbled across this fact that like kids are getting recruited on gaming platforms like Roblox and whatever else and basically brought into, you know, either economically driven cyber crime or into groups like the Com that are just out there to cause mayhem. Right? So like we can't necessarily like -- it goes back to the whole like you must be this tall to ride problem. It's a pretty low bar at this point in time, which means you've got folks that can just sort of sit at home and say, "You know what? I'm pissed off about this thing. I'm going to go try to break into it." That's pretty easy to do at this point. 
So, you know, it's an interesting time because I do think, you know, lols motivated hacking, like chaotic threat actors, like, you know, the kind of -- you think about stuff even at the international relations level, you know, the cyber army of Ukraine when that kicked off and it's like, "Cool. Let's like crowdsource a whole bunch of people on a Telegram channel to go like mess up Russia." Interesting. Probably like illegal in a lot of ways, but given the conflict and given all of the things it's like yeah, that's just -- we're just going to let that fly. You know, watching that play out is like that cat's out of the bag now. So if you've got like nation on nation disagreements, all of a sudden you've got this entire corpus of people that can get kind of swept up into that and basically put to work for the sake of the fight. You know, a lot of the -- a lot of the historical like Title 15/Title 10 assumptions we've had around cyber warfare I think are in the process of going out the window. And yeah. Like all of these different things, again it's like everything's sort of moving around really quickly. I think the cool thing, going back to what we were just talking about with like if you can dream it you can do it, one of the things I've loved about this whole, you know, AI thing is seeing hackers, like seeing people that aren't platform builders, that can build stuff that breaks other stuff, but they're not necessarily like a solution or a product, you know, builder in that sense. But they have such deep understanding of what the problems actually are that if you put, you know, the ability to code in their hands they can just go off and start to build things that might be a part of the solution in the future. And I've seen that at hackathons. I've seen that through like different, you know, offensive AI conferences I'm part of and stuff like that. Like that particular trend to me is like the bright spot in all of this. But yeah. 
There's a lot of, like, pretty crazy stuff that's sort of bubbling up at this point in time. And I don't see it getting any less crazy just because there's so much energy in the system at this point in time. Like international conflict plus all this capability plus all these different reasons to do it plus I'm not sure if AI's going to take my job or not. Blah, blah, blah, blah. You've got like a whole bunch of like heat under the pot that I think creates some pretty unpredictable actions as a byproduct of that.

Sherrod DeGrippo: I'm really I feel like anxiously awaiting what the shape of the future is going to be.

Casey Ellis: I think just about everyone's in that part right now. But yeah. I agree.

Sherrod DeGrippo: And as I think I am discovering, I am trying to have fun with it. I -- you know, I think security professionals, if you have a security personality, which is a controversial hot take, but I do believe that there is something inborn. I do believe that there is a psychological profile of people who are in infosec. If you have that profile you are prone at times to maudlin, to the malaise, to the ennui, to being bummed out.

Casey Ellis: Yep.

Sherrod DeGrippo: To go even deeper on that, I think that stress and anxiety have a rebound effect of depression. So like if you're constantly in firefighting and incident response mode, once things kind of calm down a lot of those people go into a deep depression. And if you're not careful it can really eat you up.

Casey Ellis: Yeah. Adrenaline is super useful, but it's a bad diet. And I think the same goes for cortisol. And we're all kind of junkies for that if we've been around this space for long enough. So yeah. I think that's -- honestly it's one of the things I've really enjoyed about watching your whole like let's make the internet fun thing because I've always said this. Like I take the problems that I get involved in solving like really seriously and really personally. But I also believe like if you can't -- if there can't at least be some sort of sense of gallows humor, especially if you've like stared all the way in to the abyss and had it blink back which is the position that a lot of us that have been around for a while now find ourselves in, like you've got to be able to laugh about stuff. You've got to be able to take yourself seriously, but not too seriously. I actually think that that's a really important -- I mean I just enjoy being like that more than not anyway. Right? But I actually think it is a really important resilience strategy.

Sherrod DeGrippo: Yeah. And like for me I think I take the work super seriously. I take the threat landscape super seriously. But I try not to take myself too seriously. I try to kind of what I am calling whimsy maxing. I try to have a sense of levity about it because ultimately a lot of what we do is truly absurd in security. There are people whose jobs are to like break in to things and wreck things and make the world worse. Our job is to just stop them from doing their job. It's a weird place. It's a weird place.

Casey Ellis: Yeah. I mean I fully agree. Like my -- some of my favorite people in the world are cyber security entrepreneurs. You know, and it's partly because I just I love inventing stuff and helping people build things and growing and all that kind of -- like that's something that I just get a lot of joy from and do pretty well at. But the other side of it is that like, you know, these are people that can like look some pretty dark stuff in the face and kind of stare at it until it blinks first and then decide, "Okay. I'm going to do something about that." Let's go, you know, have -- like let's go like deliberately engage the sense of optimism around the fact that there might be solutions for stuff. Go pursue that. Then bring people around that can have fun along the way. They're awesome because like we're all a bit nuts. Right? It's like oh no. We said some really dark -- and that is a part of like the job. And I think people outside of it don't necessarily grasp, you know, how dark it can get sometimes. But like someone's got to do it so there's that and that's mission and purpose and the cortisol and the adrenaline stuff we were just talking about before. But then in the middle of that there's opportunities to actually like make things better and like deliberately engage optimism and humor and just -- and, you know, staying up until 3 AM at the Mandalay, you know, every August. Like all that kind of stuff is just all a really fun part of, I guess, the community. And really important to, you know, see it continue to be resilient as we go forward because going back to what we said before we're just going to need more of this. Like this is not going away. And I love that because I love working on these problems. I love the people I get to do it with. You know, these are some of the things that I think actually make that possible.

Sherrod DeGrippo: I agree. I think shout out to Eyecandy at 3AM. I think --

Casey Ellis: If you know, you know.

Sherrod DeGrippo: If you know, you know [laughs]. What's funny about Eyecandy to me is that you're probably not getting a drink. It's not coming. Like whatever you ordered is not coming. So it's not exactly one of those places where --

Casey Ellis: When it comes it comes from the person that goes over to the like the little mini mall thing.

Sherrod DeGrippo: Yeah because like I brought these back. Yeah. They're not -- the service there. But I think what you're saying too is that ultimately community is so important and having the support of people who are in that same fight with you and are experiencing the same bewilderment. I joke frequently. Is it a joke? Is it true? I don't know. I joke frequently that I have the AI psychosis. I don't feel that I'm being like tricked by an AI chat bot. I feel like I am entering a psychological space of like wow this is a lot. Like this is big and it is almost too big to behold in some ways.

Casey Ellis: Yeah. I mean the community thing, like that's something that I actually get. Like I've always been huge on that. Like Bugcrowd is like literally, you know, a gigantic community that we're trying to put to work. So like I've definitely got some biases in this area. But the whole idea of like community as like the thing that, you know, one can go fast, but like many can go far, like that whole kind of management and leadership principle, I think community's like the thing that ultimately powers that when you're doing the kind of stuff that we do because like yeah, you get to share the dark stuff and like the gallows humor. It's the same thing with doing startups. Like having other founders around you that are going through the same like really difficult set of things that like most other people don't actually understand because they don't do this. Like that's not their fault, but to be able to have your peers together, to be able to just have that support network, I think is critical. But then the other side of it is that like everyone's smarter than, you know, the sum of the parts, I think. Like the opportunities to actually, oh, I hadn't thought of that. Or "Oh, you've just challenged my worldview around a particular problem in a way that I probably wouldn't have gotten to myself, but because I'm in community and we're talking about this or having like a robust 3AM Eyecandy conversation or whatever it might be, it's like I actually learn and grow from that and hopefully the other people do as well." You can't do that on your own. And yeah. Like AI is definitely, you know -- they -- like a lot of this stuff's public now, but like in terms of like the early days of training these models up they would have, you know, basically mandatory breaks from models for that exact reason that you just called out, this whole idea of like I've like tripped over down the, you know -- the Alice in Wonderland hole. 
And I actually need to reset, you know, what my sense of reality is. Like the internet's been like that the entire time. I think AI's a particular like -- it's a version of that that has a lot more gravity to it than I think anything we've sort of dealt with on the internet before, save maybe social media. Yeah. So community is like an antidote to that and I think it's the thing that takes us all forward. At the same time it's like yeah, we're playing with this stuff and actually digging into it and seeing how it can help us, seeing how we can use it, seeing how like it grows. Like what is the shape of the future? That's another good one. Like no individual person I think is going to figure that out. Like everyone's going to have their own thesis and then you kind of bump those theses off each other and all of a sudden you come up with something that's a little bit more accurate to which way the future actually goes.

Sherrod DeGrippo: I think too something I've been thinking about a lot is that I want to preserve humanity. I want to preserve our humanness. And computers can't have fun. We can have fun. We can care about things. We can have emotional responses to things. But ultimately creativity, innovation, new thoughts, new directions, all of those things are going to come from humans. You can't, you know, say, "Oh, we've trained on everything that's been published in the past" and think you're going to come up with something new. And so I really want to encourage that in people that are listening and people that I meet that like we have uniquely human characteristics and those are evermore in desperate need.

Casey Ellis: Yes. Yeah. Yeah. 100%. Like we're going to end up with this layer of beige right across everything. And I think it's really important to acknowledge that, you know, just in terms of how things accelerate. Like the role that AI plays in like humans interacting with each other, with the world, like those are all things that are going to happen. But it doesn't mean that as the human you become a part of that. Like we should be staying on the wire, not in the wire. In that sense. I love the fact that like there's almost an antithetical like element to security research. Everyone's like, "Oh. We can use AI to like make all the security problems go away." It's like well, the bad guys are still people. And ostensibly we're here doing what we do because of them. They're not about to pack up and go home. And if we make everything that they're using to be successful today impossible for them, it's not like they're going to stop innovating and applying creativity to offense. So it's like that's kind of the opposing force that we're here to basically balance out. Creativity's like a core component to that. And, you know, like you said, you can't replace it. You can accelerate it with AI for sure. You know, computers are great at pretending to have fun or creating some sort of counterfeit version of fun, but -- and that's fine every now and then I think. But, you know, choosing consciously not to like fully get sucked into that wire I think is a really -- it's a really important thing. It's something that I like think about a lot and actually try to be really deliberate with because I can definitely go down a core hole and like, you know, all of a sudden it's 5AM and I'm completely detached from reality. Like that is a thing that happens from time to time.

Sherrod DeGrippo: Me too.

Casey Ellis: So it's like all right. What are we going to do about that?

Sherrod DeGrippo: I want -- I just want everyone to understand Casey's experiencing it. I am also experiencing it. You are not alone. We are falling down into the AI never-ending pit on occasion at 5AM. And I would say one of the great things that I'm trying to do to combat that is be super conscious about where I want to employ connection and where I don't. So I'm thinking about like putting together, I don't know, like a party. Do I want to immediately go to ChatGPT and start planning a party or do I want to send -- [inaudible 00:49:43] Yeah. Like or do I want to send unhinged texts to my friends and be like, "What if we had a party?" And everyone had to dress as their favorite -- like where are your opportunities to have human connection that will fulfill you and fill you up and motivate you, empower you, and give you the courage to face another day? And where do you just need utilitarian immediacy?

Casey Ellis: Yeah. So Dan Miessler has a really fun way of framing this. No robots in the gym. Right? So like the idea that like if you're a factory worker then, you know, your job is to like move the thing around, and whatever you can use from a technology standpoint to reduce the cost of doing that and to make yourself more efficient is a good idea. On the other hand, if you go to the gym, like the whole reason that you're doing that is because you want the resistance. You want like your own kind of personal interaction with weights or whatever it is that you're doing. And to get a robot in to do that for you would completely miss the point. So like this idea that like is this a -- you know, is this like factory work or is this me going to the gym? Kind of applying that kind of mental model to it I think is a really fun thing. I found that with writing. Yeah. I definitely had a period a little while back where I was leaning on AI, I think in hindsight, a little bit too heavily to help me with idea creation and getting things together and all that kind of stuff. Like it's super useful for that, but the thing that was a tell was like when I went to write on my own it was hard. It's like what? Hang on. What happened? I'm good at this. Like and what had happened was there was like a degree of atrophy that had kicked in. Like oh man. Okay. That's not good. So I kind of pulled back from that. And same with party planning. Like ChatGPT. Like how to party good. I think the unhinged text version is probably going to net out to a better party at the end of the day anyway. So it's like all right. I'm deliberately engaging in that kind of process just to like set some markers up and create some boundaries and do all that kind of stuff. 
And still take advantage of all that because it's powerful and it's super useful, but like using it for what it's good at and then maintaining your engagement with the things that give you joy and that you're good at I think that sort of separation is a really it's a good thing to think about and not something that people are talking about enough right now I think.

Sherrod DeGrippo: Yeah. I think about it a lot. Like using that party example again like I'm happy to let it do the labor of like making me a grocery list or me saying, "Okay. I'm going to have 30 people at my house. How much food do I need to get?" Sure. But what crazy things are we doing? How wild can we make it? What weird things should I ask people to bring? That's a group chat conversation with my human friends.

Casey Ellis: Yep. Agreed. Agreed.

Sherrod DeGrippo: So let me --

Casey Ellis: So I feel like we solved that. That's good.

Sherrod DeGrippo: We solved it. Oh. We're making progress. The humans against the machines. We're going to win. What's your favorite sci-fi movie?

Casey Ellis: Oh. "Children of Men" which is --

Sherrod DeGrippo: Oh no. That's your favorite? Are you okay?

Casey Ellis: I had to think about that, and I really caught myself saying it, but just as a -- it's dark and all that kind of stuff, but it's just such a beautifully constructed film. And I kind of appreciate that. Like there's a bunch in the mix, but I do love that one. Probably "Matrix" would be the other one which is like age appropriate and all that other stuff, but yeah. I still remember the feeling of sitting in a cinema like skipping school to go and watch it back in the day in Australia and it still hits me kind of the same.

Sherrod DeGrippo: I am a huge Kubrick fan and I always have been and "2001" has just been I think about it all the time. I'm doing -- spoiler alert. I'll be giving the keynote at RVAsec at the beginning of June and I'm going to heavily kind of make some parallels between where we are with "2001" and reality today. Tell me -- we have a lot of questions that came in. I want to ask one of these before we have to wrap up. This is from a former guest on this podcast, Greg Lesnewich. For those of you listening, go check out the episode "Between Two Gregs." It's a DPRK focused expertise episode. It's real fun. He asks -- yeah. Bringing on two DPRK experts is very wild, especially asking them all these cryptocurrency questions and they're like, "Yeah. We just we don't do that." And I'm like, "But shouldn't you know about cryptocurrency?" Like, "Yeah. We probably should, but we don't." And I'm like okay. So Greg, great friend of mine, asks for Casey "What do you wish that the future of threat intelligence could be? What do you think would be kind of the ultimate form in the future that we could have?"

Casey Ellis: Yeah. I think as much sharing and as much transparency as possible, just as a default kind of design state. Right? Like I've always been big on this idea. You know, Kerckhoffs's principle in cryptography. Like the enemy knows the system. So if you're keeping things secret, like that secrecy is inherently fragile and when it fails it fails catastrophically at some point in the future. Like the antithesis and the antidote to that, the antifragile version of that, is transparency and openness. In CI that's really hard to do sometimes because sometimes you've got to keep stuff, you know, under your hat. But I think trying to get to a point where there's as much sharing, and kind of goes back to the community stuff we're talking about as well, like there's group think that can be applied to defense and to counter operations, to all that kind of stuff. I think that's a utopian kind of picture of things, but definitely something that I believe in, I think is really important. I think threat informed design is going to get more important. Just this idea that like we can't get around to fixing all the vulnerabilities that we've got and we need to just assume that a bad guy's going to be successful, so how do we design around that instead of just assuming that we can keep them out 100% of the time. You know, using threat intelligence to actually inform that, to have it more tightly integrated with like design, architecture, build, engineering, like all that kind of stuff would -- is a utopian version of mine. Or a utopian outcome that I quite like. Probably the other is -- and this is less of a utopian ideal state, but you know I do think that there's a lot of policy and legislative shifting going on at the moment to enable, you know, things like hack back and disruption. I'm not necessarily a fan of that because it's messy, but we do seem to collectively be heading in that direction. Like Japan passed laws. Australia's looking at it. 
A bunch of EU countries are looking at it. The White House is saying stuff about it. You know, we are going to get to a position where it's like all right. We're actually going to take the fight back to the bad guys from a threat response standpoint. You know, there's a part of me that's terrified of that, but a part of me that really likes it because I do think we've been sort of sitting on our hands in terms of being able to actually deal with a lot of this stuff and in a lot of ways it has been very reactive. I think it becoming more proactive in the future I'd love to see, you know, a productive version of that, I guess.

Sherrod DeGrippo: It will be interesting I think if there is one -- when one policy maker, whether that's a nation or an organization or what -- when one policy maker goes I think the others are going to come very quickly behind.

Casey Ellis: Yeah. I mean Japan broke rank on that 12 months ago, 15 months ago, and it's like you think about their geography and you think about some of the stuff that's slated to happen next year. The timing kind of makes sense. I think that definitely triggered a whole bunch of policy making in other parts of the world. Like there's been a version of this, like letters of marque in Congress for a couple of years now, and there's like waves of that happening. There's work on this type of thing happening inside the White House. Like it's heading in that direction, I think.

Sherrod DeGrippo: Final question.

Casey Ellis: Shoot.

Sherrod DeGrippo: What still gives you optimism?

Casey Ellis: People. Honestly people.

Sherrod DeGrippo: Humans.

Casey Ellis: Humans. Yeah.

Sherrod DeGrippo: Come on, humans.

Casey Ellis: You know, I love technology. I love criminal creativity. I love like peering in to some of the, you know -- the dark edges of the stuff that we were talking about. Like I enjoy like intellectually and I enjoy kind of at like an outcome level, all that stuff. But I think the thing that I always come back to that makes me smile and makes me optimistic is just the fact that I get to do this stuff with incredible people that are all like a little bit unhinged and all, you know, super motivated and all like completely imperfect. But like wonderful. You know? I think that's -- that makes me optimistic. And even looking at the next generation that's coming through and the opportunity for our generation to actually help them with some of the rough edges that they're going to experience. But at the same time getting to learn from the things that they see that we don't because like we're not like native to the technology environment they're growing up in. Like it's all community. It's all people. You know, I love that. I think computers on their own would be kind of lonely and boring at the end of the day so the fact that we get to sprinkle like awesome humans on top of all this stuff and do it all together I think that's something that I love about it and something that definitely gives me hope.

Sherrod DeGrippo: I love that. I agree. I really -- one of the things about this new AI enabled future is that I hope it does have a return to how people feel, where intuition comes from, these very unique things of warmth and humor and hunger and feelings and being able to kind of wrap ourselves around that instead of like cold hard silicon. Like --

Casey Ellis: Yeah. I think that there is -- there's an opportunity in all of this to just be a lot more deliberate. Do you know what I mean? Like I do feel like there's almost like an analog kind of renaissance coming at some point in the future where everyone's like, "Oh my god. We've been sucked all the way into this thing and it's kind of annoying, so like let's not rebel and burn the whole thing down, but like just be deliberate about disengaging and connecting with each other." And, you know, doing things that feel good and that make other people happy and all that kind of stuff. I don't feel like we're quite there yet. I feel like we're still in the like the vortex part of it all. But I do see a point in time coming where that becomes like something that folk are a lot more deliberate about, and I like that idea.

Sherrod DeGrippo: I like it too. I encourage everyone to be intentional. Set your intentions before you start anything. Casey.

Casey Ellis: Also a recipe for a good vuln disclosure or bug bounty program going right back to the start. So.

Sherrod DeGrippo: Just set your intentions for -- set your intentions. Okay. That's a good tip. Casey, this is fantastic. Thank you so much for coming on "The Microsoft Threat Intelligence Podcast" and helping us figure out kind of what is strange and important and what we're doing and where the industry is going. Really appreciate talking to you.

Casey Ellis: It's been a really fun chat, Sherrod. Thanks for having me on.