AI Changing Security Awareness Training
Cyber Crime Junkies | June 14, 2023 | Episode 47 | 00:56:38 | 38.95 MB


 New Video Episode: https://youtu.be/qKxTpMvrZoQ

Benjamin Netter, security expert, hacker, investor and entrepreneur, shares how AI is changing how we train people in security awareness. He joins us today to discuss innovative ways to build a security culture and leveraging AI for security awareness. Benjamin is the founder of RIOT, located online at https://Tryriot.com and founded in Jan 2020, a next-generation, unique platform for building a security culture.

Benjamin/RIOT evolved into customized educational content that grows a cybersecurity culture, supporting over 100K employees globally.

Riot’s main interface is a chatbot called Albert, which is available on Slack, Microsoft Teams and the web. Its cybersecurity courses are interactive, with content that dynamically changes depending on each employee’s cybersecurity knowledge.

Topics: 

How AI Is Changing How We Train People In Security Awareness, Leveraging AI For Security Awareness, How To Use AI For Security Awareness, Innovative Ways To Build A Security Culture, Best Ways To Create A Security Culture, How To Use AI To Protect From Phishing, How To Use AI For Cyber Security Awareness, How To Use AI To Improve Cyber Security, How Young Leaders Help Culture, New Approach To Build A Security Culture, New Tips On How To Create A Security Culture, How To Train On Using AI Securely, Best Ways To Train On Phishing Attack, Ways To Create A Security Culture, What It Means To Build Security Culture, Best Ways To Spot A Phishing Email, Innovative Ways To Build Security Cultures

VIDEO Episode Link: 👩‍💻 https://www.youtube.com/live/GiZI7ROAVj4?feature=share


DAVID MAURO Linkedin: https://www.linkedin.com/in/daviddmauro/


Music Credits: Two Guitars by Admiral Bob (c) copyright 2012 Licensed under a Creative Commons Attribution (3.0) license. 


===========================================================


    Innovative Ways To Build A Security Culture 

     

     


     

    [00:00:00] It's always in the news. Cyber criminals attacking great organizations, wreaking havoc on the trust of their brand. We socialize cybersecurity for you to raise awareness. Interviewing leaders who built and protect great brands. We help talented people enter into this incredible field, and we share our research at Blockbuster True Cybercrime Stories.

    This is Cybercrime Junkies, and now the show.

    Welcome everybody to Cyber Crime Junkies. Today we're gonna talk about innovative ways to build a security culture. In the studio today is Benjamin Netter. Very cool dude. Security expert, hacker, investor, entrepreneur. He joins us today. [00:01:00] He's the founder of RIOT at TRYRIOT.com; there's a link in the show notes.

    It was founded back in 2020 and it's a next generation unique platform for building a security culture. It's really cool. We're gonna hear about it today, but it has a chatbot named Albert, who's really cool and keeps asking questions and providing information, it's really, really cool. So this education platform's like served by being used right now by over a hundred thousand users and it's, it's, it's a really, really innovative way of doing it.

    So, Ben, welcome to the show, my friend. Hey David. Thanks for having me. No, I appreciate it. So you are over in France right now in Paris? Yes, Southern Paris. In Paris. All right. You know the view, the view here in central, in the Midwest of the United States, it's like the same, like, it's pretty much the same as [00:02:00] Paris.

    Like people from all over the world travel to to the Central Plains. You know, we, we have like tourist spots and tourists and stuff. Yeah. That's very cool. I've done my fair share of road trips in the us I know you have. So I kinda love this part of the us That's fantastic. So tell us a little bit about your background real quick, just for the people that may not have heard of you and hopefully they will after today.

    What did, what did you like? Where'd you grow up? Tell, well just walk us through generally. Of course. Yeah, sure. I grew up in Paris, spent most of my high school, high school years coding. So, ah, I would say I'm still a coder. I've been coding for 20 years. I don't code on a daily basis now at Riot.

    I do everything but coding. Well, you're the founder background. Yeah. You're running a Yeah. You're running a company now, so it's not like you can like be cracking code and designing. Yeah. So, yeah. Can do everything. Well, just a little, I don't wanna go too far down a rabbit hole, but [00:03:00] what was like the first coding language you learned?

    PHP. Okay. And then, and then what did you develop after that? What'd you learn after that? Or was that your main language? I learned JavaScript later on, and especially Node, Node.js. Ah, so I did 40 10 years of PHP, 10 years of Node.js. Interesting, interesting. My, my d my, yeah, my daughter is learning to code right now and so she's starting with Python, so I always want to ask people like how they got started.

    So she loves, it's a good option. I think it's a good option. Excellent. And it's good that kids learn it. Yeah, absolutely. Yeah. It's, it's, it's, it's definitely a skill. Many, many don't have. So so fast forward through your high school years, you're a coder and you you used to dabble around on some sites, right?

    Yeah. So what, what were my first, actually, my, my first success was in 20, when I was 19, I created a Facebook app that half a. French people used. [00:04:00] So that's, that's where my first success. So yeah, it last for like two days. Two weeks or something like this. For two weeks I had I think eight, around 8 million page views on my Facebook ad.

    Yeah. What was the ad about? Can I ask? So it was answering questions on your friends and they receive a notification saying, Hey David answered questions, a question on you. And your friends would be like, huh, I want to see that. And you would've to answer question and its them to see the replies.

    Exactly. So it draw. So did you, yeah. So when you say you created it, was it, did you create it so that it sent the notification to all of the friends that you did the poll about? Mm-hmm. Yeah, yeah, yeah, yeah. It was like completely viral for two weeks and after two weeks, Facebook reached out and say you're not supposed to do that.

    And so we're cutting you out. So it died overnight. Not gonna make any. Yeah. Yeah. Not gonna make any comment. Not surprised, right? Like, no, [00:05:00] not surprised. As opposed to saying, this was really good. You drew a lot of attention to the platform. Maybe we can, you know, congratulations. Here's 500 bucks. Here's a here's, here's a reward.

    They're like, you're not supposed to do that. Yeah. No, no. Yeah, you're not supposed to do that. I mean, for two weeks I was rich. I mean, I was making, I think 300 euros per day or something like this. Holy cow. Outta advertising. Yeah. Wow. That's phenomenal. As a 19 year old kid, it was not bad, but no.

    Well, and I think you discovered the power of, you know, tapping it on the keyboard coding Yeah. Tapping on the keyboard with creativity can, can, can make people some money. So. Exactly. So What else happened when you were a kid? And you know what I'm asking about? There was, there was a cool, you were, you were pretty, you were had a, from what I understand, you had a pretty normal childhood by all regular standards, right?

    Like, you'd play sports, you had friends, you did [00:06:00] things right? Yeah, yeah. On top of coding and hacking around. So yeah, I, I actually started hacking, you know, my, my career hacking started when I was 12, probably. And I was so basically I was, you know, this kid on the, on the computer with the internet access and trying to see what I can do on other computers.

    And so I was being around, around with Trojans at the, at the, at the time it was Trojan Horses, you know Sending chosen and alsos. And then people would click and you would try to go into the computer and that's it. I mean, I didn't do much except that, I mean, I was trying to see how things were working on the internet and so, so that's interesting.

    I show you how my career started. I keep Couri started. Yeah. So let me ask you this. So when you first discovered them, was it on the dark web? Did you I. And a couple online friends or something get on the dark web, get the malware? Or was it just you, you happened [00:07:00] on it some other way? I was just curious.

    I, I mean, there was no dark web at the time and I was, I was spending most of my day on on website. Like one that, that, that I went on was called Cool Paradise. Yeah, cool Paradise. It was tutorials Cool paradise. Yep. Remember it's a French website where you had tutorials on how to hack people.

    So that, that's actually when I got interested into hacking. And you were 12 years old at the time. Yeah, I mean, I wasn't do doing much. I mean was. Just trying to hack around, you know nothing in mind in particular. Well, what, what, what those of us that aren't experienced hackers are always amazed is.

    When we talk and get the opportunity to speak with people like you that are really changing the landscape we're always amazed cuz you guys always downplay it. It's like, oh, we were just, we located Trojans, we were just playing with our buddies. I would just like, throw out a Trojan and then control their, [00:08:00] their entire computer or whatever.

    Like it was, it wasn't much, it was just learning. I'm like, that's pretty powerful right there. And you were, you were a kid. You were a kid, so it's pretty impressive. That's pretty impressive. So I discovered recently that we were called the script kiddies. I didn't know script kiddies. That that's how you called it.

    Yeah. That that is what, that is what it was. There's, we've had several, we've got a lot of true crime stories on this, on this podcast about it. We had like the boy, Mafiaboy, the boy who broke the internet, a couple other script kiddie stories, but they always go on to do some phenomenal things. So okay, so a Trojan, for those that may not be super technical, walk us through kind of what it was.

    It was code, malicious code, right? You would send it over to another person. They would click on something, right? Or go to a site or something, and then you would be able to control their. Yeah, yeah. Well walk us through it. [00:09:00] So downloading, downloading the file would open a port on your computer. Ah, and so that's how I started.

    So basically, you know, you send the email and there was no spam filtering at the time. So you send an email saying, Hey, can you take a look at what's attached to this email? Person would click the, the file and that's it. I mean, he didn't do much and he would reply, yeah, something wrong, something wrong.

    I can't open the file. And I'm like, oh, too bad. And and then you have a port that's opened on, on your computer. And I remember that what I found hard at the time was finding the IP address because you know, when you send an email, you don't get the IP address from that. So you need to find a clever way to get the other person's IP address.

    And do you put that in the code? Yeah. And you have to put that in the code so that way when they open it up, you know, you're opening up a port through that on that IP address. No. So what what I remember is that I was spending most of my time on MSN. I don't know. I don't, I don't. In the US you had different ways of communicating, but we, I was spending my time on MSN.

    Yeah. Back [00:10:00] then. So this is like early two thousands, right. Kind of Exactly, yeah. Issue. Yeah. So the AOL chat, MSN chat, things like that, that's how everybody communicated. Yeah, exactly. Yeah. And when you send a file to someone on MSN Messenger, you get the connection is direct. So there you have the IP address.

    Okay. So that's how I got it. That's how I was finding an IP address. But what, what I discovered after is that you, you have tools that you can scan the entire web and I mean IPs and detect open ports and you can just scan all IPs, find computers that you don't know about any, anything about and and use the, the port to enter into the webcam or the file system, whatever.

    Yeah. One of the top 10 ways why there's so many more data breaches today. Right. It's so much easier for. Those that wanna hack or those that wanna be threat actors like hacking for bad intent. Right. Like it, there's so many more tools to be able to just [00:11:00] find the open ports, find the vulnerabilities, it's, there's so much information out there.

    So you don't have to do the hard work. Right. Exactly. But back then, as a kid, you were doing the hard work, right? Yeah. He had more time though. Yeah, exactly. He had more time when you were a kid, right? I had a lot of time looking at it. I had a lot of time. Yeah. Yeah. Yeah. My friends that are really, really good at golf, I always like the first question.

    I was like, what did you do when you were like 10 years old? They're like, why I would you spend all day on the golf course? I'm like, that's why you're really good. You had like four open days in a row. Nobody has that right now as we get older. That's cool. So, so, okay, so then you're on Cool Paradise. This like kind of, it, it was a French base, but it was like a hacker forum.

    It was like a interesting way to like find vulnerabilities, learn things, play around anything significant happen when you were through your time with Cool paradise back then. Yeah. So basically I was, [00:12:00] so I was doing this using this tool to scan IP addresses and to find the ports. And I was trying to get into computers and open the webcam and stuff like this.

    I mean, early days of the, the, the internet. And one day I enter into a computer and I have a message that says you got spotted. That was a honeypot. The, the FBI has been warned. And so that, that's pretty much when I stopped. I mean I was 12, 12 years old, imagining that the FBI would enter by the window and and arrest me.

    Oh, yeah. What went through your mind when you, when you first saw that? I mean, were you. You were at home alone and that's it. It's not worth it. Right? I thought it's over. Yeah. And my parents gonna know. I know that they're gonna, they're gonna take the computer. Yeah. Right. All access will be gone. Yeah, exactly.

    I don't want that. Oh, so did they ever call you, did they ever contact you or what happened? Never. Nothing happened. I mean, oh, thank God. I was just a kid in the room, so, right. What would they do? Yeah, [00:13:00] absolutely. I wasn't, I wasn't doing much. Yeah. It, it stopped my career in hacking until three years ago.

    But yeah. Absolutely. So walk us through the, the impetus, the reason why you created TryRiot. What, what you were, you were, what was the role? You, you were working somewhere in our prior conversations. You had explained you were working somewhere, there was some type of incident. You don't need to tell the name of the company or anything like that, but you were working somewhere.

    There was some incident and you saw kind of the damage, the devastation that can happen and that kind of inspired you. What? Walk us through that. Yeah, so. Yeah, the, I, I'll have to say the name of the company, but oh. Basically I, Riot is my second company. I founded a, a first one called Selber. That grew pretty well as well.

    I mean, we had 150 employees when I left for Riot. Okay. Basically we were doing loans for small businesses Okay. Across Europe. And we lend to this date, I think we lend about a [00:14:00] billion dollars worth of loans. To your company? Company. And this was for, I I'm sorry. Was this for like small business loans?

    Was this for Yeah. Okay. Yeah. Yeah. The average loan was half a million. Okay. And then it would be for pretty much four years loan with good interest rate. And we would provide fast decisioning. So basically you would get an answer in two days. Oh, that's really to your bank. It's usually about three months.

    So that's what we were offering at the time. That's great. I mean, the company still exist, but yeah, and not there anymore. You were one of the founders there. I went. Yeah. We we were three founders. Wow. I was, I was 24 at the time, so I I met this guy who had a, a background in finance who founded a company before Success, very successful company in finance.

    And he approached me saying, Hey, I'm looking for a cto. Is that you? And so we chat and I like the guy. And we decided to start at the time the company was called Lend. And we changed the name along the way, but that's another [00:15:00] story. But yeah, we started Lenix and six months later another co-founder joined, so we're now three co-founders.

    Very cool, very cool. So you guys were doing this throughout Europe and it was Mex, it was based in Mexico, you said? No, it was based in Paris and we were, we had five different offices in Italy, Spain Germany, and Netherlands. Oh, okay. I'm sorry. For some reason I, I I, I thought Mexico and that's why I was asking cuz it seemed off.

    Right? Because it, it seems like, it, like, seems, seems I never to Mexico. Yeah. Okay. Got it. That's, that's great. So then, okay, so you guys are daily operations are going on. You're the cto. What happens next? I, we were, so we created this platform that was hundred of millions of euros worth of loans every year.

    And as the CTO I was pretty sure a hacker would find a clever way to hijack the money. And I was very careful with protecting the platform. Mm-hmm. And we were spending a lot of money on and and pen testing and so [00:16:00] on, as you would imagine. And so what happened is one day an employee in 2019, an employee ended up clicking the wrong email and entering their password.

    And so that's, that's how I discovered the hard way that we were not investing in humans. And that's I mean to me it's the biggest weaknesses today in company in company. Sorry. And so when this employee clicked, entered its password, I mean the attack spread and then I mean we had some.

    Issues, obviously. And I looked at from there I looked at better ways to train my team and the idea I had is maybe I should try being in the shoes of a hacker, sending an email, and I, as I decided to send an email to the whole team teaming down and see who's clicking, entering their password on it.

    And the first time I did that the CFO was the first person to click and entered his password. Wow. So that's, that's how I decided to work on Riot. So that it was, initially, it was a side project mm-hmm. By 2019. And then when I did the [00:17:00] first attack, 20% of the employees ended up clicking, entering the password.

    Mm-hmm. And I was telling the story around to my CTO friends and they were all asking to try it. So I was like, Hmm, maybe this is, maybe this is not a side project. Maybe, maybe this is a product or even a company. So, so yeah, that's how I started. Interesting. So you've got this finance organization, you're one of the founders, you are the CTO.

    You're bolstering security, you've got, you know, firewalls in place. Other detection means, I assume, and then you said you were doing pen testing, right? So, so you were protecting the infrastructure. Right. But, but when the humans let people in around that infrastructure, it, it has the same, same result, doesn't it?

    Exactly, and it's even easier. I mean, it's very hard to actually protect. [00:18:00] We, we were 110 employees at the time, so it's very hard to protect 110 employees versus protecting your platform. Mm-hmm. Exactly. So what what was the email about, if you don't mind? Like, I mean, Today they're probably even more sophisticated.

    I don't even think that they're that sophisticated. It's more about being persuasive, right? Identifying who the target is and making, crafting that message with a sense of urgency and a call to action that makes people wanna act. Right? They almost go into like amygdala hijack, cuz it's, they're emotional and then they put the information in.

    But was it something like germane to the business that just got them to act? You mean the one that the first employee clicked or the one I launched? Yeah. No, no, no. The first one that, that they clicked, that, that caused the incident. I remember it was an email from someone in you with a PDF attached to [00:19:00] it.

    It would open the pdf and the PDF would say there's something wrong, wrong with this file. Click here and you click and you end up on a phishing page. So it's I mean, it's, it's not bad for a phishing attack. It's, it's not bad because it comes from someone, you know, probably got phished as well.

    Mm-hmm. So you, someone, I mean, you know, the, the usual tip that you give on phishing email is always look at the sender. Right? And in that case, it wasn't true. I mean, the sender was legit, so, right. You opened the pdf, clicked enter its password on the, on the phishing page. And what happened is that Probably a few seconds later, an email was sent to all these contacts spreading the attack the same way.

    So an email was sent exactly the same way including your pdf. Wow. So it, it so how did that make you feel? Like, where were you, if you don't mind me digging into this just a little for the listeners. What, where were you when you found out about this? [00:20:00] I was, I was in at the office. And he was at the office too.

    So I got the email because I was part of the contact list, you know, and I got the email. I, I thought, Hmm, okay, so Mark got hacked and I was, I ran to him and, and say, Hey what happened? I want to know. And from there, I mean, 10 minutes later the password was changed and the, we sent a message to all these contacts saying, Hey, don't click the, the last email.

    And that's it. It was over at this point. Okay, well good. And then other things might have happened later, but that, that's, that's not really germane. The point is, is that this really kind of made you realize the importance of protecting against social engineering. Exactly. Exactly. Yeah. So what so walk us through how you, how you crafted, and how you created riot.

    So basically I, I decided to wake up. I mean, I had a hunch that it would be interesting product. Mm-hmm. And so I woke up every morning, two hours earlier. And I worked as a on, on desk [00:21:00] before going to the office and during the weekends. And when I launched my first attack, got the CFO hacked, I decided to apply Toor.

    The incubator in, in Mountain View I mean, you know, YC is pretty selective. You get I think 1% of people who apply get, get in. And so, you know, they were, for the first time ever, they were doing interviews in Paris and I thought it's probably a good audience to try out my new idea on. And I was pretty sure I was never gonna get in.

    But it was probably a good way to get feedbacks on my on the product, you know? Oh, absolutely. So, so you applied to the incubator over in Mountain View, California and it's very selective, and then you and they were actually doing interviews and things over in Paris, like Yeah. They, they were doing, yeah, it was fortuitous.

    That's fantastic. They were doing the interviews in Paris. Oh, that's great. That's great. And did you go to that interview like, like, like 200 meters from my place. So pretty close to [00:22:00] my place. Wow. Walking distance. Wow. That's, yeah. That's fantastic. What It's like all the stars aligned for you there. So did you go, did you go on the interview?

    Did you, how mm-hmm. What happened? I go on the interview, it's like a 10 minutes interview with three partners from yc. They ask you a bunch of questions on your product, what you're, what you're doing, what are you trying to solve the team, basically me. And and the next day they call you and they say yes or no, basically, or they send you an email saying yes or no.

    And, and they said, and they called me. They said All right, you're in. I was surprised because I didn't, it was not part of the plan. I mean, I had this you know, I had this successful company on the side. It was not part of the plan to get into YC, right? But the next day I had I sent an, I mean, when I, I, I got the, the call I sent a text message to my partners in my first company.

    We grabbed coffee. I said, yeah, YC is, is a childhood dream. So, I'm gonna leave the company and work on [00:23:00] Riot from now on. Wow. That's f wow. Congratulations. That was must have been so exciting. It was. I mean, after I, I mean, I worked in finance for six years and I mean, it was time, I think.

    Yeah. And this was 2019? 2020, exactly. Yeah. I started, I started, so I left my company on end of December, 2019. Started Riot in January, 2020. I started in San Francisco, so I was in San Francisco at the time. Oh, you were in San Francisco. So Covid the pandemic was prime time then, wasn't it? Exactly. I mean YC is three months long.

    And you know, you prepare the whole YC batch is preparing for demo, what they call demo day is You pitch you pitch in front of 3000 VCs basically. And you end up getting money for your company. And demo day got canceled because of the, because of COVID. Wow. And did they do it remotely eventually?

    Like how [00:24:00] did they, because you, you've been very successful in, in, in raising money. Your first series the funding has, has, has been excellent. What, what. Well, walk us through kind of what, how, how did the pandemic affect it? What, what, what happened next? I mean they moved demo day to so initially demo day is in person event.

    So basically it's in in San Francisco you have this big gathering. And probably three weeks before demo day, they sent us a message saying, Hey, COVID seems to be. How do you call it? It seems to be more impactful than, than we imagined. Maybe we should move to to video interviews instead of in-person meeting with 3000 people.

    And so it's probably a prudent they moved into probably a prudent move back then. Exactly. Yeah. So they, they decided we would do the same, but. On Zoom and a week later they send a, I mean, Trump closed the border saying, yeah, so this is real. And an hour later we get a message [00:25:00] from YC saying, Hey Europeans, you have to go home now.

    Otherwise you'll be stuck in the us. Wow. So I booked a plane ticket got up, got back home, but basically I had I mean, VCs reached out prior to the mode. And I scheduled a six calls with VCs and I ended up raising 2.5 million. Wow. Fantastic. We love it. And it's gone up from there.

    Like you've had, you've had great, great success there now, today, yeah. Riot has a chatbot Albert, who I've. Seen and, and it's really cool. It also works with other platforms, right? Like communication platforms like Slack, Microsoft Teams things like that. Right, exactly. Yeah. So basically we started as this phishing simulation tool.

    But what we discovered is when we send an attack on a company, basically most companies, they get. Insane results, like 20% of their team clicking, entering the password. Correct. And then you have another problem. I mean, now you know that your [00:26:00] team is not prepared for cyber attacks and you're you're facing a new problem.

    How do I train? I don't know. If you're a thousand people company, it means that you have to train 200 employees for cyber attacks. And so that's when we created Albert. And so basically it's I call it a cybersecurity companion. You plug it on Slack or Microsoft Teams and it talks to your employees about their, their security does their, I mean, we created a catalog of 20 courses that covers the basics of cybersecurity.

    That's great. And does it, does it, how, how does it work? Like, like how does, you know, if somebody's going through their day and they're communicating on Slack or teams how does Albert inter. Interface with them? Like are there scenarios or if they and is it, is it targeting the main ones who click in the phishing simulation originally or is it everybody in the organization at first?

    So both. [00:27:00] So basically you would define a program that your, the whole team has to follow and usually. The program is split in three parts. The parts the very important topics probably three courses top. By the way, each, each courses is like five minutes long, so it's pretty easy to do the three courses.

    Usually employees, they do it on their first day. So Albert would welcome them in the company saying, Hey David, welcome to the company. You know, cybersecurity is very important here. I'm gonna tell you more about your security so that we keep the company safe. And and, and Albert is like this friendly looking, gray-haired, like grandpa figure, like pretty, pretty nice.

    Like the interface is really welcoming to people. Exactly. We're trying to adapt a tone of voice that's I mean friendly to the employees. And I mean, some employees, they don't, they don't know that Albert is, is a bot. Some of them thinks they think it's a real person. Yeah, so we've been trying very hard to imitate someone in your team.

    And I [00:28:00] mean, the content of the course is also very adapted to the employee. You know, we're trying to get that on you and adapt the content. And that's, that's what's powerful about text is that it's very easy to manipulate, especially now that we have ai I mean, you can manipulate the text.

    So it, it can re resonates to employees and that's something that we've been working very hard compared to your typical cybersecurity awareness program where it's very one size, you know, one size fit, all fits all. Video, cartoon video. Albert is adapting the content to each employees. So if somebody is doing certain types of tasks or they're in a certain type of department, right, it can kind of tailor the speech, the patterns, some, some of the things that it would train on based on that.

    Mm-hmm. Exactly. I mean, we go even beyond that. I mean, we go I'm gonna give you a very simple example, but on the password, please do. Course, for example we're fetching the last known password. Password to [00:29:00] accurate. So I would fetch your password, David. I would get it from data breaches automatically, and I would put, put it in front of you saying, Hey David, you remember that password that you used 10 years ago?

    Please stop using it. Because hackers, I have the same tools that we do and we found it in like half a second, so it's over now. So you would be able to, so, wow, that's interesting. So you're telling me, so Albert pops on your. Pops on your Slack channel or your teams channel and is like, Hey David, you got this password.

    You know it was password one from like 10 years ago. It's probably time to not make sure that you go in to your MySpace account and those other accounts that you haven't looked at for a long time and change those things because they can, they can be they can be manipulated and exploited. That's interesting, Ben.

    That's really cool. [00:30:00] So I mean, you probably, David, you probably work in cybersecurity, so probably you don't have the same passwords everywhere. No, pretty much, I pretty, I have pretty decent hygiene, otherwise I wouldn't be doing this. But, but a lot of people, but a lot of very smart people though. Like, don't, don't get me wrong, like people aren't idiots for, for, for not doing this.

    It's just habit. It's just the world has changed in the last few years, let alone the last 10, 15 years when we created these accounts. Right? And so You know, the, not just the complexity, but more the, the routine of changing them and, and, and making them dynamic is really key. So and I mean, it's also very different from just showing you databases you appear on, you know, I would say, Hey David, you've been in five different data breaches.

    Yeah. Even if I told you your password or your password linked in the LinkedIn data breach, You would be like, Hmm, okay. But if [00:31:00] I put it in front of you, it's a different scenario. I mean, well, that's why, that's what impresses me. Yeah. That's what I really, that's what I'm, I'm so intrigued by because that is much more powerful.

    Well, you know, we provide security awareness as a public service across the US and when we're doing this, we always talk about, you know, Have I Been Pwned? You can we, you know, we, we do a live demo, put somebody's credentials in there and then like show people, look, you've been in three or four breaches or leaks.

    Right. And some of them are organizations or platforms they didn't even know cuz they were data brokers. Right. So their data had been sold to somebody that was sold to somebody who got breached. Right. And it's still, your credentials are still out there. This is actually in the middle of their workday in their communications channel going, Hey, this right here was breached, so you're actually showing them in person.

    That's really good. That's really good. So let me, can [00:32:00] I ask you a little bit about ai? Because I don't know if mm-hmm. I don't know if people are aware, but kind of a big thing right now, like it's kind of everywhere in the news, and I swear if I see one more post about like, top five things to do with ai, I'm gonna like just delete the whole platform.

    Like it's, it's so overblown. Some of it is just, You know, some, some, some of it is, is I don't, yeah. I mean, the whole responsible use of AI is really important. It's a, it's an important discussion. Also remaining authentic despite a ai, like letting AI just do your work for you. I, I, you know, a lot of people are starting to have issue with that, right?

    Because then it's all the same kind of garbage that everybody's just kind of sending pre-packaged, but, How are you and how is Riot? And for listeners, it's tryriot.com. We have a link in the show notes. Outstanding. We [00:33:00] encourage everybody to check it out. How are you guys leveraging ai? Can you just kind of share some examples without giving anything proprietary away?

    For sure. Yeah, of course. Yeah, no I mean we've been very early adopters of OpenAI. So the company making ChatGPT the reason is pretty simple is that OpenAI went through YC and the YC community is very strong. So I've seen early demos of ChatGPT and I was excited about what we could make with that in the context of the cybersecurity companion that we made.

    And We're, we've been trying to integrate AI everywhere on the platform since then. The first thing that we did is phishing simulated simulation, generated email. So basically you can very easily type generate an email targeting David. And announcing that his next payroll will be sent to a new bank account or something like this, and it would generate automatically an email.

    And I mean, those tools will be used by hackers too, so absolutely, that's something that you have to be [00:34:00] aware of. But I think the most advanced use case we've had with ai we created A, a, a special course on the program where you, we put you in the shoes of a hacker and you're trying to hack a fictional character that we called Linda.

    And so Albert would teach you techniques that hacker use to convince people to give. I don't know, a credit card number or something like that. So that's the scenario. So you're put in, in front of Linda and Albert is coaching you to use those techniques to get Linda's credit card from the, from the shoes sitting in the, sitting in the chair of the hacker.

    So they kinda walk you through how they attack as well. Exactly. So you're, you, so you have this fictional character and you have to you send out a message saying, Hey Linda, congratulations. Great. You won a trip to the Maldives or something like this? And I mean, you know, it's like role [00:35:00] playing game where you're the hacker now and you have to convince this character to give you the credit card numbers.

    And so, I mean, something that I. I, I think AI will have, make a big difference as in teaching. Because absolutely you can play those games where you, you're put in the shoes of a hacker and it would teach you and something that has never been done before. You would never be able to do that before.

    And to replicate a fake human that you can act. Yeah, absolutely. Yeah. We've, we've been, we are actually leveraging it in many different ways. Even in, in, in, in our role where we're able to use things that can attend meetings when humans can't attend every meeting. And not only capture the meeting notes, but give some business intelligence from that meeting.

    Like, Hey, are we aware that, you know, this group talked. X percent compared to this group, this group only asked questions or was only able [00:36:00] to decipher this type of data. We really wanna be able to train everybody to get all five things of data in our conversations and not to talk as much, ask more questions.

    Right. And, and it allows you to kind of leverage and do it more massively. Really interesting. Really interesting. Exactly. And, and at scale. Yeah. So that's something that's new. I mean, absolutely. It's brand new. Yeah. Yeah, yeah. Even for hackers, you know, it'll make a big difference. I mean, the attacks that can be created with ai they have, they are years ahead of any attacks that you see today.

    I mean I don't know. Have you heard this story about this mother in Arizona who got a phone call from her daughter who was supposedly kidnapped. You've heard this one. Oh, of course. Yeah, yeah, yeah. I mean, she, she got this frantic phone call and she swore that it was her daughter's voice because they had captured her daughter's voice.

    On some TikTok or [00:37:00] something. Right? And then through ai, they replicated it, changed the words, which pretty easy. There's a million platforms, there's several platforms out there that allow you to do that. And then played it back to the mom to get the mom to pay money for a ransom or something like that.

    Really intense. Exactly. Intense. It was all over the news. Yeah, pretty common. I mean, we've been exploring, we have an episode on Deepfake and it's, you know, when AI couples with deepfake it's, it's just going to get worse. You know, the FBI here in the US had a, had an alert last summer about cautioning businesses for deepfake because so many, even though the pandemic isn't as intense or.

    You know, people are back out in person much more today than they were a couple years ago. There's still quite a bit, we still all discovered the power of scale by being able to be virtual, right? Like, you don't need to fly to Minnesota for a meeting. You can attend one in Minnesota in the morning, one in Kansas City in the [00:38:00] afternoon, et cetera, right?

    Without having to go anywhere. But what what the FBI was cautioning on is during hiring practices. People were using deep fake to get jobs and they had, using stolen credentials, they would get hired and work remotely. And the problem was, is then they didn't even have to hack the company. Right?

    They were given the credentials to the company, and then these threat actors were able to access everything. And it was so common that the FBI actually even sent an alert about it last, last July. Wow. That's crazy. Yeah, it is crazy. And so you would get access to the data of the company? Yeah.

    Because? Because they hired you? Yeah. Because they hired you because over a Zoom or a WebEx, they interviewed this person who wasn't really the person. Right, and they showed some of the differences and you're like, it's barely spottable. Like some of it was really good, like some of the lip syncing was off, and we all know in time that'll get [00:39:00] better, right?

    As, as the deep fake technology advances all that will get even better. Right. So pretty scary stuff. It's pretty, it's pretty, it's like the wild west. Yeah. And we are just, we're living in the wild West. There's new things coming from, from everywhere. One other thing I wanted to ask you is, what are your thoughts on how AI will allow people to advance in their spear phishing meaning, And I think you, you, you did just touch on this, but to me spear phishing has always been more effective than general phishing, right?

    You send out a blast of 20,000 some generic language, and while it's not that I. Persuasive, you'll still get a small percentage of that 20,000. They'll still click, you'll still run the exploit, but spear phishing much more effective. Right? We're targeting one company. We have some proprietary, some interesting, relevant information for that company or for that person.

    And it looks very real. It looks it's much more effective. [00:40:00] And my thought is AI will allow people to scrape that and launch those at scale. I mean, is are exactly, are you seeing, are you, are you seeing that by, by, by some of the social engineering groups? It's part of the work we're doing. We're explaining ways to do it at scale internally, just for train training purposes.

    And I agree with you. I mean, it's it's a point in time where you probably have a ton of data on anyone right now on the internet because of data breaches, because people have been sharing too much on social networks. Mm-hmm. You can you can scale the open source intelligence part and mm-hmm.

    From there you can use open AI or any natural language models to to generate attacks that are specifically targeted for this person. But at scale, I mean, for every, any person. Right. And I mean, another thing that we're seeing right now is, It's not gonna be over. Probably the attack of the future is not gonna be over email.

    It's probably gonna be over a different [00:41:00] format over Slack, a WhatsApp message, a message on Facebook Messenger or, or something like this. And I, I would imagine in the year we would see your text where you get a WhatsApp message from your boss with voice message from him, with the same voice of your boss asking you to do something.

    And it's obviously not your boss. I would imagine this is, this will become much more common in the second part of the year. Yeah. Interesting. And that'll be, that'll be something definitely to, to, to watch for. I mean, the one of the. More recent Uber breaches involve like multifactor authentication, fatigue.

    Right. Where they got the employee. Yeah. You know, they, they, they bought or located stolen credentials. Password is email. Right. Tried to log in. Oh, there's multifactor authentication. So it kept sending a notice to the employee. They just kept doing it. They, apparently they hadn't set it so that after a certain number of attempts, it would stop, but it just kept doing [00:42:00] it over and over and over.

    And then they went to WhatsApp and said, Hey, this is IT. We're trying to do some, some, some work. Can you please just approve that and approve it? Yeah. Yeah. And the employee was like, fine, you've been pinging me forever. Boom. Right. And then, and then they launched. And so that, you know, I, I, I can see that going to different platforms, right?

    And, and you could, you could pretty easily determine what organization, what platform an organization is using, right? If they're a Microsoft shop, they're using teams, right? Whether they're using Slack could be obtained or, or, or figured out. Fair, fairly easy. And then you can launch the attacks through that.

    So that's really interesting. Exactly. So, so let me ask you this then. How is Try Riot going to, how is Riot going to adapt to that? What kind of trainings are you gonna do? Like, what's next If you, if you see this coming, I'm sure that something like that would be in the works for you guys. Yeah, I mean, we tried [00:43:00] simulating attacks over SMS and it's much harder than we thought because we need to get the approval of the.

    The telecom companies. And that's something that we are not, we were not able to do yet. But and we've been exploring phishing attacks attacks over phone, phone calls. Yep. And yeah, this, this, this is, this will be, I think it's still very hard to do in real time, so bit a bit hard but I think we'll be able to do it by the end of the year and we'll be able to simulate a scenario over a phone call.

    And That's something I'm very interested about because I really think, I mean, emails will still be big, but it's going, the format is gonna change, so, yeah. Okay. So, oh, that's so interesting. And, and let me ask you this, so the, the smishing, the actual. Reaching out by text. That can be more of a challenge because there's like the anti CAN-SPAM Act and like in the US there's rules about you're not allowed to text people without their permission.

    People do it all the [00:44:00] time. We get, we get rogue texts all the time, robo calls, all that stuff. Anyway, but the point is it is illegal, so that can be kind of blocked. So, You, you would just need consent first, which kind of gets in the way of just like, well, we're trying to train these people. Can you just uniformly give us consent, like as their employer or something?

    But but so the, the vishing sounds really good. I mean, that if you were able to develop something like that that's, that's really critical. What about and maybe they're a little bit less common, but like, USB drops, things like that, those were so common back in the day where you know, you would, you would put a script that would just be an alert on the USB, let employers drop them in common areas.

    With some label on them that's appealing, that make people want, want to do it. They would go plug it into their pc and then all of a sudden it's like, you shouldn't have done that. We have a policy [00:45:00] against this. Right. This could have been a remote access, Trojan, malware, ransomware, whatever. Any thought to that or is that, is that tactic less common today?

    I think it's to me it's an attack of the past. I don't think I, I don't see that growing. I mean, most computers, they don't even have a USB port anymore. Well, and it's my laptop. People aren't, yeah. And people aren't really in the office all together at the same time. Exactly. Right. So, yeah. Okay. I was just curious.

    Thanks for that. No, no, but that's true. It's a good question because our competitors, they do it. So we've been, we've been we've been challenging the idea for the past few years. But I've been avoiding that. I think I think hackers, they prefer to attack companies that are far away from their home.

    So I don't see them going to a parking, dropping USB keys. Right, exactly. It's more, it's more, it's not something that's, we've been, we've been at the beginning of Riot, we were focusing on small and medium-sized businesses. [00:46:00] I think this might be an attack targeting enterprise companies. Yeah. But I, I don't see, I don't see that happening to smaller companies.

    Absolutely. So just before we wrap up and Ben, this, I hope this is not the last time we talk, cuz I, you, you are, you, you and Riot are really at the cutting edge of, of, of, of this. And so we're excited to watch your progression and your, and your meteoric rise. So We hope that we get to, to, to follow your arc and, and, and touch base maybe later on this year and see how things have, have even advanced further.

    What so what is what, what, what is next for, for, for Riot? I mean, what are, what are some of your kind of mission critical priorities? I think Albert is gonna be a, a bigger part of the company now. I want Albert to be able to answer questions for that the employees might have. Questions like, I found a USB key.

    What should I do? You know, some, some more. You know what, today [00:47:00] it's mostly Albert talking to the employee. I want the the, the employee to be able to ask questions when something happened in their life, you know? So the SB key is a good good, good option. You know, I got this USB key, what should I do?

    Can I plug it into my computer? And I want those answers to be con contextualized for the company. So based on the rules that the, the, the security team decided. So that's something that will be, I mean, most, 80% of our work right now is using ai. I mean, we're, most of the features we're working on right now involve at some point ai.

    It'll be a to, to us. It'll be a big game. It's a game changer for the whole industry. Sure. Yeah. And it allows you to customize things at scale, right? Like you're able to Exactly. To make it real suitable for an organization. And then, and then you can scale that across many organizations. That's phenomenal.

    And you, you know, there's a shortage, there's a shortage of talents in cybersecurity. Yes, we are. [00:48:00] We are quite aware of that. Right. And, and so this allows, so maybe the next, yeah, yeah. The next hire may be a virtual assistant or a virtual agent. Right. Helping you. Yeah. On the next episode of this show, we'll have an avatar here.

    It'll be Albert. He'll just be here asking questions. No, you'll, you'll still be here in in 30 years. They said no. That's the plan. You're not gonna be replaced. Albert. Albert is not gonna replace you. I know. Don't worry about it. Yeah. I'm not very replaceable. That's, that's awesome. Hey Benjamin Netter try riot.com.

    Please check it out. Thank you so much for taking time with us today. We encourage everybody to check it out. Thank David. It's really, really cool. We will talk again soon, my friend. Thank you so much. Great to see you, David. Great to, to see you. Enjoy Paris. Thank you. Bye-bye. Thank you my friend.

    See you. Bye.

    Hey. Well, that's a wrap. Thank you for listening. Our next episode [00:49:00] starts right now. Please be sure to subscribe to our YouTube channel. It's free, and download the podcast episodes available everywhere you get podcasts. To support our show and get exclusive pre-release episodes and bonus content, please subscribe to Cybercrime Junkies Prime.

    Link in the description and show notes, and thanks for being a cyber crime junkie.