#93 Matt Holland: Zero Day
Matthew Holland, founder and CEO of Field Effect Security and a leading cybersecurity authority, discusses the state of cybersecurity, attacker mindsets, and defending against threats. He shares insights from his intelligence agency background and advises businesses on navigating the complex cyber landscape.
Deep Dive Analysis
16 Topic Outline
Introduction to Matthew Holland and Cybersecurity Background
Early Career at an Intelligence Agency
Transition to Private Sector and Founding Linchpin Security
Lessons Learned from Growing and Selling Linchpin Security
Motivation for Starting Field Effect Security
The Current State and Pillars of the Cybersecurity Industry
The Attacker's Mindset and Exploitation Process
Challenges and Nuances of Mobile Operating System Security
Understanding Ransomware: Mechanics, Impact, and Prevention
Critique of Cybersecurity Vendor Sales Strategies and Jargon
Key Questions to Ask Cybersecurity Vendors
Discussion on Huawei and National Security Concerns
Reflections on Edward Snowden's Actions and Impact
Recruiting and Empowering Talent in the Private Sector
Scaling a Company and the Importance of Execution
Final Advice on Cybersecurity Preparedness for Businesses
8 Key Concepts
Offensive Cybersecurity
This pillar encompasses traditional hacking, ransomware, and intelligence agency operations. It exists largely because humans are generally poor at writing secure software and is driven by economic incentives.
Defensive Cybersecurity
This pillar focuses on protecting against cyberattacks, offering solutions like antivirus, anti-spyware, firewalls, and endpoint detection. The industry often presents these as fragmented, requiring businesses to cobble together multiple, often ineffective, solutions.
Faux Cybersecurity
This refers to activities like election interference or organized social media influence campaigns that are often categorized under cybersecurity but are not directly related to traditional computer security or network defense.
Zero-day Exploit
A zero-day is a vulnerability unknown to the vendor and the public, so no patch exists; a zero-day exploit is the code that leverages it. These are highly valuable to attackers because defenses that rely on known signatures or on the vendor's fix have nothing to match against.
One-click vs. Zero-click Attack
A one-click attack requires user interaction, such as clicking a malicious link, to compromise a device. A zero-click attack can exploit a device without any user action, making it extremely stealthy and dangerous.
Sandbox Escape
A technique used by attackers to break out of a restricted execution environment (a sandbox) in which an application such as a browser renderer is confined. Because the sandbox is enforced by the operating system and by more privileged broker processes, escaping it usually requires a second, separate vulnerability; once out, the attacker has the access of an ordinary process on the host.
Privilege Escalation
The process by which an attacker gains higher-level access permissions on a computer system. This often involves moving from a standard user account to an administrative or even kernel-level access, effectively taking full control of the system.
Ransomware
A type of malware that encrypts a victim's data or locks them out of their systems, demanding a ransom (often in cryptocurrency) for decryption or restoration of access. It can also involve exfiltrating data to further extort the victim.
9 Questions Answered
He left because he perceived a ceiling on his growth and the group's vision, feeling that arbitrary limitations were placed on innovation, which was not an environment where he could continue to grow.
Linchpin made a splash by releasing a tool called 'Atsiv' ('Vista' spelled backwards) that loaded an unsigned driver on Windows Vista, circumventing the mandatory driver-signing feature that Microsoft had heavily promoted as a security silver bullet.
Attackers initially profile online services, email addresses, and social media presence, then typically launch social engineering campaigns (like phishing emails) or brute-force passwords for basic email setups to gain initial access, then escalate privileges and potentially redirect finances.
An attacker might send an email with a malicious link; opening it exploits a web browser bug to gain code execution inside the browser's restricted process. A sandbox escape then breaks out of that environment, and a privilege escalation takes the attacker to kernel-level execution, effectively taking full control of the operating system. Each stage typically needs its own vulnerability, which is why such chains are expensive to build.
While Android's fragmentation makes mass attacks harder, individual vendors often customize the OS and may miss critical security fixes from the main Android branch, making targeted attacks against specific vendor builds more successful. iOS, with a uniform OS across devices, means a single vulnerability typically affects every device running that version.
Ransomware typically has a very basic attack profile (it must touch and rewrite large numbers of files on the host), which makes it relatively easy to identify and block with capable on-host (endpoint) security and proper tradecraft. Network-only monitoring is insufficient because the encryption happens on the endpoint and little of it is visible on the wire.
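To make the "basic attack profile" concrete, the following added example (not code from the episode, Field Effect or any product) implements the kind of host-side heuristic an endpoint agent can apply and that a network sensor cannot: a process that rewrites many distinct files with high-entropy (ciphertext-like) data within a short window and renames them to a new extension gets flagged. The event format, thresholds and sample event stream are constructed for illustration; a real agent would receive these events from a kernel file-system callback rather than a Python list.

```python
"""Host-side heuristic for ransomware-like file activity.

Added example for this page, not code from the episode, Field Effect or any
product. The event format, thresholds and sample events are constructed for
illustration; a real endpoint agent would get these events from a kernel
file-system minifilter or equivalent callback, not from a Python list.
"""
import hashlib
import math
import os
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, 7.5+ for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_ransomware_like(events, window_s=10.0, min_files=5, entropy_threshold=6.0):
    """Flag a process that, within `window_s` seconds, overwrites at least
    `min_files` distinct files with high-entropy data and renames at least one
    of them to a different extension. Returns one alert per offending pid."""
    hi_writes = defaultdict(list)   # pid -> [(t, path)] high-entropy overwrites
    ext_renames = defaultdict(set)  # pid -> {old_path} renamed to a new extension
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["t"]):
        pid = ev["pid"]
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= entropy_threshold:
            hi_writes[pid].append((ev["t"], ev["path"]))
        elif ev["op"] == "rename":
            if os.path.splitext(ev["path"])[1] != os.path.splitext(ev["new_path"])[1]:
                ext_renames[pid].add(ev["path"])
        # Sliding window of this process's recent high-entropy overwrites.
        recent = {p for t, p in hi_writes[pid] if ev["t"] - t <= window_s}
        if pid not in alerted and len(recent) >= min_files and recent & ext_renames[pid]:
            alerted.add(pid)
            alerts.append({"pid": pid, "t": ev["t"], "files": sorted(recent)})
    return alerts


def _pseudo_random(seed: str, n: int = 512) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:n]


def sample_events():
    """Constructed event stream: one encryptor, one word processor, one backup tool."""
    events = []
    # pid 4242 behaves like ransomware: overwrite each document with
    # ciphertext-like bytes, then rename it to a ransom extension.
    for i in range(6):
        path = f"/home/alice/docs/report_{i}.docx"
        events.append({"t": 0.5 * i, "pid": 4242, "op": "write", "path": path,
                       "data": _pseudo_random(path)})
        events.append({"t": 0.5 * i + 0.1, "pid": 4242, "op": "rename",
                       "path": path, "new_path": path + ".locked"})
    # pid 1001 is a word processor saving plain text: low entropy, one file.
    events.append({"t": 1.2, "pid": 1001, "op": "write", "path": "/home/alice/docs/notes.txt",
                   "data": b"Q3 revenue summary: up 4% quarter over quarter, costs flat. " * 8})
    # pid 2002 is a backup tool writing one compressed archive: high entropy,
    # but a single file and no extension change, so it must not be flagged.
    events.append({"t": 2.0, "pid": 2002, "op": "write", "path": "/home/alice/backup.zip",
                   "data": _pseudo_random("backup")})
    return events


if __name__ == "__main__":
    for alert in detect_ransomware_like(sample_events()):
        print(f"pid {alert['pid']} at t={alert['t']}s: "
              f"{len(alert['files'])} files, e.g. {alert['files'][0]}")
```

The backup tool case is the reason for the count threshold and the rename check: compressed archives are just as high-entropy as ciphertext, so entropy alone would be a noisy signal; it is the combination of many files, a short window and an extension change that matches the ransomware profile and not normal workloads.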
Businesses should ask, 'How are you protecting my company?' and 'What happens when something goes wrong?' They should look for clear, straightforward answers that explain the actual protection mechanisms and incident response, rather than vague jargon like 'next generation,' 'seamless,' 'AI,' or 'machine learning.'
He agrees with banning Huawei from critical infrastructure due to documented ties to the Chinese government, past use of leaked intellectual property, and a fundamental lack of trust. He argues that the rapid pace of software development makes it impossible to reliably vet their code for backdoors or vulnerabilities.
His main criticism is not just the exposure of potentially illegal surveillance but the mass release of legitimate, legal intelligence-gathering programs and techniques. This action damaged trust in agencies working to keep countries safe and exposed people's names, setting back critical operations.
24 Actionable Insights
1. Proactively Secure Your Company
If your company lacks a cybersecurity vendor or assistance, immediately seek one, as every company, regardless of size, is a target for attackers.
2. Prioritize Preventative Cybersecurity
It is significantly easier and cheaper to implement preventative cybersecurity measures and harden your systems against attacks than to react to a breach, a reality that businesses must accept.
3. Demand Holistic Cybersecurity Solutions
Seek a comprehensive cybersecurity solution that protects your data across all potential attack vectors, including endpoint, network, cloud, and IoT components, designed to adapt to future threats.
4. Don’t Fear Seeking Cybersecurity Help
When facing cybersecurity challenges, do not be afraid to ask for help from experts or vendors, as it’s crucial for protection.
5. Ensure Adequate Security Protections
A compromise of customer data brings mandatory reporting obligations and can bring significant fines, especially where it is shown the company was not taking the problem seriously; implementing adequate security protections up front reduces that exposure.
6. Remove Barriers for High Performers
As a leader, remove bureaucratic barriers and quickly provide employees with the tools they need to excel, empowering them to produce amazing results.
7. Unleash Employee Potential
Empower employees by clearly stating goals and problems, providing necessary resources, and allowing them autonomy to solve issues, fostering an environment where they can unleash their full potential.
8. Align Team with Clear Company Goals
Ensure everyone in the company is aligned and moving in the same direction by being straightforward, frank, and honest about internal assessments and clearly communicating company goals to all employees.
9. Foster Team-Centric Entrepreneurship
Entrepreneurs should emphasize that success is a collective effort, not solely about their individual journey, by expressing appreciation for team members and reinforcing that ‘we’re all in this together’.
10. Cultivate Decisive, Confident Leadership
Develop the ability to make confident decisions and avoid paralysis by filtering out noise and focusing on what truly matters, which improves over time with practice.
11. Prioritize Aggressive Execution
In challenging times, prioritize aggressive execution over caution to gain a competitive advantage, understanding that turning great ideas into reality requires focused and effective implementation.
12. Share Knowledge Within Your Team
When you learn something new, share it with your colleagues to foster a strong team environment and mutual education.
13. Implement Multi-Factor Authentication
Enable multi-factor authentication on email accounts so that a brute-forced or guessed password alone is not enough to log in. Attackers use that access to read your mail, profile your routine, and potentially execute financial-redirection scams.
14. Limit Public Digital Footprint
Be aware that attackers profile targets by probing online services, identifying easily accessible email addresses on websites, and analyzing social media presence, so limit publicly available information.
15. Seek Problem-Solving Cybersecurity Partners
When choosing a cybersecurity vendor, look for partners who prioritize identifying and fixing your specific problems and helping you improve over time, rather than just selling a generic software solution.
16. Choose User-Friendly Cyber Solutions
Select cybersecurity systems designed for users without technical expertise, ensuring the solution works effectively even if the user doesn’t have a deep interest or background in cybersecurity.
17. Demand Guided Cybersecurity Action
Opt for cybersecurity solutions that provide clear, concise, and guided instructions on specific actions to take when an issue arises, rather than expecting users to research and implement complex technical fixes themselves.
18. Beware Cybersecurity Buzzwords
When evaluating cybersecurity vendors, be wary of buzzwords like 'next generation,' 'seamless,' 'AI,' or 'machine learning,' as these are often red flags indicating sales jargon rather than substantive solutions.
19. Avoid Bundled Cybersecurity Overload
Do not fall for vendors pushing a multitude of disparate cybersecurity solutions as a single necessary package, as they often don’t work well together and are not all essential.
20. Choose Iterative, Future-Proof Solutions
Prioritize cybersecurity solutions that are iterative and engineered to handle future threats without relying on marketing buzzwords, as these indicate a more robust and adaptable defense.
21. Beware Cybersecurity Black Box
Be aware that the cybersecurity industry often operates as a ‘black box,’ where businesses may not fully understand what they are buying, which can be exploited by vendors.
22. Embrace Solving Hard Problems
Find enjoyment in tackling difficult problems, as this can be a strong motivator for entrepreneurial ventures and personal growth.
23. Pursue Impactful Entrepreneurship
When considering new ventures, choose to tackle significant, world-changing problems rather than simpler ones, as the effort required might be similar but the potential impact far greater.
24. Acknowledge Partner’s Support
Recognize and appreciate the crucial role your partner plays in your success, especially as a workaholic, as their support can be a significant factor in achieving your goals.
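Insight 13 above describes attackers brute-forcing passwords on basic email setups, and insight 14 the profiling that feeds it. The following added example (not code from the episode or any product) shows what that activity looks like in mail-login records and how to pick it out: a single source hammering one account (brute force), a single source trying a few passwords across many accounts (password spray), and, most importantly, a successful login from a source already seen doing either. The log format and sample records are constructed; real sources would be IMAP/SMTP authentication logs or a cloud mail provider's sign-in logs.

```python
"""Brute-force and password-spray detection over mail-login records.

Added example for this page, not code from the episode or any product.
The line format "<epoch> <source_ip> <account> <FAIL|OK>" and the sample
records are constructed for illustration.
"""
from collections import Counter, defaultdict


def parse_log(text):
    """Parse constructed log lines into (epoch, src_ip, account, result) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, account, result = line.split()
        records.append((int(t), src, account, result))
    return records


def detect_auth_abuse(records, window_s=600, brute_threshold=10, spray_accounts=5):
    """Stream records in time order and emit alerts:
      brute_force          one source, one account, >= brute_threshold failures in window
      password_spray       one source, failures against >= spray_accounts accounts in window
      success_after_attack a successful login from a source already flagged
    Each alert fires once per (type, source[, account])."""
    recent_failures = defaultdict(list)  # src -> [(t, account)] within the window
    flagged, alerts = set(), []
    for t, src, account, result in sorted(records):
        fails = [(ft, a) for ft, a in recent_failures[src] if t - ft <= window_s]
        if result == "FAIL":
            fails.append((t, account))
            per_account = Counter(a for _, a in fails)
            if per_account[account] >= brute_threshold and ("brute", src, account) not in flagged:
                flagged.add(("brute", src, account))
                alerts.append({"type": "brute_force", "src": src, "account": account,
                               "failures": per_account[account]})
            if len(per_account) >= spray_accounts and ("spray", src) not in flagged:
                flagged.add(("spray", src))
                alerts.append({"type": "password_spray", "src": src,
                               "accounts": sorted(per_account)})
        elif result == "OK" and any(key[1] == src for key in flagged):
            # The password worked: this is the login that MFA would have stopped.
            if ("success", src, account) not in flagged:
                flagged.add(("success", src, account))
                alerts.append({"type": "success_after_attack", "src": src, "account": account})
        recent_failures[src] = fails
    return alerts


def sample_log():
    """Constructed records: one brute-forcer, one sprayer, one legitimate typo."""
    lines = [f"{1000 + 5 * i} 203.0.113.7 bob@example.com FAIL" for i in range(12)]
    lines.append("1070 203.0.113.7 bob@example.com OK")
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"{2000 + 3 * i} 198.51.100.23 {user}@example.com FAIL")
    lines.append("2030 198.51.100.23 erin@example.com OK")
    lines.append("3000 192.0.2.10 alice@example.com FAIL")  # mistyped password
    lines.append("3004 192.0.2.10 alice@example.com OK")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_auth_abuse(parse_log(sample_log())):
        print(alert)
```

The legitimate user who mistypes once and then logs in produces no alert, while both attackers produce two: the failure pattern and the later success. Multi-factor authentication removes the second alert entirely, because the guessed password no longer completes the login; the failure patterns remain useful as early warning that an account is being targeted.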
6 Key Quotes
Everybody is a target at this point. Your company is not small enough to be off an attacker's radar. I have seen five-person companies. Actually, I've seen two-person companies attacked and hit.
Matthew Holland
The current state of the cybersecurity industry, to say it's a hard problem is an understatement. It is an unethical shit show, I would say.
Matthew Holland
The only true working cybersecurity solution is one that looks at it from where's your data. How are you going to be attacked across the board?
Matthew Holland
If somebody uses the word next generation, seamless, we'll stop everything. Yeah. AI, we've got machine learning, any of that, if any of that comes up, big red flags.
Matthew Holland
It's much, much easier and cheaper to be preventative and to harden your system and be ready for attacks.
Matthew Holland
A little part of me will die if he's pardoned.
Matthew Holland