4 Takeaways I Got From Planet Cyber Sec 2025, Part 1

Planet cybersec on February 26, 2025 was a great time. https://planetcybersec.com/022625-conference/

On the way to Planet Cyber Sec I took a few Zoom calls from Per Scholas. When I got to the venue, I grabbed my name tag.

I met a few new people who work in government, Freddy and Patty. Freddy does training, and Patty is at the Secret Service. It was very nice to meet them, meet some more new people, and see some familiar faces.

There were a lot of speakers, but I wasn’t able to see all of them because I was also waving the flag for ISSA LA. I set up the table and introduced a few people to ISSA.

I was able to attend a panel for Law Enforcement, and I got to hear from people from government agencies like CISA, the FBI, and DCIS.

One new phrase I learned was "Left of Boom," which means the period of time before a significant event, like an explosion or a cyber attack, when proactive measures can be taken to keep it from happening. It refers to the actions taken to the left of the "boom" on the timeline, before the event occurs.

After the big bad boom happens, the FBI gets involved. They are not an incident response company doing digital forensics; they are trying to figure out who did what and why. They are not trying to protect a business the way an employee would.

Takeaway 1: Social Engineering Is Still A Thing

Social engineering tries to make you act with urgency, whether that means clicking a link or reacting to an email bomb.

Microsoft Quick Assist is a built-in Windows feature that lets you remotely connect to another computer, and threat actors take advantage of it.

This isn’t exactly new… but it keeps happening. FBI cyber cases are rarely purely technical. Many of them at some level involve social engineering.
Takeaway 2: Social Media Is An Attack Vector

On the CISA side, the 2024 Presidential Election was the biggest priority, especially anything that touches critical infrastructure, like systems affecting voting.

Election misinformation is another thing CISA tracks.

Depending on your age, “social media” could mean anything from Facebook to TikTok. People talk about crypto on Discord or WhatsApp, then a new member provides an email or phone number, and now criminals can target that person with crypto-related threats. The FBI has found cryptocurrency that was lost or stolen because someone was involved in one of these groups.

Like advertisers, criminals are trying to build a high-value target profile of you. Okay, this guy likes crypto, he is in these groups, he bought this wallet… then they can try to social engineer you into disclosing your private keys or passwords out of a sense of urgency, so they can steal your bitcoin.

It is often easier to hack a human than a machine.
Takeaway 3: Protect Your “Cyber Ecosystem”

Just like we subscribe to Disney or Hulu, cybercriminals sell subscriptions to malware, called Malware-as-a-Service or MaaS.

Some threat actors are not super tech-savvy: they just go to a guy who sells MaaS, buy it, and use it for things like credential harvesting.

So how do you investigate a cyber compromise? It is hard to find out quickly. The FBI might try targeting the MaaS vendors, but what if the bad guy is in Kuwait, or Russia, or somewhere else outside its jurisdiction? Well, the FBI could try to repatriate the money, make the bad guy’s name public, or work with the Treasury to make life harder for the threat actor or their family.

Operation Endgame was one successful operation that was mentioned.

Takeaway 4: AI Can Be Used For Offense or Defense

Artificial intelligence needs only 15 or 30 seconds of your voice to clone it. It can be used for a lot of nefarious activity.

AI will lead to opportunities, and also to threats.

What if a criminal is distributing purely AI-generated child porn? No laws are ready for that.

What about elderly loved ones? An FBI agent’s mom is older, and she thinks Tom Selleck is her friend on Facebook. She even sends him gift cards, and even though everyone tells her “that is not Tom Selleck,” she doesn’t listen. It could be a person, or an AI agent that was trained to respond like Tom Selleck; either way, it could be a dangerous threat.

Q&A from the audience:

Could we say to management that 95% of problems are clicking on bad links in email?

Well, it is low effort, high reward. There are levels of sophistication to it, all aimed at creating a false sense of urgency. People get spam or phishing emails, and Gen AI can improve those phishing emails claiming to be from Amazon or Walmart or wherever.

Solution: Companies need to train their employees to avoid this. Always go to a known source. Google it first; do not just click on a link in the email.

What about advertising?

The unsubscribe button does little for you if it is not a legitimate company; a spam company could see that click as verifying an interaction.

What about phone calls? Could someone call you and try to get you to talk and clone your voice?

Well, that is definitely something to look out for.

What is the best piece of legislation or statute that would make your job easier?

Here in the US, creating and selling malware for profit is not a crime. The FBI could find an extremely productive malware company, and that company has zero liability. They can say “it’s for education” and they are covered.

My question was about the cyber ecosystem, which is an ironic phrase: your computer, your phone, pretty much all technology is artificial, but it is now a part of our natural human ecosystem.

If you are a victim of a cyber incident, get in touch with government authorities like DCIS, the FBI, or CISA.

IC3.gov is a central place for reporting cyber-related crime. https://www.ic3.gov/

This website is part of the Financial Fraud Kill Chain (FFKC), and it automates the process of investigating these crimes.
