The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Secret Service Agent Reveals Undercover Cyber Ops
What does it take to go undercover with international cybercriminals, with no backup, no safe house, and no script? In this episode of The Audit, Richard LaTulip, Field CISO at Recorded Future and former U.S. Secret Service agent, pulls back the curtain on three years of undercover operations spanning Thailand, Dubai, Macau, and China. From buying stolen credit card data in bulk to handing cheap government-issued laptops to disappointed hackers, Richard shares the raw, unfiltered reality Hollywood never shows you.
Co-hosts Joshua J Schmidt, Eric Brown, Nick Mellem, and Jen Lotze dig into the psychology of social engineering, the stark differences between nation-state and financially motivated threat actors, and why your employees are simultaneously your greatest asset and your biggest vulnerability. Richard breaks down how SolarWinds revealed the patience of nation-state operations, why cultural awareness is a cybersecurity weapon, and how organizations can shift security from a cost center to a value driver.
Key Topics Covered:
- Undercover operations against international cybercriminal networks: the reality vs. the Hollywood version
- Nation-state vs. financially motivated threat actors: how their goals fundamentally change defense strategy
- The ClickFix campaign and social engineering attacks targeting human psychology
- How Recorded Future delivers actionable, tailored threat intelligence vs. generic feeds
- Why tabletop exercises need HR, communications, and every department at the table
- Cultural dimensions of cybersecurity, from Eastern European honeytraps near nuclear sites to password reuse psychology
- Turning your security team from a "cost center" into a trusted business ally
- Operation Carder Kaos: Richard's new book chronicling the untold human side of undercover cyber operations
Richard's book Operation Carder Kaos is available now on Amazon.
Like, share, and subscribe for more in-depth cybersecurity conversations. Don't forget to leave a review; it helps us reach more security professionals like you.
It was my own cloak of anonymity and believability that was the deciding factor, oftentimes, of whether I went home at night or not. Everything was coupled with drinking. And so there were plenty of opportunities, that I talk about again in my book, about always having to be in role and always having to be successful in the communication and not making errors, especially when drinking.
Joshua Schmidt: All right, welcome back to The Audit. Today we're joined by Richard LaTulip. He's a Field CISO for Recorded Future, and he also just wrote a book called Operation Carder Kaos. We'd like to have him on today to talk about his experience as a former Secret Service agent and operative. So we are going to kick it over to Richard. We'd love to hear more about you. Richard, give us a little background on yourself, and thanks for joining us today.
Richard LaTulip: Yeah, no, thank you for the introduction and thank you for inviting me to be on The Audit. It's great to be here, coming to you from Nevada. As you mentioned, Field CISO is my current role for Recorded Future, but let's rewind the clock and go back in time. It was 1995 when I joined the United States government, 1998 when I switched over to the United States Secret Service. And whenever I speak to groups and guests, I kind of have that little briefing: you think of the Secret Service and you think of the President of the United States, you think of maybe In the Line of Fire, you think of someone running alongside a limo. And then you say, well, cybersecurity, where does that fit in and why? Where did you get into that? And so I think for me, when I look back at my career, I sit there and say, it's interesting. I saw almost immediately, in terms of investigations, a huge role that the computer played in helping to facilitate crime. And so we had started this program for computer forensics, and I wanted to get involved because everything at that moment in time, it was kind of that perfect storm, was aligning itself with the underground economy, the birth of it. Not that it didn't exist before that. I think really law enforcement, let's say, was behind the times, if you will, in terms of what was going on online.
Eric Brown: And the Secret Service also does other things than guard the president or work with cyber; there's a money laundering or a counterfeit piece to it too, isn't there?
Richard LaTulip: Yeah, I mean, this is really going back in time, when we start talking about the creation of the Secret Service. I think a lot of people know it now, but just in case, just to refresh memories, if you will: President Lincoln was approached by the Secretary of the Treasury, and the things that he identified were that there was no standardized currency, and a lot of the currency that was being created was pretty much counterfeit. It was fake, it was worthless. And so Lincoln said, hey, create a bill that, if you get it passed, I will sign, that basically created the Department of Treasury and the first, let's say, federally funded law enforcement arm of it, called the United States Secret Service. The day he signed it, he went to Ford's Theatre and unfortunately got shot. At that moment in time, what they say is that a U.S. Marshal was there. He wasn't necessarily standing next to the president when this all went down, but he was there and present, because there was no really formal protection arm of the Secret Service. We were really created to protect the financial infrastructure of the United States.
Joshua Schmidt: We spoke a little bit before this podcast. You spent three years working undercover, meeting international cyber criminals in places like Thailand and Dubai. What does that actually look like, working undercover, you know, investigating clandestine cybersecurity, the various actors?
Richard LaTulip: Yeah, I mean, so the birth, if you will, was Operation Firewall. And that case really brought a spotlight, not just from, say, a law enforcement perspective, but internationally. The headlines, if you remember at that time, it was happening quite a bit and quite often. And Congress was worried, along with the credit card industry and the financial infrastructure, right? The industry was worried about what was going on and the path that it was taking, right? And so all of a sudden, with the spotlight shining and the opportunity for funds to be invested into this type of work, they were popping up all over the place, right? So, Operation, you can name it, right? There were so many different operations, not just with the Secret Service, but with the FBI and the U.S. Postal Inspection Service; they were coming from all over the place. And so that was kind of the goal. And so what I had seen at that time were a lot of individuals who were going behind the computer, and they would go into these forums and they would try to start relationships with people who were online. I worked in a very unique district. The case originated for me in San Diego through the arrest of a local informant who had just recently come back from Shenzhen, China, where he met a threat actor by the name of Slim Beatty. There were others there as well, but he was the most prolific. He came back, and when he came back, I ended up arresting him. I chronicled a lot of this in the book that I had written. And so he came back, we arrested him, of course, and then he divulged all this information. Being in San Diego, we are so close to the border, and the political atmosphere, let's say, at that time was really focused on the border: what was going on there, the amount of drugs that were coming into the United States, and being able to stem that flow.
And so the Secret Service was, okay, well, we have this case that has an opportunity to go international. And they said, well, here's the deal. We don't want to, and this was a phrase that was often used, FNU LNU, which stood for first name unknown, last name unknown, and then aliases. So we didn't want to indict a person by their alias. We didn't want to indict the person by FNU LNU either, and be able to say, okay, well, we've got this anonymous person that's lurking out there that uses some pseudonym. So they said, look, if you're going to do this, we want real bodies. We want to be able to ensure we indict that person that's actually hands-on-keyboard, that's doing the crime that we're accusing them of. And so they gave me a runway to do this, right? Because then I started briefing my supervisors: hey, we got a guy who just came back from Shenzhen, China, who met with these people, and we have an opportunity. We need to take the digital world and move it to the real world. We'll start online with these interactions, but we're going to pivot as soon as we can to a place we can operate. And when we do that, we're going to meet with these people face to face. And now we're going to be able to put you behind the keyboard.
Nick Mellem: I wanted to piggyback off that question a little bit, because at IT Audit Labs we're into social engineering. It's something we enjoy talking about, and we talk externally about it with clients too. I'm curious how that might tie into the work you were doing, specifically maybe around the training that they're giving you before you go out, right? You're good technically, but now you might be going to meet somebody face to face. Is the training looking in the mirror in the morning, like, I'm ready to go, this is it? Or are you going to a training school for six months, you know, for undercover work? What does that look like?
Richard LaTulip: Typically in the Secret Service, for persons that said, I want to do undercover work, they just go, okay, well, let's do it. That mostly entailed something local, and mostly entailed something that, at that time, was going on behind a computer. And so if you can imagine, I'm going to go undercover, which people would say they would do, and all you end up doing is putting on a shirt of a local delivery company and delivering counterfeit currency to whomever it was. And if someone answered the door and signed for that packet of illegal goods, you would then execute a search warrant. That would be the extent of your undercover operation, right? It'd be very short-lived. This is now long-term, so you would think there would be some long-term kind of preparation for it. But, you know, I guess I would say, where did my preparation come from? Four years of being in college, of drinking, playing drinking games, socializing, meeting new people, and expanding your own social background; coming to San Diego, same thing, meeting unique people, unique characters. I was single a lot during this time when I was in San Diego. And so I would go to bars, I would meet all different types, right? From your bankers and lawyers to the persons that sometimes were very free in sharing that they currently had drugs in their possession, and they would even offer it. And so that was kind of the training ground for me. I didn't have that, and I say this in the very beginning of my book: when we start talking about tactics, or we start talking about what it is that you did, your techniques, I was learning from a white page. I was doing it on my own. I was writing the words as they were happening. I was coming up with the strategies and I was using those. Some of the strategies worked, some of them didn't. I think I talk about telling jokes to people whose culture I didn't necessarily understand everything about.
And so when I would tell these jokes, I would learn very quickly whether they landed or they didn't. And you'd look at the face on the person and you'd say, yeah, well, that's probably a cultural American joke.
Nick Mellem: So you really were pioneering the path of this practice and learning on the job, trial by fire. I like the comment you were making about funding, because I think for me, especially when I think about the Secret Service, you might think of, you know, James Bond. He's got Q. He's going into the room there, and he's got all kinds of crazy toys and gadgets you'd never think about, cars that shoot rockets, you know, whatever it is. So to hear you talk about that was really interesting. But I had similar situations. I spent time in the Marine Corps and we deployed overseas to, say, Afghanistan, the Marjah region. And, you know, we'd get there and we had some Beretta pistols, and sometimes you'd be better off just throwing them at somebody versus actually pulling the trigger. We didn't have gunner harnesses in our turrets or things like that. But there was the Army down the street and they had a bunch of those things. We may or may not have tactically acquired some gunners' harnesses, but that's a story for another day. But it just goes to show that people might think you're going to a war, or in your case, you know, fighting the war far beyond the borders, and you might be mentally prepared, but physically you might not have all the tools that you would assume you would.
Eric Brown: And Richard, just to pivot a little bit and weave in the work that you're currently doing at Recorded Future and the Secret Service background as well. At IT Audit Labs, we're involved a lot on the defensive side, the blue team, if you will, or purple team, where we're helping organizations become more secure, understand their security posture, and put measures in place to keep the threat actors out. And sometimes we have customers that are involved with materials that nation-state actors are interested in. And we don't often get a look behind the curtain as to what's going on behind the scenes with those nation-state actors. We hear a lot that they're highly organized, they have great help desk systems, in the case of ransomware, for instance. But can you give a peek behind the curtain of what these organizations look like, how they're picking their targets, either directly or through distributed services? We know phishing is a big vector, so maybe just wherever you want to take it, but it would be really interesting to hear more about that. And then Jen, with her work at CISA, I know has been on the cleanup side and the information sharing side with a lot of that information too.
Richard LaTulip: Yeah, I mean, just to go on the line of nation-state, and maybe separate the financially motivated threat actor versus the nation-state, right? The financially motivated threat actor, they're concerned about money, they're concerned about a profit, they're concerned about a low bar, or a low barrier to entry. And therefore, if you have the right defenses, they will pivot to weaker targets, right? And so they're very apt to go where the money is and to focus on those types of outcomes, and they're driven by that. Some of these ransomware-as-a-service groups, if you will, right, when you start looking at them particularly, yes, they become very sophisticated in terms of recruitment and requirements. They make people theoretically apply to become part of their team. They make them take tests, they hold them accountable for quotas. You can get fired. They have this HR system that's built into it. And so there are performance expectations from these ransomware-as-a-service groups. Now, when I was doing a lot of the things that I was doing with the Secret Service, one of the interesting things was you saw threat actors who were financially motivated, but some also were very patriotic. And there were a lot of Russian-speaking cyber threat actors at the time that would offer their services. Some were, of course, not offered; some were actually recruited based on their skill sets, identified by the United States government through the attempts at collaboration, of making sure that we can stem the flow of this problem that was going on. But now when you turn the tables and you look at the nation-states, and you start saying, okay, well, we'll take away from that person who's self-providing or self-giving to their state, right? The nation-states' goals are completely different. So the amount of technology that a company needs to protect their intellectual property, the game changes.
Because the goal is what it is that you hold within your systems. There are no ROIs, there are no quotas. I mean, ultimately, if you want to say the ROI, the ROI is getting to the intellectual property that's being held by that corporation. And so this is where, if you think about SolarWinds, you know, why do you know SolarWinds was an intelligence operation by a nation-state? It's because of the complexity that they went to, to do what they ended up doing, and the goals. That beacon that was on everyone's servers, that was going out and beaconing to the world, to the C&C servers, saying I'm available, was on many companies' servers. So a threat actor who was financially motivated could have very easily pivoted and used those beacons to target God knows how many financial institutions and been able to compromise their networks. But that wasn't the goal. The goal was to get into what they considered the ROI, and that was the email systems, that was the intelligence that was derived from it. And that changes the game. So when I talk to clients, I tell them that your game is a never-ending game because, quite frankly, they have no timetables. You bring together the team that you need to be successful, and then you separate. So you need someone from whatever the other group is that has a special skill set that can be applicable to the challenge that they need to overcome. You go out and get that chess piece and you bring it into your fold, and then you attack those systems until the success is achieved. If you need another person, you bring them in. Once you've got it, and once you've cracked the code, so to speak, you send the guy back off on his way, and he goes back to his team and continues to work.
Joshua Schmidt: What strategies have you seen be effective against threat actors that are operating in these nation-state groups or these large organizations that are very thoughtful, very diligent, and very organized in how they operate?
Richard LaTulip: So part of the work at Recorded Future is really twofold: bringing awareness, but bringing intelligence to the forefront of the conversation. When you start thinking of enterprise networks, there are must-have types of, say, layered defenses. Your firewalls, your SIEMs, your XDR solutions, your CASBs, right? So protecting your environment and looking at it from that angle. Sometimes, and this isn't often, but, well, maybe it's more often than it should be, they look at getting a feed from an organization. CISA could be a great example. I have a feed from CISA in which I have, quote unquote, intelligence. Really, you have a feed. You don't have intelligence, because it's not tailored for your organization. It's not necessarily suited for your organization. It can create a lot of noise for your organization. So at Recorded Future, you know, we're bringing the intelligence that's the most relevant to your organization, and it's the most actionable intelligence for your organization, and it's timely. Those are really the components you need to have intelligence that's able to protect your organization from the threats that you face on a regular basis. The understanding, I mentioned attack surface. We have a component where we look at the attack surface; we call it attack surface intelligence. And part of that idea is that we know that forgotten infrastructure that's connected to production, or connected to your actual core network, can become a vulnerability. We've even gone further than that, incorporating AI into our opportunities, connecting to as much equipment, if you will, whatever the vertical is, whatever the technology is, to connect to that, layer on intelligence, use AI, and then create this autonomous threat response tool that will be a force multiplier for organizations, to be able to say, we're going to be looking at the telemetry that's coming into your sensor.
We're going to be making sure that all that telemetry is bolted on with intelligence. We're going to be looking at those threats in real time. We're going to be making sure that the most relevant are being alerted on and brought to your team. Sometimes your teams are very lean, but this technology and this opportunity that we're coming to the market with is really a little bit of a game changer, because you're talking about 24/7, 365, at least having some type of eyes always on the most critical alerts that your organization faces. So there is where I think you can gain an edge, or an opportunity to be able to better protect your organization, because, quite frankly, the layered techniques work, right? But you also need to know where to apply the most of your resources. You do it tactically, you do it strategically, and then that will equal success in the end.
Jen Lotze: I really liked what you said there about strategically and tactically really doing those things to provide that extra layer of protection and always having those eyes on. But I think a lot of what we also do in cybersecurity is we get to talk about the human side of it. Your work undercover, you know, you're probably a human expert, but oftentimes, at least in my experience, I would always focus so heavily on the technical controls, right? Like all the things that I could control within an environment. Can I patch it? Can I keep it up to date? Do I have the right tools? But then, you know, really living in that world of cybersecurity, seeing those attacks happening, that human element is so important. And so thinking also about when I was at CISA, and also what I get to do here, is, you know, getting into organizations, helping them assess exactly where they are, right? So often they don't know where they're at, or they do this assessment and they do an audit and they just put it on the shelf. It just sits there to check the box. But, you know, going in and talking to all of their staff, right? Everyone gets training on cybersecurity. Those are the best ways to tell us what's going on, you know, like doing the tabletop exercise, doing those assessments. And I think that's the hardest part too, because it's such a wide attack vector, with staff within an organization and other vendor partners who are connected to you. So I think you're totally right.
Richard LaTulip: No, I mean, you've touched on a couple of areas that I think are great points. The people who you employ are your greatest assets, but at the same time can become your greatest weaknesses. You know, that's why you see Scattered Spider, for example, as a threat actor group that targets the human. If you can hack the human mind to get them to do something that they may not otherwise do, you are at an advantage. You can win the game, you can get the prize, so to speak. And so making sure we educate and continually educate and continually remind. Just yesterday I was talking to a group of individuals, and the first thing I kept reminding them was, when you have an incident within your organization, why is it so important when you do a tabletop exercise to bring in all aspects, right? The holistic view, to include HR. Why? Social media is so prevalent in today's world, let's say, and people want to get whatever it is that's occurring in their world onto, say, the social network, to be the first, if you will. Think of the MGM network intrusion, where people were taking screenshots; they were screenshotting the slot machines and they were posting on social media. We hope those weren't employees, but HR's role or responsibility when you have some type of incident within your organization is to remind your employees you have an NDA. Don't do this, don't do that, right? Stay off social media, don't comment, don't speak to media. So these are things where I think the tabletops can help, and the consistent education can help, to make our employees better in terms of responding to the potential threats.
Nick Mellem: Yeah, the tabletops I think have really become one of Jen's favorite things to do. She's become a master at running tabletops for organizations and often talks about, you know, exactly what you guys are getting into, bringing everybody to the table, from the janitor to HR, et cetera. Everybody's got a piece to play.
Jen Lotze: Yeah, I think that's the best part of the work that we get to do, right? We get to include everyone, because I think for so long, all of us working in IT and cybersecurity get to see that IT is no longer in the basement. Cybersecurity, unfortunately, but also to IT's advantage, is everyone's lift. Everyone has to keep us secure, just like you said. Our people are our greatest strength and also our biggest vulnerability as an attack surface. So I think the more that we just start talking about it... I was with a super mature organization yesterday, with great technical controls, but they hadn't really talked through types of attacks and how they would technically respond. And our technical friends don't really often think about the communication aspect of how you then convey what's happening with the hands on the keyboard to the rest of the organization, or out publicly. And so I think that's where talking to each other and bringing people into the fold is also a really cost-effective solution. Just talking about things is good too. You don't always need that super epic, expensive tool.
Eric Brown: The ClickFix campaign, that's one that's been really pervasive, and we've seen it both in phishing tests, where the phishing tests replicate the ClickFix targeted attack, as well as in the real-life attacks that we're seeing from threat actors in the companies that we work with. I was just wondering, from a Recorded Future standpoint, what you're seeing around this particular vulnerability.
Richard LaTulip: Yeah, let me back up a little bit, because I think you've covered a couple of things that are pretty interesting. I'll start with the first non-technical, we'll just say, attack against the human. An individual went around a parking lot and put a note on employees' cars, right? So you think about the whole parking lot: you put a note on the car, I know what you did, and if you don't want your wife to know, you'll pay me 10 bitcoins. And believe it or not, people paid the bitcoins. Not because this guy knew what you had or didn't have against them, but because in people's minds they already think, oh crap, I'm doing something wrong, and I don't want my wife to know about it. Fast forward a little bit to now getting technical. The I Love You campaign, right? Where, you know, people just want to be, I guess, they want to be wanted, they want to be connected. It's a human aspect of life. You just want to be connected, and as a result of that, I think you then spin a different way. And I think this is another thing that was very interesting. So when I lived in Estonia, when I think about it, I laugh a little bit about it, but nonetheless, it's a difference in culture, right? So when I lived in Estonia for a period of time, you know, I would go out and I would meet people and I would ask if they wanted to meet again. And they would look at me and say, oh yeah, sure, why not? You know? And so I would ask for their telephone number, and they would refuse to give me their telephone number, as it was too private. Instead, they wanted my social media, my Facebook page. And at the time I was with the Secret Service, and so I was like, there's no way I'm going to give my social. I don't even have social media. So I realized that if I wanted to meet people, I actually had to create a social media page.
And so if you think about it, think about it in terms of what I wanted and what I didn't want. What I wanted was 10 digits, if you think of it in that regard. Instead, what I got was people's entire life, right? Their history, where they lived, the cars they drove, the families, the friends, the connective tissue, if you will. And so you think about that and you start looking at it from a different angle, and you start thinking about it in terms of, say, why is it that there is a large population of Eastern European women living in North and South Dakota? And you start thinking about this, and well, where are our nuclear weapons sometimes based? They're based in certain areas of the country. And so people are put in these areas because why? Inevitably, there'll be single people that live in these regions. And when they live in those regions, then what are they likely to do? As Americans, one of the things that my wife reminds me of quite often is we talk and we talk and we talk. And as a matter of fact, we over-talk and we overshare, we're overhelpful, and also we never shut up. And so, just like the cultural thing of Americans, I'm of that same venue, right? But what are they very good at in Eastern Europe? Listening. They like to listen, they like to hear the things that you say. And so if I just put the right person in the right place and I just listen to what you have to say, or I ask the right question, depending on culture, you'll get the answers that you want, right? Maybe not the first iteration, but maybe the second or the third or the fourth. And eventually you start cobbling together all of this and it equals intelligence. It's a very interesting aspect. And you move it on to this ClickFix, right? Social media campaigns, what do we know? We know that humans are very apt to take what they know and use it elsewhere. Example: passwords.
If I am apt to go to work and use the complex nature of passwords, then I may be apt to take that and use it at my home, right? Because I've memorized it from work. What else do we know about people? People are not keen to change much in the password that they know. Maybe I change one character, maybe I change two characters. And then we have these social media campaigns. I don't know if you've heard about the invisible body challenge. Oh, if I click on this, I'll be able to use my cell phone, I'll get to see people without clothing on. Well, you know how many people clicked on that? What did they click on? Malware. Did it really show people without clothes? No. But the fact is, these types of campaigns are hitting on the core aspects of the mind and the culture. And so, of course, part of what I do when I go out and I speak to various persons at conferences, or even internal groups, is really just talking about these things and reminding them that we need to be a little bit more cautious about what we do, not just online, but what we do at work. We need to also think about how we, you know, use passwords in point A and point B. Yeah.
Eric Brown: And that's, Richard, where it starts to get where there's more work within the organization from an effort perspective, from a tooling perspective, from a knowledge perspective, where you have the NIST guidance, and they changed it a couple of years ago to have longer, more complex passwords, but not change them as frequently. And that gets you away from the spring 2026 to summer 2026, where to your point, right, people just want to make it easy to remember and get on about their work. And the harder work then comes from the strategic side of knowing all of these things. How do we help an organization secure their data? And that's where we start taking some of the liberties away from the employees who are going to, we know they're going to click on things that they shouldn't click on. They're going to check their Gmail, Hotmail, whatever from a corporate asset. And they may click on things that came into their personal account, but they're doing it on a work computer and they're introducing risk to the organization. The organization has the responsibility to protect itself, its data, its constituents, what have you, by making it harder for employees to do those things. But employees don't necessarily want to have their freedoms restricted. And it's this balance in security around, well, how much are we going to ring-fence so that you can't do these things? You can't use a password to log in. It has to be passwordless or, you know, whatever those things are to make it much harder for that threat actor to move laterally in the organization. And I think at some point it becomes that psychology of security rather than just the technology or the policies or the processes behind it. You know, those administrative controls, of course, help enforce what people can do. But I think that hard part really becomes the psychology of security.
Richard LaTulip: Yeah, no, I mean, policies get you pretty far, right? You pass your audits with ISO, you pass your, you know, SOC 2 with, say, 85% of it with policies, and they confirm that those controls are in place to make sure that you're doing the right thing. You know, but we all ultimately have to make sure that our employees and everyone with access, especially those that have access, understand the risks. And so education, education, education. I would love to be able to put everyone in a box and turn off the network, but then the business doesn't function. It doesn't survive. So we have to accept risks, but we have to know the risks that we're accepting, and we have to build proper controls around those risks. So I think it's imperative for organizations. You know, I looked at OSEG, if you're familiar with OSEG, the organizational effectiveness and making sure that we're breaking down the internal silos and we're making sure that we're communicating, you know, the information security manager. This is where you can show value, in my opinion, right? You can change the narrative of being a cost center to a value-add center by making sure that you're breaking down these silos, that you're talking to finance, you're talking to product, you're talking to engineering, you're understanding the most vital components of your business, and that you're ensuring that they're properly protected to the value of the organization. This can get the value you need, the support, right? Because now it's just not me yelling at you saying you've got to do X, Y, and Z, and then the business looking at me and saying, all you do is say no. No, I can get people who are now advocates for me because they understand that I have the business's best interest at heart. And so you kind of amplify your message through your collaboration.
And I know it's sometimes easier said than done because everyone has a day job, everyone has a business that they need to accomplish, goals, right, if you will, KPIs and stuff like this. So it is challenging. But I think that if an organization is mature enough and they have the people, the main role of your CISO should be as an ambassador, and that you become a political aspect in making sure that you understand all components and you become that trusted ally as opposed to sometimes what can happen, a little bit of an outsider. I even think about the Secret Service at times, right? You know, we always had conversations with staff, and those conversations were about, you know, limits. Staff wanted to make the president or the protectee more exposed, and of course, Secret Service was wanting to make it less exposed. But you can't get elected by sitting in a basement, and you can't be successful if you're not having those conversations, just pressing the flesh. Businesses are very similar. You need to be online, you need to be present, you need to be advertising, you need to be communicating, you need to get sometimes unsolicited business emails, but we need to be judicious about how we respond and what links we click.
Jen Lotze: I really, really liked how you put together the cultural components around cybersecurity and just security in general, because I think culture is the hardest thing to change, right? Like you can oftentimes try to find ways to get money to get the things that you need, but that culture is, I think, so, so hard. And I think you also hit on something about, you know, if we are making more complex passwords at work, hopefully we're seeing people do that at home. And I think if we train our staff and our teams to be more secure at home, then hopefully they're going to bring that to work as well. So I think you hit it spot on and just really not forgetting about the culture and helping people understand, like, okay, maybe I am saying no, but here's something that we can do that might still do what you need in a secure way, and helping them understand why. Right? Like it's amazing to see how many people don't realize the People's Republic of China and TikTok and where data lives. And when you tell them, they're like, oh, I love that. But you know, that education piece, building the culture, helping them understand the why. So I really loved how you put that. Thank you.
Richard LaTulip: Yeah, I have a whole presentation on the threat that emanates from China. It's not just, by the way, cybersecurity. It extends to a very geopolitical, it extends into a very calculated methodology. I don't think we have enough time to go into it, but I have a whole presentation built on the multiple aspects of the Chinese geopolitical threat.
Jen Lotze: We could talk about China for days.
Nick Mellem: Josh, I think we need to get episode two on the books because clearly there's a lot left here. Maybe rounding things out unless anybody else has anything. We've got to get into the book. We've got to talk about the book for a little bit. Richard, would you mind introducing the book, Carter Chaos? You know, what inspiration was behind that?
Richard LaTulip: So Operation Carter Chaos was a book that I decided to write, right? So this is the book, Operation Carter Chaos. It's been published by CRC Press and it's available now. You can go to a variety of websites to get it. Amazon is one of them, but there are many, especially if you live abroad. Routledge would be one of them that you should go to. But the point being is it's available, you can purchase it now. The motivation behind writing this is ultimately to tell the story of a complexity, right? The complexity was, in my mind at least, of a person living two lives and then being able to live that for an extended period of time, throwing in there a variety of, say, an organization that wasn't quite ready to do a long-term operation in the way in which we were doing it, and the complexities that arose as a result of it. You know, a great example can be this. Whereas I would be working online and I'm supposed to be, say, a buyer, a power buyer of credit card data. And so I'm buying in large bulk, mostly at times, anywhere from $2,000 to, say, even as much as $75,000 worth of product. And so I'm buying all this product. I'm creating relationships online with a variety of individuals, and occasionally things would come up, such as, hey, do you have a laptop you can give me? Do you have a cell phone you can give me? One person was even asking for Pirelli calendars. Well, there's a form you have to fill out within the government every time you expend confidential forms, or I'm sorry, money, funds is really what I meant to say. But you have to fill out this form every time you expend something. And so if I was going to buy you even as much as a Pirelli calendar, it has to, based on the form's boxes, equal something of contraband. What was the contraband you got? So if you were a normal person that was online, I'll buy you your Pirelli calendar. It costs me zero. It doesn't matter. My guys are out there working anyhow.
But for the government, I was trading. So I'm like, well, can you get me credit card numbers for this? Because I need something to write on my form. And so extend that to computers. The expectation is that I would bring you a good computer or a laptop. The government allowed me, really, my supervisors locally, allowed me to buy the cheapest laptop that was available. Now, if you can imagine, now I have to travel to places like Macau and meet with cybercriminals and hand them their gift. Well, the look of disappointment on their faces, followed by comments of why so cheap or why such crap, you know, puts you into a unique position that you don't, you know, how do you want to, you know, then go forward from that. Now I had a plan because I was prepared for the problem that I knew I would encounter. And I'd say, hey man, business is first. You know, you get whatever's left over, and that's what's left over. No one wanted to buy it, and there you go. That was my answer to the solution, but I shouldn't be put into that position where I'm answering that question. And so those were some of the ways in which the questioning from, you know, internally of what I was trying to accomplish. I would pitch to my organization five days of operating on, say, camera, so to speak, and those five days would be dedicated to the rapport building of whomever that target was. Only to be told two days into the operation that we're calling it, because quite frankly, we've achieved all of our results. This happened consistently, and so here I am now, always cutting holidays short. I mean, I think one of my chapters is entitled, How Many Times Can My Grandpa Get Sick. That was the way in which I would have to tell people, like, oh, a family member got sick, or someone got arrested, or something, you know, there was always a problem that was happening, you know, at the most inconvenient times. And so those were some of the challenges.
And I wanted to chronicle this because I think that, you know, when I watch movies, my wife always yells at me because I'm ruining it for her. She doesn't even like watching certain types of movies with me anymore because I'm like, that would never happen. This is not like that's not the real world, right? But no one talked about the report writing, no one talked about the human side. You see the sexy side of undercover work and the glamour that comes with it, and you just assume that that's how it is, how glamorous it is. And you think about all you get is support from leadership, and you get unlimited funding and you get unlimited opportunities, and you get, you know, but I wanted to make sure that despite these challenges or despite what was happening, say, behind closed doors, that there were people that were still there, and there were people who supported me within the Secret Service as well that were still fighting the good fight, if you will, to make sure that the operations happened as they should have, and to make sure that we were being successful and that I was able to be, you know, where I needed to be when I needed to be. You know, but there were a lot of other forces that were consistently challenging me and making the role more complicated and therefore making it more dangerous to me. If you can imagine being in places like Macau or Phuket, Thailand, you know, with limited US resources and the availability, I had no real support. If trouble was to occur, it was by my own two fists that I was getting out. There was nothing to fall back on. I didn't have what movies highlight, a safe house I can run to. I didn't have a group of agents standing behind the door with MP5s waiting to break through it to save me. It was my own cloak of anonymity and believability that was the deciding factor oftentimes of whether I went home at night or not.
And also you have to remember, too, is everything was coupled with drinking, you know, everything was coupled with some type of activity. And so there were plenty of opportunities that I talk about again in my book about always having to be in role and always having to be successful in the communication and not making errors, especially when drinking. And so I credit again my time at Indiana University, where, you know, I trained in drinking bar games and other types of activities. So you had no idea what you were getting ready for then. No one can predict the future at that moment.
Nick Mellem: Right. Well, it sounds like your stories from Thailand are a little cooler than mine, but I'm excited to read it, and you would probably have to do some sort of book club and come back and discuss the book and everything we got into there.
Joshua Schmidt: All right. Well, thanks for joining us today. We'd be happy to take a look at your book, Richard. We can't wait to read it. You've been listening to The Audit presented by IT Audit Labs today. Our guest was Richard LaTulip, author of Operation Card of Chaos. You can check it out on Amazon. You've also been joined by Jen Lotze, Nick Mellem, and Eric Brown of IT Audit Labs. Thanks for joining us. Please leave Richard a review for his book, but also take the time to maybe leave us a review, like and share, subscribe to our podcast as well. We also have Sip Cyber coming out every Wednesday with Jen Lotze, her own little cyber sips, quick little tidbits and tips around cybersecurity. You can check that out on ITAuditLabs.com. Please check us out in the next one, and thanks again for joining us. See you soon. Thank you.
Eric Brown: You have been listening to The Audit presented by IT Audit Labs. We are experts at assessing risk and compliance while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J. Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials, and subscribing to this podcast on Apple, Spotify, or wherever you source your security content.