
This Week on What the Hack: Finding Cybercriminals

Kurtis Minder knows the dark web better than most—and he’s not just watching from the sidelines. As a ransomware negotiator, he’s helped victims talk their way out of seemingly impossible situations. This week, we explore how cybercriminals operate, what makes them tick, and what you need to know to avoid becoming their next target.

Episode 212


Ep. 212: “How to Talk to a Cybercriminal”

“What the Hack?” is DeleteMe’s true cybercrime podcast hosted by Beau Friedlander.

Beau Friedlander: There’s a criminal marketplace online, thriving, global, and terrifyingly efficient. You just need the secret knock.

Kurtis Minder: You can transfer seemingly unlimited amounts of capital across international borders anonymously.

Beau Friedlander: We’re talking about people who could have started the next Amazon or eBay and they didn’t, ’cause they’re making a lot more money and they’re barely doing any work at all.

Kurtis Minder: For some of the ransomware actors, hundreds of millions of dollars a year.

Beau Friedlander: Whether or not you know it, you are elbow to elbow with criminals all day long. Maybe not in person, but for sure online.

Kurtis Minder: My team have been chasing these bad guys around the internet trying to go wherever they go, and they always get new and innovative techniques to try to evade us.

Beau Friedlander: Step right up to your current and everlasting nightmare. I’m Beau Friedlander, and this is What the Hack, the podcast that asks, in a world where your data is everywhere, how do you stay safe online?


Introduction to a Cybercriminal Whisperer

Beau Friedlander: Kurtis Minder is the co-founder and CEO of GroupSense, where he leads a group of world-class analysts and technologists in the cybersecurity intelligence world. He has been profiled in The New Yorker for his work as a ransomware negotiator. He is the Cybercriminal Whisperer. His new book is Cyber Recon: My Life in Cyber Espionage and Ransomware Negotiation, just published by Wiley. Kurtis Minder, welcome to the show.

Kurtis Minder: Thank you, Beau. I appreciate it.

Beau Friedlander: Oh, you’re good. I’m really psyched to have you here. Now, you mentioned much later on in your book, but I wanted to start there, about being at a coffee shop and eating some Polyface Farm eggs. So that’s some very basic OSINT for me. It tells me where you might be located. Where are you coming to us from today?

Kurtis Minder: Well, what I was writing about there was actually in Arlington, Virginia. But I currently live in Western Colorado.

Beau Friedlander: Oh, okay. I’m a big fan of Joel Salatin.

Kurtis Minder: Me too.

Beau Friedlander: It’s phenomenal. Like it’s amazing that you can be so technically adept in the digital world and yet the things that we like the best have dirt on them.

Kurtis Minder: Right. And you take it for granted what is necessary to get those things on our plate.

Beau Friedlander: Now you’ve built a whole career tracking cybercriminals, negotiating with ransomware gangs, chasing threats. Most of us never even see any of this. I guess what I really want to know is, why do you do it?

Kurtis Minder: It was in the early nineties. I was working at an internet company back then where people would dial into the internet. We would have people break into our systems on occasion. And this boss that I caught hacking in after he was fired, he was the one that showed me how to find this stuff. He showed me how to look at the logs and recognize, “That’s not normal. That’s somebody that’s not supposed to be there.” And so that’s how I detected him.

Beau Friedlander: So you’re working for a provider, you notice someone’s inside your network who really shouldn’t be there, and it turns out it’s your old boss.

Kurtis Minder: You know, in the early nineties it wasn’t quite as contentious as it is now. Laws for cybercrime weren’t as scary as they are now. I was, I think, 17 or something when this occurred. All I knew is that I don’t think he’s done any damage. Let me just get him out of here as quickly as possible, and hopefully that’s the end of it. That’s how that played out. But yeah, it was one of my very first times hunting someone down and then interacting with them in the process.


The Cybercriminal Marketplace

Beau Friedlander: Your book covers the whole universe of cybercrime and cybersecurity, from where criminals operate to how they operate to how you operate to help your clients, and finally what to do in the worst-case scenario. A lot of what happens when you do get got gets lumped under the same label of Darknet. In terms of origin, like how did they get the information or whatever. Some people say dark web, darknet, dark web. What’s the difference?

Kurtis Minder: Well, the technical definition, even though those are also evolving, if you stick to the original intent, a darknet is a general term for a network that is usually layered or sitting on top of the internet, but not directly accessible from the internet. The dark web would then be a component or a place on a darknet. So one is a component of the other. The dark web is often associated with Tor, but there are other ways to get to that as well. It’s fairly convoluted. I think what’s happening now with the nomenclature, just to confuse those who don’t live in this world, also congratulations for not living in this world, but the term dark web is becoming broader and broader, and it’s including basically anything where illicit transactions occur online, so that would include Telegram and some WhatsApp groups and things like that, so the media is starting to throw all of that under the dark web sort of category, right?

Beau Friedlander: Well, we’re going to get to that later, because I do think Telegram and those platforms are a little different, but the markets, let’s talk about the marketplace. The criminal marketplace. There’s credit card scams, there’s enterprise credential markets, there’s malware markets, there’s zero-day exploit markets…

Kurtis Minder: Weapons, drugs.

Beau Friedlander: Right. I mean, we forget about Silk Road, but it started there really with drugs and weapons. These marketplaces produce an average sales volume of hundreds of millions of dollars per year. Items for sale on the marketplaces are largely illicit goods. Drugs, weapons, and stolen corporate information and data. And the services run the gamut as well. Most people aren’t Tor users and they’re not on Telegram, right? So they’re just living their lives online, but you’re saying some of this stuff is starting to show up in more everyday places, like for instance, the Metaverse.

Kurtis Minder: Yeah, you know, that security research community in companies like GroupSense and my team have been chasing these bad guys around the internet, trying to go wherever they go, and they always get new and innovative techniques to try to evade us. They know that we’re doing this. GroupSense has something like 4,000 curated personas pretending to be bad guys, and our team speaks like 15 languages and they know all the hackers speaking those languages. And so we’re following these guys around and they just get more and more creative. If you think about how the dark web and Telegram markets, you know, how those function, they’re text on a screen, which means that you can scrape them. You can write code that just basically grabs them all and puts them in a database, which is one of the things that we’ve been doing since 2012. We were one of the early adopters of dark web scraping, and we’ve got a huge database that tracks all that stuff. But what if it wasn’t written down?

Beau Friedlander: So basically you’re scraping these forums because if someone’s selling stolen access or bragging about it, you want to be able to catch that early, right? It’s a smoke before the fire type thing.

Kurtis Minder: Yeah. But what if it was a conversation? How would you do that at scale? And how would you do that in an organized way? Well, I think the metaverse, while it’s not pervasive, we started to see evidence of the bad guys talking about metaverse spaces where they were doing transactions. In the metaverse space, I think it depends on which platform, but like for example I think in the Meta-based platform they call them dorms for some reason. You can have a private dorm where you have a password to get in, and once you get in, there’s a room full of people and it’s like a bazaar, it’s like a market. That changes the fundamental way we approach collection, because a lot of it’s spoken word. There are ways to get around the fact that it’s not written down; we have ways to do that, but if you think about the methods to gain access, it becomes more and more like a traditional espionage, human operation that the government might do or something like that to get access to those rooms.

Beau Friedlander: So there’s a secret knock, basically. I mean, you need to know either a specific URL or channel and you need to know it’s there, right? Can you walk me through the ways one gets to these dark web destinations without providing enough detail to sponsor new criminal activity? Like, just what are we talking about?

Kurtis Minder: It is very much almost a traditional espionage operation. It’s who you know and who you can convince to tell you things, and you pull on threads. We’ve got over a decade of doing this, so we’ve got a lot of threads to pull on at this point. We tend to get into some of the marketplaces relatively quickly, the new ones that spring up. I think in our case, being so tenured in this, let’s say for example the FBI sees a dark web marketplace. We’re already in sort of this private communications channel with some of the leaders of that particular marketplace, and we’re going, “Hey, where do we go now?” And they’re like, “We’re spinning up at this,” you know what I mean? So we follow them, and getting initial access to those things, today there’s a lot of researchers that keep databases of this. They’re not going to be on a website some place that you can click on. You have to know the address. If you’ve seen a, for example, a .onion address, they’re not human-readable. They’re long, complicated strings with “onion” at the end. So you have to know what that is to get there.

Beau Friedlander: Right, and just to spell it out, a .onion site is basically like a .com or a .org that you’d visit with the Tor browser, which was originally built to help people stay anonymous online—journalists, dissidents, that kind of thing, military. But of course, bad guys use it too.

Kurtis Minder: Yeah, I mean, you have to quite literally have someone tell you where to go and it could be a very complicated, long string of characters to go to. You can’t search for it on Google, right?

Beau Friedlander: There are marketplaces that have the look and feel of big operations like eBay, Amazon. You’re talking about people who work there who maybe don’t dress in a suit and tie, but they’re clocking in and going somewhere physical to work. Tell me a little bit about those marketplaces and how they operate.

Kurtis Minder: Yeah, I think the marketplaces, they’re certainly run like a business. And to your point, if you were to send a screenshot of one of these to the average person, they would think it was an Amazon competitor or eBay competitor. The way that it’s run, they have escrow services, they have ratings for the buyers and sellers. Some of them, yeah, are literally sitting in an office and there’s employees and there’s middle management, and there’s water cooler conversation. That also rings true for the ransomware gangs. It’s an organized operation that’s running these.

Beau Friedlander: Okay, and so your job is to stop all of these marketplaces or monitor the ones that can affect your clients? I’m just trying to get an understanding of the threatscape and your place in it.

Kurtis Minder: That’s a great question. Certainly if the use case is primarily cybersecurity, they all affect all of our clients, because they’re all doing the same illicit stuff and selling illicit goods and access to networks and things like that that would be interesting to our clients, but there are markets that are more specialized for different use cases. We’ve also infiltrated those for our clients. For example, you have large pharmaceuticals as clients, and we specifically infiltrated dark web markets and Telegram channels that are focused on counterfeit drug sales. That’s 100% what they’re focused on. We did something similar for one of our high-tech manufacturers, and it was intellectual property forums in China. Right? They’re just forums in China that sell stolen circuit boards and stuff off the assembly line, so from a practician standpoint, we’re literally looking for whatever risk the customer is interested in and then we’ll go find where that illicit activity is occurring.


How the Underworld Thrives

Beau Friedlander: So we’ve got a rough map of this cyber underworld and an understanding of where the risks lie for each client, following the trail wherever it leads. But I’m still wondering, how did this whole thing become such a well-oiled machine in the first place? What allowed this criminal economy to take root and thrive the way it has?

Kurtis Minder: Well, I think to answer that you really need to understand how that came about. So the way that that came about, the way that it gets weaponized is you’ve got tools like Tor, to your point, was a military application and an open-source project that had good intentions, just like the internet.

Beau Friedlander: Right, exactly. It kind of slipped away from us, but…

Kurtis Minder: Yeah, exactly, and so the anonymity that that affords people allows you to do things and not get caught. That’s number one. Number two is, around 2010, 2012, something like that, where cryptocurrency really started to take off. Now you can transfer seemingly unlimited amounts of capital across international borders anonymously. Not untraceable, but anonymously, right? So those two things, and then if you couple that with a nation-state that doesn’t have an extradition policy to the countries where most of the crime is being perpetrated, you basically got a free-for-all. And that’s what causes this whole environment to exist.

Beau Friedlander: And this environment is…I do want to stress it’s like cops and robbers, it just happens to be online. And it includes the police busting people and then flipping them to get them to be informants or get them to be assets in various jobs. But the problem is, they’ll catch somebody or pretend they’ve caught somebody, or they’ll catch and release and then make that person look like they’re burned when they’re not burned so that people are like, “Oh, I don’t want to do business with Bob anymore because Bob got busted and he’s now probably an asset of the FBI.”

Kurtis Minder: Right. That’s what happened to LockBit, right?

Beau Friedlander: That is what happened to LockBit.

Kurtis Minder: So LockBit, it’s really one guy, Dmitri, that runs the whole thing. It’s a ransomware-as-a-service platform. You alluded to earlier in these marketplaces, you can literally buy access to platforms to commit crimes. LockBit built one of those. They share the revenue from the ransomware attacks. Dmitri was one of the faster rising stars of the ransomware gangs. He was very vocal on the forums and had made quite a name for himself fairly quickly.

Beau Friedlander: So any criminal can get online, in this case LockBit, and say, “I’d like to target company X, Y, Z.” And what did LockBit do to facilitate that?

Kurtis Minder: There’s also a marketplace where they buy the access to the victim first. So they can go to these initial access broker markets, and every day there’s a menu of companies that have been compromised and you just buy the access and then you go to LockBit.

Beau Friedlander: So it’s not one-stop shopping. You’re actually at a marketplace where…it’s a bazaar, like you were saying earlier.

Kurtis Minder: It’s like a bazaar. So you go buy the access first, and then you go to LockBit or some ransomware-as-a-service platform, and you plug their software into that access and it deploys the ransomware, exfiltrates the data, locks the files, and creates the ransom note. It does everything automatically, so you don’t really have to be sophisticated. You have to know how to use Tor a little bit, but that’s about it.

Beau Friedlander: Okay, now you’ve just described someone who has firearms who had to go buy ammunition or something like that.

Kurtis Minder: Right.

Beau Friedlander: And the PSYOPs that happened to LockBit, like what happened? He got arrested and then…they did a catch and release but they made him look dirty?

Kurtis Minder: Well, so he didn’t get arrested, he got indicted and then they took over his sites and what they did was they made it look like he flipped, or they at least alluded to that he flipped to the authorities. We don’t know if that actually happened, but what happens to LockBit when that happens, to your point about PSYOPs, is nobody wants to work with him anymore. And so people stopped using that platform for a very long time.

Beau Friedlander: They did pop up again, but he couldn’t get the business he once had?

Kurtis Minder: No, and I think… It’s been a while since I’ve looked at him since he’s on the sanctions list now. We don’t really get to interact with him anymore because he’s on the U.S. sanctions list, but the victims that he would put up on his shame site were victims of other ransomware actors, so he was trying to perpetrate as if he’s got customers that he doesn’t really have. Until very recently, I think that was the case.

Beau Friedlander: So you’ve got a global marketplace for cybercrime, ransomware-as-a-service; you can spin up a Shopify site, and entire criminal networks getting ghosted just because someone might have flipped, and now they’ve started using AI to make it all faster, smarter, and a whole lot harder to stop. We’ll get into that right after the break.


AI and the Future of Cybercrime

Beau Friedlander: All right, so we’ve talked about how organized and scalable all of this has become, but now we’ve got AI in the mix. What’s that actually changing? How are the bad guys using it to get smarter, faster, and harder to stop?

Kurtis Minder: Primarily, I would say that AI is being used for synthetic content primarily, right? So it’s making emails look more real, making web pages look more authentic, sometimes assisting with the language in interacting with a client or a victim. Where I think I believe it’s evolved over the last couple years is every time…take ransomware for example. Every time they do one of these attacks, the first thing they do is they take a copy of as much of the client data as they can. We’ve had cases where they’ve taken 400 terabytes. That’s a lot of data to comb through, right? As part of the ransomware extortion, one, they’ve locked the files and they’ve interrupted your operations, but two, they’re threatening to release or sell this very proprietary data that they’ve taken. In the past, it was very difficult for them, and our strategy sometimes was to simply call their bluff, because for them to find a document to prove their point in 400 terabytes is pretty difficult. It’s much less difficult for them now with AI. They can create an LLM that looks for certain document profiles, it goes through large data sets, pulls out the files, shows the example excerpts from those files that they can just throw into a chat and go, “I know this about your business, and unless you want everybody else to know about it…” And they do the same thing with email boxes. So they can rebuild threads that look very authentic and then loop in an employee and trick them into doing something. They usually use board-level people, so they’re getting smarter about it. The second part of that is, you don’t need to keep every email and every text message you’ve ever sent.

Beau Friedlander: You don’t?

Kurtis Minder: I know. People think, “Well, storage is cheap. I’ll just keep every Google message.” The problem with that is, Beau, I’m a really nice guy. I think I’m a good person, but if you had the last 20 years of my emails, I’m sure you could find an email that makes me look like an asshole out of context. Right? So just get rid of that stuff. Get rid of those extra data artifacts that you don’t need, and-

Beau Friedlander: Can’t I just get rid of those emails?

Kurtis Minder: Yeah right.

Beau Friedlander: Delete.

Kurtis Minder: I think there’s probably an app for that. AI will do it I’m sure.

Beau Friedlander: I’m sure. “Look for any instance of me being a bad guy or just having a bad night, I didn’t sleep well,” or whatever. Yeah, no, it’s true. I think that’s true for all of us. But if you’re the CEO of a company, you don’t have to end up on the jumbotron at a Coldplay concert to have trouble. You don’t need to be on the jumbotron. All you need to have, to your point, is 20 years of emails sitting on your Gmail account to have a problem.

Kurtis Minder: And use bad password hygiene, to not use MFA, like basic cyber hygiene things. And one of the things I get asked a lot is, “Kurtis, there’s so much to this cybersecurity stuff. Do we all have to become cybersecurity experts?” And my answer is no, just like you don’t have to become a doctor to know how not to die. So, because we do a lot of ransomware response work and just response work in general, we distilled down to the best of our ability how the bad guys are successful, and if you really dial it down to the core ways the bad guys get in, and keep in mind, they’re running a business. So they want to get access to your system as cheaply and efficiently as possible, and unfortunately, we make it easy for them. People are still reusing passwords. They’re not turning on MFA, and so forth. These very basic cyber hygiene things that anybody can do and make a huge impact, not just on themselves, but basically the community and society.

Beau Friedlander: And if criminals are so good at the business of crime, why don’t they just start legitimate businesses? Because they do seem quite competent.

Kurtis Minder: Well, I think this is pretty profitable. I think we’re underestimating how much money they make and how little work they actually do. I tell my clients when we have a ransomware victim, it’s like, “Hey, this attack that happened to you is the most important thing in the world to you, but not to LockBit.” Right?

Beau Friedlander: And what kind of money are we talking about?

Kurtis Minder: For some of the ransomware actors, hundreds of millions of dollars a year. I forget what they estimated LockBit; I think it was like 400 or 600 million that they thought he had done in the last couple years. So it’s a lot.

Beau Friedlander: And what do we think the entire range of cybercrime activity out there is netting a year? Do we have a number on that?

Kurtis Minder: You know, I’m hesitant to say, because I’ve seen a bunch of quotes around that, and the numbers, they literally, some of them go into the trillions. I can tell you just my sample size, I can confidently say that it’s in the hundreds of billions, maybe on the low end based on my sample size. And that’s per year. I believe firmly that it’s a national security concern for the United States.

Beau Friedlander: Well, 100%. It affects our GDP as well. I mean, it’s just extremely important for businesses to understand what the threat is and how it can affect them, but also the government, because they are equally vulnerable. I was really struck by one story in your book about a not-for-profit that was hit by ransomware and one of your negotiators got in there and they were like, “We want $2 million, pinky to the corner of the mouth million.” And the fact was, they hadn’t done their homework, so they didn’t know how much money they could get out of this particular not-for-profit, which in this case was doing really good work for people, children I think who had cancer.

Kurtis Minder: Yep, exactly.

Beau Friedlander: Now, your negotiator said when they were asked, “Well, how much can you give us?” He said, “Nothing. How about zero? Zero is the number,” and they came back and said, “Well, we need at least $5,000.”

Kurtis Minder: Yeah, right. Exactly.

Beau Friedlander: So they agreed on $5,000, which was the cost of the…

Kurtis Minder: The initial access, right? So what we were talking about earlier, they went to a marketplace and bought the hacked access of that non-profit for $5,000. That’s our theory. “Our cost of goods is $5,000. You pay us back, we’ll let you go.” And yeah, it’s just another illustration of how this is sort of run like a business.


Turning Data into Intelligence

Beau Friedlander: Presumably you’re protecting an organization or company, in your case sometimes even a municipality or a government agency, and you’re assessing threatscape, right? For every individual who works there, which is why you have a VIP product, because if they can get to a VIP, they’ve done their whole job with one fell swoop.

Kurtis Minder: Right.

Beau Friedlander: Now, you write that the intelligence work you do is about outcomes, not data. I want to understand that, because I think it’s super important for people to understand that the same guy who said, “I see you in my system. If you leave, we’re good,” or who said, “Look, you’re not getting the $2 million, but I’ll give you five grand if that’s what it cost you to get in here in the first place through your initial access broker.” Talk to me about outcomes. When do you make the hop from data to intelligence work?

Kurtis Minder: The outcomes thing is almost a religion at GroupSense, and it’s probably my fault. I probably took it further than it needed to go, but it drives much of our product development. We throw stuff out that’s like, hey look, unless we can repeatedly and reliably drive an outcome from the thing you’re building, we’re not going to do it. And so it’s really helped us focus as a company. That whole outcomes discussion is really a comment on the overall cybersecurity industry. The way that tech companies and cybersecurity companies included are sort of subsidized, usually venture capital money, it causes them to build products in a specific way, which is get big quick. Good dashboards, fancy alerts, stuff like that, but they often don’t drive outcomes. If you’re a CISO and you’ve got a dark web solution, and the dark web solution tells you that someone is advertising access to your network, like an initial access broker, and you don’t have a next step to validate that or stop that, to change that, to stop that, you can’t get samples of the stolen access, that’s a really crappy product. Right?

Beau Friedlander: Yeah, that just means that you get to watch the slow roll of your own destruction.

Kurtis Minder: Mm-hmm. The reason why we have a platform and it does create what we call advisories and makes the leap from just data to intelligence, which is data that is enriched in context with recommended steps. That’s intelligence, right? So intelligence is when you take data, you enrich it with context, so your client’s contextual situation, and make recommended steps or automatically take those recommended steps. We’ll often just make a recommendation, and that’s really when you jump from just data to intelligence.

Beau Friedlander: The difference between data and intelligence is quite simple, because one is dumb. One is stupid. If you’re not in the room, it’s meaningless.

Kurtis Minder: It requires a lot of additional work from the customer, right?

Beau Friedlander: Data does, yeah. I almost sort of think that for the majority of people, the data by itself is an empty cipher because it’s not actionable. There’s nothing they can do with that data. Intelligence is not just what it is and how it works, but what to do now.

Kurtis Minder: Right. And how it’s applicable to your use case, your organization. Why do we even care? Here’s why we care. Here’s why it’s important, and here’s what we need to do about it. That’s intelligence.

Beau Friedlander: So, that’s how big organizations do it, but what if you’re not a Fortune 500 company or a government agency? What if you’re just you? What can the rest of us actually do to stay safe in a world like this? That’s coming up after the break.


Personal and Operational Security (OPSEC)

Beau Friedlander: I’m curious because it sounds to me like you’re in the business of as much as possible seeing trouble coming and warding it off before anything bad happens or seeing the thunderstorm on the horizon and going inside before you get wet, but there’s a part of this where… I always think of cybersecurity as several layers of Swiss cheese, and I didn’t make it up. Deviant Ollam made it up, or I think he did. It was just something I’ve heard in my cybersecurity circles where one layer, you can still see through it. Two layers, you can’t see as well. Three layers, it becomes opaque. So one layer like are you really at this point in your life swattable?

Kurtis Minder: Oh, I’m sure. I don’t want to take it for granted.

Beau Friedlander: I don’t want to tempt anybody to try, but the thing is, I know there’s two layers of this, right? If someone wants to come at me: come at me, bro. If someone wants to come at me, whatever. I’m locked tight. You can get at me. I’ll feel it, but you’re not going to get anything, and that’s sort of the end of the story, and the local police here know me as well for the same reason. I’ve said there’s a chance someone’s going to say someone is screaming in my basement. Give me a call first. I live in a town of 5,000, so it’s simple. Now, where it starts to matter is if you are the CEO of a large company. It starts to matter if you’re the CISO of a large company. How do you protect?

Kurtis Minder: Well, I think the first step for any of this is education, but we can always do a lot better job of that, making them understand the why so they adjust their behavior.

Beau Friedlander: So let’s run through them. One is using a password manager, or do you not do that?

Kurtis Minder: I do recommend using a password manager, and if you want to get into the basket-eggs thing, I’m happy to, but I believe that there’s less risk in using a password manager than reusing passwords or attempting to make up your own passwords.

Beau Friedlander: Thousand percent agree. Second one is multiple-factor authentication. Now, are you weighing yourself and doing a retina scan and a fingerprint and then saying the rhyme that you learned in third grade, or what do you do?

Kurtis Minder: Yeah, you should balance it with usability, sure. I think by now we all know that SMS is probably the least secure way to do that. So wherever possible, using an application or a token is good. And if you can use biometrics, that’s even better. So just basically it has to be something that you know and something that you are or something that you have. The combination of any one of those two will greatly increase your security.

Beau Friedlander: And just staying up to date, so making sure that if you’re using a site or a service that allows for single sign-on, it’s not a bad thing. It actually makes your life more convenient and more secure at the same time. What else? Let’s see if we can think of one more. We’ve got MFA, we’ve got password managers. Is there another one we could throw in there?

Kurtis Minder: Obviously encryption at rest and encryption in transit. Just use a VPN. Use your built-in Apple or Microsoft encryption on your devices. That’s easy. That’s an easy one. Talk about OPSEC, and that’s just more behavioral stuff. Don’t have a conference call in the lobby of the hotel with two earbuds yelling customer names. Things like that. It’s just common sense stuff that I think some of which we lost after COVID or we forgot that we’re not in an office anymore, and it can cause damage, right?

Beau Friedlander: Well, you bring that up, and it’s kind of why I brought up Polyface farms in the beginning of this interview.

Kurtis Minder: I love how you said OPSEC.

Beau Friedlander: Because it was. Well, it was in your OPSEC chapter. I think it was, and what you were illustrating that you knew something about someone else because their colleague had been at the same cafe basically screaming through a megaphone.

Kurtis Minder: Yeah, doing a sales call basically. It’s a weirdly small world, and I think that people take for granted; they don’t believe that the people around them are going to understand what they’re saying or know the people that they’re talking about or know the companies that they’re talking about or the products that they’re talking about, but they will. The other thing I dig into, because I’m about to go to DEFCON and Black Hat where I’m going to do a book signing. Every year, we stay off-strip because of OPSEC primarily. Do you want to stay in a venue with 40,000 hackers? No thanks. Right? No thanks.

Beau Friedlander: I’m going to DEFCON too, and I’m not walking through that space without my phone off and my Faraday bag on.

Kurtis Minder: Right, exactly. And so we usually stay in a fairly nice house off-strip, and we Uber in, and we have a rule: there is no talking in ride-shares. It’s not your mobile office. Those people understand what you’re saying. And they’re recording it, by the way.

Beau Friedlander: That’s great OPSEC. You don’t even know that some of those drivers might be getting a vig on the other side from someone else who paid them to record conversations.

Kurtis Minder: We validated with a couple drivers one year that they were getting paid by law enforcement to take notes.

Beau Friedlander: Phenomenal. Now, you know, as DEFCON likes to point out, yes, there are criminals at DEFCON, but there are also criminals at your local store and at the post office and everywhere else, but there is a higher concentration at DEFCON. Let’s be real. Now, we’re talking about OPSEC. So take us on a quick spin of OPSEC for someone who just wants to understand the basic idea.

Kurtis Minder: Just like in the commercial space where, if the bad guys have information about the company that they shouldn’t have or data about the company that they shouldn’t have, it makes it easier for them to attack that entity. Same with you as a human being. And so operational security comes out of the military. It’s something that they teach in the intelligence schools and for the boots-on-the-ground folks in the military to keep the bad guys from learning things they shouldn’t know. That’s really the premise. And so it’s all behavioral, and sometimes people don’t think about these things. It’s not malicious. They’re not stupid; it’s just, why would you think about it? For example, I used to do this exercise. When I lived in D.C., I didn’t own a car. I had a ridiculous number of motorcycles, but I didn’t own a car, and I would walk everywhere. One of the games I would play while I was walking: I walked from Arlington to downtown to go to dinner and walked back. It was probably 10 miles. I would do that all the time, and I would look in the car windows of the parallel-parked cars, and I would keep track of how many documents I could read from the sidewalk, and it was a lot. Think about that. That’s Washington D.C., so what kind of documents do you think those are, Beau? Right?

Beau Friedlander: They’re terrifying.

Kurtis Minder: So those are the little things like that you can learn from, and like I said, the longest chapter in my book is on OPSEC, and I’m actually working with the publisher to finalize an agreement to do another book all on OPSEC.

Beau Friedlander: So OPSEC is key. You can have all the whiz-bang in the world to protect you; at the end of the day, a lot of people are going to be their own worst enemy.

Kurtis Minder: The work-from-home culture that sort of emerged after COVID is part of the problem in that when we all worked in the same office and there were just cubicles between us, for the most part, there weren’t a lot of secrets. We all signed the same confidentiality agreements. If you live in a multi-tenant place or you’re in a hotel room, the walls are pretty thin, so at the time when I was living in D.C., I lived in an apartment in D.C., and I could hear everything my neighbor said. That means they could hear everything I said. And I’m working from home and I’m doing espionage work. You’ve got to be very careful about that stuff.

Beau Friedlander: Well, there’s also the other problem with working from home, especially if you’re in the C-suite, which is that no longer does your OPSEC mean just physical penetration testing at an office with staff and people who are there to keep people out, with scanning devices to make sure people aren’t getting on elevators. Now it’s just your help. Now, is your house as secure as an office building? No, it is not, and so when you leave for dinner, are you putting your computer, turned off, in a safe that’s locked?

Kurtis Minder: Like you would in a hotel room? No.

Beau Friedlander: Maybe even a safe with a Faraday cage in it? No, you’re not, and so how do you handle… This is the big point, and I think GroupSense is brilliant for this, because I bet you help your clients understand this better, but brand protection in a world like this, where your job is to keep CEOs and other VIPs from letting the cat out of the bag or otherwise committing an own goal on themselves with the competition.


A Civic Duty

Beau Friedlander: We’ve talked a lot about nation-states, ransomware gangs, marketplaces full of stolen data, but at the end of the day, a lot of this stuff comes down to individual choices. Not just what companies do, but what each of us do or doesn’t do online, and I know this is something that you care a lot about.

Kurtis Minder: I firmly believe that good cyber behavior and hygiene is a civic duty and that every single cyber incident, no matter how unimportant you think you are, has an impact on everyone around you. Everything’s connected. So if you do three or four of the things to protect yourself, you’re also protecting everyone else, and that’s a bit of a soap box I’ve been on for a long time.

Beau Friedlander: Well, Kurtis Minder, thank you so much for joining us on What The Hack. I appreciate you coming to join us. The book is called Cyber Recon: My Life in Cyber Espionage and Ransomware Negotiation. It’s published by Wiley and you can get it wherever books are published. Kurtis, thanks again.

Kurtis Minder: It’s a real pleasure. It’s fun.

Beau Friedlander: Okay, so it’s time for our Tinfoil Swan, your paranoid takeaway to keep you safe on and offline. Now, we often think of technology as being our guardian. High-tech solutions don’t always work, and they can’t do anything about the following things. Shred your mail. If you have, like I do still, some mail coming in that has health-related information or banking-related information, you shred it. Really simple. Any sensitive document, if you no longer need it, shred it. Remember that you are going to need to keep pay stubs for a certain period of time in case you want to get a loan, and the same goes for your tax returns. You probably don’t want to shred those, but keep them in a safe. It’s one of the easiest things you can do and one of the most overlooked habits we all have, leaving stuff around that can get you got. Now, the other thing that you can do is keep sensitive documents out of public view in your own house. That counts, which means get a safe. That’s what I do. I have two, or there’s three safes in my house, but keep your sensitive stuff out of the way, and that includes passports, bills, statements of what’s happened with your medical care, all of that. Another thing that you might want to do, which my partner does regularly, religiously, is opt out of junk mail. It’s good for the environment and it’s good for you too, because the more that you remove yourself from these email lists and mailing lists, the less you will show up on data broker sites. So that’s the Tinfoil Swan. Stay safe out there and thanks for listening. What the Hack is brought to you by DeleteMe. DeleteMe makes it quick and easy and safe to remove your personal data online and was recently named the number one pick by New York Times Wirecutter for personal information removal. You can learn more if you go to joindeleteme.com/wth. That’s joindeleteme.com/wth. Stay safe out there.
