At SpyCloud, we obsess over making identity intelligence actionable by turning stolen darknet data into a powerful defense mechanism against identity-based cyber threats. Behind the scenes, we’ve assembled a team that rallies behind this mission to disrupt cybercrime, and whose internal engine is fueled by curiosity, innovation, and the desire to help some of the most vulnerable to make the internet safer for all.
Some of these team members – Duncan Edwards, Senior Investigator, and Tyson McAllister, Director of Investigations – recently sat down with Jason Lancaster, our Senior VP of Sales Engineering and Investigations, following his recent recognition as Industry Innovator of the Year by the Tech Ascension Awards. They discussed why they do what they do, how the SpyCloud Investigations solution and our mission have grown into what they are today, and how they define success when it comes to disrupting cybercrime.
“I’m driven by the injustice and the responsibility that I have to defend the least among us – the poor and the downtrodden. The victims that we look at, they have no ability to defend themselves really against these groups. Hell, the companies that have huge teams can barely do this.”
– Jason Lancaster
Here’s their conversation.
The winding path from defense to offense
DUNCAN: Jason, so obviously you didn’t just snap your fingers and you became all knowing in this space. What was your path to get here? How did you get involved in cybercrime investigations?
JASON: I started my career in cybersecurity as a solutions architect, building networks with firewalls and VPNs. Then I moved on to intrusion prevention systems, red teaming.
Following that, I worked as a defender at a Fortune 500 company, and that was really my foray into this. From there, things sort of evolved based on a series of events.
In 2003, I joined TippingPoint Technologies, and we developed intrusion prevention systems, working to provide those sorts of solutions to customers. We were dealing with the problems that came up, fighting off the attacks as defenders – “defenders” being the key term here.
The threat landscape was constantly evolving. This was during the rise of what we call “script kiddies.” You didn’t have to be some elite hacker anymore to hack into some website to deface it or breach a site and steal the database backend of some company, you could just go and download a tool, point it at a company, run it. Basically anyone with very little technical understanding could do this. And then the motivation of actors really came into play. We saw a rise of ideological-motivated actors. It was a constant thing, and there was just a fury of activity.
“At some point, I got tired of being a defender and wanted to go on the offensive. You know, I wanted to take the fight to the actors. And that was really the transition for me.”
TippingPoint was actually acquired by 3Com in 2005, and in 2009 HP bought 3Com. Ted [Ross] was there. Alen [Puzic] and Dave [Endler] had been at TippingPoint along with Jen [Parker-Snider], Damon [Fleury], who have all been involved with the growth at SpyCloud.
One of the big things that we dealt with, in addition to website defacements and those sorts of things, was DDoS attacks.
In 2011, the hacktivist threat actor group Anonymous started attacking companies using DDoS and website defacements in a larger organized fashion. In 2012, there was an attack called OpNewSon (Operation NewSon) that targeted 43 different companies, including HP and many others.
Leveraging OSINT and HUMINT, our team actually embedded ourselves in some of these groups, essentially running an intelligence operation to better understand what they were doing.
When they targeted HP, we were already positioned in these groups, and we were able to stand up a working group amongst all of these companies to help us coordinate defensive measures and mitigate the attacks.
DUNCAN: Were you one of the first enterprises to create an offensive task force like that, outside of law enforcement, or were other organizations already doing something similar?
JASON: We were certainly at the leading edge of a lot of the offensive momentum at the time. Most people were still in a defensive position.
Around that time, I left HP’s Enterprise Security Product Group with Ted [Ross] and started HP Security Research.
There my team published research on state cyber capabilities – including Iran, Syria, and North Korea. With OpNewSon sitting in their communications channels, we could see in real-time the companies that they were deciding to target, the tools they would use, and the time that they were going to do it. We built a working group of all of those victim companies and fed them that intelligence in real-time.
As a company was targeted, they would see specific network telemetry. We gave them visibility and intelligence ahead of anything happening so they were prepared, and they would share that mitigation with all the other companies.
As the actors moved through each of those targets, their attacks became less effective. And we were able to basically mitigate and shut down the impact of their operation. It was very rewarding.
This was the spark that led to what the team and I do today – in leveraging rich intelligence and a deep understanding of criminal TTPs to more comprehensively investigate cybercrimes for organizations and law enforcement agencies.
Understanding threat actor motivation – ideological, state-sponsored, or financial
TYSON: Your initial work sounds like it was more ideological in nature, is that an accurate description?
JASON: What we would do is look at a particular attack or threat actor and work on understanding their motivation, because it would inform how they would operate and allow us to classify them accordingly.
The more common case we see is financial motivation, which is more representative of threat actors that we’re dealing with now, where – whether it’s business email compromise (BEC) or phishing, or ransomware – much of it is generally financially motivated.
The other angle is when actors are state-sponsored, and have their national ideological interests that drive what they do.
Connecting that to our current day work at SpyCloud – some actors are motivated by monetizing stolen data and that’s where we are able to make a difference – the data enters an ecosystem where we can recover it and use it to prevent further damage.
And so the motivation of a bad actor informs us as to not just why they’re doing it, but the why they’re doing it tells us how they’re going to operate – what they’re going to do later or next.
The positive impact when curiosity fuels a mutual passion
Since joining SpyCloud a few months after its founding, Jason has created and led the Investigations team, bringing together a group of seasoned and passionate cybersecurity experts with vast public and private sector experience who share his commitment to SpyCloud’s mission to disrupt cybercrime.
When discussing why Duncan and Tyson both left their previous public sector roles, it was clear they both shared a commitment to mission-driven work and defending those least able to defend themselves. That unwavering desire to do good is at the core of the Investigations team.
A unified mission and defining victory in the face of constant threats
TYSON: What does “winning,” or the thresholds of winning, actually look like in this fight against cybercrime?
JASON: There’s a lot of focus on disruption of operations and raising the cost to the adversary.
I look at the amount of fraud that we see out of West Africa, Ghana, and Nigeria, for example. The average annual income in Nigeria is something like a thousand dollars a year – something like eighty-five percent of their GDP comes from petroleum.
And something like a hundred percent of their petroleum industry is corrupt along with their government. So you have someone sitting there in squalor with no economic opportunities, and I could get a computer and plug it into this cable and there’s an opportunity to get money.
There’s underlying socioeconomic and geopolitical drivers to that activity. But they still make that decision. It’s complicated.
You look at the teenagers in the UK and the US who are wrapped up in the Com and Scattered Spider. It’s the Internet. It’s like a video game. It’s this virtual world. They’re still making these decisions.
And at that decision point, if they have more awareness of the impact and the consequences of their actions, then they’re less likely to go down this path of cybercrime.
“So raising the cost to the adversary – even for the truly evil actors – if they’re not financially motivated, and they’re just wreaking havoc across the Internet, every bump or stepping stone that we put in the way reduces the impact that they have. And in that way, we win.“
DUNCAN: Can you tell us why SpyCloud Investigations is such an important solution in that process?
JASON: I think that the biggest thing that we bring to bear with our SpyCloud Investigations solution is removing the veil of anonymity of the actors and the infrastructure. Because many of these actors act with impunity, and they think that they’re anonymous hiding behind some moniker.
There often is an ego element within the psychological component that we see prevalent with bad actors. Cybercrime activity has become gamified – there’s even leaderboards. That all fades away when they’re identified.
If we can link the infrastructure that they’re using to their campaigns, then we get more threat intelligence about their operations.
We can’t always do [threat actor] attribution, but if I can take one email address that was used in this one phishing campaign, and enumerate a thousand more, well now I have an order of magnitude, more defense against them that disrupts their operations.
“If I can identify who it is, then we can go after that individual. We can impose costs on them. Even if it doesn’t mean that they’re prosecuted and they’re imprisoned – if they can’t leave their country ever again, that’s a real cost. And their friend, or the one that’s up and coming, will look at that and see that, ‘Man, that’s maybe not the life that I want. Maybe there’s another way that I can use my skills.’”
TYSON: Taking that idea then of impacts, can you share an example of an investigative work that led to a meaningful disruption or impact?
JASON: Euroboss is an actor that we identified related to a number of schemes and pervasive phishing. He had a lot of domains that were impersonating other companies and that sort of thing to enable phishing activity.
Through our partnership with the World Economic Forum (WEF)’s Cybercrime Atlas Group we brought to bear a large number of resources – dozens of people from different companies – to work together and were able to identify Euroboss.
DUNCAN: So to switch gears a bit, Jason, with regards to the Investigations team, how do you create a team culture that can handle the emotional and psychological toll of doing this work?
JASON: I think there’s a few things here. One, there’s a common thread that runs throughout the whole investigations team where these dark elements are not new to them. And they all are offended by evil-doers and want to fight against it. And so that passion motivates all of us.
Everyone in the Investigations team at SpyCloud has a sense of mission. They all come from former federal law enforcement and military intelligence backgrounds. And what they find when they come to SpyCloud is the same sense of mission that they had previously – that drove their career. And we give them that in the private sector because we are making a real difference.
In many cases, I think we also give them a broader aperture. We give them more reach.
We set a tone of curiosity.
We’re able to define the leading edge of OSINT and investigative techniques, applying this idea of holistic identity to unmask cybercrime actors or identify fraudulent activity that goes beyond what we see in a lot of law enforcement and military and intelligence communities’ current capabilities and applying that to the corporate world to defend against all manners of attacks – it’s exciting to have the ability to contribute these things.
TYSON: How important is [community and law enforcement] collaboration for making a difference when it comes to better security outcomes?
JASON: We were involved very early in the WEF Cybercrime Atlas. As we built out the Atlas and brought in other like-minded people from a lot of different companies – many of which are are our customers at SpyCloud – it created a community of those people that are spending nights and weekends doing this research, developing new methodologies, hunting cybercrime actors, and while I’m very proud of what we’ve built and the work that we’re doing, we don’t know everything. We don’t always have all the different sources and tools and understanding of the context of a case.
Working with those other people in the confines of a specific, unified mission on a case that we’ve picked up allows us to learn from our peers and develop a better understanding of how context gains higher fidelity when you put all these pieces together. Atlas is just one of the community groups we participate in with our services and expertise.
I believe iron sharpens iron, and together we get better.
Why the cybercrime fight matters
TYSON: What motivates you to keep going even when it’s bad or not turning out the way you want it to?
JASON: I’m driven by the injustice and the responsibility that I have to defend the least among us – the poor and the downtrodden. The victims that we look at, they have no ability to defend themselves really against these groups. Hell, the companies that have huge teams can barely do this.
Prior to cybersecurity, I was a paramedic. And a firefighter. And I think the same thing drove me there. When the worst thing has happened in your life and you are helpless, and you call 911. They trained me and gave me the equipment and a team, and we could show up and make a difference and help someone in that time of need. And I think the same thing drives me here.
I don’t know if you’ve ever been a victim of a crime. Even small things, like in high school someone broke into my car and stole my CD player and my CDs. And I’m working for like, five dollars at a fast food restaurant to buy that stuff. That really hits.
We have this ecosystem where it’s easy for you to just go and get tools.
“Today, we’re dealing with malware-as-a-service, phishing-as-a-service. It’s all the stratified ecosystem that’s commoditized where if I just wanna go and target some vulnerable group and steal from them, it’s just right there at my fingertips.
And I’m able to help. I’m able to make a difference. It all counts. You know, a lot of times, we do get strung out and under-resourced and overworked and sometimes it does feel like we’re not winning, but it all counts.”
You take for instance a story our team was just discussing from back in 2021, a victim in Oregon – an elderly lady. She was a victim of PUA (Pandemic Unemployment Assistance) fraud.
An elderly woman that goes to file her income taxes expecting that she’s going to get a $3,000 return – and that’s how she’s gonna heat her home – only to find out that her tax return’s already been filed. And they’ve already paid out to some threat actor, some fraudulent person that impersonated them.
In the midst of COVID, you go thinking that you have this government assistance available to you, only to find out they’ve already paid you – but it wasn’t you.
Something like that – three thousand dollars, this elderly lady – that’s not going to be on federal law enforcement’s radar. But every one of those that we help, it all adds up and it all matters. It matters to them a lot. We’re not gonna win every one, but it all counts.
The impact of cybercrime disruption
Whether it’s high-profile takedowns or smaller fraudulent schemes, SpyCloud’s Investigations team isn’t defining success by any single big win, but rather the combined effect of all their work.
Every disruption has an impact. And that commitment to protecting those who can’t defend themselves isn’t just part of the job – it’s their driving purpose.
Learn more about our story or explore our solutions today
Keep reading
