
BTS #53 - Exploring the Evolution of Zero Trust

In this episode, Paul Asadoorian and Chase Cunningham, also known as Dr. Zero Trust, delve into the current state and evolution of Zero Trust security. They discuss practical implementations, the importance of micro-segmentation, and how Zero Trust can help prevent lateral movement in networks. The conversation shifts to the implications of cyber warfare, the role of IoT devices, and the intersection of cyber and kinetic warfare. They also explore the frequency of breaches, their impact on the market, and the need for incentivizing cybersecurity improvements to enhance overall security posture.


Below the Surface Episode 53: Zero Trust Breaches with Dr. Zero Trust

Host: Paul Asadoorian
Guest: Chase Cunningham (Dr. Zero Trust)


Introduction

Paul Asadoorian: This week, Chase Cunningham joins me to discuss Zero Trust breaches and a lot more. Stay tuned—Below the Surface coming up next.

Welcome to Below the Surface. It’s episode number 53 being recorded on Wednesday, June 25th, 2025. I’m your host, Paul Asadoorian. Before we dig into our interview today, Below the Surface listeners can learn more about Eclypsium by visiting eclypsium.com/go. There you’ll find the ultimate guide to supply chain security, an on-demand webinar I presented called “Unraveling Digital Supply Chain Threats and Risk,” a paper on the relationship between ransomware and the supply chain, and a customer case study with DigitalOcean.

With me today is Chase Cunningham, AKA Dr. Zero Trust. Chase, welcome to Below the Surface.

Chase Cunningham: Hey, thanks for having me. Your setup is much more interesting than mine. I’m using the cheapest rented space I could find while I’m on the road right now.


Dr. Zero Trust’s Background and Career Journey

Chase explains his military background, transition to cybersecurity research, and how he earned the “Dr. Zero Trust” moniker.

Paul: Give us a little bit about your background and particularly how you got the moniker or nickname Dr. Zero Trust.

Chase: Sure, so I’m a retired Navy chief. I was a cryptologist for my career. Then I was at NSA for a while doing stuff there. Then I was lucky enough to get over to Forrester Research and take a bunch of their Zero Trust stuff that John Kindervag had kind of put in play theory-wise and make it practical. After that, I’ve been consulting on my own since then. I’ve managed to write 11 books. Number 12 comes out next month.

The Dr. Zero Trust thing actually started as a joke and it just turned into kind of a brand. Like everything else in my life, I’m perfectly okay stumbling into some form of success. So I wish I could say I actually thought about it, but it literally just came as a joke between some friends and then it turned into a thing.

Paul: Sometimes that’s the best way. Sometimes they get you in trouble, but sometimes that’s the best way.

Chase: Yeah, I mean, if you take yourself too seriously, what’s the point? Life’s no fun.


The Current State of Zero Trust

Discussion about Zero Trust evolution from concept to practical implementation, including government adoption and market maturity.

Paul: What’s the state of Zero Trust today? I feel like Zero Trust was one of those things that was born out of a BeyondCorp paper, was kind of one of the defining moments for it, and it’s still a category today, but I don’t hear it talked about as much. So give us the state of Zero Trust.

Chase: Well, I think we’ve jumped the shark on the market stupidity around Zero Trust. We hit peak dumb with that a few years ago, which is fine. Markets are markets and they were designed to build things up and get people interested.

I was on a call last night with the folks at the DoD office that have put a couple billion dollars into Zero Trust for the government, and it’s rolling along quite well. So I think the state of it is we’re past the point of concept and theory. We’ve got practical implementation. We’ve got money going. We’ve got organizations internationally that are doing it. I think we’re in a good spot overall.

There’s always doubters and haters and those types of things. And there’s always the conversation about “what’s next?” The truth of the matter is it’s a strategy, and you evolve your strategy over time. So what’s next is whatever you decide is next.

Practical Zero Trust Implementations

Paul: I feel like there are practical implementations that do work for Zero Trust that don’t get enough attention because people get hyper-focused on Zero Trust as a buzzword.

Chase: Yeah, we’re at a stage now where the infrastructure side has become pretty commonplace for Zero Trust. There are folks in gas and electric that are doing Zero Trust. There are folks overseas that are talking about Zero Trust for the oil industry and those types of things—Saudi Arabia, APAC’s got a bunch of initiatives.

Paul: Is that a lot of networking, like the networking side of Zero Trust and what we call micro-segmentation?

Chase: Yes, sir. That’s what we’re talking about—getting that down to the nuts and bolts and the infrastructure side. I think now we’re at the spot where we’re starting to see Zero Trust for users and BYOD, which is good. I’m hoping that it kills the whole phishing training thing because it’s entirely possible it will.


Zero Trust in Data Centers and Infrastructure

Paul and Chase discuss Zero Trust principles applied to data center infrastructure, particularly BMC (Baseboard Management Controller) security.

Paul: I think the data center is an interesting part. I spend a good amount of time looking at BMC, Baseboard Management Controllers, and the security around that. One of the things we were talking about last week was if you’ve got IT infrastructure—and this is becoming a thing because people are deploying data centers—my joke is like, you’ve got those empty racks from when you moved to the cloud, now you can fill them with AI data center stuff to train your models if you’re into that kind of thing.

But all server gear has that BMC component. You really need to lock it down. And I believe it ties into a Zero Trust principle. The BMCs don’t need to talk to each other, so you can limit your exposure. Like if an attacker compromises one BMC, even if they are on that network, they shouldn’t be able to compromise all the BMCs. That’s a Zero Trust design principle that I just described, right?

Chase: Yeah, that’s the whole thing about correct segmentation, isolation, and those types of things. I don’t have it with me, but I have a really good slide I’ve used in the past where it shows the Titanic, which was pretty small compared to today’s standards, but the Titanic was the “unsinkable” ship. Behind it, I’ve superimposed a modern cruise ship, and the modern cruise ship just dwarfs that thing.

The point to be made is modern cruise ships are pretty much unsinkable to a high degree, outside of catastrophic total failure, because they’re built for survivability. We learned from the Titanic that if you let compartments fill with water as it spreads, everybody goes down and you wind up with a crappy Leo DiCaprio movie.

The whole thing we’re moving to now is bigger infrastructure, massive compute, massive span and sprawl. If it’s done correctly, that thing sails along just fine. You’re never going to be no risk and you’re never going to be no hacks. But the whole thing is I can take it and I can deal with it and I can move on and recover.


Lateral Movement and Network Segmentation

Discussion about preventing lateral movement in networks, a core principle of Zero Trust architecture.

Paul: It’s really about stopping spread on the network and having proper compartmentalization, which I think historically we’ve looked at as high maintenance and high overhead, but that’s where the new technology and innovations are helping.

Chase: Totally. That’s where micro-segmentation as an approach to doing things was not even doable a few years ago, but now it’s pretty commoditized and there are some companies that do it really well. So I think anybody that’s still hemming and hawing about “oh, we can’t micro-segment,” you’re just not looking at the market because the technical capabilities are there.

Paul: Yeah, I can deal with a tree on fire in the forest. I can’t deal with a forest fire.

Paul: Because we also used to say, and this is kind of interesting when we’re in the context of ransomware, that when I was pen testing—we’d compromise one of their workstations in the corporate office, and from there, it was a free-for-all. Then we could spread and move laterally throughout the network.

My buddy John Strand always said the number one thing that you can do right now if you’re not doing it—this is a huge security improvement—is turn on the firewall for Windows or use your network to isolate your workstations from each other to prevent that lateral movement. Is that kind of what Zero Trust is enabling us to do more at scale with manageability?

Chase: Well, Zero Trust broad scope is the strategy side around the smart application of controls to remove trust relationships from inside systems, especially with default relationships, because that’s usually a real problem.

The ZTX, which is the framework I created at Forrester, breaks Zero Trust down into the components that you use to do Zero Trust. If you think about the market and the capabilities: if I take care of my network, great, I can segment my network. The next thing I should take care of is probably users. Okay, well how do I isolate and segment users? Then what do I do about my workloads in the cloud?

The whole goal is to evolve your overall approach to the problem in a Zero Trust approach and get it where it takes care of everything. You don’t do it right out of the bag. You do it over time. It takes requirements. I remind people all the time in workshops: you spent 30 years building this infrastructure and this network, it’s going to take you time to go Zero Trust. There’s no easy button.
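As an added illustration of the segmentation principle discussed above (isolating BMCs from each other, and the broader lateral-movement question), this Python script computes which hosts an attacker who owns one BMC can still reach under a flat allow-all policy versus a default-deny, micro-segmented one. It is not code from the episode or from Eclypsium; the host inventory, addresses and rules are constructed.

```python
"""Blast radius of a compromised BMC: flat network vs micro-segmented policy.

Added illustration; hosts, addresses, ports and rules are constructed.
"""
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed inventory: a jump box, a management console and four BMCs
# on a dedicated out-of-band subnet.
HOSTS = {
    "jump":  "10.0.0.10",
    "mgmt":  "10.0.0.20",
    "bmc-1": "10.0.1.11",
    "bmc-2": "10.0.1.12",
    "bmc-3": "10.0.1.13",
    "bmc-4": "10.0.1.14",
}

# A rule is (source network, destination network, destination port or None
# for any port). A flow is allowed only if some rule matches: default deny.
FLAT_POLICY = [
    # The pre-Zero-Trust default: anything on the management range can
    # talk to anything else on it.
    ("10.0.0.0/16", "10.0.0.0/16", None),
]

SEGMENTED_POLICY = [
    # Only the jump box may reach the management console (SSH).
    ("10.0.0.10/32", "10.0.0.20/32", 22),
    # Only the management console may reach the BMCs, and only on the
    # ports it actually needs (Redfish/HTTPS and IPMI).
    ("10.0.0.20/32", "10.0.1.0/24", 443),
    ("10.0.0.20/32", "10.0.1.0/24", 623),
    # No rule allows BMC -> BMC or BMC -> mgmt; those flows are denied.
]


def allowed(policy, src, dst, port):
    """True if the policy contains a rule permitting src -> dst:port."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, rule_port in policy:
        if (s in ip_network(src_net) and d in ip_network(dst_net)
                and rule_port in (None, port)):
            return True
    return False


def reachable(policy, start, ports=(22, 443, 623)):
    """Hosts an attacker who controls `start` can reach, hopping through
    every host they take over on the way (breadth-first over allowed flows).
    Returns the sorted list of host names excluding `start`."""
    owned = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for name, addr in HOSTS.items():
            if name in owned:
                continue
            if any(allowed(policy, HOSTS[cur], addr, p) for p in ports):
                owned.add(name)
                queue.append(name)
    owned.discard(start)
    return sorted(owned)


def blast_radius(policy, start):
    """Number of additional hosts exposed by the compromise of `start`."""
    return len(reachable(policy, start))


if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{label:9s} bmc-1 compromised -> reaches {reachable(policy, 'bmc-1')}")
```

Under the flat policy one compromised BMC exposes every other BMC plus the management hosts; under the segmented policy it exposes nothing, while the legitimate jump -> mgmt -> BMC path still works.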


Ransomware and Attack Evolution

Analysis of how Zero Trust helps limit ransomware damage and how attackers are adapting to improved enterprise defenses.

Paul: But I feel like you can, for ransomware and those style breaches, really limit the damage and the scope, which is something we’ve always talked about—limit the blast radius. It seems like this is the culmination of a lot of those different, very tactical individual recommendations, but in a larger strategy of Zero Trust.

Chase: Totally. Absolutely. You just nailed it. When I was Red Team, my favorite thing was printers. Nobody ever paid attention to printers, but man, printers are tucked in the network and they’re pretty smart and you can get all kinds of stuff. I made bank off of ripping people through their printers.

Paul: It’s great, but I feel like that’s where attackers are leaning towards now. I feel like we’re kind of on this cusp—maybe we’ve passed it in certain aspects—where attackers are like, “Wow, it’s kind of hard to compromise an enterprise network today,” maybe through phishing, maybe getting code execution on a Windows system.

It’s much harder than it was before. EDR has gotten better, Microsoft’s operating system technology has gotten better. I think defender teams in general have gotten better and they’ve raised the bar. But what attackers do shapes what you and I do on pen tests. We’re like, “Well, if that’s harder, what’s easier?” Going after a printer, an IoT device, a network appliance. It turns out if you read the latest breach reports, vulnerability exploitation is up, tied back to these appliances that I call the dusty corners that no one’s paying attention to.

Chase: Yeah, and I think it’s interesting too, because we’ve seen the trends indicate that the enterprises and the big governments have done a better job of becoming harder targets. We know this: if you’re the lion on the Serengeti, you go look for the slow gazelle. The slow gazelle is going to be your vendors, your third parties, your partners, your mom and pop shops, because they don’t have time for this stuff and they don’t know what they’re doing anyway.

That’s why if you look at MGM and some of these other big breaches that have happened, it wasn’t their corporate infrastructure that was targeted—it was their partners and vendors and third parties, and they worked their way forward from there.

Paul: And this is just what attackers are doing. But Zero Trust can help in this context because why should an attacker be able to pivot through these systems?

Chase: Correct. And why should somebody that’s doing admin work have access to things that they don’t need access to? Or the other side: if you create a policy that says we do multi-factor auth, well obviously if one of your users is getting bombed with a thousand requests an hour, that’s not a human doing it, so block that account.

I would rather have someone request an exemption and deal with that than them breaking my entire network because I allowed it to happen.
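The MFA point above ("a thousand requests an hour is not a human, so block that account") expressed as detection logic, as an added example that is not from the episode: a sliding one-hour window of push requests per user over constructed log lines, returning the moment each account crosses the limit. The log format, user names and the exact limit are assumptions.

```python
"""Detect MFA push bombing from authentication logs (sliding window).

Added illustration; the log line format and the sample users are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Limit quoted in the conversation. Treat it as an upper bound; a real
# deployment would tune this far lower.
MAX_PUSHES_PER_HOUR = 1000
WINDOW = timedelta(hours=1)

# Constructed log format: "<ISO-8601 UTC> mfa_push user=<name> result=<word>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) mfa_push "
    r"user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse(line):
    """Return (timestamp, user, result) or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["result"]


def detect_push_bombing(lines, limit=MAX_PUSHES_PER_HOUR, window=WINDOW):
    """Count pushes per user inside a sliding window over time-ordered lines.

    Every push counts, approved or denied: the flood itself is the signal.
    Returns {user: timestamp of the push that crossed the limit}; only the
    first crossing per user is recorded, mirroring a block decision.
    """
    windows = defaultdict(deque)
    blocked = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, _result = parsed
        if user in blocked:
            continue
        q = windows[user]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop pushes older than the window
            q.popleft()
        if len(q) > limit:
            blocked[user] = ts
    return blocked


def constructed_log():
    """Constructed sample: 'bob' gets three pushes over a morning, while
    'alice' is hammered with 1200 pushes in 40 minutes (one every 2 s)."""
    start = datetime(2025, 6, 25, 9, 0, 0)
    events = []
    for minute in (5, 30, 75):
        events.append((start + timedelta(minutes=minute), "bob", "approved"))
    for i in range(1200):
        events.append((start + timedelta(seconds=2 * i), "alice", "denied"))
    events.sort()
    return [
        f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} mfa_push user={user} result={result}"
        for ts, user, result in events
    ]


if __name__ == "__main__":
    for user, when in detect_push_bombing(constructed_log()).items():
        print(f"block {user}: crossed {MAX_PUSHES_PER_HOUR}/h at {when.isoformat()}Z")
```

Blocking the account (and having the real user request an exemption) is the policy response the conversation describes; the detector only decides when that rule fires.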


Cyber Warfare: Current State and Examples

Discussion of modern cyber warfare tactics, including examples from recent conflicts in Ukraine, Iran, and Israel.

Paul: You just wrote a book on breaches. How many books have you written?

Chase: So, 11, and number 12 comes out at the end of July right before Black Hat.

Paul: What have the books been about?

Chase: I did three comic books for kids on cyber with my partner Heather for the Singe series. Then I wrote two fiction books that are part of a series about AI and cyber warfare. I’ve written some non-fiction books about cyber warfare and contributed to a few more. I worked with General Tuhill on a book called “Riptide” that was about manipulating the GPS system.

Finally, the last one was the one I just published called “By the Breach,” where I basically put out a methodology that’s proven with data that says here’s a way to make money in the stock market when companies continually get breached, and it works.

Paul: Let’s talk about cyber warfare. It’s interesting how much of a storied history there is in the topic. When I read “Fifth Domain,” that book traces the cyber warfare conversation all the way back to Reagan’s administration here in the US. Where do you stand today? It’s interesting with the Iran conflict—I can actually have intelligent things to say about what’s happening in the world because I’m like, “Did you know about Stuxnet?” People are like, “No, what’s that?” Well, turns out the Iranian nuclear program has been in our crosshairs for a long time, and one of our takes at that was a computer virus.

Chase: I remind people all the time: what you’re seeing that’s been going on in Ukraine and in Iran and Israel is the future state of warfare and conflict, cyber side, and to some degree, kinetic conflict too. What’s really interesting to me is, if you look at what’s gone on with Iran and Israel recently, one of the first things that happened was a big disinformation campaign where they took over the TVs in Iran and started broadcasting stuff about “here’s how you can revolt and rise up.”

Then, the same day, they took down the Iranian crypto exchange, which was like a hundred million dollars worth of money. For Iran, a hundred million dollars worth of crypto money is significant. So it’s been this cascading sort of cyber attack thing. On top of that, you’ve got the use of drones, you’ve got the use of social media, and they’re hacking cameras back and forth between Iran and Israel to vector in on targets.

Paul: Did they take out their missile defense system in a cyber attack before the recent bombings?

Chase: I believe that they did some disruption, but I believe that they were able to keep things up manually because in the military, you’ve always got to have fallback. But the stuff that they were able to do where they were manipulating messaging was really interesting to see.

CCTV Cameras in Warfare

Paul: The CCTV camera thing is interesting. There was a BitSight report about exposed cameras on the Internet. One of the first things we did on the Internet once we learned how to Google dork was go find the exposed cameras. But they’re being used in warfare now.

Chase: I was reading a report this morning when the dogs woke me up at 4 a.m.—there was proof that Iran launched eight ballistic missiles and seven of them got hit by the Iron Dome, but one got through. Immediately, the area that it got through, all of a sudden these cameras went down and came back up and feeds weren’t going anywhere, so they were going to Iran. What they were doing was basically using those localized CCTV feeds to get a battle damage assessment of that one ballistic missile that got through.

It’s crazy because that’s on-the-ground footage that when I was military, we would have killed to have that type of information. Now you just log in and go look.

Paul: The camera systems—is it the same thing in this context of warfare, the same context of the cameras that we know and usually don’t love that are just riddled with vulnerabilities?

Chase: That’s Ring cameras and those types of things that are just out there and they’re misconfigured. Somebody buys them from Lowe’s or whatever the Israeli version of Lowe’s is, and then they just go plug it in and never change the default password or put a firewall on it. It’s out there talking to the internet, and if you know what you’re doing, it’s not hard to go find them.

They’re not smart devices, they’re stupid devices. Vulnerabilities on these cameras are not hard to come by either.


Drone Warfare and Security Implications

Extended discussion about drones as both attack vectors and security threats in modern warfare.

Paul: We do a lot of firmware hacking here at Eclypsium. You get a camera and you look at the firmware and it’s like, wow, there are a lot of vulnerabilities. It’s really old software. There are no memory protections. It’s all the things that an attacker would love to see on a system that they can compromise. But being used strategically in cyber warfare is something we always theorized about, but now it’s happening in practice.

Chase: That’s the same thing with drones. Most drones are just little flying web servers. It’s not hard at all to pop a web server and get it to do God knows what you want. We’ve seen that in Ukraine—commercialization of drones where they’re using them for all kinds of different purposes. That, to me, is what the future state of warfare and conflict looks like. Cyber is the bridge between espionage and kinetic war. The longer you can walk across that bridge, the better off because your casualties are lower but your impact is exponentially higher.

Paul: When we talk about drones and cameras, the denial of service vulnerabilities and attacks come into play. Most of the time for denial of service vulnerabilities, we’re like, “Whatever. They can do other ways to perform a denial of service.” But when we talk about equipment that’s being used in warfare conflict, it has to be hardened against scenarios that we would normally not harden our gear for as consumers or even in the enterprise.

Chase: These types of drones and other embedded IoT, OT technologies—people are not giving them enough credit for the potential other avenues that they can be used for. That’s the thing that you and I get because we play in this space: anything you build, someone can use for a purpose beyond what it was intended.

But for the majority of the rest of the population, if they buy a web-enabled camera for their front door, for them, it’s a web-enabled camera for the front door. They never think about, “Oh, that’s a potential surveillance device.”

Drone Threats to Civilian Infrastructure

Paul: Mikko Hyppönen just made the move to an anti-drone company. He left WithSecure and is working for an anti-drone company now, which is super interesting.

Chase: Drones scare the hell out of me because there’s nothing to really do to keep those things out of the sky. I’ve been involved in some working groups here in DC where we’ve submitted mass casualty scenarios based on drones to congressional folks.

Paul: Because I think we think of it as just one drone. But what we’re actually seeing today is thousands of drones being deployed to areas.

Chase: There are agricultural drones right now that can carry 50 gallons of stuff that they spray on top of plants. That 50 gallons of stuff that you’re putting on top of plants is like 150, 200 pounds worth of weight. That could also just as easily be chemicals that you spray on people to do bad things.

These types of things have to be considered and people have to think outside the box. You have to be—maybe it’s a personality flaw I have—but you have to be malicious in your thinking a bit.

Paul: What do we do about the drone threat? How much is a drone threat outside of warfare?

Chase: Drone threats scare the hell out of me. That’s one reason why my family—I don’t go to sporting events. I don’t go to anywhere where there’s an uncovered roof on the place, because the paranoia in me for a mass casualty event and the fact that there are no controls to stop it other than maybe a lucky cop with a 12-gauge, scare the hell out of me.

What if there’s 250 of them? You combine that with the world that we face today where the FBI is reporting that there are sleeper cells here in the U.S. and there are militias and things like that. It just takes one person with bad intentions and enough time on their hands to do bad things. There are no controls for it. There is no real defense currently that stands. All you’re doing is really hoping that someone never decides to do this stuff. And hope is not a strategy.

Technical Challenges of Drone Defense

Paul: There was a company I interviewed a long time ago called RF Spotter. They used RF for physical security controls. They could tell the difference between a bird and a drone. I think you’ve got to get ahead of it. Once it flies over the stadium, it’s too late. But if you can get ahead of it, certainly that’s detectable.

Chase: The frequency issues that they use for control and for streaming actually typically run very similar frequencies to what people use for 5G and cell phones. So your only option is to jam the drone. But if you jam the drone, you jam everybody else’s phones and stuff. That’s a non-starter at a public event.

That’s real expensive. I mean, we jam stuff in the Navy all the time. We live and breathe on jamming people, but that’s when we had a giant radar and basically an unlimited power supply. Trying to do that at the Super Bowl with a hundred thousand people in attendance—watch what happens.

Paul: Because you’re going to jam everything. The frequencies in common are going to get jammed.

Chase: If you do that for people that are paying to see the event, you better be ready for the fallout. Most of these facilities would rather accept the risk of not doing that than the risk of “what if 20,000 people die because we have a mass casualty event?”

Then the other side of it is like if your defense is going to be counter RF or counter wavelength, what you also wind up doing—because it’s not like those jamming things stop at the actual drone—if you’re in an area that’s downtown, aircraft fly over you. You’re going to jam the aircraft? That’s not going to happen.


The Evolution of Cyber Warfare Beyond Traditional Conflict

Discussion about how cyber warfare serves as a bridge between espionage and kinetic warfare.

Paul: How else is cyber war—I feel like we don’t use the term cyber war so much anymore because the historical thinking was we’re not going to fight in the real world, we’re just going to do cyber war and cyber activities. But what really ended up happening is we’re just combining them. It’s another domain, right?

Chase: Yeah, it’s the fifth domain. That’s why Cyber Command was established. The cyber side—that’s why I say it’s the bridge between espionage and kinetic conflict. What we’re really getting at is the longer that I can extend the espionage/soft impact side of the equation, the better off we are. In a perfect world in combat, you win without ever firing a shot, and that’s what we’re trying to do.

That’s what we’re seeing with these cyber attacks where you’ve got massive misinformation, disinformation campaigns. You’ve got banks going down, you’ve got hospitals that are targeted, and the point is to cause enough chaos that the side that you’re in conflict with can’t keep up with everything else.

If you’re the defender, you’re the defending nation, you sit there going, “Wait a minute, priority-wise, my citizens are under attack from their banking system, from the healthcare system failing, etc. Do I write off my citizenship and say, ‘Look, we can’t deal with you right now because we’re potentially going to be attacked kinetically’?” And then the other side just keeps ratcheting up the heat.

This is the only space that I’ve been able to find in my research where in all of history, a nation state like North Korea that’s so poor it can’t feed its people can build a nuclear weapons program based off of Bitcoin mining. It’s crazy when you really think about it.

Paul: There was some saying that the North Koreans have gotten much better at cyber operations, right?

Chase: They run it all through China. Cyber warfare—I wrote my book on it a while ago and I wrote about deep fakes back when nobody was really talking about deep fakes. Now you’re seeing that stuff all over the place, and that combines into the realm of cyber warfare because you’re doing misinformation, disinformation, causing doubt.

There’s this perfect storm lining up and everybody’s looking at Iran and Israel and Ukraine and Russia right now and going, “Gosh, that’s crazy.” We’re not any different.


Propaganda and Information Warfare

Analysis of how propaganda and misinformation campaigns exploit human psychology and technology.

Paul: It’s kind of scary, right? Propaganda-wise, we’ll start there before we delve into our infrastructure. The propaganda is interesting. We saw that in the 2020 elections and we still see that on the internet today. How difficult is it today to figure out if something on the internet is real? The cybersecurity professional and hacker thinks, “Well, everything’s fake until I can validate it some way,” but not everyone thinks that way, which is why these propaganda campaigns on the internet are highly effective.

Chase: The algorithms feed that too. The goal of the algorithms in a lot of these social media channels is to keep you in an echo chamber, and that echo chamber just gets really, really loud. If you’re able to get stuff that looks valid and moves forward, then people make decisions based on it.

I read somewhere recently that there was a study done—I want to say it was by UC Berkeley—that the human attention span has now basically devolved to between 7 and 10 seconds. So if you can get someone to pay attention to something for 7 to 10 seconds, you have an opportunity to put an implant in front of them that they’ll act on.

Paul: Right, it’s crazy. My friend sent me something and it was these inflatable boats. But the inflatable boats looked like yachts. They had all these people on these huge inflatable yachts. My friend lives on a lake and he’s like, “I really want one of these.” I’m like, “I hate to burst your bubble, but that was AI. They’re not real, dude.” This is the problem we’re gonna have—differentiating the real from the fake, and this was just a benign example. But what if it’s not?

Chase: The skill that this stuff requires to be good at it is so low now. The democratization of technology is awesome. I want every person on the planet to benefit from it. However, every person on the planet also now has the opportunity to be a malicious actor. I would argue that they could probably operate at the level of a small nation state if they really felt like it.


Critical Infrastructure Vulnerabilities

Discussion about the vulnerability of critical infrastructure and the challenges of protecting it from nation-state attacks.

Paul: It’s also scary to think about our infrastructure. What is our critical infrastructure? What we’re seeing now is huge botnets being built based on commodity hardware thrown out there. To me, that’s a potential disruptor. There was one big ISP that had a massive outage and they didn’t tie it back to a threat actor, but I was like, “What if it was?” Because all of this gear is largely firmware-based and Swiss cheese, and our enemy nation states are embedding themselves in this technology and are going to use it at some point strategically.

Chase: I think what stands out to me is that there are nation states that are playing the long game. China has basically said by 2050, it plans to be the global superpower, which I would suggest it probably is close to that now. But ultimately, how do you get to be the global superpower? Well, sooner or later, you’ve got to do something to exert control across the ocean.

We’re lucky in the U.S. because we’re kind of a giant island, surrounded by either Pacific or Atlantic Ocean. But the ability for an organization at the level of China or Russia—not so much Russia anymore because Ukraine has basically bankrupted them, but more China—to reach across that border and do things that they need to do to degrade the infrastructure, the efficacy, the operations, the monetary side, the economic side of the U.S. is very, very real.

I go to Capitol Hill once a month and talk to people up there. Those folks up there are pretty obtuse to this reality. They’re just kind of dealing with what they can deal with right now. When your adversary is playing 3D chess and you’re chewing on the checkerboard, it ain’t a good thing.

Paul: I agree, we need to be more strategic and forward-thinking with our defense of our critical infrastructure. We have pockets of it, but we’re nowhere close to securing or making that more resilient in any capacity, which is kind of frightening.

Chase: It’s also maddening when you think about the fact that we’ve set up agencies and dumped billions of taxpayer dollars into fixing that specific problem, and we’re no better off now than we were 10 years ago when those agencies were established.

Paul: We’ve had some wins, but not on a national level to specifically address nation-state cyber threats. I think a great example is the FDA approval of medical devices, which is great. Josh Corman and company were instrumental in getting those bills passed. But we need that kind of control and the stick that that legislation has, but for all of our critical infrastructure, especially these super vulnerable devices that we just put willy-nilly on the internet.

Chase: What was the stat? There are two devices for every one person out there, three devices or something like that. The numbers just get really big, really fast. Control and large numbers don’t typically go well together.

Paul: Because we have the legacy problem too. A lot of it is legacy tech. Look at what most people would term critical infrastructure—power, water, sewer, gas—there’s so much technical debt to overcome.

Chase: Those things have been there since the sixties, seventies, fifties in some cases. You’re talking about COBOL and Fortran and old stuff.


The Breach Economy and Market Response

Chase discusses his research into how stock markets respond to data breaches and his methodology for profiting from these patterns.

Paul: Let’s talk about breaches. Breaches happen all the time. It’s kind of funny, Chase—one of my co-hosts, Jeff Man, on my Paul’s Security Weekly podcast has his list of breaches every week, which is astonishing. I think some of that is reporting. Some of that is people have better observability of their own networks to determine if they’re breached. But also, if the breach was ransomware, you’re going to know you’re breached because your machine’s locked up. So we’ve got all these breaches to deal with. How do we get a handle on these breaches? And what was the gist of the book?

Chase: The book I wrote was called “By the Breach,” and the reason I wrote it was—I grew up on a farm—at a fundamental level, I have a problem with big people making big money off of everybody else, even though they’re the ones putting you in a place of failure.

So I did a bunch of analysis and looked at stock market stuff. I looked at impact, I looked at social sentiment, and then I basically came out with a calculation that says when a breach occurs—and you can look at the SEC 8-K filings in the EDGAR database to tell you when that happens—there’s a sweet spot where the stock will dip, and if you buy it at the dip, mathematically speaking, it will recover over time to a degree that’s higher than the dip anyway, so you’ll make money on the far end.

If you do that for the many, many breaches that we have, you can make a pretty significant chunk of change.

Paul: So where are you docking your yacht today, Chase?

Chase: Eventually, maybe you’ll get there. But it was funny because when I was doing the research for the book, I plotted everything out on some graphs and I looked at the graphs. I was like, “My math is wrong. Something in here doesn’t work because these are all so formulaic.” Then I redid everything and came back. I was like, “No, it’s just that clear.” Like it’s just predictable, and there you go. It doesn’t require a bunch of change.

It also shows that the market is kind of immune to the fear of breaches. It’s like, “Oh, you got breached. All right, momentary blip, come back.”

Paul: And I think we’ve all kind of known that. There have been others that have analyzed that data in smaller pockets, and it’s always been the thing like, yeah, when they’re breached, it takes a dip and then it comes back.

Chase: So why shouldn’t you buy that and make some money?

Paul: What are we doing wrong that that’s the norm now? Breaches are just the norm. I feel like there are certainly a lot of breaches today.

Chase: Well, there are more than before. The numbers indicate that it’s getting worse instead of better.


Policy Solutions: Tax Credits vs. Regulations

Discussion about alternative approaches to improving cybersecurity through incentives rather than penalties.

Chase: I think the stick thing has gotten so out of control that it’s almost pointless. I’ve worked with a group here in DC and we submitted a write-up to some folks on the Hill about a cyber tax credit. I think that probably speaks more to where people would be willing to go.

The whole idea there was you’ve got CISA—give CISA the authority it needs to scan the internet, which it doesn’t have today. If an organization can prove to you that they are compliant, that they are relatively secure, that they’ve done best practices, give them a tax credit at the end of the year, just like we do with LEED-certified buildings and those types of things. I think if we did that, we would have a way better return on that investment because everybody loves tax credits.

Paul: Well, yeah, it’s how we tried to help the environment. Anytime you get a hot water heater or windows or whatever and it comes with the Energy Star certification, you get a tax credit at the end of the year to help improve the environment because there was no way we were solving that problem without some kind of incentivization program.

Chase: Totally. That’s exactly the method that we put together here—to say, “Look, if you’re a company and you give us your IP addresses and those types of things and we run a scan and we don’t find anything overt, great. We’ll give you the tax credit. Or if we do find things overt, we’ll give you 180 days to fix it. When you prove that it’s fixed, we’ll give you the tax credit.”

I think if we put that stuff in place, people would be more willing to move around to it. Honestly, that would enable the agencies that we have in place like CISA and others to have an avenue to actually be more directly impactful to the current state of the infrastructure. Because now CISA shows up if something bad happens, and they’re great people doing great work, but I would rather it be: scan, figure out what’s wrong, tell me how to fix it, give me a tax credit, and verify and validate.

Consumer-Level Incentive Programs

Paul: I love that. I’ve had similar ideas, Chase, on the consumer side, because we’ve got so much consumer gear exposed to the internet. Let’s even just talk about routers that are exposed to the internet. If you’ve got one of these routers, specifically the ones that are end of life, that aren’t getting any new patches or updates from the manufacturer, and many of those now have known vulnerabilities—and if it’s old enough and they don’t have a known vulnerability, I can tell you firsthand that finding firmware vulnerabilities is not all that difficult.

We could find and exploit these devices easily today with given technology. But what I love is the incentive program for consumers. I called this “Paul’s great incentive program to fix IoT security.” What you do is you give the ISP some money to run a program that says, “Hey, you can buy these new routers at a discount or it’s free for you. All you got to do is replace your router.” Or maybe the ISP goes out and replaces the router for you if you have non-technical people that don’t know how to do that but have this super vulnerable device hanging on the internet.

To me that positive incentive type program works best in my mind because I’ve been thinking about this problem since I wrote a book about routers in 2007. I can’t come up with a better solution than positive incentives for people.

Chase: Because the stick doesn’t work. Even if you look at the insurance boondoggle around it and you look at HIPAA and HITRUST and PII and whatever, that’s just the cost of doing business now. People literally budget for it. So who cares? Whereas if you come back and you say, at the national level, we have a tax credit for this thing, watch people rush to it. If you’re a mom-and-pop shop, if I give you a tax credit that improves your margins by 3%, that’s a grandkid going to college potentially.

Paul: How was the reception of that on the Hill?

Chase: Oh, they were all about it. They thought it was great. We wrote up like five or six things. Then we basically said, “Cool, can we get in front of one of the subcommittees and brief?” Then a bunch of other congressional shenanigans happened and then it falls by the wayside.

Paul: It’s hard, dude. Politics is hard.

Chase: It’s like, “Okay, well, whenever you guys are ready, let me know.” The folks that we talked to literally campaigned on making America more secure and safe, whatever. Myself and the group I was with were like, “You’re missing the forest for the trees.”


Personal Security Philosophy and Current Projects

Chase discusses his current work, podcast, and philosophy on cybersecurity as a fundamental human right.

Paul: You have a couple podcasts of your own. What are you working on? You said you’re independent, right?

Chase: Yeah, I’m just a contractor. I’ve got my podcast, which is the Dr. Zero Trust show. It’s on Spotify. I do a lot of pro bono work helping folks set up infrastructure where I can. I recently did the old folks’ home that my dad’s at because lord knows they need it. They get scammed more than anybody else.

It sounds kind of hokey, but at my core, I think that there’s a fundamental human right that if we’re going to be online, we have the right to be safe and secure. So help where you can.

Paul: It is about safety, right? I think some of the best initiatives focus on the safety aspect. It’s hard to apply to cybersecurity though. We’ve talked about it for years on the show. We’ve talked about automobile safety as an example. We’ve talked about fire safety. We talked about safety in electronics with UL. My example is always like when you buy a TV, there’s some reasonable assurance that once you hang it on the wall in your home, it’s not going to catch fire. That’s not because of anything other than there are regulations that you have to pass to make sure that you’re reducing the chances that something’s going to malfunction and catch fire in the home.

Chase: None of this stuff, to be perfectly frank, typically is exceptionally difficult, and that’s probably something that people don’t understand. A rising tide in security does not lift all ships. It’s about taking care of you and yours and whatever that “you and yours” might be. But if I do things that are just a little bit better and a little bit safer than you down the street, I’ll be okay and you won’t because they’ll go for the easier target.

That is a mindset you can have here. I tell my kids when they go out—my daughters are 16 and 14—I tell them when they go out, they say back to me, “What do you want to be?” And they go, “Hard target.” All I mean for them is be aware, know what’s going on. Get your head out of your phone. I don’t want your earbuds in because you’re not listening to what’s going on around you. Just be a little bit better than the next easy target and life is okay.


The Human Element in Cybersecurity

Discussion about the importance of teamwork, awareness, and practical security measures over just technology solutions.

Paul: It’s interesting you say that, Chase. When I’ve talked to my pen tester friends about the hardest targets—you get people who’ve been doing pen testing for 20 years. We could talk all day long about the success that you’ve had as a penetration tester, the defenses that you’ve breached. Don’t get me wrong, that’s interesting, and we should talk about that so that we can learn from it, not make the same mistakes.

But I think the better question is: What to a pen tester is the hardest target that you’ve encountered in your 20-year career? And you ask multiple people that, and you’re like, “All right, what in common do those answers have?” I’ve done this not very scientifically, but the hardest organizations are the ones that work well together as a team. They’re hyper-aware and they’re able to do the OODA loop as an example of process really well.

It’s not really technology. A lot of it is teamwork and awareness about what you’re instilling in your family, which is a great lesson.

Chase: I think too, accepting that people are people, and this is where technology can do better than humans. We’re in a world now where I just don’t understand the logic of people spending big budget to try and train people out of not being hacked. Whereas I can put tech in front of you that will stop this. You want me to stop ransomware? Great. I’m going to basically turn off PowerShell because you don’t need it. There you go. I just killed ransomware for you.

If you’re going to be on the internet, I’m going to put browser isolation in front of you so you can’t click on shit that’ll get you infected. One of my really good friends who’s a SEAL team guy says the best stuff you do is the simplest. Gates, guards, dogs—that stuff works.


Closing Thoughts and Contact Information

The interview concludes with information about how to find Chase’s work and final reflections.

Paul: Absolutely. Lots of good lessons. A good closing note. Chase, thank you so much for chewing the fat with me today. It was a great discussion. I feel like we were just at a bar having drinks and talking about security.

Chase: I’m jealous because I don’t have a cigar. I had to watch you light yours.

Paul: I know, I get to smoke cigars on this show and in my studio. I’m lucky, I’m blessed.

Chase: I’m in a rental space. They’d be really pissed if I fired one up.

Paul: Well, awesome. Chase, how do people find your podcast?

Chase: Just go on Spotify and look for Dr. Zero Trust and I’ll be on there. If I can ever help you out online, I’m always on LinkedIn poking at the market every chance I get. So easy to find.

Paul: Awesome. Chase, thanks so much for appearing on Below the Surface. With that, we will conclude this episode. Thanks everyone for listening and watching. We’ll see you next time.


Key Takeaways

  1. Zero Trust Evolution: Zero Trust has moved from concept to practical implementation with significant government and enterprise adoption, particularly in infrastructure and micro-segmentation.
  2. Cyber Warfare Reality: Modern conflicts in Ukraine, Iran, and Israel demonstrate cyber warfare as the “fifth domain,” bridging espionage and kinetic warfare through attacks on infrastructure, propaganda campaigns, and surveillance.
  3. Attack Vector Evolution: As enterprise defenses improve, attackers are targeting “dusty corners”—IoT devices, printers, cameras, and vulnerable appliances that lack proper security.
  4. Drone Threats: Civilian and military drones represent a significant emerging threat with limited defensive options due to technical and regulatory constraints.
  5. Infrastructure Vulnerability: Critical infrastructure remains vulnerable to nation-state attacks, with insufficient progress despite billions in investment.
  6. Policy Solutions: Incentive-based approaches (like tax credits for cybersecurity compliance) may be more effective than punitive regulations.
  7. Breach Economics: Stock markets have become largely immune to breach impacts, creating predictable patterns that can be exploited for profit.
  8. Human Element: The most secure organizations combine technology with strong teamwork, awareness, and simple, practical security measures.

Episode Length: Approximately 51 minutes
Recording Date: June 25th, 2025
Next Episode: TBA