
July 30, 2024 109 mins

Welcome back to another insightful episode of Unintelligence, where hosts Dave Holder and Mr. Rambo dive into the intricacies of corporate counterintelligence investigations. After a much-needed five-week hiatus, the duo is back with renewed passion and fresh perspectives.

In this episode, Dave and Mr. Rambo discuss the importance of downtime, the challenges of maintaining sound quality, and the significance of listener feedback. They also delve into the investigative cycle, from predication to disposition, sharing personal anecdotes and valuable lessons learned along the way.

Listeners will gain a deeper understanding of how to navigate the complexities of corporate counterintelligence, manage unintended consequences, and make informed decisions that minimize risk. Whether you're a seasoned professional or new to the field, this episode offers practical insights and thought-provoking discussions to enhance your counterintelligence acumen.

Tune in for a captivating conversation that bridges the gap between theory and practice, providing actionable advice for anyone involved in corporate investigations.

Timestamps:
- 5:  Topic Introduction
- 12:  The Investigative Cycle
- 26:  Shoutout to Gunnar Newquist
- 31:  Entering an investigation with Preconceived Notions
- 36:  Disposition of Cases
- 1:18:  Examples of Investigations and Different Dispositions
- 1:30:  Answering Bethany's question and a shoutout to Walter Harvey
- 1:32:  Final thoughts


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Music.

(00:15):
And we are live. Dave Holder.
Mr. Rambo. How are you, sir? I am doing well. Doing well. How are you?
It's good to see you, man. It's good to see you, too. Can you believe it's been
five weeks since we've last recorded an episode?
Well, I'd like to say no, the time flew, but I was painfully aware that we kept

(00:38):
posting, oh, it'll be next week.
So thanks for bearing with us, everyone. And I'll tell you what,
five weeks, I absolutely needed the downtime.
I mean, we've been hitting it really hard since January.
And, you know, we got finished with episode 10, big episode, great guest.
I've hit a milestone. And, you know, after that, I was, I just needed a little bit of time away.

(01:04):
And it was great. I got a chance to spend time with my, with my kids,
then had, you know, 4th of July.
So it was nice to take a little bit of time away and just look back on the 10
episodes that we had and then, you know, get that passion back to come back
and do this thing. So how about you?
Pretty similar story. July 4th rolled around and I got really lucky to have

(01:28):
family come into town and converge on us here in lovely Edgewater near Annapolis, Maryland.
And it was really fun. It's good to catch up.
I didn't know I needed this long of a break, but every time we came back to
record, you or I, one of us was like, I can't do it.
My brain is just, it's left my body somewhere and I need to go find it.

(01:53):
But yeah, good break. And in that meantime, I had been, of course,
still working and attending different professional associations.
And I'm staying involved in the conversation and a few kind of interesting things
have popped up recently.
So I'm really looking forward to bringing those into the studio and kind of

(02:17):
expanding those and seeing what the listener feedback is and questions.
It's also been a nice thing in the last few weeks to digest a lot of the comments
and questions that we're getting and touch base with people.
People kind of clarify what their question is and prepare for some answers.

(02:37):
So that was time well spent, I think, not to mention retooling.
You only have to tell us once that our sound quality sucks and it's like,
okay, well, pause, let's get that fixed.
Well, I took the time to go back and listen to some of the episodes and I couldn't

(02:57):
stand listening to myself.
It was so bad. So thanks to you. Thanks for the recommendations. Got a new setup.
Hopefully we fixed it. I would say sound quality is way better,
but you're still in Biloxi, Mississippi.
Well, my technology seems to arrive in Mississippi about 10 years later than
everybody else on the planet.

(03:19):
I'm just surprised you don't have to drive over the Florida border or something to get a signal.
I'm recording this at Starbucks.
No, but it's all good.
I mean, yes, the feedback was greatly appreciated and spent a little bit of

(03:40):
money, got some new kit and hopefully, hopefully it's, it's much,
it's a much better listening experience. We'll see.
Yeah, it will be for sure. So it was worth the effort. I worked on a donate
button and got all of the backend set up for that.
So we'll launch that as soon as it's ready.
So for those of you clamoring to donate to our podcast to offset production

(04:03):
costs, we want to make sure you have that opportunity.
That's pretty much all we'll say about that, but we'll let you know when that donate button hits.
Otherwise, we're here to talk about counterintelligence in corporate settings.
And those of you that have been with us, of course, you know that already.
We've talked mostly about the American or the US-based experience of counterintelligence

(04:26):
practitioners on the show.
As we progress the conversation, we're excited about bringing in practitioners
and leaders from around the world.
And I think we've got a topic that we chatted about earlier today in a working
group together that has relevance globally.
And I think we'll be great for getting that conversation started.

(04:48):
And that's the cultural applications of counterintelligence.
There's a lot of considerations if you want to do this kind of work elsewhere
in the world that are just simply different.
So we're looking forward to putting together some guests on those topics from
around the world and bringing those perspectives in.
Completely relevant. I mean, especially with huge multinational,

(05:09):
international corporations.
I mean, you know, in the past I've worked and I know you're doing it now with
teams from Asia, the Middle East, Europe. And so each one has their own cultural aspects.
It was a fascinating topic that we discussed today, and I can't wait to dive
into it. I know it's not today's topic, but a really cool topic.

(05:32):
You have a super cool topic today that I can't wait for you to launch into.
So please, man, tell us about it.
I remember saying we need to neutralize a threat.
After I left the Army and I was in my first job in a corporate headquarters
office in Reston, Virginia, for Leidos, a multibillion-dollar defense contractor,

(05:57):
and you could have heard a pin drop in that conference room.
Everybody looked at me like I had a horn growing out of my head.
And sorry for all those Army people.
You know what I mean by horn. Anyway.
You know, in my brain, words have meaning, but I'm kind of persnickety about the word.

(06:21):
I think about the definition and not so much the perception that might come
or the connotations that might come along with it.
So they forced my hand and made me say anything other than neutralize.
But this is our show, Ryan. Ryan, we're going to say neutralize.
How do you neutralize a threat, also known as getting a risk off the table,
without all of those unintended consequences that can rise up and sometimes

(06:45):
even hurt the credibility of the team in spite of a good investigation?
We've got a lot of little stories and vignettes and questions and subtopics.
So that's what we're here to talk about today. I hope this is something that's relevant for y'all.
To set the stage, I guess let me lay this down real quick here.
Another bad word is investigations. Another one is mitigations.

(07:11):
So neutralization, investigations, mitigations. Well, why is that?
They're corporate cultural applications of these words, and they simply sometimes
mean different things to different teams. But here in this context,
we're not thinking about how our present companies use these words.
The key thing is, you know, not everybody that's in counterintelligence or insider

(07:33):
risk does investigations.
Not everybody participates in tabletop exercises with multifunctional teams.
Not everyone's involved in incident response.
Not everyone is involved with investigative dispositioning or decisioning on
HR actions or IT actions. But you probably have a place somewhere along that cycle.

(07:56):
And when we talk about the investigative cycle, we mean everything that goes
into it from the initial detection of an issue or what we'd call predication, right?
All the way through dispositioning and actions.
Wherever you sit there, I would advocate for this, that it's helpful to know the whole cycle.
If you're just doing insider risk detection and triage, it's still helpful to

(08:21):
know the whole cycle because your downstream customers are the ones receiving
your triage analysis and your recommendations.
And it's helpful to know the types of things that they have to consider as they
work through their investigative playbook.
And at some point, they're going to do an investigation, if you're not the one
doing it, and present their findings to HR.

(08:43):
And employee relations is going to look at it and figure out,
well, what do we need to do about this? What's the severity of the incident?
Can we try to retain this employee, or was there malicious intent?
All these types of questions come out. So hopefully throughout the discussion
today, while Ryan's basically giving me a hard time about whatever, that's his job.

(09:03):
He made that my job vice versa early on in the program, as you all well know.
So I take that job very seriously.
We'll be jamming on this topic. I think it's such a great topic and it's relevant.
I mean, I don't know. I just saw news break earlier in the week.
It might have been yesterday where a company had identified a new hire who was

(09:26):
actually a North Korean hacker, probably associated with their intelligence services.
And, you know, it was first identified by a SOC analyst, you know,
who was like, hey, as soon as the system touched the network,
it started downloading malware to the device.

(09:47):
And so, you know, switched on SOC analyst, saw it was something,
you know, weird, reached directly out to the employee.
Since it was a new employee, it's like, hey, man, what's going on?
Why do you have so much malware and all that? Yeah.
And the new employee came back and he said in the article that they released,
they said he immediately became suspicious.

(10:10):
And so the SOC analyst, once he got the hairs on the back of his neck standing
up, he handed it off to another team to investigate.
So it is relevant. And then through the course of that investigation,
which involved the FBI and others,
they fully identified a North Korean hacker had, you know, lied about his application

(10:32):
process, lied about his background investigation and everything else.
There were no red flags and was hired onto the company.
So it's a great topic. I think it's a relevant topic and something that I look
forward to picking your brain on because you have more investigative experience than I do by far.

(10:53):
And so I'm interested to see where you're going to take us on this journey as
we go through this conversation.
Well, and, you know, I could also just kind of see what you're interested in
as well. I feel really lucky to have been in so many investigations.
By the time I was in investigations for, I'd say, 10 years, I'd still kind of

(11:18):
really scratched the surface of this whole investigative cycle.
And I participated in parts of it, like most of the folks coming through the
military counterintelligence services.
You know, most of us don't see the whole cycle unless we're doing crim work.
And the Army doesn't do – Army counterintelligence doesn't do criminal work.
And I guess you could say that national intelligence investigations are criminal

(11:42):
in nature. We're still investigating the specs to criminal codes,
but they're 18 U.S.C. for the most part that have to do with national security.
So some similarities, but, you know, Ryan, you and I didn't do,
you know, sexual assault cases in the military.
We didn't do murders or wrongful deaths or car accidents or,

(12:05):
you know, any of that in the Air Force and Navy.
Maybe they usually start there, but then if their acumen is good and they're
interested, they can move over into the counterintelligence side of investigations.
And then if they're interested in ops, of course, they can go the case officer
route like we did in the Army.
So in counterintelligence, most of the cases are resolved well before there

(12:30):
needs to be a formal HR action or IT action.
So for that reason, you don't really get to see the whole cycle a lot of times.
Well, I'll also add, and I think I remember this from FM 2.22-2,
they specifically said that any type of indictment or prosecution is a secondary

(12:51):
function of counterintelligence investigation.
And so in many cases, we were really looking to learn about what the adversary
was doing, what their approaches were, and seeing if we can operationalize it for our benefit.
And so I agree with you. Unlike other investigators that do crim work,

(13:13):
many times we just didn't get to the prosecution phase or disposition phase.
And so it's a bit different in corporate.
I will tell you that the speed of investigations is way different.
It can be. It can be. It depends on the significance.
You know, when you look at espionage cases across the board,

(13:35):
they take longer because evidence is hard to come by.
The adversaries are usually much more careful about leaving a digital trail.
And that means it's just simply going to take longer to gather facts.
I've had cases in corporate America go well over a year.
And that's crazy for standard corporate, like misconduct investigations that

(14:00):
are open and shut within a few weeks.
When you do a case for a year, trust me, everybody notices.
Yeah. What's taking so long turns into how do we get out of this in the best possible way?
And that's where I like this idea of getting risk off the table,

(14:21):
but without some of the unintended consequences.
And it's not as easy as it sounds, actually. So I'm going to ask you,
because we've danced around it just a little bit and you've mentioned it,
but I really want to understand your investigative cycle.
And I think that'd be a really good place for us to start the conversation and

(14:44):
just pick your brain a little bit.
Well, I didn't prepare to answer that question. I'm sorry.
Chat GPT 4.0. What is the full, let's see, what are all the steps of the investigative cycle?

(15:06):
There are more than you think. There's like 15. Wow. Yeah.
It has to start with predication. Yeah. I mean, well, predication isn't really
a phase of the investigation.
It just gives you a reason to do an investigation.
We'll go with ChatGPT's 4.08 steps because I can see that it encapsulates the others.

(15:29):
It really depends on who you ask. It's kind of like how many functions of CI
are there. It totally depends on whom you ask.
So once you have got predication, then you got to put together an investigative
plan and make sure that your other stakeholders that might be affected by your
case, they're aligned with your strategy.
And that's a good opportunity for some people to say, hey, you know,

(15:53):
I could help in this way, or I could help in this way. And have you thought about this?
By other stakeholders, I mean, someone from HR, someone from employee relations,
investigations from compliance, from legal security, straight down the line.
And these are the types of individuals that can make sure you're aware of all

(16:14):
the tools that are available to your investigation and sometimes the personnel
resources you may need to leverage as well.
And you're trying to define outcomes as well. And that's why you would want HR in the room.
That's why you'd want compliance and legal in the room. Based on the predication,
there's usually a common set of outcomes and you want to be on the same page

(16:36):
and just make sure everybody's kind of tracking.
Particularly if you need access to really sensitive data or data streams or
data sources, you might need a special permission to get access to some of that.
For example, if there's an allegation that someone lied on a resume,
the only way to get that resume is to ask HR for it.
And since they're not in the habit of providing personal details like that to

(17:00):
anyone, they aren't really used to that.
And if your company's new to investigating things like resume fraud,
then they're most certainly not, they're going to be new to it and not be used to requests.
So you could have a situation where you need a senior HR director to help direct traffic.
So the preparation and planning is really important. Get that alignment.

(17:23):
Make sure people are cool with what you're going to be doing.
From there, you initiate, make sure you've got your permissions documented.
And documented, for me, I just look for an email from my key stakeholders that
says, I'm okay with your plan as you briefed it, and I will print a PDF and save it in my case file.
Next is to gather as much background information as you can.

(17:44):
When I'm doing a case, you know, I'll take the predication, but really what
I want to know is, based on the type of case it is, what do I need to get smart on?
And I'll spend a little bit of time understanding the assets that That could
be impacted if there's a malicious actor in our midst.
So sometimes that means talking to program managers or chief engineers on product

(18:08):
development initiatives, things like that.
Or it could be speaking to someone in cycle plans, or it could be
someone that is responsible for a go-to-market strategy. So whatever it is,
I want to understand the impacts.
And then I want to see that background information on the employee,
where are they coming from, where did they work previously, which university

(18:32):
did they obtain degrees from, and that sort of thing.
So that's that initial gathering information.
It's not the full, you're not exercising the IP or the investigative plan yet, though.
You're really still just preparing and planning and getting smart on the issues.
The next phase is information collection. And that is a very methodical approach

(18:56):
to listing all of the places that potentially have data that's useful for your
case, and then going out and getting it all into one place.
To understand that phase of the investigation is a whole class.
There's all kinds of things with evidence, evidence handling that are important
to know, is what you're collecting a copy?

(19:17):
And is that copy just a working copy?
Or is it what we call best evidence, best copy, or BEBC?
Or is it an original piece of evidence that now you're responsible for the evidence chain of custody?
Of course, applies to digital evidence, just like it does to physical.
Once you have everything in one place, then again, it depends on the case and

(19:39):
how many resources you need to expend.
The analysis phase is next. And I've done a couple of different things with analysis.
One is I want to bring in experts. So whatever little widget gadget is potentially
impacted by a compromise, I want experts on that widget or gadget.
Whatever person can talk to me about the financial impacts, usually a program

(20:01):
manager or chief engineer, I'd like to talk to them. Go to market strategy.
I want to talk to that person one more time and say, here's what I found.
Does any of this concern you?
I want to talk to a people leader and ask questions like, is there any reason
somebody on your team would think this is a good idea?
And I like to ask it like that because it could be a clear policy violation,

(20:22):
but one that is culturally acceptable on certain teams. I run into that a ton.
And it's not my job to be the police. It's just to understand the situation and gather the facts.
So it's a lot of interviews, and not all the interviews are witness interviews.
Some of them are just for that context. You know, cooperating witness interviews
or what we used to call source interviews is kind of like talking to coworkers.

(20:48):
Have you noticed anything suspicious?
Things like that. And lots of operational security concerns with doing those
interviews we could hit on in a different podcast episode perhaps.
But that's where your collection happens. Your analysis is once you've got a data set.
For big cases that went on for over a year, I like to set up an air-gapped standalone

(21:12):
forensic workstation and dump all the digital evidence onto it and index it
with something like FTK so that it bucketizes all my keywords and I can go through
and look for things of imminent concern.
Other times I realized that I just didn't have the expertise to do something
like real digital forensic investigations or cases that involve a lot of translation

(21:37):
and bring in somebody that was good at those things.
Talk to me about how this could be okay in one culture, but not another.
Well, for that, I need to bring in someone from that culture that intimately
knows it. Then after that, it's the action phase.
So before you take action that could be noticed by the subject of the investigation,

(21:59):
or in the case of corporate cases, usually it's a data subject,
you know, you need to understand what's happening, but you're going to have gaps.
And sometimes the only way to fill a critical gap in order to close your case
is to do things that could be noticed, like a search, you know, physical search.
You want to go search the subject's workstation. The area that they use to spread

(22:22):
out their notes and, you know, work on the computer every day in their trash can.
Some investigative subjects are pretty savvy and they'll set up little hidden
cams and hidden audio things just for counter surveillance to see if security
is coming around and snooping on their desk.
And they can do that inside the workplace if they're careful.

(22:43):
I have worked cases where we found hidden devices.
Nice. Several. That's a dead indicator, though. So once you see something like
that, you're like, OK, we've just escalated to the next level.
Oh, absolutely. There are key threshold events, and that's one.
Any sign of obfuscation.
Here's how I think about obfuscation.

(23:05):
What well-meaning employee tries to hide their tracks?
Yeah. I have not ever come up with an exception to that rule. No.
And I don't mean using good tradecraft or operational security that's acceptable
if you're doing OSINT or something.
I mean literally hiding your tracks so that your own company can't discover what you're doing.

(23:29):
Oh, yeah. That's a problem for a lot of reasons. And, you know,
it may be that you've stolen the last little jar of jam out of the communal
kitchen, but you know it's the boss's favorite.
You're hiding something. And that might be all. I've had cases like that, too.
Well, there's technologies, too. There's applications that, you know,

(23:51):
could see if somebody's looking, pulling logs from your computer or,
you know, checking on different things within O365 and that sort of thing.
I mean, so it's all there's the surveillance piece and the counter surveillance
piece is alive and well, I would just put it that way.
Yep. Yeah, you're right. And so if you've already done everything you can without

(24:13):
actions and then you take those actions, then it's time to neutralize the threat.
So the action phase involves things like.
And, you know, back in Army counterintelligence
land, the unicorn of a CIA investigation was usually an arrest.
Yeah, that was you couldn't imagine anything being possible after an arrest.

(24:37):
Everything I was taught, including down at JCITA
by retired FBI Special Agent Riley, was that once there's an arrest,
you've officially lost control of your investigation.
So if you had any outstanding information requirements or do-outs,

(24:58):
you have to stop everything because now it's going into litigation of some kind.
It's either going to be a prosecution run by the state or the feds,
or it's going to be civil litigation run by the company.
And you have to stop because now everything has to be directed by the legal
office, wherever that happens to be.
Each one was so different. In one case, there was an arrest before we wanted it to happen.

(25:23):
And if we ever get one of my colleagues, Gunnar Newquist on the line,
former NCIS, now works for Strider Technologies, very, very,
he's a great dude. He's super smart.
And he's got a lot of cases under his belt. Now, he can tell you all about how
NCIS had a little issue with how quickly we had to arrest someone in Hawaii

(25:44):
that that was a case because there was potential for violence.
So from the Army's standpoint, they're very risk averse if there's potential
for violence, particularly to family members of the investigative subjects.
And they went ahead and just buttoned it up.
And unfortunately, that hurt our ability to continue gathering information about

(26:04):
the strategic risk that this person presented to us.
So we ended up leaving some risk on the table. But the risk we left on the table
strategically, according to the commander of a couple different big organizations out there, was –.
It was more important to get the risk off the table of access to the top secret

(26:27):
information happening out there in the Pacific Command, but also the risk to
other people, non-military persons.
So that's one of those kind of consequences that can pop up.
These are the decisions that you end up participating in as you bring a case to closure.
It's the cost benefit. You know, does the tactical risk outweigh the strategic risk?

(26:53):
Or can we continue to tolerate the tactical risk while we work on the strategic
for another year, leaving a person in place with their access,
perhaps not even knowing what they're doing with it?
Those are always tough conversations. And those carry over nicely into,
I think, the corporate environment where you have, we have risk decisions about

(27:14):
how to disposition and how to action cases.
So we're still in the action phase, right? Yeah. Actions might involve IT actions,
HR actions, law enforcement actions.
And each of those has a lot of, we'll say, decision trees, a lot of different
spokes that have to be considered.

(27:34):
Then you've got reporting, you've got resolution and follow-up and closure,
and a feedback loop. So what ChatGPT missed is an impact assessment.
You always need an impact assessment when there are actions, in my opinion.
A lot of cases don't get to the action phase, but when they do,
I feel like the impact assessment is critical to understanding,

(27:57):
you know, how do we do this better next time? Are we protecting our critical
assets as well as we should?
Did this uncover some policy gaps or training gaps or maybe a process gap?
Building security in by design to some programs. So that feedback loop and AAR is really important.

(28:18):
And I think the other thing that's important afterwards is root cause analysis
as one of the case closeout tasks.
Without RCA, it's tough to figure out how to train investigators where to look.
So the RCA is the best chance you have, considering we don't do a lot of cases

(28:40):
that make it all the way to action, right?
Of those few cases, you've got to take some time to do root cause analysis.
That's what helps you get into the mind of the perpetrator and think like they did.
Once you can do that, you can start trying to replicate that threat signature
and go threat hunting and build detection models.

(29:02):
So that was the longest possible answer. But no, it's a virus.
It's great that you went through the whole investigative cycle,
because I'll tell you, I have in the past, and it's not very common,
but I have done it where I've gone into an investigation with a preconceived outcome.

(29:24):
Sure. This is what I think this is. I think this is based on the initial information,
oh, this is going to be this. And then, you know, information starts flowing
in from records checks, from conversations with others, you know,
through the planning process.
And then, you know, you start analyzing.
It's like, oh, man, it's exactly what I thought it was going to be.

(29:46):
But then as more information comes in and you start doing more analysis,
getting more context, you realize only wrong.
And I've jumped the gun on some of the, especially in a corporate environment
where, you know, some investigations happen very fast, where until I get through
all of the records check and do my analysis and start getting that context,

(30:08):
I don't fully understand the situation.
And so I have had to, you know, teach myself that my initial thoughts are wrong.
You know, take the time to go through all of the information before you start
in military terms, shoot the Red Star cluster before you start alerting everybody
and telling them that we've got this big deal.

(30:31):
You know, that's embarrassing, isn't it?
Oh, it's so embarrassing. And I've done it.
I've done it a couple of times. And I had a really great boss in my first job.
And he was even more excited about investigations than I was.
You know, so as soon as he as soon as he smelled smoke,
we were launching and I got a burnt me a couple of times, you know,

(30:55):
not intentionally, but he he was communicating our results and our findings in real time.
And we had to backtrack, you know, take take a step back and go,
OK, well, maybe it wasn't as bad as we initially thought. And so I appreciate
you going through the investigative cycle.
And I think it's important for our audience to know, because I know there's

(31:18):
some younger agents out there and younger practitioners.
I said, not younger, but less experienced. Take the time to go through the process,
understand the process.
And before you start jumping to conclusions, make sure that you have the right
information to move forward with.
So thank you for that. Yeah. And I think your last thing you just said is perhaps

(31:42):
the conclusion of this episode.
If there's a lesson to learn from doing all these investigations,
it's remember what your job is.
Your job is actually not to disposition or action cases most of the time.
It's actually just to be an objective gatherer of facts.
That is what an investigator is in the legal investigations world,

(32:06):
which is typically either detectives, private detectives that work on behalf
of a legal team, or they're just private detectives that work for any legal team freelance.
That's the definition. That's their only job.
Now, as you and I are now, we've also got this advisory role because we've been

(32:26):
doing this for so long and we've seen a lot of cases and understand the whole cycle and everything.
So we can advise as to risk factors to consider.
We can advise based on the actions that are being proffered by the various different
stakeholders, how those might play out.

(32:47):
Or we can advise on how the adversary might respond to certain actions.
But typically in a corporate setting, it's going to be employee relations that sets the HR actions.
The IT actions, of course, happen off of thresholds, typically,
risk thresholds that are well-defined in playbooks.
So pretty much anybody can hit the off button on someone's access if certain

(33:09):
conditions are met, right?
Likewise, in a case, you know, not every case goes a year. Sometimes you will
find that evidence of obfuscation within a week and you might not know why they're
obfuscating and you got a choice to make.
And usually that's the boss's choice or the boss's boss's boss's boss's choice.
What's their risk tolerance for letting this go for a couple extra weeks while

(33:30):
you try to figure out what's really going on.
It could be useful to pull that investigative subject into an interview early
in the case under some pretext and just put the idea in their mind that we have
no idea what you're doing, but you're doing something.
Yeah. And then that is a very provocative technique.
I would not recommend that without a lot of coordination, but it typically provokes

(33:54):
the investigative subject to start doing things out of pattern.
And if you if you know their pattern, it's really useful. If you don't know
their pattern, you're totally blowing it.
You're giving them every opportunity to get out of it. So don't do that unless
you really know the pattern.
Right. But it is. I mean, we've used that technique in the past,

(34:17):
too. You know, it's like, OK, all sensors are on.
Let's have a conversation. And it's typically a good idea any time that you
do such interview to watch the reaction after. Yes. And so.
But and one thing I would say about employee relations, I mean,
ultimately, even employee relations make recommendations to key leaders.

(34:40):
And a lot of times they're not the final, you know, like, hey,
terminate or disable network access or any of that.
It's in coordination with the management, or at least that's part of my experience
with corporate investigations, which is a little bit different than what we've
seen from our military time.

(35:00):
Yeah, I suppose. I guess with the military, it was always a headquarters element
that was involved in the disposition. And there was always an elite attorney
in the room representing the HQ element.
And that's been my experience with corporate America as well on cases that have,

(35:21):
you know, potentially severe impacts. Yeah.
So I like that. It provides it's kind of a weight off our shoulders,
as a matter of fact. Oh, for sure.
As you know, think about it. If what we had to do every day was specialize in
getting the right disposition that got the right effects with the least amount
of risk left on the table, we would not be able to do anything else.

(35:45):
Our employee relations folks in every company are busy with misconduct cases.
They're busy with data exfil cases from leavers. They're just constantly overwhelmed
with the amount of allegations of toxic leadership and harassment and discrimination
and all the DLP escalations,

(36:07):
sometimes in the millions,
actually, per month, mind you, for big companies.
And so I think it's refreshing for them that they've got some SMEs that they
can rely on to give them advice about counterintelligence and insider risk matters.
It's refreshing to us that we're advising on risk and making sure they are aware
of what it is and the significance of certain artifacts that we discover in

(36:31):
cases, particularly if those artifacts are associated with advanced threat actors.
But we don't have to then sit through the next several weeks of hand-wringing
over which is the most cost-effective way to get this risk off the table. Is it federal referral?
Is it a, you know, are we going to litigate? Are we going to terminate?

(36:53):
You know, I thought it might be also helpful to look at the different types
of actions that are available when we're doing corporate investigations,
just so we level set on it. Yeah, please do.
I'll try to handle it in kind of categories, I guess.
When we talk about dispositions, I realize that that's not always on everyone's

(37:15):
top of mind, especially if we're doing detection and triage.
We don't really get to see the dispositions. But it might be helpful for us
to know that part of the cycle and what the considerations are.
A disposition is the characterization of the case.
And I like to start with, was the allegation substantiated, unsubstantiated,

(37:37):
or partially substantiated?
And right next to that is, there wasn't enough information to confirm or deny
the allegations, in which case you'd usually close the investigation,
but archive it so that if something pops up again, you can reopen it.
For substantiated and unsubstantiated, those are dispositions.

(37:57):
That means the initial allegation was either true or it wasn't,
or it was mostly true apart from some misperceptions or whatever.
So then what do we do with that? Once it's substantiated, there are seven categories of dispositions.
So how do we characterize that substantiation and what are we going to do with

(38:18):
it? It could be substantiated with a hyphen, no action required.
So what that means is that the investigation finds no evidence of wrongdoing.
That means that it happens a lot with like an infosec policy violation.
So if somebody is trying to move data as part of their job from one environment

(38:38):
to another, and something gets dorked up a little bit, and there's data loss,
or there's integrity loss, and something has to get rebuilt from a backup.
That's the kind of case finding that nobody gets fired over.
Typically it's me. It might mean retraining or something.
I've also seen it in a way too, that, you know, like sending to a Gmail account,

(39:00):
you know, typically I look at Gmail accounts as personal accounts.
Of course they are. Whenever I see, you know, sensitive value moving,
you know, leaving a corporate environment, going to a Gmail account,
I'm thinking, oh my God, We've got a data exfiltration event.
But then, you know, whenever you ask, like, is this normal? Like you said,
you know, track it down and ask the manager, like, is this normal activity?

(39:23):
And the manager goes, oh, yeah, the guy that we're working with has a Gmail
account. That's the only thing he uses.
It's like, okay, my bad.
And so, I mean, yeah, sure, the allegation looked bad. It was substantiated
through everything else. But.
It's not a violation, and this is how they work.
Well, it might be a violation of policy, but not one that requires any disciplinary

(39:47):
action because culturally the management has decided on that program that it's acceptable.
I have – of course, we've all experienced that, and I don't hold the data subject
or the investigative subject really at fault there because that is a management problem.
They know they're violating policy.

(40:08):
And rather than call the policy team and say there's a problem, there's a gap.
Or rather than call the tools team or IT operations team and say,
I need more resources to be able to do data transfers properly.
They're like, it'll be fine.
You're worried too much. You CI guys.

(40:31):
Yeah. You know, meanwhile, we're participating in remediation conversations
about people's private GitHub repos that get hacked and the end to all the credentials for cloud access,
you know, everywhere are stolen to every platform that's running right now
in product development.
When that stuff happens, it's like to us, it's a big moment and we'll never forget it.

(40:57):
But to the people that don't know that it's possible, they think we're nuts. Right.
You guys are overreacting. You see the score. Yeah.
But thank you. It's we don't have to care that much, honestly,
what their response is, because, again, we're objective gatherers of facts.
So if we do a case and we find out that that was what happened and there was

(41:20):
no malicious intent and impacts were low, this was a management decision,
not so much an employee decision, then it goes a different direction.
That management needs the manager needs retraining and then the manager needs
to facilitate retraining for their entire program. And they probably need resources.
Anyway, next is a warning.

(41:42):
The best companies I've worked for do whatever they can to retain good
employees. They know it's expensive to replace them. And, you know,
honestly, by retaining an employee that is under the stress of knowing they're

(42:03):
under investigation if you can help them find a pathway to get back on track
They will never forget the type of loyalty that the company displayed to them.
Sometimes something less than a sanction or termination will help you retain
the best and the brightest talent.
So a warning is important when someone does violate policy and they do it intentionally,

(42:29):
but not with malicious intent.
It's more like a negligence case. Okay.
So that's just like, hey, we know what you're trying to do.
You're violating policy clearly, but you're doing it to be productive and to
save time and resources and save the company money.
What you don't know, though, is we're highly regulated. And when our team members

(42:52):
do these certain things, it brings a lot of scrutiny to our program.
And it's unwelcome because now we can't work.
All we're doing is audits. Right.
So sometimes a warning can be an appropriate way to get someone's attention.
It goes in their H.R. file and probably gets removed after a certain point of

(43:12):
time. But otherwise, that's it.
Then if the if the person does it again, you've got a documented warning on
file and you can terminate if you want to.
Training's kind of the same way. It's another disposition. What's up?
No, I see that a lot. I mean, I see people circumventing security and cybersecurity
policies to get work done.

(43:34):
It's like, oh, man, let's just push the document to me so I can work over and over the weekend.
You know, not malicious.
They were not trying to do harm to the company. Of course, you're actually trying
to go above and beyond to do work and get that thing done.
It's still a violation. You know, we still have to treat it the same way.
I love that. I love reaching out, giving the warning, even if it's not an official

(43:58):
warning, doing some retraining. I think that's wonderful.
I'm sorry. I keep interrupting you, but this is great stuff.
I love where we're at here.
Well, last time I checked, it's supposed to be an open conversation.
But I mean, but you're on a roll, man.
I don't want to break you up. No, it's fine.
What day is it? It's Wednesday? It is hump day.

(44:21):
So I'm not really allowed to claim that my brain is fried until Friday afternoon. Right.
Where were we? So warnings, yes, absolutely. Let's treat our investigative subjects
as if they're our peers, because they are.
They have a role for the company, and it's to be productive along certain workstream.

(44:42):
And we have a role for the company. It is to protect company interests like the legal team.
So we can protect the company in a lot of different ways. And that's really
the point of this whole conversation is it's not just through terminations.
Out of all the cases I've worked, most of them were resolved with letting the
employee know how serious this policy violation can be in terms of impacts.

(45:06):
And usually they have no idea and they're really embarrassed and they're looking
for work the very next day.
It takes a strong statement from someone in HR saying we are not going to do
anything to you for this this time so that they relax and can get back on track.

(45:27):
Yeah. Nobody wants to be fired. So a lot of times they'll just quit at midnight
and after their interview and that's done.
So we want to help them. What's that? Which is too bad in a lot of cases.
I mean, that's not really the intent.
It depends, but mostly not getting risk off the table. That is one way to get risk off the table.

(45:50):
And it's to let someone know they really dork something up and there are huge impacts.
And if you already know that they've already been cautioned on this very issue
a dozen times over the last year and a half,
then maybe we want to set the conditions for them to feel more comfortable resigning
than waiting for an investigative outcome. Yeah.

(46:14):
And so that comes back to those probing types of things we can do in cases to
elicit a response that helps the company in some way.
So I think this intervention, like the warning, the verbal warning,
is just the same as training.
In fact, I would never really consider a conversation as a warning to someone.

(46:37):
I feel like that should come from HR.
Coming from us, we're supposed to be helping people understand the intent of
policy, know where to find it.
Usually that's the problem. They have no idea where to find it,
and the search feature doesn't work in the intranet, whatever.
There's too many policies, something like that. Yeah.

(46:59):
So, you know, we should be helping people get access to what they need and clarify their questions.
That's our job beyond being investigators.
We have an obligation to protect them as much as we do to protect the company.
And that's protecting them from making a mistake or that sort of thing.
It goes all kinds of different ways, but we're here to protect the employee

(47:23):
as much as anything else.
Yeah. Think about it. I've known investigators that were investigated,
and you can only imagine what's going through their mind.
They already know all the places that the investigators are going to look,
all the people they're going to talk to, the questions they're going to ask.
They know what the whole process is.
It can be unnerving. Now think about someone that doesn't know and might be

(47:46):
concerned they're going to get fired over a very minor accidental infosec issue or something.
We have to put them at ease appropriately, usually following a conversation
with HR to make sure there's alignment.
But, yeah, we want to help them. Yeah. So all these dispositions,

(48:07):
we may substantiate an allegation.
And it doesn't mean there's going to be a negative HR action or IT action.
It just might mean this person needs help.
And the incident brought it to our attention that their whole team needs help.
Let's get them the help they need. And it's over.
That's where I'd like to see cases in most of the time. So unless there's some

(48:31):
kind of malicious intent or just gross negligence, gross incompetence or misconduct,
some kind of ancillary misconduct comes out of the case.
Typically, I want to look for those opportunities to intervene as an organization
and get things back on track.
That saves money. That saves a lot of money. I gotcha. For sure.

(48:54):
Investigative resources stop.
The litigation doesn't have to happen. We don't have to terminate an employee
and wait for the lawsuit.
We don't have to hire somebody else and wait a year for them to get up to speed.
So these first few substantiated dispositions are the ones that I like to focus most of my attention on.

(49:16):
And it dovetails nicely with an education and awareness program.
Really, your boilerplate enterprise roadshow deck,
as one of my colleagues likes to call it, it should be a one-on-one explanation
of your team's mission and generally what you're trying to accomplish for the company.

(49:38):
But beyond that, education and awareness means figuring out what the company
is struggling with and helping the people who are struggling get the resources
they need that are in our And now we've got some negative actions, too.
I mean, if you substantiate a case, it might mean we got to let somebody go.
But short of that, there's some there's some other ideas out there,

(50:01):
too. One of them is sanctions.
You can sanction someone by taking half of a paycheck or a whole paycheck or
a few paychecks or putting them on some kind of leave without pay or leave with
pay while the investigation continues.
And those sanctions, they hurt, but it gives an employee hope that there's a

(50:25):
there's a light at the end of the tunnel.
Likewise, the performance improvement plans, that's an HR action,
and that wouldn't be a disposition, but it kind of has the same effect of giving
somebody an opportunity.
Unfortunately, statistically, most people put on PIPs leave the company pretty much right afterwards.

(50:46):
They figure if their efforts aren't appreciated, they'll take them elsewhere.
The disgruntlement can be high. So a PIP is usually a red flag indicator that
we're about to experience a data loss, unfortunately, in our paranoid minds.
It's a significant life event. I would just put it that way.

(51:07):
Oh, man. It's devastating to some people.
Oh, God. The loss of even one paycheck can just crush the entire family financial
situation sometimes. Yeah.
So they can go into fight or flight and preservation mode and all sorts of problems can happen there.
But, you know, the sanction and the PIP, those are things that provide the employee

(51:30):
an opportunity to adapt to the requirement.
This whole failure to adapt thing, you know, is common in psychology,
but it's also common in military service.
Where we have people that just cannot force themselves into the mold that's

(51:52):
required in an organization as large as a military service, where things just
have to happen in a certain way.
And if they can't do it, they are eventually processed out for failure to adapt.
And so I love that this kind of middle road exists in the disposition area for

(52:12):
getting someone's attention,
floating the idea of penalties, but not necessarily talking about a termination.
Investigation, let's get you back on track. You hurt
the company, you cost us, you know, gazillions of dollars with
this, but there were a lot of mitigating circumstances, and let's talk about your

(52:32):
personal culpability which is probably less than the whole incident there were
other contributing factors organizationally environmentally whatever and you
can maybe dial it down to the
level that gets the point across and gets this person back on track, ideally.
Now, next, you get deeper and deeper into these weeds, you can do a demotion.

(52:54):
And that happens with managers a lot. If they're level three,
they can get demoted down a notch or something, or down all the way to an individual
contributor sometimes.
Then you've got terminations, you've got suspensions. So those are some of the
substantiated hyphen lines.
And we've got no action required, warnings, training, sanctions,

(53:17):
demotions, terminations, and suspensions.
We didn't put law enforcement referrals in there because it would be a subcategory
of one of those disposition types.
And I've seen every one of those dispositions, and I've seen one other.
And that's a great list. And I have a story for you, which I think you may find

(53:41):
kind of interesting on this.
And so we went through the entire investigative cycle. We found there was a
core group of employees that all submitted their notice of termination around the same time.
And, you know, I took that first step.
I said, oh, they're leaving to go start their own company.

(54:03):
Sure enough, you know, our investigation proved that they were communicating
back and forth with each other while on work equipment.
And sure enough, they had a business plan.
They had identified a gap in the way the company was doing revenue cycle work.
And if you've ever been in health care, you know that revenue cycle is a big deal.
And we're talking on the scale of tens to billions of dollars.

(54:28):
And they had figured it out. And so as a team, they all left at the same time.
And they were going to go start their own company.
And we had them. We did subject interviews of them.
It was a great time, great investigation. We had all of the evidence.
And I thought of we're going to go straight to prosecution.

(54:49):
We're going to terminate them. We're going to prosecute them.
Industrial espionage is it's going to be a wonderful thing.
And, you know, I'll get to live out the rest of my days, you know,
a hero for the company until it got to general counsel.
And he looked at us and he was like, oh, great investigation.
Yep. You got everything and this and that. And he's reading through all of this

(55:10):
stuff and he gets to the part where he's like, hey, they've solved the revenue
cycle deal, you know, which is a major headache for us.
And he was like, you know, that's a bunch of smart guys. Yeah.
And they've got a company already stood up and they're getting ready to do this whole thing.
And he looked at us and he's like, have we thought about partnering with them? Yeah.

(55:31):
Have we thought about forming a business relationship with this core group of
guys who are leaving the company to go do this thing?
And he was like, maybe we should give them some seed money. Maybe we should
help them out and invest in them and then build a partnership.
They could take this headache away from us and we can have a partnership and everybody is happy.

(55:53):
They talk about a disposition of a case that I had never seen before.
I was completely shocked and, but it worked out and, and everybody walked away
happy, big smiles on everybody's face.
So dude, I would have fallen out of my chair 15 years ago if somebody said that,
because I didn't know there were all these other options on the table.

(56:16):
I think there's an analog, though.
I think there's an analog to a federal referral based on operationalization.
Wow, that's hard. If you're from East Tennessee, anyway.
Lordy. Now, Spellcheck would like me to know that operationalize isn't a word.

(56:39):
I've had other grammar fascists tell me also that it's not a word.
So operationalization most certainly cannot be a word. No, can't be. But you know
how I feel about that. I'm gonna say it anyway. Anyway, there we go. There's our
operationalization conversation,
for posterity. It's a word. Okay. Yeah, you heard it on Unintelligence, and that

(57:06):
should that should tell the grammar fascists everything they need to know Exactly.
But, you know, every time I've encountered that same scenario a couple of times
since then, and this is, you know, and that's the first thing that I always think about,
you know, and instead we know what this looks like. Like, I've seen it before. This is the playbook.

(57:29):
And I always think, you know, I wonder, instead of, you know,
doing cease and desist orders and looking at litigation and all of these different
things that drag it out, just wonder if we shouldn't partner with them.
And, you know, again, that army guy that has a horn growing out of his forehead
whenever I mention it, but it worked.

(57:50):
Well, I don't think it's much different than operationalizing an investigative
subject for a CIA case in the military or the FBI.
Most of our investigations that I did, the full field investigations with FBI,
most of them resulted in something other than a prosecution. Right.
The prosecution, like that Army field manual, is just not the end goal of investigations at all.

(58:17):
It's to remove the risk from the table. And sometimes you can remove the risk
while finding an unexpected opportunity, right? Your example is amazing.
It's very similar to bringing in – I worked a case that was for the defense

(58:38):
industry for a company, resulted in a referral,
and the guy ended up just being completely innocent of all allegations.
And every single indicator that DOD tells us to look for, for like signs of
espionage, was kind of sort of present.
And I tend to not focus too much on one or two indicators, but when there's

(59:01):
a cluster, it gets my attention. And there was a cluster.
But when we understood the context, it ended up being an amazing operational activity.
Or I should say opportunity.
So, I think that's the analog. I think about Suits a lot.
If you've ever watched that show, from an attorney's perspective,

(59:24):
they're trying to, number one, protect the company.
And number two, find ways to jump on opportunities when possible.
And they're really good at it. The good attorneys are. And the better resourced
your OGC is, the better talent you're going to have.
Yeah.

(01:00:00):
Yeah. I mean, you know, whenever it's a lost cause, I mean, there are just some
things, some red lines that get crossed that you just can't come back from.
But for the most part, I mean, again,
I think 90% of the cases that I've
investigated in a corporate environment have turned out to
be unsubstantiated or substantiated with

(01:00:24):
no real disposition other than training and
that sort of thing. And so I think that's why we always
move through the investigative process as discreetly as
we possibly can. We don't read on the entire organization
that, oh, by the way, I'm investigating Dave Holder this week for, you know, an email
that sent out of the company with some sensitive information. Yeah. I really, I

(01:00:47):
mean, we have an obligation, and it's a professional ethical code, I think, for
most investigators too, that we're trying not to
tarnish the reputation of the person under investigation unnecessarily.
And so, you know, being discreet, you know, using things like least intrusive
means, you know, and keeping it to a core group of people that have a need to know.

(01:01:11):
It's critically important things that we live by and we do this every day instinctively.
And that's, I think that's the professionalism of a counterintelligence investigator.
Yeah. And ideally with any type of investigator, you know, I worked as a legal
investigator for a while, a private detective as a little while,
of course, national security crime investigator for the military,

(01:01:35):
corporate investigator.
And, you know, I met people
at different, I'd say different phases of
their professional maturation. And they
still, some of them had, I mean, way more experience and training and acumen
and everything than I ever will. And a lot of people just hadn't been exposed

(01:01:57):
yet to a lot of the concepts that you and I went through in the different
assignments we had, so they didn't know they existed,
and it was helpful to point them in the right direction.
Remember the question we fielded episodes ago now about what makes counterintelligence
different or special than the other security disciplines?

(01:02:21):
And I do think that our focus and our, you know, we had to get credentialed
as investigators so that what we collected in a case was admissible in court.
We had to get trained in the whole cycle and everything you would learn as a
as a detective on the police force.
We went through. Now, it doesn't mean we were any good at it,

(01:02:42):
but we were trained and certified to do it.
And then, you know, we had to go work like a probie or, you know,
whatever you want to call a boot.
Had to work as a boot for a while and and do it under supervision to get good at it.
But the fundamentals always apply. Least intrusive means is a fundamental that

(01:03:03):
should apply to any case.
And the bigger the company is, the more sensitive they are to sticking with those fundamentals.
Because if you get it wrong, it has ripples throughout the whole chain of that investigative cycle.
And it just bogs everything down and creates opportunities for the kind of litigation
that we don't want getting sued.

(01:03:25):
Yeah. And I think what it also is, you've said it before in the past too,
you know, it's not necessarily a crime scene that you're investigating,
you know, where you walk in and a crime has occurred.
So all the evidence is there and, you know, counterintelligence investigations,
along with a lot of information security type investigations.

(01:03:47):
I mean, we see indicators, we see smoke, and then it's going through,
you know, putting the pieces of the puzzle together to ultimately build up to,
you know, full understanding of what's happening here.
And I think that separates us a little bit from traditional criminal investigators.

(01:04:10):
You know, you're right, probably in practice. I would hope fundamentally there's not much difference.
Because even in a criminal case, you've got to maintain secrecy,
if you hope to prosecute it anyway.
You've got to understand the risks to the case, not just the risks to the organization,
and mitigate risks to both.

(01:04:31):
That's a real hard pill for some investigative offices to swallow.
You mean I have to protect the integrity of my case from other people in the company?
Yes. And that doesn't mean they're trying to do the wrong thing.
If they don't know the whole cycle and the potential impacts of talking about

(01:04:53):
a case out of school, then they just don't know.
It's a well-meaning accident, an accidental discharge or something,
as we'd say on the range, on the gun range.
We have to look for signs that people in our investigative chain may not be
tracking some of these fundamentals and just partner with them and help them. Yeah.

(01:05:46):
Investigators from all different places are just people like us trying to use
critical thinking skills to do the best they can with the tools they have.
And we all get different opportunities throughout our careers based on whatever
cases roll across our desk and whatever classes we get an opportunity to attend.
So I feel like we should all be trying to work together.

(01:06:09):
I see that a lot in ACES.
Are you familiar with ACES? I am. Yeah, I am. I used to be a member.
A couple of years ago and it just didn't, I didn't participate enough to justify
keeping the membership.
And yeah, it's an interesting way you said that, because I kind of had the same
problem where it was such an active community that it was almost a 20 hour a

(01:06:33):
week part time job just to keep up.
But that should be an encouragement to those that are looking for that type
of, I guess, environment to learn from and to grow in.
There are a lot of practitioners out there that are trying to understand behavioral
analytics and traditional investigative fundamentals and techniques.

(01:06:57):
So there's a lot of great resources at places like ACES. Well,
and I will tell you, I kind of disagree with you a little bit because there's
one investigation type that I think that counterintelligence professionals are
head and shoulders above the rest of the investigative community.
Now, and I will tell you, I have shortcomings. I am not the guy to investigate

(01:07:18):
certain crimes or certain things, you know, toxic leadership.
And I mean, I could probably fumble my way through it.
But there's one type of investigation that I think counterintelligence agents should only touch.
And that's espionage related investigation.
And attorneys. And attorneys with experience.

(01:07:40):
Yeah, for sure. And that's the only caveat that I would add to what you said
earlier, that all investigators are all, you know, doing the same thing.
We all have the same kind of code of ethics.
But whenever it comes to espionage, you know, I don't think that's a specialization, though.
Yeah. More than it is a fundamental.

(01:08:02):
If you think about the investigative fundamentals that you would be exposed to in ACES or the...
Or NALI, National Association of Legal Investigators.
I've been a NALI member for a long time, and I think I just let it lapse, so I've got to fix that.
But they've got a bunch of textbooks that some of their leadership have written,

(01:08:24):
and they are now the underpinning of private detective agencies and legal investigators.
The same fundamentals apply whether you're dealing with espionage or criminal activities.
The difference is specialization. So I wouldn't call your lack of exposure to

(01:08:46):
toxic leadership cases as a shortcoming.
It's just simply not your area
of specialization, just like attorneys specialize and on down the road.
Yeah. I don't disagree with you. I know you were trying to disagree with me.
I was trying to disagree with you. You're right.
But it's in cognitive dissonance. I set up a little bit. All right.

(01:09:10):
But you set me straight again. Thanks, Dave.
But I mean, I figure that's why you brought me here. Right. Just so I can make you look smart.
You fail. By disagreeing most of the time on purpose, even if we're on the same page.
And we've talked about ACES and another professional association that I would

(01:09:32):
highly recommend to our audience is the Society of Human Resources Management.
And that's SHRM.org.
There's a lot of good stuff in there that will help you navigate the HR side of investigations.
They have investigative playbooks, just like ACIS does,

(01:09:55):
and they can kind of help you normalize all the disparate little thought clouds
hanging around in your mind about what might happen in the dispositioning phase of a case.
Some great work done by SHRM to collect and stage good resources for practitioners like us.

(01:10:16):
It's also a great way to gain some credibility with your HR folks.
If what you're citing comes from SHRM and not detectspies.org.
I'll tell you what, that's a hell of a community for HR professionals.
And they wear that badge proudly, and

(01:10:40):
so getting it... They got a lot of good stuff on there.
Yeah, I haven't spent enough time with it. I
need to, need to check them out. And it
makes sense, because HR sees it all. They see
everything. If nothing else, it
can help us communicate effectively with HR professionals. Yeah. Our paradigm

(01:11:02):
or lens can be so crystallized and condensed over years of doing this kind of
work that it's almost like growing up in one community and never leaving.
Like we, we have our own language or our own dialect. Yeah.
And so it's good to break out of that, that siloed dialect and,

(01:11:23):
and look at things from that HR practitioner's perspective.
And they do a lot more than I think most people give them credit for.
Oh, for sure. They just don't brag about it. But I mean, they're under that
same veil of secrecy that counterintelligence professionals are.
Absolutely. So.
Which makes me appreciate them even more. Yeah. And fortunately for me,

(01:11:45):
currently, I work with some of the best HR and employee relations professionals, I think, in industry.
I'm blown away by how awesome they are day to day.
Now, is that just because they sign your paycheck?
I hope they're listening.

(01:12:09):
Yeah, I'd have to agree. I don't know that I've ever had a bad HR department,
actually, trying to think.
The thing is, if your HR department sucks, they're not going to survive.
There's going to be too many lawsuits and too much churn and too many headaches.
They're just going to get replaced. Yeah. Where

(01:12:32):
CI professionals, like with some types
of cyber professionals, literally can
hide for an entire career. Think about the
new trend of working 8, 9, 10, 12, 15 full-time jobs. Yeah. You can only do that in

(01:12:52):
cyber and in dev, any kind of software dev or DevSecOps, something where you're
completely remote employee.
And all you got to attend is a few well-planned meetings a week with each organization.
I've seen guides out there for how to add the 12th job.

(01:13:12):
Like it's, it's tips for, here are the apps you need to control your schedule and communications.
Here's how to outsource certain things that you can't do or don't want to do, or don't have time to.
And it's safe to outsource these types of things. Like, really detailed guides. And I'm thinking,
well, I'm sitting here trying to do the right thing. I've only got

(01:13:34):
one full-time income. Should I have 12? There's
no way I could do it. I don't have any desire, number one. Yeah, I have no desire
either. One job is plenty. But I know, it's kind of like these people that have
multiple romantic partners.

(01:13:55):
I'm like, one is all I can handle.
Please don't complicate my life any more than it is right now.
I think about that with these jobs too. It's like, man, you,
you've got 12 romantic partners and they all have needs and they're not all
predictable needs, wants, desires.

(01:14:16):
Oh man. I don't, I don't know how they're doing it.
No. Well, that's why they have big bucks. Yeah.
I mean, I think earlier in the conversation, you were mentioning that you had
maybe a couple of instances or, you know, cases. I do.
Let's jam on that for a little bit. What do you have in mind?

(01:14:38):
Earlier in our startup with this podcast, I mentioned a couple of things that
I experienced in Afghanistan, one of which was providing support to a combat
commander just south of the capital in Kabul.
There was an army captain down there who had a company.
So, you know, anywhere between 60 and 120 maybe people at any given time,

(01:15:04):
depending on casualties and people rotating in and out and all of that.
They had already lost a third of their combat power by the time I got to the base on a tipper.
I had a tipper that there was an insider there that was a laborer coming in
from the local community and working on the base.
And that person was, according to the allegation,

(01:15:27):
they were communicating with Taliban actors outside of the base that were trying
to set up mortars and lob grenades into the camp or rockets.
And so this person had a job on the base and they just picked up their cell
phone and said, you were 10 meters off to the right.

(01:15:47):
This time you were only five meters off to the right. Fire for effect, basically.
Basically walking in rounds. So I got there and I finally got a chance to talk
to the company commander, and he said, oh, we let that guy go. We caught him. And I just was like, oh.

(01:16:08):
Oh, how are we going to prevent this guy from getting a job at another base with
a slightly changed name? Well, we thought, we're here, we'll go ahead and do a screening operation.
And so we checked the, did the biometrics just to make sure people didn't have
records of a latent fingerprint on an explosive device that they'd uncovered somewhere or whatever.

(01:16:31):
And their stuff was broken, which we had done some recon. We knew that their stuff was broken.
So we brought those technicians down to fix their gear and they fixed it.
So we sent the entire workforce, local workforce, to get re-enrolled in biometrics and do the screening.
A lot of problems there. So evidently, word had circulated outside the base

(01:16:55):
that our stuff was broken.
And they just infiltrated the shit out of that base.
We found nine people that were tied to really bad threat actors.
Some of them were in direct communication with threat actors during a maneuver
operation while we were there.
They're communicating with a cell tower by blinking lights.

(01:17:22):
So they would get the phone call from the person on the base that was our insider
threat, and then they would signal out to the target of the maneuver operation
that was out in the valley.
And the combat company rolled those people up from the tower and brought them
to the base and interrogated them.
So there's all this stuff going on, and it's public now. It was released in

(01:17:45):
a book called Dog Company.
Good book. And that was – Good book, by the way.
It is. It's challenging to read, isn't it? I found it very frustrating.
Enlightening, particularly the first half, but the second half when it gets
into the court case was very frustrating to read in a constructive way.

(01:18:07):
It really illustrated the challenges that our young captains have to face when
they're losing their troopies downrange and can't get things to work.
They can't get their ROE defined and things like that.
Dog Company by Roger Hill and Lynn Vincent. If you haven't read it,
it's a great book about how counterintelligence works in a deployed environment.

(01:18:30):
Things like screening the local workforce for connections to Al-Qaeda,
all the way down to people smuggling bombs onto bases.
Wide variety of types of issues. We work downrange in support of these commanders.
And the book illustrates what happens when you find nine spies and turn them
over to the local company commander.

(01:18:51):
And he decides to take matters into his own hands rather than stick to the official
playbook, which is to turn them over to local authorities.
So, just a little spoiler alert there, you know, part of the reason for that
book was that things did not work out in this company commander's favor.

(01:19:12):
He was called on the carpet for breaking policy and ended up losing his job,
but we stayed in touch, and he gave me an opportunity to write a good bit of
the book and contribute all of the counterintelligence-related material.
And that was an interesting opportunity for the Army to present a narrative

(01:19:34):
about what we do in support of combat commanders.
We find the evidence, right? And ultimately, it's not ours. It's theirs.
They're the ones who own the mission on the ground. And I feel the same thing
applies in corporate security and corporate investigations.
Ultimately, it doesn't pay for
us to get impassioned while we're doing our objective gathering of facts.

(01:19:59):
What we need to do is be really good at getting those facts that are the hardest
ones to find and then locating the right specialists to help us contextualize them.
At that point, then we can provide some advice and assistance.
We only have to hope that the organization does the right thing with those facts.

(01:20:20):
And in Roger's case, he had a decision to make that kept his troops alive.
And his preference was to keep his troops alive than to lose his job.
And so he kept his absolutely safe lives with his decisions.
But, you know, it broke policy. Don't do that.
If you're in a war zone, make sure you're okay with the consequences if you have to break policy.

(01:20:47):
Well, you brought up a good point about collecting and gathering relevant information,
information that answers the allegations, or at least, you know,
provide some light into the allegations.
And what I've found in the corporate environment is that the information is there.
You know, we have a whole array of cybersecurity tools that log everything.

(01:21:10):
But it doesn't really come in very digestible, easily accessible,
clear, concise displays.
In a lot of cases, it comes out in a CSV file.
And so here we are manipulating Excel spreadsheets to try to get some insights

(01:21:30):
into what's taking place.
And I don't know if you experience this a lot. A lot of the data that we'll
get from our information security team or information security tool set just comes to you very raw.
And I spend a lot of my time, a lot of my day manipulating that data into a

(01:21:53):
format that I can make sense of. And still, it's not great.
And it's at times frustrating.
So if you're an entrepreneur out there that's looking to make a difference in
corporate counterintelligence, it's please take the logs,
you know, everything that we have available to it to us and put it in a format

(01:22:14):
that a guy like me that's non-technical can make sense of it and get straight to the point.
And I don't know if that's something you've experienced or not.
I kind of took a different approach, but I definitely experienced the challenge.
There's a tendency to want to feel like you know everything when you're doing an investigation.

(01:22:36):
You can feel like it's your responsibility to know all the factors, all the context.
When in reality, we're like a showrunner.
Think, what's his name that did Yellowstone? Showrunner. Talking about?
Kevin Costner. No, no, he's an actor. Well, he's also a showrunner,

(01:23:01):
but not for Yellowstone. He isn't.
Let's see. Yellowstone director, Taylor Sheridan. How could I forget that?
The guy's a hero, owner of the Four Sixes Ranch.
Now, I mean, it's just an incredible story that anyway, as a showrunner,
he doesn't have to know everything.
He's got experts for that. Like a president, the president doesn't have to know

(01:23:23):
everything. They've got cabinet members that they can appoint because in an
ideal world, they have qualifications.
Right. I don't want to get into politics, but as an investigator,
it's not our job to know everything, but it's our job to properly contextualize

(01:23:44):
the facts by bringing people in that do know that are experts in those things.
So, I guess that's kind of how I did it.
If I didn't know enough about a Chinese or a Russian academic institution that
had a reputation for mainly existing to support military and intelligence initiatives,

(01:24:07):
then I'd bring somebody in that did.
I could speak intelligently about it and help determine whether there was relevance
in our case to those type of strategic intelligence collection activities. Yeah.
Likewise, if I needed an infosec engineer to help me understand whether something
was potentially malicious or not, I'm bringing the engineer into the case.

(01:24:31):
I don't want to make any inferences that aren't completely supported and with
an ability to document in a case that will hold up in court.
So bring in the infosec engineering person or a pen tester who can say,
you know, based on this sequence of events, this was absolutely malicious.
There's no known reason that anybody I know has seen for somebody to do things

(01:24:57):
in this sequence that are for an authorized business purpose.
Well, that's really handy information.
Now it's not Dave Holder's counterintelligence or insider threat person document or saying it.
I don't have to be entered into the court as a witness that is an expert witness, right?

(01:25:18):
That's a whole bar there you have to meet. And I would not make that bar for some topics.
I can make it on counterintelligence topics, but not others like infosec engineering,
probably, or pen testing.
So you're right on track.
I mean, as investigators, we're trying to collect those facts and to properly

(01:25:39):
contextualize them. The only way we can do that is go into the most reliable
sources of information.
And sometimes that's not ourselves, right?
We're just the showrunner or the tailor show.
I would say it depends on the size of the company, because I have found myself
being the showrunner and the evidence collector and evidence analyzer and expert

(01:26:03):
on what the logs are telling.
Now, some companies just don't have that large of a footprint.
Well, that's fine as long as you aren't trying to act like the subject that you aren't. Right.
So let's say you wanted to make a comment about a psychological predisposition
somebody brings to a company when they are hired.

(01:26:23):
And you feel like that could play into their decision-making process or whatever.
Well, are you the best person to be commenting on a person's psychological disposition?
No. No, but you can document that there is a known psychological predisposition
and that makes it into the case.
And then if the legal team cares about that, then they can go find someone and

(01:26:48):
legal teams do that all the time. So that's not up to us.
It's just a document. Hey, we're talking to people and this person mentioned
that they're aware of a psychological predisposition that might be relevant to this case.
Bam, documented. It's now an investigative lead for the legal team to
follow up if they choose to prior to dispositioning, right?

(01:27:12):
So kind of knowing what you're good at and what you're in, what you're in.
Unintelligence. With Dave Holder and Ryan Rambo. Unintelligence.
I love it. Oh, man. Oh, boy. Well, dude, that might be the sign. You know, that.

(01:27:33):
We're talking about Yellowstone and show running.
Anyway, so I know that there's a listener question out there, because this listener
made sure that it was a standing question for every episode. Yes, Bethany. What
you drinking, brother? I, you know, tonight I am drinking water. I, this afternoon,

(01:27:59):
after I got finished with work, in between work and podcast, I had to go and cut the grass.
And dude, I still got a push mower. And so, you know, this old 52 year old body
does a push mower as fast as he used to.
And so in the Gulf Coast of Mississippi, where it's a thousand degrees with
200% humidity, water, water is absolutely fire.

(01:28:25):
You're just wading through, you know, sludge.
It's so bad down here. I mean, you have to have a knife seriously to cut the air. It's that bad.
Or to cut through the mosquitoes, the pterodactyls. There's a lot of mosquitoes as well, for sure.
And little biting flies and gnats. The mosquitoes are one thing,

(01:28:47):
and you can kill those off.
But the flies and the gnats, there's nothing known to man yet that can keep
those things off of your skin.
So, well, enough about that. But what about you? What are you drinking?
Lagunitas again. Oh my goodness. I'm on a roll. I actually had a guy named Walter

(01:29:11):
Harvey crack jokes about IPAs just over the weekend, and I would just say to
Walter Harvey, there's no finer beer than an IPA, other than
fresh German beer.
So... Fresh. Yeah. Fresh. Which is different than we get here.

(01:29:33):
Just like Irish beer. Yeah, even Guinness, like, in Ireland is different, I hear.
German beer, I've experienced. I have an Irish, though. Mm-hmm.
I don't know... I mean, I like Lagunitas. It's made in California.
I got a friend who lives right next to the...
Distillery, whatever it is called. What's a... It's a beer factory, for all I know.

(01:29:53):
Yeah, it tastes good consistently, so.
It's good beer, and I'm, I'm just, like, 100 on
the light beer, yeah, sort of,
sort of thing right now, especially midweek. So I like
to sip on a Lagunitas. There you go. No
more whiskey midweek. I learned that lesson. I was

(01:30:15):
trying to keep up with you, man. And, and Walt Harvey too. I,
I know Walt, and we've had a few whiskeys together and a
few beers over the last decade or so, here and there. One, Walt is absolutely top-notch
professional and just a top-notch human being. Yeah. Well, dude,

(01:30:37):
it's been a great conversation.
I'm a little smoked after our three-hour working group session today, which was fantastic.
I want to thank all of our listeners who attended that as well.
Great, great topics, great discussions. We're talking about things that are
coming up over the horizon, like the Democratic National Convention,

(01:30:58):
the elections later this year, some of the expectations that are going to come out of that.
Hopefully, it doesn't play out
that way, but there could be civil disturbances and riots and all that.
Making sure from a corporate standpoint that we're staying ahead of all of the
things that could potentially happen.
So, great discussion, followed up by cutting grass and now podcast.

(01:31:23):
I don't know about you, but I'm smoked.
I'm good. Oh, you're good. Yeah, let's go into the next section of the podcast.
We've got another hour and a half of content. Oh my gosh.
I'm going to take a quick nap and cue music.
Well, we were going to get into the unintended consequences and we got into one.

(01:31:47):
Right. And that was the that was the Afghanistan case where the unintended consequences.
I turned over my my facts to the principal, who in that case was a company commander.
And it resulted in an international flap, as we would say. And a couple generals
ended up having to go do something else for work after that and colonels.

(01:32:11):
So it was a bad ending.
You know, those were unintended consequences. Another one was when I recommended
that a commander at a different base let his main interpreter go,
because the evidence strongly suggested that this interpreter was actually a
spy for adversarial interests outside of the base.

(01:32:35):
And the following day after termination, that base started receiving mortar fire,
accurate mortar fire for the first time in about a year, which was about the
length of time that that interpreter had been working on the base.
That was an unintended consequence. Yeah.

(01:32:57):
We got risk off the table, or so we thought, but we invited a new kind of risk.
And that was an important lesson learned. The commander wasn't mad at us or
anything like that, which was gracious.
But every commander we talked to and supported after that, we were able to provide that story.
That's the kind of feedback loop that we need to make sure we've got here in

(01:33:20):
corporate detections and investigations.
We learned an important lesson about not creating more risk or at least mitigating
the risk of a termination.
What are they likely to do afterwards?
In the U.S., it's a very litigious society and people want to just sue you for
anything, knowing that most companies are just going to settle.

(01:33:43):
They're going to get paid.
In other countries, it's not quite as litigious. But here, that is the typical
unintended consequence we'd be worried about.
But apart from that, what are the other types of ways things can go sideways?
So I guess that's what I wanted to bring to the attention of our audience just as food for thought.
When you're running cases, what's the full investigative cycle?

(01:34:04):
Who else is involved? What are some ways we can advise without pretending to be something we aren't?
It's actually our responsibility to say when we don't know something,
or to say, we're not the right expert for this question.
We should bring a B and C type of person in, you know, we do that.
And, and that reduces risk, you know, getting the right information,

(01:34:28):
getting the best possible investigative findings and properly contextualizing it.
That's our job. And if we do a really good job at that and let the other professionals
handle the things that they're supposed to be specializing in,
even if they're terrible at it, we partner with them and we bring them along because guess what?

(01:34:49):
They're going to need to bring us along when we come into their sphere of influence at some point. So.
That was the burning question that I've kind of been getting pinged with on
LinkedIn and at professional associations is, what do you mean by unintended consequences?
Beyond a combat situation, what do you mean by that?

(01:35:09):
Hey, you get the risk off the table, but in a way that creates more risk for
the company. That's what I mean. And that can take a lot of different colors.
So that was a roundabout way of recapping. And I love that concept.
And I'm trying to think back to any investment.
Well, I mean, of course, I've seen where, you know, we've highlighted a risk, highlighted a threat.

(01:35:35):
It's gone to litigation and then the litigation just drags on forever and ever
and ever. You know, it creates horrible relationships.
And sometimes the juice just isn't worth the squeeze. You know, yeah.
Yeah. You lost a little bit of intellectual property.
Yeah. You lost a little bit of proprietary information.

(01:35:57):
But, man, you didn't gain anything through the court case.
And you actually lost a lot more money by, you know, taking it to court and doing that thing.
And I think that's, in a lot of cases, it's an unintended consequence of a good
corporate counterintelligence investigation.

(01:36:19):
Sometimes it's just better to say, okay, yeah, we took a hit on that.
We took the L on that one and just walk away from it.
But I don't think that's every case.
But there are some cases where you just say, okay, yeah, see you later.
Well, and we really haven't, I guess, made that distinction.

(01:36:41):
Today, we've mostly been talking about cases where our goal is to hopefully
preserve our workforce and keep them as peers that are happy about their jobs
and they're productive and everything else.
Education and awareness and sometimes putting up those guardrails on the bowling alley lane.

(01:37:03):
Okay, that's all fine and good, but you're absolutely right, dude.
Sometimes it's glaring and it's easy to see what the problem is,
but it may not be easy to see how to disposition it in a way that actually reduces risk.
And that becomes a conversation with a whole bunch of different stakeholders. Yeah.
And ultimately what they decide goes and we can't be impassioned about the outcome

(01:37:25):
because it was our job to present the facts and properly contextualize them.
Has it been your experience to make recommendations in that sort of environment?
Whenever you get to the disposition of the case, where do you see a counterintelligence
professional fitting into that discussion?
Should we even be involved in that discussion?

(01:37:45):
We should be, because ultimately, when we're talking about risk management,
we're looking for the type of HR action or IT action that reduces risk.
And in the case of espionage, where there's an external co-conspirator,
or at least that's the allegation, if we show that that's the case,

(01:38:06):
then, yeah, we need to talk about the impacts of any decision we make.
Leaving someone in place has impacts.
Terminating has impacts. The tone and tenor of the termination has impacts.
The attestations that we request as part of the exit interview,
they're very, very important in an espionage case, because those are the things

(01:38:31):
you lean on in litigation.
So I, I think our advice, though,
isn't on, I would definitely fire this person, or, or
anything like that. It's more like, ask me
questions about the potential downstream impacts of these decisions from a risk
perspective, particularly as it applies to the external threat actor's perception

(01:38:53):
of the way things are happening right now. We want to not just reduce our risk,
but it... Ideally, we want to also
influence the adversarial actor's perception of what we know about the incident.
So let's say you terminate a high profile person and you know they're going

(01:39:14):
straight to The Intercept with every confidential file they have stolen from
the company, and Intercept's going to look at it and see what they're going to publish and whatever.
They can create all sorts of narratives off of that. Well, knowing that and
knowing that an adversarial threat actor that has other types of persistence
in your environment, or at least you suspect they might, right?

(01:39:36):
If you had, let's say you had an insider you discovered that was responsible
for technical penetrations of the company.
So human-enabled technical penetrations. Well, you discovered the human,
what about the technical penetrations?
And during the subject interview, did they disclose them all?
Or might there still be some back doors somewhere that that same adversary can exploit?

(01:39:57):
Okay, so you work through all of that. Well, let's say you neutralize all of
those threats, but some other adversary goes, I can't believe this adversary missed this technique.
If they had just done it this way, there's no way they could have closed it down.
And then they'll start attacking because it's just the process of having a case
and disposing of it and terminating someone exposed a critical vulnerability.

(01:40:22):
So if you're not careful, the messaging itself can identify a vulnerability
and communicate it back out there to the exploitative threat actors out there.
So I think that's our place at the table as advisors. It's not people that are making the decision.
We don't own that decision about disposition.

(01:40:43):
But we can answer questions about how is the adversarial threat actor going
to respond to this? What should we be preparing for at our cyber defense organization?
Because I guarantee the very first thing they're going to hit is everything
cyber enabled and we're going to get attacked that way.
Which APTs is this threat actor typically paying to attack us and others like us?

(01:41:10):
I use the word adversarial because when we're talking about threat actors,
they're just other countries' intelligence services.
And I would never want to intimate that Chinese people or Russian people or
Iranian people are bad in some way.
I don't think that way. I don't believe that.

(01:41:30):
But just like the U.S. has intelligence agencies,
the NSA was famously outed for hoovering up all Americans' communications data
just in case they might get a warrant for federal officials to look at it.
And then it was available, right? Other countries do the same thing.

(01:41:54):
So I don't want to say that that's all bad on its face.
Some of it is legitimately cyber defense and some of it is legitimately, of course, InfoSec.
But there are those actors that we all know about and let's call it an adversarial
intelligence agency. Well, they're not going to send their employees to the U.S.

(01:42:18):
or to any other country to get a job at one of our companies and act like a
regular software engineer.
They're going to pay someone else to do that. They're going to use proxies of all kinds.
All these different ransomware gangs, all these different hackers are all proxies
that compete for contracts with intelligence agencies around the world.

(01:42:39):
So we need to know a little bit about the threat intel picture.
And so, you know, your cyber defense threat intel folks need to be in the room.
So when you're talking about the potential fallout of a termination where there
was a known threat actor, sophisticated intelligence agency involved and all
of that, you need to think about the downstream effects from a threat intel perspective.

(01:43:02):
Why are we in the room when disposition is happening? I'd say it's just for advice and assistance,
is to make sure the context doesn't get misinterpreted.
Most of the time, I haven't had to do a lot of education in those meetings.
It's just but a lot of times I do have to raise my hand and say,
well, that's hang on. It doesn't work that way. It's actually this way over here.

(01:43:23):
And it just keeps things from kind of getting a little off track.
Well, I think also it depends on the corporate environment, too.
If you're a government contractor, there are very clear rules and guidelines
of when something needs to be escalated to a government agency.
You know, that's true, but they don't have to take any action most of the time.

(01:43:44):
There's a there's a reporting requirement that's a compliance issue.
Yeah, but that's that's a lot different than taking an H.R. action.
Yeah, well, I think the H.R. action. And well, in a few times that I've had to do it,
the HR action was actually taken out of our hands and off the table until the
federal investigation had kind of run its course or whatever else.

(01:44:09):
I mean, we couldn't tip the hand of the investigation with the employee and
we were directed to do so.
Now we can see that like, hey, we want to terminate this employee and get this thing out of us.
We don't want to put our company at further risk, but that's still,
you know, has taken under advisement in some cases, you know,

(01:44:32):
that's you're right. That is a thing.
There are times when an espionage case, particularly that could have
strategic effects in the battle space, yeah, they
need to be handled a little differently, and there's regulations for
that. Bro, I, you know, I did an experiment: how long could I draw out this conversation
after you said you're, you're beat and ready to call it. I'm done punishing you,

(01:44:55):
man. I appreciate you jamming on this topic, being mostly investigative in nature.
Yeah, no, I think, I think it's fascinating.
And again, you know, I don't have the breadth and depth of investigative knowledge
that you've had over the course of your counterintelligence career,
both on the government side and the corporate side.

(01:45:17):
I was doing some other things, so I got to play around with it,
but it wasn't my forte exactly. Exactly.
And so I think it's important for us, you know, after some time off to get right
back into some very, you know, difficult discussions.
I mean, this is this deep, difficult topics to cover in a corporate setting,

(01:45:41):
especially in a podcast.
So but you have there's no way with there's no way within two hours to handle
it all. And so we're going to end up leaving a lot of like little questions
and gray areas on the table.
But that's okay. We'll just treat it as a primer and sorry, primer and a primer.

(01:46:02):
Get the topics out and open them up for discussion to the rest of the listeners
and get people on the show that want to contribute. Yeah.
And I hope that they, you know, find some things that they want to pick apart,
dive a little bit deeper in.
And that's what this podcast is all about is to start the conversation,
dive in as deep as we can and bring in other people with us.

(01:46:25):
Well, if we can convince Jeff Jones to pop a cold beer and listen to this episode.
I'm sure he'll have lots of input. I'm sure he will. I'm sure he will. And he will serve.
He will. He has graciously offered to be our legal advisor as we're having these conversations.

(01:46:47):
And we'll absolutely take him up on it.
So those of you listening, if you have questions that would be better addressed
to an attorney with a lot of national security law background,
We will absolutely entertain those questions and get the right expert on.
We have a lot of great guests lined up ahead of us for the rest of the year.

(01:47:09):
We're totally stoked to get them into the conversation.
I think you guys will be too. We won't name them as we're, you know,
still haven't gotten final confirmations and then people's schedules change, but we're very excited.
We have at least a dozen really interesting guests lined up to get us schooled
up on counterintelligence.
Well, Dave, it's so great to be back in the studio again with you.

(01:47:33):
So great to have this conversation with you. Yeah, man.
Yeah, I'm stoked. I'm tired today, but I'm energized to do more.
So I can't wait to get this episode out and start jamming on the next round of topics.
I think it's going to be, it's going to be a lot of fun.
Heck yeah, man. And thanks everyone for your questions and insights.

(01:47:55):
We'll be back. Take care.
Music.
We'll be right back. Thank you for listening to Unintelligence,
the corporate counterintelligence podcast.

(01:48:17):
The thoughts and opinions, along with any mistakes made during live sessions, are our own.
We represent no corporate or government agencies.
And if interested, we invite you to join the conversation as we seek to turn
over stones and shed light on the counterintelligence mindset and its applications
in the places we all work.
And we're always open to feedback, so we make sure to speak to the topics you're

(01:48:40):
interested in. So keep the comments and likes flowing.
Until next time, stay safe and secure and report concerns to security professionals. Thank you.
Music.