From government to private enterprise, counterintelligence can unlock big benefits in cybersecurity. We sit down with a counterintelligence professional to define the practice, and how everyone can benefit by employing it.
Virgil Capollari, Founder & CEO of Adaptive Risk Strategies, is a strategic leader with decades of experience in intelligence, counterintelligence, risk, and insider threat across his distinguished career in the United States Air Force, Department of Defense, the financial sector, and non-profit organizations. Virgil is adept at building effective, ethical counterintelligence and insider threat programs that focus on prevention while keeping the human aspect of the mission at the forefront.
Beyond his efforts to prevent harm, Virgil is also an advisory board member and community representative who guides state and local policies - particularly in support of U.S. military veterans - and enjoys reading, traveling, learning languages and helping people wherever possible. As a lifelong learner, Virgil has an AAS in Intelligence Operations from Cochise College and a BA in History from the University of Maryland.
AJ Nash (00:01.794)
Welcome to Needlestack. I'm one of your two hosts today. My name is AJ Nash. I'm a career intelligence professional, was in the intelligence community for about 19 years. I've been in the private sector now for about nine years. I'm passionate about intelligence-driven security and building intelligence-driven security programs. My background's counter-insurgency, counter-terrorism, fighting war criminals and all sorts of things like that. But in the private sector now, I help companies build and mature their intel programs.
I run a podcast on the side and get to do this with my co-host, Robert. Robert, you want to introduce yourself?
Robert Vamosi (00:33.642)
Yeah, I'm Robert Vamosi. I'm a CISSP. I've been in the space for over 20 years, written two books, and I host my own podcast as well. So excited to be here today. And we actually have a guest this time.
AJ Nash (00:47.852)
Yeah, we do. Virgil Capollari. Now Virgil's an old friend of mine and anybody who's seen my podcast, Virgil was already on it once. We go back a ways in the Air Force days. Virgil was a good old school Intel guy and a counter Intel guy and an insider threat guy. Virgil, you want to tell people where you've been and what you do?
Virgil Capollari (01:04.542)
Actually, I thought you were doing a pretty good job, but my name is Virgil Capollari. I lead a small consultancy, Adaptive Risk Strategies. With it, I bring over 20 years of government experience in the intelligence community. I've worked a variety of assignments and positions, spent a good portion of my career either translating, trying to recruit bad people, steal information from other places.
And then spent the last, I'd say more than half of it trying to find those other Virgils out there, track them down, identify them, disrupt them or stop them or slow them down.
AJ Nash (01:45.516)
Are you saying there's more than one Virgil Capollari out there?
Virgil Capollari (01:48.093)
You know what? And I'm going to use the word fortunately very loosely.
AJ Nash (01:54.306)
As I said, Virgil and I go back a ways. So yeah, I doubt there's more than one of you, but I wish there was. You're a pretty, pretty awesome guy to work with and a bright fella. And I'm excited you're here today. I'm really looking forward to a cool conversation with you and Robert. And we're going to talk about counterintelligence and all the things that you do in that space and help educate some folks, including myself, on the industry. So what do we got first, Robert? What are we thinking?
Robert Vamosi (02:15.584)
So you're both from the intelligence space. We kind of understand what that is. But when we talk about counterintelligence, what are we talking about?
Virgil Capollari (02:26.014)
I guess I'll take a stab at that first. Really, the ideas, methodologies, methods used to identify, disrupt, exploit potential and actual threats. Right? So if you think about security as being a traditional rifle or a cannon mount that's posted on a hill trying to stop or deter someone or an entity,
Counterintel is basically trying to help steer that. Maybe you want to point it in this direction because this is where we think the likelihood of something bad may be happening and we kind of give security the real backing to kind of make the most informed decision. Think of it that way.
AJ Nash (03:14.36)
So is counter Intel, the way you're describing it, is that Intel that's specifically focused like, obviously I'm an Intel guy too. You know, we grew up doing this stuff. SIGINT and collections and bad guys, whatever. But a lot of what we did in my career at least was figuring out what bad guys were doing, collecting that, you know, analyzing it, translating it, writing reports and saying, here, here's where bad guys are. Here's what they're thinking, et cetera. What's the difference between that and what you're talking about with counter Intel? Is it like, is it deceiving? How is it, how is it different from the traditional Intel we're talking about?
Virgil Capollari (03:21.298)
Sure.
Virgil Capollari (03:42.375)
Traditional Intel is trying to gather what exactly the intentions and capabilities of our adversaries are, of folks that are looking to harm us. What counter Intel is looking to do is kind of disrupt their methods and how they're going about it. Now, I'm going to let you in on a really big human secret. There's only two ways information can get out, either through electronic means or through humans. That's the easy part. The tough part is now finding out exactly how they're doing.
And then depending on where you stand and depending on whether it's an operation or investigation, the steps you're going to take to try to mitigate those potential exploitation points.
Robert Vamosi (04:28.758)
So in the security world, would this be the difference between offensive security and defensive security?
Virgil Capollari (04:36.252)
I think that more on the corporate side of the house, yes. We're trying to get an idea ahead of time as to who's trying to do what, and then try to advise our companies and organizations how best to proceed to prevent what we have from going to somewhere it shouldn't.
Robert Vamosi (04:52.736)
You mentioned something about disrupting, that's where I'd leapt to the offensive part of it.
Virgil Capollari (04:59.236)
Okay, well, the disruption part of it is you are taking the steps to actually disrupt how they're doing what they're doing. Whether you've gained more information about how maybe your product, your intellectual property, your people are being exposed. And now you're not just going to allow that to happen. You're going to educate them. You're going to take other steps to maybe protect what you have a little better. That's really kind of disrupting what they're doing. Maybe you're going to work
more closely aligned with law enforcement, maybe some other organizations to help you.
AJ Nash (05:33.43)
It's interesting. It's like a lot of our Intel work is about understanding adversaries, getting ahead of them, either attacking them before they attack us or preventing them from being able to execute their missions, their attack, for instance, if we're thinking like kinetic, you know, attacks here. It sounds like what you're saying here is it's the same, but in this case, it's not the kinetic piece. It's the intelligence itself. We want to keep them from exploiting us. We're collecting on them. We want to keep them from collecting on us. So we want to keep our information from getting out. So we find out about their intelligence operations. Hey, they're planning on talking to so-and-so.
You know, our boss is going to be met at a meeting, but the person meeting him or her isn't really who they say they are. But we know that now. So now we got to prepare our boss, either not go to the meeting at all or prepare them with the right talking points. So it's really, I mean, as literal as it gets, it's countering their intelligence efforts. Right.
Virgil Capollari (06:20.633)
Yes, I mean, think about it like a baseball game. If the intelligence, regular intelligence is the offense, counter intel is really the defensive side of the house. We're going to set up these measures in place to kind of make sure that we're not going to strike out when we're up at bat. That they're going to be either forced to walk us or throw pitches right down the middle.
AJ Nash (06:39.886)
Mm-hmm.
AJ Nash (06:46.86)
Okay. That's, and that's really interesting because that's, that's the fine line. Like obviously I'm, I'm a career HUMINT. Well, not HUMINT. I'm a career SIGINT and open source guy, all source guy. I know you, you and I grew up in SIGINT, but then you moved into the HUMINT side, which is where most of this happens, right? Is the human component of understanding assets and, you know, turning assets or creating assets or understanding how adversaries are performing or planning to perform their intelligence operations because you talk to those people.
Robert Vamosi (07:18.39)
If we can. I'm thinking HUMINT is going to be what, analog, it's going to be like literally face to face meetings in the flesh, whereas SIGINT is going to be electronic.
Virgil Capollari (07:34.724)
For the most part, we would say yes, but we'd say that in today's day and age with texting and with other electronic means, it's still the human-to-human component. You still have a chance to kind of get a ground assessment as to the facial expressions or some other things, some other indicators that a meeting may reveal that, let's say, signals intelligence or something could necessarily tell you.
It's not saying one's necessarily better than the other. It's just saying that you're looking at it from multiple vantage points.
AJ Nash (08:10.958)
Well, you make a good point. I hadn't really thought about that. Timing has changed. Like old school, you go back 50 years, right? HUMINT was people talking to people, meeting, dead drops, meeting at bars, whatever it might be. Right. There was no texting. There was no cell phones. It was HUMINT was people talking to people and SIGINT was like telegraph, telephone collections, right? There wasn't much in between. Whereas now what you're talking about, I mean, HUMINT can cross into the technical space, right, at times because you can be working a target.
And you're using some of these technical means, but it's, it's not SIGINT collection because you're already targeting them. You know who you're talking to, right? Whereas SIGINT tends to be a third party collect effort. But it's interesting. I hadn't really thought about the fact that there's sort of a hybrid approach to some of it now from what you're saying.
Virgil Capollari (08:51.47)
Yes, it's no longer just kind of resident and how we react around people still hasn't changed. Whether we're more recluse behind our computers or not, it's a different story, but it is a people business and you know, the best, longest lasting relationships are the ones where people make an effort to kind of connect with you. We just have to be a little more wary of whether the connection has an underlying motive that's not kosher.
No?
AJ Nash (09:22.222)
Hmm, interesting. That's an interesting point. Uh, so, all right. We've talked a little bit about what counter Intel is, right? The difference between, uh, Intel and counter Intel and sort of laid that out. So let's, let's go a little bit deeper, man. So you're, you're a counter Intel professional. This is, this is your life. This is what you do. Can you walk us through like what you do and, really, what you don't do? I think, I think people should know that, you know, as a counterintelligence professional. So, I mean, to paraphrase Office Space, what would you say you do here?
Virgil Capollari (09:50.51)
Well, first thing is you gotta take the time to educate. Educate's the most important part of what you're doing. This is who I am as a counterintelligence person. This is what I'm trying to accomplish. I find more often than not, a lot of this gets lost in the sauce and the technical piece. What I'm trying to do, what we're all trying to do is kind of figure out what is most important to us.
And then what steps are we taking to protect it? Because what you tell me and what you do don't necessarily align. If you tell me that if this intellectual property or these sensitive financial records, they went outside the company, could hurt them. It's like, okay, well, then why are you letting anyone just walk back there where they have access to it? It's almost like your house.
So what we're trying to do is get an idea as to what you deem most important. And not every company should be deeming everything the same way. In government industry, it's kind of simple because companies that do a lot of government work, the government tells them what's important and what they have to do. That's called the minimum, you know, so if you're meeting the minimum standard, you're doing what the government wants. But a question I often ask throughout my career is, if you didn't have government contracts, would you just let anybody come through here?
So, right.
AJ Nash (11:18.258)
They might sadly cost, you know, cost becomes a factor. I imagine there's a cost benefit analysis. What's the most important stuff? What are your crown jewels? You know, what are the things you should be protecting? And it seems like a lot of companies struggle with that, I guess, to understand what are the most important things. And it sounds like, I don't want to speak for you, I'm going to let you jump in again, but it sounds like you're saying that that's part of what you do is help them understand. Hey, these are the things that probably are most important. I'm sure you receive, but I imagine you coach as well because that affects how you're going to set up your security posture around those things.
Virgil Capollari (11:47.851)
Absolutely. So we try to get an idea as to the people, the information, the equipment, the operations. Just because you have the Play-Doh, is the Play-Doh itself really the secret sauce? Or is it the way it's twisted, molded, shaped? OK. Now let's step back and find out who wants this and who has access to it. Those two important questions will kind of help frame it around it.
AJ Nash (12:02.648)
Hmm.
Virgil Capollari (12:17.034)
Now, and then from there, you kind of build out your counterintelligence protection plan and you work closer with your security folks to try to get an idea as to who's concentrating on what. What we're really doing is helping individuals and organizations prioritize their resources. Because if someone tells me that everything is important, then that means nothing is important. I mean, in layman's terms. So what we want to do is say,
Well, we think you should maybe dedicate majority of your energy to X, Y, and Z. Just because, you know, if you think of all the bad things that could happen in the world, and you know, at some point, I remember reading that the sun, which is the largest star in our immediate, you know, world, is supposed to burn out. But we're not living tomorrow like it's burning out.
AJ Nash (13:12.878)
No, I think we got some time left. I hope so, at least. I got some things to do. Like, I just bought new groceries, so I can't have the sun burn out yet.
Robert Vamosi (13:20.822)
So you mentioned education, and I just wanted to clarify there: it's both you as the counterintelligence analyst learning about the organization, but it's also the organization understanding what the crown jewels are and what the targets might be and really educating themselves.
Virgil Capollari (13:39.096)
It's very much a mutual exchange. Solid counterintelligence professionals don't come in and tell someone what's most important. We have to have an understanding of how people, the processes, the equipment, the information all interact. And then it's incumbent upon, at least in my opinion, the intelligence and counterintelligence professionals to build a program and tailor it around that.
because companies and organizations still need to be able to produce what they're doing in order to exist. Therefore, I think it's outside of government, I think there's a, or inside government, shall I say, I think there's a limited appreciation for just what companies have to do to continue thriving and producing because there's various trade-offs. We're only here to try to focus on what is
what I would say is most important and/or what executive leadership wants us to know or what they tell us. We in turn try to educate them in a way which marries up with their vision and it's absolutely crucial and critical that this happens because the effectiveness of the program is going to be dependent on their buy-in.
Robert Vamosi (15:04.15)
So could you maybe walk us through an example of what you might do for, an insider threat?
Virgil Capollari (15:11.639)
So what we would do is we would kind of start with kind of discussing a basic castle analogy. The castle puts up the wall, you know, removes the drawbridge and hey, everybody's safe inside there, right? But more often than not, especially throughout world history and European history, many castles fell apart from within. So the problem necessarily isn't that somebody from
or something from the outside is going to break down the door and steal the safe. The idea is that somebody may be inside. And now it depends on also how you utilize the words. In the government, at least in the intelligence world that I came from, many of us have, when we thought about a threat, we thought about an entity that had the capacity and means to exercise harm.
AJ Nash (16:09.09)
Motivation, right? It was like means, motivation, access, that kind of thing, right? Yeah.
Virgil Capollari (16:10.144)
Yeah.
They could actually do it, right? And so therefore, usually backed by a state entity, foreign government, so they had a few more resources at their disposal. When we talk about it more on the non-government world, I think of more of kind of like a hybrid between a risk, somewhere between a risk achieving a threat. And we'll just say an individual or entity that could harm you.
That doesn't necessarily mean that they're malicious in their intent. It just means that even by accident. So as we try to discuss the insider threat program, we're just saying that you can't really have an outside threat dynamic without an internal one. There's no kibbles without the bits. You know, kind of need both. If an entity is looking to hurt you from the outside,
they're probably looking at who has access to the inside and working on that dynamic. That's at least a part of my career. I didn't have to step foot in any of these organizations. Just had to wait for somebody to go inside there and then work on trying to meet them.
AJ Nash (17:30.594)
Makes sense. It's a lot easier to get ahold of a human being than it is to crack, you know, the security systems, right, especially on a harder target. I don't care how great your security is, if you treat your employees poorly, you've got a huge vulnerability, right? So you know, and a lot of companies do that, right? They're, they're very good on their security, but you find out that they underpay people or they treat them poorly. And they'll vent on social media, LinkedIn, whatever it is, I imagine that's an open door for somebody like, you know,
who wants to take advantage of counter intel folks some of the threats take advantage of that. And then your job, sounds like, is to understand who those vulnerable people are and be able to understand who might be targeting them and how to prepare to deal with that or how to prevent that. That's what I'm gathering here.
Virgil Capollari (17:59.231)
Mm.
Virgil Capollari (18:13.749)
Really excellent points, AJ. I mean, things don't happen just in a vacuum. Humans are a little more complex. There's a lot of other touch points and one of the best, one of the early things or best points I try to emphasize is as a company organization, the last thing you really want to do is contribute to creating an insider threat program or an insider threat per se. If you're going to treat people poorly or you're not going to pay attention to certain things,
AJ Nash (18:33.742)
Mm-hmm.
Virgil Capollari (18:43.559)
You shouldn't help the bad folks because that's likely what's going to happen. Our job is not to become a better victim. It's to actually, you know, try to stem it where we can. But it's a, it's a constantly evolving process. One of the most important foundations of it with education is basic communication. You know, that's kind of, what I find that companies that have high insider threats, aside from just having a really special product.
They have poor communication or challenges there and challenges in education.
AJ Nash (19:18.36)
Do you, you've been doing this a while. So how do you find, how do you find the companies? And by find, I mean, how does, how does it feel to you? How, what's your experience been in having that messaging that, hey, there's a business use, you know, companies are driven a lot by, you know, metrics and business case and we're trying to estimate, et cetera. Do you have a lot of success convincing people who maybe aren't currently doing so that, hey, there's actually a business value in treating people well, you know, in,
Compensating them properly, but also building an environment that's a good place to work in the event people have to be exited, exiting them with respect and dignity. Is that part of your program as well when you're teaching folks about counterintel is to talk about the business value of being good to people? I'd like to think people would do it anyway, but a lot of times that's not part of the metrics, right? So is that part of your program as well?
Virgil Capollari (20:08.341)
It is because if companies are going to take time to try to recruit talented individuals or kind of widen the pool of applicants, if you're spending this time and money to acquire them, the goal should be to get them to stay. And, you know, we live in a world where, you know, AJ, at least when we were growing up, you know, it was very uncommon to change multiple jobs in one year.
You kind of, you worked a few years, you showed some basic loyalty and I think that's generally been the case. These days, things are much more fluid. I've seen resumes where individuals have maybe worked three or four jobs in two years. And I have to kind of step back because I don't want to make sure I'm bringing my biases, but it's just, it's something to pay attention to. If it's an investment in people,
then I say that your greatest security strength or weakness is going to be the people you have. If you're hiring the right kind of people, it's going to work out. But beyond that, I find that most companies that are receptive to the message are either trying to change their posture or they're really kind of moving along with that because they're asking that question because they're not pushing back. I find that,
that companies that do take that time, it just makes everything else flow so much better. And more importantly, once again, it comes down messaging from the top. The CEO, the executive presidents can't know everything that's happening. That's not their job. It is incumbent upon us to make sure we're communicating to them in a language in a situation that they can understand. So that's why I think.
Robert Vamosi (22:05.718)
So we've talked about inside the castle. Let's flip that around. What happens when the king leaves the castle? How does the counterintelligence professional approach that where an executive is going out into the big dangerous world?
Virgil Capollari (22:22.899)
We provide foreign travel security is a very big part of it. And without having the benefit of being there and without the benefit of no longer working in the government and the intelligence community, we kind of have to rely on what we have out there based on knowledge of given locations. I mean, I guess it depends on where someone's telling me they're traveling to. However, you know, if it's a hostile, non-friendly country,
You know, chances are they're not probably going to uphold and respect individual human rights, especially of Americans, especially of other folks. So we try to provide whatever research, you know, OSINT, open source research. We try to provide other avenues to kind of learn more about the individuals they may be interacting with, where they're traveling, where they're staying, and taking the time to kind of
educate them on X, Y, and Z. This is where you're to be traveling to. This is what we've seen. In addition to government reporting from State Department and other channels, we advise them on steps to take, maybe what they should or should not bring with them, and show them another point. So through open source research, that's one piece of it. You're learning about where they're traveling to. From the counter piece, we provide them
This is what the open source research is on you, on what you do. This is where an adversary or someone bad is already studying you and could likely hurt you in X, Y, Z. So this is what we recommend you do to kind of take those steps. The key point here is if that analogy of the rifle being pointed outward, it gets pointed back inward. It's a two-way street.
AJ Nash (24:17.87)
Hmm. So that's really interesting. So if, if an executive is going to travel, it's to recap a little bit, but, to expand it. So you're not only going to do the travel report to say, hey, listen, in this country, you know, don't bring electronics or you can't use encryption because it's illegal or don't use the wifi cause it's unsafe or, you know, there's protests in this neighborhood and all the things that we do in travel, you know, weather, traffic, the whole bit. Right. But you're also, from what I'm hearing, you're going to
do you're going to act like an adversary and you're going to do open source research on your protectee to be able to say this is what you look like to the adversary. And then from there, I'm going to jump ahead here and get your confirmation. But it sounds like at that point, then thinking like a, like the threat you're going to say based on this profile, these are the things we would expect a threat to do. Is that, is that capturing it correctly?
Virgil Capollari (25:11.715)
Yes, and at the earliest stages, we communicate with them and let them know that this is how we plan to proceed because we want to make sure they're comfortable with us. Although it's open source and research, you want to respect people's basic privacy. And I'd say 99% of the time there's no problem and they actually find it really interesting. And what we try to remind them is that if we're looking at this,
Imagine what a foreign country who may be looking to hurt you, a government, they've got even more resources, time, people to take a look at you and try to find, you know, pressure points.
AJ Nash (25:53.934)
What are some of those things that you, when you do open, I'm going to dig into this. I want to, I'm going to get one more granular. I want to understand what are the things you're using, you know, what are the things you're building into a profile and then like, what are the steps and the kind of tools you use to go do that? I mean, we talk about open source, right? And I know you and I do this kind of stuff, but for the audience, not everybody maybe does, or maybe they're looking for some new tricks from an expert like you. Like what are your, what are your basic, uh, steps and strategy for that? I go to these websites, I pull these things together. These are the topics I'm trying to accomplish. These are tools I use if you have any favorite tools or whatever.
What are your thoughts on that?
Virgil Capollari (26:26.5)
Depending on the company and very what skills they may offer, you know, or what they do for a living. We take a look at, we try to get an idea from them at the earliest stages as to any conferences they've attended. You know, in the past trade shows, things like that to maybe promote their business. We try to get an idea of what foreign businesses that they have, if any. And if they're sponsoring students,
from any given countries or locations on special visas. From there, we kind of wind and we kind of build our research around that. So if they're able to, you know, kind of share some of the business partners or attempts to connect, we say, okay, if you're traveling to country Y, we notice that these entities have reached out to you. By the way,
This entity also seems to have business relations with another company you're doing business with in, I don't know, Mexico or Canada. Did you know that? And then we're like, we also see that you're going to be traveling to here, to this location on this date. You posted this already. We took a look at some of the other people who liked it from around the country there. What else can we gather? OK.
We also noticed that online you said that you're going to be traveling here and you know your daughter is thinking about going to school here.
Who knows? Maybe while you're there, you may be approached. Maybe people will be extra friendly. Who knows? We kind of build that in about them. So we take a look at their pressure points. What are your business vulnerabilities? Are you looking to expand capital? Are you getting more resumes than normal? Is business tough? And now you're becoming, you're letting the guard walls down because you have to keep your business afloat. Do they know that?
AJ Nash (28:23.138)
Mm.
Virgil Capollari (28:34.563)
So we kind of, you know, we kind of take a look and then the individual themselves. What do they let us know about their persona? Sometimes some of these people are really, really kind of plain and boring for a lack of better word. And there's not a whole lot going on. We love it. We want that absolutely. Sometimes, you know, they spend more time on vacation and going to these other places. You know, we just kind of, we kind of try to, we build around what
AJ Nash (28:47.864)
That's great, I'm sure. That's what you want, Yeah. Yeah.
Virgil Capollari (29:04.323)
they do, rather than try to offer something generic that may not touch them, it may, you know, waste everyone's time.
AJ Nash (29:13.454)
So boring people are easier to secure and protect because they don't leak as much information and they don't interact with as many potentially threatening people. So boring recluses who don't spend time on the internet or social media are a counterintel professional's dream protectees, it sounds like.
Virgil Capollari (29:30.276)
Wow, you just summed my life up in about two minutes.
AJ Nash (29:33.378)
But people aren't like that, I mean, especially now, most people live very out, out and open and they're on social media and they're traveling and they go to these conferences and all these things. It sounds like what you're saying is every one of those movements, which are all normal business and professional and personal movements, adds more risk, adds more opportunities for adversaries and therefore, you know, more opportunities for you to have a deeper research project and a more complete threat picture for them, which is really interesting to me.
Virgil Capollari (29:58.319)
The biggest challenge really is we find two extremes. When the pendulum swings one way, they're everywhere and anywhere on the internet. And then when it swings back the other way, they're not there at all. Both make me wonder what's going on here.
AJ Nash (30:13.944)
That is suspicious.
Virgil Capollari (30:15.407)
But in order to accomplish that, you do need, I'd say a little more kind of a secure subset. Authentic8 was from the earliest stages of government. It's always been a reliable tool. It gives you a non-attributable kind of situation. When we say non-attrib for the folks listening, we're talking about IP addresses not showing up from your exact house
and location where you can do some basic research. And we all know that if it's out there on the internet, it's out there forever. So it's not being hidden. We use various, you know, various tool sets along that space and just some other analytic tools along the way, you know, other OSINT platforms. But for at least for the internet, we find the one stop shop with Authentic8 works. It does what it needs to do and
it's for the person who doesn't want to think much deeper, which is me, what I'm setting up, but gets the job done.
AJ Nash (31:18.702)
Well, and I get that. That's me too. Like I've been using the tool for, for a long time. That's not really what the point of this show is obviously, but it turns out conveniently that that's the case, right? I'm a huge fan of Silo and using it forever because yeah, it's simple and it works. And so I appreciate the plug for that as well, but it's good to know that it's helping you.
Virgil Capollari (31:34.648)
Yeah, I know, but it is. I mean, it's been easy from the early stages, even from...
AJ Nash (31:38.647)
Yeah, very cool.
Robert Vamosi (31:39.872)
So putting on my security hat, what you describe kind of sounds like you're red teaming a company, finding some adversarial information to let them know, like, hey, if I can find this out, the bad guys can find this out. I'm kind of curious. In the government, I imagine they do this 24-7. They run these teams, these counterintelligence teams, all the time. But in the corporate world, is it something like doing a pen test where you do it on demand?
Is it something that maybe companies should start to consider doing 24-7 themselves?
Virgil Capollari (32:15.809)
I would say depending on companies, I would encourage them. I would encourage any company, any individual in the security space to get outside of their comfy zone and constantly learn about what's happening. Now this is both a blessing and a curse. Just because something happened someplace doesn't mean it's going to necessarily happen at our place. So the danger is the commercialization aspect of threat.
You know, and now everybody's chasing down North Korean imposters acting as IT personnel. And, you know, if your company has an in-house IT shop, then you're probably not worrying about, you know, that, that side of it. It's to be aware. But, but, but, but the point is, but the larger point is, and I'm sorry for that.
kind of drawing thought. I think the real point is that
AJ Nash (33:14.677)
That's what that is for.
Virgil Capollari (33:20.791)
Companies are taking kind of this red teaming approach and they should because once again, threat and risks do not remain static. And we've had many of these programs and security programs for years, yet we're about one week away from another story in the news where some company has been exploited, someone did something, and we're all coming back to the drawing table.
Well, if we have all these other things, what's not working? And I say that if it becomes overly burdensome with tools and processes instead of what the mission goal is.
AJ Nash (34:07.744)
Interesting. Good.
Robert Vamosi (34:07.84)
So do you have a preference of being an Intel person or playing the counterintelligence role? It seems counterintelligence is more fun.
Virgil Capollari (34:17.845)
Yeah, I think so in the career. I do. But I do like it. It's interesting to see, you know, sometimes you go out, you talk to people just to see what they're willing to tell you about themselves. And, you know, I mean, it really is. I mean, you know, I mean, and if you really want to watch it at work, you find someone who's worked sales. Sales constantly has to do it. Why? Because you have to interface with people. You have to figure out what they want and then try to apply it. I mean,
AJ Nash (34:30.318)
The thing is I do that too.
Virgil Capollari (34:47.628)
I've taken a look at folks that salespeople that work at mid-size or mid-range autos to upper end autos. If I got out of my truck at a Porsche dealership, the salespeople probably wouldn't even approach me because I...
AJ Nash (35:06.776)
You don't look like a Porsche owner. Is that what you're trying to say?
Virgil Capollari (35:07.276)
I am not breathing that down payment, you know, but very much so. Yeah. I mean, I prefer the defensive side. There's a lot more you can do. And I know there's always an ongoing debate within the law enforcement and Intel side, but I think there's a time and place for each one. I think the arrest, yeah, it's nice. It does its piece, but personally speaking, a little disruption along the way,
a little steering them down a different side of the river is just as effective.
AJ Nash (35:47.31)
Yeah, I mean, that's I think that's really interesting, right? And obviously I'm an Intel guy, but you know, as you said, salespeople is a good example, right? Salespeople, that's, that's their job is to elicit information. And that's what counter Intel is, right? Um, you know, I grew up in sales a million years ago, my family's in sales and it's sort of a natural thing. I go out in public and you know, people I know, uh, will kind of laugh at how I converse with a lot of people and a lot of people tell me a lot of things. And sometimes I haven't told them much of anything.
It just depends on the conversation of what I'm trying to get. Sometimes I'm just very curious to learn things. And like you said, people will tell you people love to talk about themselves and they'll tell you all sorts of things. And you walk away and go, geez, I know a lot about these people now. I know, I know they're going out of town, for how long. I guess I also know where they live. And I got a license plate. I could probably figure out their house. I could probably rob them if I wanted to, which is a very off-putting conversation, by the way, to have with people. I realize when I say those things, I have to remind people I'm not going to.
Robert Vamosi (36:34.921)
It is.
AJ Nash (36:39.484)
because that's how we think, right? But it's very interesting to see how much people will leak. So listen, I know we got to wrap up. We're running, running out of time at this point, Virg. I really want to thank you for taking the time to come on and talk about counter Intel and about the work you do. It's, it's really fascinating, interesting work and a challenging assignment, frankly, I can only imagine you've talked a little bit about it, but how difficult it is to get companies to understand this, to take this seriously and to, to apply these, these
learned, you know, these experiences that you're giving them, right? These learnings, these teachings, so that they can have less risk, right? And so threats have a harder time, you know, getting in. Because again, I don't care how good your security is, your physical security, your technology, your people are generally the easiest way in, right? So treat people well and also listen to your counter-intel folks like Virgil so that you're better prepared
to combat those things. Is there anything, last words I just kind of wrapped up and I shouldn't have, but are there any last words that you want to add? Like advice, cajoling, a joke, whatever you got, man.
Virgil Capollari (37:43.435)
Yeah, one final piece to any individual out there looking to get more involved with CI or counterintelligence or build out programs. If you're operating too much in the secretive manner and you're not really communicating with your larger company or teams, you're doing yourself and the program a great disservice. The whole purpose is to communicate and get outward. I find it ironic that
being in the former government space, I have to have this conversation that communication is really your key. And if you're too wrapped up in the processes, you're probably not delivering on all those points. That's just my editorializing on this. But no, really enjoyed this conversation. A lot of good stuff.
AJ Nash (38:33.326)
Well, that's a great point. People, it's a people thing. Process is important, but people are the business is what you're saying. Robert, you want to take us out at this point? You want me to take us out? All right. So, well, that's what editing's for. All right, so like you said, people are the business. I think it's a great point to close out on. Again, Virgil, thank you very much for coming on Needlestack. It was great to have you and Robert here with me, and we were able to have a cool conversation that I hope people took a lot away from
Robert Vamosi (38:33.472)
Yeah, sing.
Virgil Capollari (38:43.946)
Yeah.
AJ Nash (39:00.78)
and we'll be safer and more secure. And if you, if you need more information, reach out to Virgil Capollari. He's easily available on LinkedIn. He's a good guy to talk to. I highly recommend chatting them up. If you can't find his contact information, find us, we'll get you connected. And I think that'll wrap it up. So that's a, that's a great episode of Needlestack. Thanks everybody for being here. Please follow and like, and, and share and all the things that, that help us grow this podcast so we can keep bringing great guests like Virgil on and share all of their experience and all their wisdom.