Why We Invested: Picnic

Protecting People and Companies from Social Engineering Attacks

Picnic is a cybersecurity firm going after an aspect of risk that the industry doesn’t spend nearly enough time talking about: attacks by social engineers. Social engineers are hackers who use public information about you, your company and your personal and professional networks to craft attacks designed to fool, coerce or manipulate you into performing a desired action that will harm you or your company. Financial fraud, operational interruption and IP theft all begin with social engineering.

As traditional cybersecurity has become more effective, hackers have turned to social engineering as a primary means of getting around hardened infrastructure and gaining access to privileged systems. Social engineering is now at the root of most successful attacks on enterprises, as hackers use exposed public information to effectively research and attack people, companies and supply chains.

We were introduced to Picnic by the founders of Verodin, a Rally portfolio company. Social engineering is particularly complex because it deals with human error, as opposed to just weaknesses in software and systems, and Picnic is the first time we’ve seen a company approach this problem holistically. They understand the human psychology and data behind social engineering, and they’ve substantiated it with software so enterprises can act.

Rally Ventures co-led Picnic’s 14M Series A financing in 2021. There is a massive market opportunity as people wake up to the reality of what needs to be done, and we are thrilled to back this talented team. Below is a short Q&A with Founder and CEO Matt Polak.

1. What is Picnic and what core problem does it solve?

The name Picnic is an old IT phrase that means Problem in Chair, Not in Computer. It’s the term IT people use when someone causes a technical problem, like clicking on a bad link.

Picnic is laser-focused on social engineering, which refers to the use of human psychology to manipulate people for a particular purpose. It is fundamentally about tricking people, and in order to do that you have to have information about the person you’re targeting. If a bad actor doesn’t know anything about you, it will be much harder to trick or scam you.

Skilled social engineers begin by analyzing open-source intelligence — which is any information about you that is publicly available — to determine who is valuable and easy to compromise. This data is then used to both select a target and craft an attack plan, which involves manipulating that targeted person into handing over sensitive personal or enterprise data.

Picnic finds and removes available reconnaissance about people and businesses that is known to be harvested by social engineers. Our goal is two-fold: first we want to reduce the risk the enterprise has of being socially engineered by reducing the amount of info that can be found to trick people. Second, we want to give the enterprise the ability to improve existing security investments and processes with Picnic’s new intelligence from beyond the firewall. This leads to fewer alerts coming into the Security Operations Center (SOC) and fewer incidents that enterprise security teams need to solve.

We accomplish this with two different applications. The first is the enterprise security application that provides the security team visibility across the human attack surface, and gives them the ability to take automated and continuous actions to reduce risk found beyond the firewall. Picnic exposes who within their enterprise is most likely to be attacked and how, so they can make decisions proactively. The second is an employee-facing application that identifies where people have personal info exposed. It continuously works to find and remove or neutralize sensitive data over time.

2. Is the problem you’re solving accelerating in terms of its scale?

Absolutely. There has been an industrialization or productization of cybercrime over the past few years. You can have limited skill as a threat actor and be successful, because you can now buy ransomware as a service. Threat actors have broken down the process of launching a ransomware attack into pieces, so anyone can go and buy the pieces they need to make an attack happen.

A recent example of this industrialization of cybercrime would be the attack launched against Twilio and Cloudflare. The threat actor, 0ktapus, built a service that automates the process of hacking someone. This threat actor group first scanned employees on LinkedIn to see who would be valuable to target. They then went out to find personal information (like emails and phone numbers) on data broker sites to build a target profile.

Next, they set up fake websites that look like the websites targeted employees were regularly logging into. And finally, they texted the employees, potentially using Twilio’s own software, trying to trick them to login to the fake websites. Historically, threat actors would have to do this entire process manually, but now it’s automated. Plus, the scale of these attacks is growing. 0ktapus hit more than 130 organizations in that attack, in addition to Twilio and Cloudflare.

Picnic has built the same systems and capabilities as the threat actors — we see what they see. We can do what 0ktapus did, but in a way that helps our customers understand how they could be targeted. We’re working against the problem by understanding how it’s being done and showing people how it could happen to them so they can prevent it.

3. We’ve been looking for an opportunity in this space for 10+ years. Why do you think it’s been challenging for successful companies to emerge in this space?

Social engineering is complex because it is the one vector in IT that administrators cannot control. You’re dealing with humans, not computer systems, and humans are often the weakest link in any system. Plus, you’re dealing with personal data, which can feel like a boundary that’s hard for CISOs to address.

A lot of it comes down to the right mindset. Many founders who work in cybersecurity are engineers, and they naturally think about this problem the way an engineer thinks about any problem: by trying to design a system. Social engineering doesn’t easily lend itself to being solved that way because it is actually a system of systems — with elements such as people — that can’t be controlled or predicted. I started out my career in the defense intelligence community and then went on to found a company that focused on competitive intelligence and strategy work. All of that helped inform Picnic’s approach to social engineering.

4. What are a few things every person should be doing to protect themselves against attacks by social engineers?

It’s a long list, but the first and most important thing is to make sure you have multi-factor authentication on all your important accounts: banking, email and healthcare. If you have that, it is much more difficult for bad actors to break through.

The second is to have the right mindset–to know that this is how modern attacks happen. Someone will try to trick and/or impersonate you, and you need to be aware of what your online presence exposes you to. For example, if your social media accounts are set to public, you’re at a higher risk of someone impersonating you through an app like Venmo. The ability to correlate your phone number with your friend list is way easier if your social media accounts are public.

In a business context, Linkedin is the number one source for threat actors. An easy tip here is to broaden the geographic zone that you’re in. Instead of Minneapolis, you could say Greater Twin Cities. I also recommend using different pictures across different platforms. Small changes like this make it much harder for social engineers to stitch your profile together.

5. What are you most excited about right now?

People are starting to understand social engineering and see that it’s a problem you can fight successfully. Watching that transformation happen inside of our customers is really exciting. People realize that they can stop attacks before they occur inside their environment, and it will have a significant impact by lessening alert fatigue and lessening all the associated pain of dealing with social engineering attacks. There is a realization that security teams can come upstream of the problem. We’re at the beginning of that wave, which is pretty cool.