Future of Threat Intelligence

Future of Threat Intelligence

Team Cymru
ประเทศ สหรัฐอเมริกา
แนวเพลง ธุรกิจ
ภาษา EN
จำนวนตอน 115
ล่าสุด 02.07.2026

Future of Threat Intelligence is a podcast that explores the shift from reactive detection to proactive threat management in cybersecurity. Hosts engage with top cybersecurity leaders and practitioners to uncover strategies for anticipating and neutralizing threats. Each episode provides actionable insights to help organizations stay ahead of emerging trends and technologies.

ตอน

  • Why the old phishing training is obsolete after deepfake attacks 02.07.2026 42นาที
    Resource constraints, not attacker sophistication, are the biggest cyber threat facing state and local governments, and AI is widening the gap by making low-skill attackers faster and more convincing. In our latest episode of the Future of Threat Intelligence podcast, Randy Rose, VP of Security Operations and Intelligence, Center for Internet Security, shared how community defense, essential controls, and human verification hold the line as phishing and deepfake threat intelligence evolve.Topics discussed:Why resource constraints are the number one cybersecurity challenge for state and local governmentsHow AI makes low-skill attackers faster while ransomware and phishing stay the top threatsMapping CIS Implementation Group 1 controls to top MITRE ATT&CK techniques to reduce riskWhy traditional phishing training is obsolete after AI-written phishing and deepfake attacksHow community defense turns one organization's attack into protection for thousandsKey Takeaways:Prioritize an essential set of controls, starting with CIS Implementation Group 1, to buy down the most risk against top threats like ransomware.Map your controls to the top MITRE ATT&CK techniques so you know which defenses deliver the greatest impact.Retire phishing training built on spotting typos and odd phrasing, and train people for general skepticism instead.Build proactive verification, such as two-person integrity, before trusting an email, phone call, or video feed.Inventory access alongside hardware and software, tracking who and what has access to what, including AI and agent tools.Maintain and exercise an updated incident response plan, and know exactly who to call in each scenario.Use AI for data translation, correlation, and enrichment at scale, and reserve creative thinking and context for people.Listen to More Episodes:  YouTube  •  Apple  •  Spotify  •  Website
  • Coalition's Daniel Woods on the attorney-client privilege tactic shaping every IR investigation 18.06.2026 42นาที
    Daniel Woods, Principal Security Researcher at Coalition, sits at an intersection most security practitioners never access: underwriting data, claims history, and live forensics findings from the same vantage point. In this conversation, he traces how cyber insurance evolved from a 10% loss ratio product in the late 1990s to carriers reportedly hitting 130%+ during the ransomware era, and what that financial pressure forced the market to actually build. He also explains the mechanics behind why lawyers end up directing IR investigations, who that structure protects, and why every practitioner who has ever written a forensic report should understand it before an incident forces the question.Topics discussed:Early cyber insurance economics and how a near-90% profit margin shaped the marketHow California's 2003 breach notification law created the data breach litigation economyHow the shift from on-site auditors to yes/no questionnaires left insurers blind to whether backups were actually recoverableWhy RDP as an initial access vector dropped from roughly 80-90% of ransomware claims to around 20%Why insurers put lawyers in front of IR investigations and what that means for what gets documentedThe unresolved legal problem with cyber war exclusions along the nation-state/criminal contractor continuumWhy security practitioners should be in the room during the insurance buying process, not reacting to the vulnerability report afterwardWhy cyber insurance is a broad digital risk product and not just a ransomware backstopKey Takeaways:Get your security team into the insurance buying process before the vulnerability report arrives. Once it lands, you are in reactive mode with your carrier already holding findings.Insurers like Coalition built their underwriting model around external perimeter scanning, specifically flagging open RDP, VPNs without MFA, and exposed attack surface before they quote. That scan is happening whether your team engages with it or not. Use it.The backup question on an insurance application has moved well past yes or no. Insurers now ask about recovery time, maintenance cadence, and whether backups are actually tested. A tape environment that takes two months to restore is not a recovery capability and carriers know it.When a lawyer is directing your IR investigation, what goes into the forensic report is a legal decision, not just a technical one. Daniel's own interview research with lawyers found that technical practitioners routinely undermine the privilege structure by writing explicit characterizations of organizational failure, things like "flagrant culture of noncompliance," that lawyers cannot shield and litigants can use. Know what you are writing before an incident forces you to find out why it matters.Standalone cyber policies and property policies respond very differently to nation-state incidents. Cyber insurers paid out on Sony under standalone cyber. The war exclusion fights over NotPetya happened in property insurance courts. If your coverage mix includes both, those are not equivalent protections.The attribution problem cuts both ways. Nation-state actors contracting ransomware groups, or using financially motivated TTPs alongside espionage operations, make war exclusion clauses nearly impossible to apply cleanly. Know where your policy language actually draws that line.Cyber insurance covers more than breach response. Impersonation, deepfake fraud, and privacy violation liability are all coverable under the right policy structure. Most buyers do not realize that until they file a claim.Listen to more episodes: Apple Spotify YouTubeWebsite
  • How Akira hits thousands of SMBs with $50K-$150K ransoms undetected | Alex Bovicelli 04.06.2026 26นาที
    In part two of this conversation, Alex Bovicelli, Senior Director of Threat Intelligence at Tokio Marine HCC - Cyber & Professional Lines Group,  gets into what the industry keeps getting wrong about ransomware targeting. The organizations getting hit most often are not the ones making headlines, and the attack methods used against them require far less sophistication than most practitioners assume.Drawing from claims data across thousands of insured companies, Alex explains how groups like Akira have deliberately built around high-volume, low-ransom SMB campaigns, why unpatched MSP tooling is one of the most consistently exploited entry points most defenders aren't tracking, and how a low-tier threat actor sitting on an infected employee machine for six months can hand off access to a major ransomware group. He also breaks down how access brokers are assessing victim maturity, insurance policy status, and organizational structure to decide whether ransomware or BEC delivers the better return, which has nothing to do with CVSS scores.Topics discussed:Why SMBs face structurally different attacks than enterprises, not scaled-down versionsAkira's volume-over-value model: ransoms in the $50K-$150K range, thousands of targets, below the threshold that attracts law enforcement attentionUnpatched MSP tooling as a lateral movement vehicle the victim never sees comingHow a low-tier threat actor's own machine was infected with an info stealer, exposing the 6-7 month timeline between initial access and ransomware deploymentHow access brokers assess victim maturity, insurance coverage, and org structure to choose between ransomware and BEC for maximum ROIWhy criminal exploitability outweighs published vulnerability severity as a patching signalHow cyber insurance claims data gives CTI teams visibility into active exploitation before it surfaces publiclyKey Takeaways:Stop treating SMB ransomware exposure as a scaled-down version of enterprise risk. The attack methods, economics, and entry points are structurally different, and your defenses need to reflect that.Track SSL VPN brute forcing campaigns specifically. Groups like Akira have optimized these tools to run unattended and return thousands of valid credentials against organizations with no account lockout policies.Enforce account lockout policies and MFA on every remote access entry point. These aren't advanced controls. They're what separates organizations that get hit from those that don't at the SMB level.Audit your MSP's patch posture as part of your own risk assessment. If your MSP is running unpatched tooling, your organization inherits that exposure whether you know about it or not.Integrate info stealer log analysis into your detection pipeline. A low-tier threat actor's infected machine can expose a 6-7 month old foothold and reveal exactly how a major ransomware group obtained initial access.Understand that access brokers are evaluating your organization's maturity, insurance status, and whether you're centralized or decentralized before deciding whether to hit you with ransomware or BEC. Your structural profile affects how you get targeted.Replace CVSS as your primary patching prioritization signal. What access brokers actually care about is ease of exploitation combined with the number of available targets, and your patching sequence should mirror that logic.Use post-claim incident response data to validate and calibrate your pre-claim detection signals. Insurance claims data provides visibility into what is actively being exploited in the wild before it reaches the news cycle.Listen to more episodes: Apple Spotify YouTubeWebsite
  • The CVSS problem: why severity scores don't predict what gets exploited 21.05.2026 45นาที
    Patrick Garrity, Security Researcher at VulnCheck, has a data problem with how the industry prioritizes vulnerabilities, and the data is his own. After manually categorizing roughly 800 exploited vulnerabilities by technology type each year, what he keeps finding is that the CVSS severity distribution of exploited CVEs tracks closely with the overall CVE population. Meaning the scoring system most teams use to decide what gets patched first has no meaningful relationship to what threat actors are actually targeting. He hasn't yet sliced it fully by category, but what's already visible is enough to warrant rethinking your triage logic.He also walks through VulnCheck's exploitation velocity data: roughly 29% of exploited CVEs already have exploitation evidence on or before the day the CVE is published. His read on that number is direct if you're in that bucket, you're likely already compromised before you've had a chance to prioritize the patch.Topics discussed:Why the CVSS severity distribution of exploited CVEs mirrors the overall CVE populationExploitation velocity data: roughly 29% of exploited CVEs have evidence on or before CVE publish dateHow MFA adoption shifted threat actor focus from credential compromise to direct exploitationTree map methodology for categorizing 800+ exploited vulnerabilities by technology type annuallyCascading vulnerability research: how one high-profile exploit draws threat actors and researchers to adjacent productsSource validation framework for assessing reliability across 118+ exploitation evidence reportersVendor security-through-obscurity blocking defenders from building detectionsEU Cyber Resilience Act mandating 24-72 hour exploitation disclosure windows in 2026How Coalition uses vendor risk indices to set cyber insurance rates based on technology stackKey Takeaways: If your remediation SLAs are gated on CVSS score, you're likely deprioritizing real exposure. Patrick's data shows the severity distribution of what gets exploited tracks the overall CVE population, not a cluster at the critical end.For any CVE where exploitation evidence predates the publish date, treat it as a probable breach, not a patching event. Patrick's framing: you're "likely already compromised." IR engagement should precede remediation, not follow it.When a major exploitation event lands on a product, immediately pull your full inventory for adjacent products in the same technology category. Both threat actors and researchers start looking at related products the moment a category gets attention.Audit your network edge devices for end-of-support and end-of-life status. Many of these products carry 20-30 years of tech debt and were never built with product security as a baseline consideration.When evaluating or renewing network security products, ask the vendor directly: what does your vulnerability disclosure process look like, and is patching automated? If remediation requires a manual change control window every time, that's a structural liability that compounds under pressure.Push back on vendors who restrict patch details or technical indicators to paying customers. Threat actors who already reversed the product don't need that information. Defenders who are trying to build detections do.Look at how insurance carriers like Coalition score your technology stack by vendor risk. If products you're running carry a high-risk rating in those indices, that's worth taking into a vendor conversation or a board briefing it's independent, data-backed validation that your exposure is real.Listen to more episodes: Apple Spotify YouTubeWebsite
  • Unit 42's Andrew Rathbun on the Sysmon Configuration Mistake Enterprises Are Making 07.05.2026 42นาที
    Andrew Rathbun, Senior Consultant at Palo Alto Networks Unit 42, has spent years tearing apart Windows endpoints across ransomware, APT, insider threat, and DPRK IT worker cases. His read on the state of enterprise Windows logging is blunt: most organizations have spent significant money on detection tooling while leaving the native forensic record so truncated that proving an intrusion timeline is nearly impossible. He introduces the "conveyor belt of volatility" as a forensic lens, every second, events fall off the back end of your log, and the default sizes Microsoft ships are a relic of 2002 disk economics. Accepting those defaults in a contemporary environment isn't a configuration oversight; it's a gift to the attacker.The conversation goes deep on the four artifacts Andrew calls his sysadmin Christmas list of Sysmon, the Security Event Log, Volume Shadow Copies, and the $J USN Journal, and why each is typically either absent, stale, or undersized when he arrives on a case. He also covers what DPRK IT worker cases look like from the endpoint, why EDR alert queues are generating true positives that go ignored for days, and how he actually uses AI on cases, including a specific example of generating a PowerShell script to convert Linux audit log epoch timestamps to human-readable time, a script he's been running in production for years.Topics discussed:The "conveyor belt of volatility" framework for understanding Windows event log retentionWhy accepting default log sizes actively shortens the forensic timeline available during incident responseWhy Sysmon's inclusion in Windows 11 is long overdue, how stale installations with outdated event IDs are a common unforced error in enterprise environmentsHow volume shadow copies can extend forensic visibility across months of attacker activityThe $J USN Journal as a file system ledger for every file creation, deletion, rename, and size change on a Windows partitionWhy EDR is a mandatory but insufficient control, including how alert fatigue causes true positives to be miscategorized as false positivesWhat DPRK fake IT worker cases look like from the endpoint, including the forensic value of USB artifact timestampsHow AI functions as a genuine force multiplier in DFIR while remaining unreliable as a source of authoritative forensic ground truthWhy GitHub fluency, not tool mastery, is the foundational skill for anyone entering digital forensicsKey Takeaways: Size the Windows Security event log to at least 1 GB. The default 32 MB cycles 4624/4625 events fast enough that authentication history from the week before your incident is already gone.Deploy Sysmon and keep it current. Treat version currency as a security control.Size the $J USN Journal appropriately on all Windows partitions. It's a file system ledger of every create, delete, rename, and resize.Enable volume shadow copies and treat retention depth as a forensic asset. Alert on event IDs 1102 and System 104. These signal security log and general event log clearing.Audit EDR queues for true positives closed as false positives.  Baseline USB artifact timestamps and KVM device registry entries on remote worker endpoints. Use AI to parse unfamiliar log syntax and generate one-off scripts — not as forensic ground truth. Don't assume EDR coverage eliminates the need for native Windows logging. They capture different visibility layers.Build GitHub fluency as a foundational DFIR skill.  
  • Trend AI's Robert McArdle on Criminal Business Models Surviving Tech Revolutions 23.04.2026 40นาที
    After 18 years tracking cybercriminal operations at Trend AI, Robert McArdle, Director of Cybercrime Research, has developed a framework for predicting how threat actors adopt new technology: the answer consistently comes down to economics, not capability. He breaks down three rules of thumb his team uses: criminals want an easy life, any new technology must beat the ROI of their current model, and cybercrime is evolutionary rather than revolutionary. Those rules explain why ransomware has actually slowed the adoption of new attack methods and why the lowering technical barrier for attackers creates an asymmetric burden on defenders, who must demonstrate value to an employer rather than simply make a profit.Robert goes deep on where agentic AI is headed for both offense and defense, including a sobering implication for law enforcement; as criminal operations become increasingly automated, arresting the principals may no longer disrupt the business. His team has already put this to work on the defensive side. Their internal agentic system ACER has discovered 210 zero-days in a matter of months. He also raises a specific concern that practitioners should take seriously: CTI reports containing detailed reverse-engineering write-ups and code samples are essentially training data for malicious LLM prompting, and the industry should reconsider what level of technical detail is actually necessary to publish alongside IOCs.Topics discussed:The three-rule framework for predicting criminal adoption of emerging technologyHow the lowering technical barrier for entry shifts the entire cybercriminal bell curve upward Why embedding AI directly into malware remains rare below 1% of observed cases, and the two structural reasons that limit adoption The shift toward jailbreaking non-Western LLMs as criminal operators anticipate that law enforcement coordination is effectively nonexistentHow agentic AI transforms criminal business models from linear service stacks to exponentially scalable operations The emerging law enforcement challenge when operations are ~75% autonomous, arrests no longer constitute meaningful disruption Why CTI publishing norms need to evolve, specifically how detailed code samples and reverse-engineering screenshots in APT reports can be fed directly into LLMs to accelerate malware developmentPractical defensive posture for shadow AI proliferation: treat AI-powered tools as untrusted software under existing vulnerability management frameworksKey Takeaways: When assessing whether adversaries will adopt a new technique or tool, evaluate it through three lenses: ease of operation, return on investment versus current methods, and evolutionary fit with existing business models.Before publishing detailed reverse-engineering write-ups, code samples, or pseudocode in APT reports, assess whether that level of detail serves defender use cases or primarily serves as a development accelerant for threat actors. Audit your organization's shadow AI exposure as a software risk problem, not an AI problem. Structure specialist agents to handle discrete tasks rather than relying on a single broad LLM. Pressure-test your law enforcement response playbook against autonomous criminal infrastructure. Evaluate your AI security tooling for hallucination risk in detection workflows.  Model romance scam and investment fraud at scale in your threat landscape. Monitor for jailbroken non-Western LLM wrappers in criminal marketplaces. Factor defender tooling complexity into hiring and onboarding benchmarks. Track zero-day discovery velocity as a benchmark for agentic security ROI. Listen to more episodes: Apple Spotify YouTubeWebsite
  • Scott Scher on Why CTI Teams Forecast Instead of Predict 09.04.2026 45นาที
    Scott Scher, Cyber Threat Intelligence Lead, makes a distinction that reframes how intel teams should think about their own value: they are forecasters, not predictors. That shift in framing has concrete consequences for how CTI programs justify themselves internally, and Scott argues that the most meaningful metric isn't alert volume or report count, but the decisions intel has actually influenced. Scott also addresses where he sees the threat landscape heading, and his read on ransomware cuts against how many teams are still oriented. He argues that encryption-focused ransomware has largely peaked in value for attackers; the real shift is toward pure data exfiltration. He also touches on AI in CTI with a grounded take; it’s useful for accelerating manual analyst tasks like data gathering and link analysis, but only if intelligence teams define how it gets used before the organization does it for them.Topics discussed:Why CTI teams operate in the forecasting space rather than the prediction spaceThe practical implications for how assessments are communicated to stakeholders and leadershipThe challenge of quantifying CTI value through decision-driven metrics rather than output volumeMapping each stakeholder's workflow outputs and the triggers that drive them, then injecting intelligence at the right point in that chainThe evolution of ransomware toward exfiltration-only models, and why this reframes the defensive priority from backup to data loss prevention How CTI teams can use strategic intelligence to drive organizational decisions on edge device hardening and third-party riskThe role of AI in intel workflows as a force multiplier for manual analyst tasks, and why teams need to define that use case proactivelyThe collective defense model emerging at the state and local government levelWhy making analytic assessments scientifically defensible is what separates credible CTI from noiseKey Takeaways: Reframe your team's value proposition around decisions influenced, not products delivered. Map each stakeholder's workflow before defining your intelligence requirements. Conduct monthly stakeholder cadences specifically to capture feedback on delivered products. Ask stakeholders about their biggest obstacles, not just their intel requirements. Reorient ransomware defensive priorities toward data loss prevention.Use sustained trend analysis to build strategic intelligence cases for resource allocation. Get ahead of how AI is used in your CTI workflows before organizational pressure defines it for you.Treat qualitative stakeholder feedback as a scientific input, not an afterthought. Document the reasoning behind every intelligence assessment, not just the conclusion. Pursue an interdisciplinary lens when building CTI programs and hiring. 
  • You Can't Trust Your Zoom Call Anymore. Deepfakes, DPRK & the New Attack Surface 26.03.2026 42นาที
    Deepfakes have moved well past the uncanny valley and into active threat operations, and Tom Cross, Head of Threat Research at GetReal, has the client-side case studies to back it up. Tom explains how North Korean IT worker infiltration campaigns have transformed HR and video conferencing from administrative functions into active attack surface, albeit one that most security teams aren't monitoring, logging, or ingesting into their SIEM.Drawing on a long-running collaboration with a former West Point professor and intelligence officer, Tom also applies the military framework of tactical, operational, and strategic intelligence to cybersecurity, arguing that most CTI programs are really just lists of burned indicators. The actual value of IOCs, he contends, is retrospective: discovering you were communicating with a known-bad actor means you may still be compromised. He makes the case for connecting adversary intent models, red team findings, and vulnerability data into a unified predictive picture. YT Thumbnail title: Your Zoom Call Is an Attack SurfaceTopics discussed:How North Korean IT worker infiltration has converted HR processes and video conferencing into an active, unmonitored attack surfaceVoice-cloned peer impersonation via messaging apps, followed by deepfaked video calls and malware deliveryWhy deepfake audio attacks on IT help desk credential reset processes are among the most likely near-term vectorsBiometric indicators of compromise and the significant false-positive risks that distinguish them from traditional IP or domain IOCsHow the military intelligence framework of tactical, operational, and strategic analysis applies to CTI programsThe strategic importance of retrospective IOC analysis versus forward-looking ingestionWhy DPRK's financial motivation model expands their target set far beyond what traditional nation-state threat modeling would predictKey Takeaways: Ingest video conferencing logs into your SIEM.Audit your remote credential reset process for social engineering resistance.Map red team findings and vulnerability data to specific adversary profiles rather than treating them as a generic remediation backlog.Implement retrospective IOC analysis alongside forward-looking blocking.Treat DPRK's financial motivation as an equalizer when assessing APT exposure.Build threat intelligence at the strategic layer by modeling adversary intent and objectives, not just cataloging observed TTPs.Apply extra care to biometric IOC sharing.Monitor employee working-hour patterns against claimed time zones as a behavioral indicator of potential employment fraud.Extend IOC taxonomy to include multimedia and biometric formats.Listen to more episodes: Apple Spotify YouTubeWebsite
  • Two Minds. One Reframe. A Shift That Won't Wait. 19.03.2026 42นาที
    Vincent Passaro, Engineering Manager at Stripe Security, didn't get there through a slide deck or a company mandate. He got there through a shower thought that followed a conversation with a friend, and it broke how he'd been thinking about building, leading, and even measuring his own team.The reframe was simple and did not start with "we're all going to be software developers. Rather, "we're going to be product owners." That single pivot changed everything downstream, including how he approached prototyping, how he set success criteria for agents, and how he coached his team out of chasing bugs and into defining outcomes.In this episode, Will and Vince trace both of their "pin drop" moments: the specific conversations that shifted their mental models, then try to articulate what that shift actually means for CTI analysts and security engineers working real problems today.They talk about what it felt like to stop asking "how do I wire this" and start asking "what does success look like," and how fast things moved once that happened. They're honest about what breaks, like the siloed tools that don't talk to each other, the governance vacuum that opens when every analyst is shipping products, and the dopamine trap of adding features instead of finishing work. And they're equally direct about what becomes possible when outcome velocity: not headcount or tooling budget, and what becomes the competitive edge.This isn't a conversation about AI hype. It's about what happens when two practitioners who've spent years operating the plumbing realize the plumbing has been commoditized and what that means for where human judgment actually matters now.If you've been waiting for the right moment to pay attention, this is probably the episode where you stop waiting.Topics Discussed"Product owner" vs. "developer" mindset and why it changes how analysts build toolingDefining outcome criteria upfront as the core discipline for AI-assisted developmentHow AI collapses experimentation costs and eliminates dev team dependencyAnalyst-owned toolkits and outcome velocity as a competitive edge for small teamsThe governance risk: product silos, duplicated tooling, and inconsistent standardsFT3 as an open-source framework built to lower the community contribution barrierWhy CISO/board resistance to AI on security grounds will backfireThreat actors are scaling the same way — analyst adaptation is the necessary responseKey Takeaways: The unlock isn't learning to code: it's learning to think backwards from the outcome. Define what success looks like, set the criteria the agent has to meet before it moves on, and stop micromanaging the implementation. That's the product owner shift.Slow down before you build. Spend more time in planning than in execution using deep research across multiple models, comparing outputs, stress-testing the concept before a single line gets written.Drop the subscription and treat the model like a teacher, not a tool. Start with a problem you already understand. Ask it to walk you from zero to fluent. It will tell you to stop thinking like a developer and start thinking like a product owner. If you have a backlog of problems you gave up on because they weren't staffable, go find them. The feasibility question that used to take months to answer now takes an afternoon. Start there.Before your next team planning cycle, map what everyone is building. The duplicate tools are already being written in parallel by people who don't know about each other. Get ahead of it now, because it only compounds.If you're involved in open-source threat intel frameworks, the contribution problem was never motivation, it was friction. The tooling gap is closable. Build the on-ramp and the community will use it.Listen to more episodes: Apple Spotify YouTubeWebsite
  • TIG Risk Services' Duaine Labno on How Remote Hiring Became an Opening for Infiltration 12.03.2026 30นาที
    What happens when a DPRK IT worker operation lands inside one of your clients, and the three-letter agency you call says they can't show up? Duaine Labno, Director of Special Investigations & Threat Intelligence at TIG Risk Services, walks through exactly that case: his team built a ruse to recover the compromised laptop, staged a physical handoff at corporate HQ, filmed the courier, ran his plates, and traced him to multiple properties. This produced the kind of ground-level intelligence the FBI told him they'd never seen before in a US-based DPRK case. Duaine explains why digital and physical investigations have to run in parallel from day one, not handed off sequentially, and what that looks like operationally when federal resources don't materialize. He also breaks down how post-COVID remote hiring processes that are speed-optimized gave adversaries a repeatable entry point, and why an untrained recruiter doing a soft document check is now a meaningful attack surface for corporate networks.YT Thumbnail title: Remote Hiring Broke Your Security PerimeterTopics discussed:How post-COVID remote hiring processes relaxed identity verification standards and created repeatable enterprise network entry points Running parallel digital and physical investigations simultaneously when tracking identity fraud and insider threatsUsing open-source intelligence and proprietary threat monitoring software to scan millions of data points for suspect behavioral patternsExecuting a live DPRK IT worker case using physical surveillance, a document ruse, and plate runs to identify a U.S.-based operatorWhy untrained recruiters conducting soft document checks have become a meaningful attack surface in corporate hiring pipelinesHow adversaries are weaponizing AI for voice alteration, deepfakes, and document manipulation to bypass hiring and KYC verification processesThe case for vetted, secure cross-industry intelligence sharing platforms to close gaps that individual organizational silos leave openWhere cyber threat intelligence trails end and physical investigation must pick up to produce actionable, court-ready evidenceKey Takeaways: Treat remote hiring pipelines as an active attack surface by pulling security, legal, and HR into the process.Train recruiters to recognize fraudulent identity documents as a first line of defense against adversarial infiltration of corporate networks.Run digital and physical investigations in parallel from the start rather than waiting for cyber analysis to conclude.Build contingency plans for federal non-response into any investigation involving foreign threat actors.Deploy threat monitoring software capable of scanning open-source data at scale to surface behavioral patterns and connections.Establish vetted, secure intelligence sharing relationships with peer organizations and law enforcement to close the visibility gaps.Pressure-test AI-assisted hiring tools against deepfake and voice alteration scenarios before deploying them.Listen to more episodes: Apple Spotify YouTubeWebsite
  • Thermo Fisher's Matt McKnew on the Evolution of Ransomware as a Service 05.03.2026 34นาที
    When Matt McKnew, Senior Manager of Incident Response at Thermo Fisher,  tracked down the Nimda worm in 2001 by analyzing packet captures to identify NetBIOS saturation patterns, threat actors weren't trying to get paid; they were causing disruption. Today, he's defending against ransomware groups that operate like businesses, complete with service models and affiliate networks. Matt explains why Clop's acquisition of six zero-days puts them in APT territory regardless of financial motivation, how attackers now hide in the noise of criminal operations making nation-state activity harder to detect, and why the North Korean IT worker scam succeeds by exploiting weak hiring processes rather than technical vulnerabilities. Topics discussed:Responding to the Nimda worm using packet capture analysis to identify NetBIOS saturation patterns across satellite ISP infrastructureBuilding trusted peer networks for crowdsourcing threat intelligence during active incidents rather than relying solely on formal feedsAnalyzing Clop ransomware's acquisition of six zero-days as evidence of APT-level sophistication despite purely financial motivationImplementing structured incident response documentation and processes to enable faster recovery and more nimble responseEvaluating nation-state threat actors by understanding their 5-year strategic plans and objectives rather than mapping everything to MITRE ATT&CKDeploying agentic AI to standardize analyst work products and maintain consistent intelligence delivery across global security teamsExamining North Korean IT worker infiltration campaigns that exploit weak HR and recruitment processesDifferentiating financially-motivated ransomware operations from nation-state APT campaigns while recognizing blurred lines in TTPsKey Takeaways: Document incident response procedures upfront with standardized policies to reduce response time during active security incidents.Build trusted peer networks across industry for crowdsourcing threat intelligence when formal feeds lack critical real-time information.Evaluate ransomware groups for APT-level capabilities when they acquire multiple zero-days regardless of their financial motivations.Research adversary 5-year strategic plans and national objectives to understand nation state threat actor targeting.Deploy agentic AI systems to standardize analyst work products and maintain consistent intelligence delivery formatting.Strengthen HR and recruitment processes with technical screening questions to defend against North Korean IT worker infiltration.Maintain curiosity and interrogate suspicious indicators until they make complete sense rather than accepting surface-level explanations.Recognize that attackers leverage the same automation and AI capabilities defenders use, requiring equivalent adoption to maintain defensive parity.Listen to more episodes: Apple Spotify YouTubeWebsite
  • Tokio Marine HCC's Alex Bovicelli on the SMB Ransomware Wave the Industry Isn't Talking About 26.02.2026 37นาที
    Running CTI at a cyber insurance carrier and across more than tens of thousands of companies forces a triage discipline most programs never need to build. Alex Bovicelli, Senior Director of Threat Intelligence at Tokio Marine HCC, describes how his team scaled by narrowing focus to one thing: the initial access vectors threat actors are actually using right now: not CVSS scores, not spray-and-pray alerts, but underground forum activity, access broker behavior, and credential exposure from info stealer logs that most SMBs have zero visibility into. When a detection fires, his team doesn't just notify, they walk the customer through remediation and confirm the issue is closed, because for a company relying on an MSP with no internal security staff, an alert without support is just noise.The more pointed conversation is about what's not making headlines: thousands of SMBs are getting hit by ransomware every year, and groups like Akira have built a business model specifically around it; high volume, low ransom, staying below the threshold that triggers serious law enforcement attention. Alex explains how those attacks succeed not through sophisticated tradecraft but through SSL VPN brute forcing tools left running unattended, returning thousands of valid credentials against organizations that have no account lockout policies, no MFA on remote access, and no way to know their credentials are already in a log collector somewhere. Topics discussed:Building intelligence-led CTI programs at scale by anchoring detection on initial access vectors, access broker activity, and credential exposureUsing underground forum proximity and info stealer log correlation to identify compromised credentials across thousands of organizationsOperationalizing pre-claim threat intelligence within cyber insurance to eradicate initial access before events generate claimsClosing the alert-to-remediation loop for SMBs by delivering detection, support, and mitigation confirmation as a single workflowHow Akira and similar ransomware groups deliberately target SMBs with high-volume, sub-threshold attacks Rethinking CVSS-based patching prioritization by incorporating criminal exploitability and at-scale attack frequency into triageSeparating AI as an intelligence producer from AI as a report summarizer, where automation could realistically drive patching priorityWhy most external threat feeds leave CTI teams in a retroactive posture, and how incident response data from insurance claims changes thatKey Takeaways: Anchor your CTI program on initial access vectors rather than trying to cover every vulnerability class across your environment.Monitor access broker activity and underground forums to understand which threat actors are actively buying and selling against your industry or infrastructure.Integrate info stealer log analysis into your detection pipeline to identify compromised credentials before threat actors use them for lateral movement or ransomware deployment.Shift your patching prioritization model away from CVSS scores and toward criminal exploitability.Design alerts for smaller IT teams to be remediation-ready on receipt because an alert without a clear next step will not get acted on.Close the loop on every detection by confirming mitigation was completed, not just that the alert was acknowledged.Enforce account lockout policies and MFA on all SSL VPN and remote access entry points as a baseline control.Assess AI tooling for your CTI program on whether it can produce intelligence rather than just consume it through report summarization.Use incident response data from post-claim analysis to validate your pre-claim detection signals.Listen to more episodes: Apple Spotify YouTubeWebsite
  • Coalition's Daniel Woods on What Cyber Insurance Claims Reveal About Security Controls 19.02.2026 38นาที
    Daniel Woods, Principal Security Researcher, and his team at Coalition analyzed forensic reports across their 100,000-policyholder base and found 50% of ransomware incidents begin with VPN or firewall exploits. But here's the twist: 40-60% of those aren't vulnerability exploits at all, they're stolen credentials bypassing perimeter devices entirely. Organizations running Cisco ASA devices show 5x higher claim rates than peers, with similar patterns across Fortinet, SonicWall, and Citrix SSL VPNs. When threat actors do exploit vulnerabilities, they're scanning and deploying shells within 24-48 hours of public disclosure, making your 72-hour patch SLAs dangerously obsolete.Daniel also surfaces the gap between security control theory and organizational reality. Microsoft claims 99.9% MFA effectiveness for individual Azure accounts, but insurance claims data shows no measurable risk reduction at the organizational level because that one service account without MFA, that legacy API integration nobody knew was enabled, or that exec who refused to enroll gives attackers everything they need. Organizations deploying threat-based training focused on social engineering tactics beyond phishing see measurably lower claim rates, suggesting we've been training for the wrong threat surface.Topics discussed:Analyzing cyber insurance claims data from 100,000 policyholders to identify which security controls actually reduce incident ratesUnderstanding why perimeter security devices like Cisco ASA, Fortinet, and SonicWall VPNs show 5x higher claim rates in insurance dataExamining the 40-60% of edge device breaches caused by stolen credentials rather than vulnerability exploitsClosing the gap between Microsoft's 99.9% individual MFA effectiveness claims and zero measurable organizational risk reductionRevealing security awareness training effectiveness through a study showing 2% phishing failure reduction versus threat-based training Comparing email security platforms where Google Workspace shows lower claims rates than Office365 due to included-by-default security featuresImplementing a zero-day alert service that notifies policyholders within hours when vulnerable perimeter devices need immediate patchingRethinking security awareness training as role-specific, finite courses targeting job risks rather than repetitive generic phishing exercisesKey Takeaways: Audit your external perimeter for exposed Cisco ASA, Fortinet, SonicWall, and Citrix SSL VPN devices.Implement hardware-based MFA enforcement across all services including legacy APIs and service accounts to close credential theft gaps.Reduce patch SLAs from 72 hours to under 24 hours since threat actors scan and deploy shells within 24-48 hours of vulnerability disclosure.Migrate email infrastructure to cloud-hosted platforms like Google Workspace that include security features by default.Replace repetitive generic phishing training with role-specific threat-based courses focused on social engineering tactics.Scan your policyholder or customer base for vulnerable perimeter devices using external scanning services to notify before exploits occur.Build identity management architecture around centralized services with hardware token enforcement.Evaluate security control effectiveness using multiple data sources rather than vendor claims alone.Listen to more episodes: Apple Spotify YouTubeWebsite
  • Stripe's Vincent Passaro on Fraud Taxonomies & Generating Red Team Testing Roadmaps 12.02.2026 1ชม. 8นาที
    Stripe's 3-person intel team created FT3 (fraud tools, tactics & techniques), a framework modeled after MITRE ATT&CK but purpose-built for financial fraud, to eliminate the communication breakdown where "fraud" required constant reverse engineering. The structured taxonomy now powers both analyst workflows and automated fraud systems operating at transaction-millisecond speeds, with technique-based tagging that gives fraud engines the context to make informed decisions without human interpretation of vague "fraudulent" alerts.Vincent Passaro, Engineering Manager at Stripe Security, walks through their shift from reactive blocking to building infrastructure targeting packages for law enforcement prosecution. By mapping card testing, account takeovers, and money movement techniques across the full attack chain, the team now produces actionable intelligence packages. The framework drives LLM-powered classification of legacy incident reports, threat-informed red team testing by automatically mapping techniques to API capabilities, and standardized intelligence sharing with financial institutions. YT Thumbnail title: Technique Tagging at ScaleTopics discussed:Creating FT3 framework modeled after MITRE ATT&CK to establish standardized fraud technique taxonomyTransitioning from AWS tier-3 incident response to financial fraud intelligence while applying cloud security methodologiesBuilding infrastructure targeting packages that map adversary infrastructure roles for law enforcement prosecutionScaling small teams through technique-based tagging that enables fraud systems to make decisions at millisecond transaction speedsLeveraging LLMs for automated classification of historical incident reports and mapping fraud techniques to API endpoint capabilitiesIntegrating threat intelligence with red team and fraud operations to create threat-informed testing roadmaps prioritized by business impactKey Takeaways: Build fraud-specific taxonomies to eliminate communication gaps where "fraud" requires constant reverse engineering.Map fraud techniques across the full attack timeline for complete adversary behavior visibility.Create infrastructure targeting packages that identify adversary server roles and network diagrams for prosecution-ready intelligence sharing.Leverage LLMs with fraud technique context to automatically classify historical incident reports and identify new techniques.Use API documentation and fraud frameworks together with LLMs to generate threat-informed red team testing roadmaps.Prioritize threat actor tracking based on business impact and platform prevalence rather than defaulting to nation-state actors or compliance checklists.Integrate threat intelligence, red team, and fraud operations under unified leadership to enable rapid validation of observed techniques.Design fraud frameworks with extensive contextual documentation to enable adoption by non-security teams and facilitate machine-readable intelligence sharing across organizations.Listen to more episodes: Apple Spotify YouTubeWebsite
  • Fortinet's Aamir Lakhani on Mapping Business Pain Points Attackers Exploit 05.02.2026 42นาที
    Fortinet processes telemetry from 50% of the next-generation firewall market, giving Aamir Lakhani, Global Director of Threat Intelligence & Adversarial AI Research, and his team visibility into a looming shift: threat actors moving from exploiting a small subset of proven CVEs to weaponizing the entire vulnerability landscape through AI automation. While defenders currently concentrate resources on commonly exploited vulnerabilities, Aamir warns AI will soon enable attacks across everything "just as efficiently and as fast," requiring security teams to rethink patch management strategies when they can no longer rely on focused defense. Aamir also touches on how The World Economic Forum's Cybercrime Atlas program operates through weekly sessions with 20-40 researchers who deliberately build intelligence packages using only open-source methods. This avoids proprietary data so law enforcement can recreate findings and successfully prosecute cases. He shares how his leadership approach rejects the traditional climb: stay at the bottom of the ladder and push your team up, because their public accomplishments improve both team performance and your career trajectory more than personal competition ever could.Topics discussed:A 50% next-generation firewall market share providing visibility into state-sponsored attacks and ransomware-as-a-service operations dailyAI-driven threat evolution from narrow CVE exploitation to automated attacks across vulnerability landscapes requiring new patch strategiesThreat actor professionalization, including recruitment events, training programs, and internal conferences for cybercrime operationsAdversarial AI capabilities using local LLM training with tools like Ollama to bypass jailbroken model dependencies like WormGPTNetwork-centric threat hunting using metadata and netflow analysis over full packet capture due to bandwidth and analysis constraintsWorld Economic Forum Cybercrime Atlas program methodology using open-source intel to build prosecutable law enforcement intel packagesPrioritizing team advancement over personal climbing by publicizing subordinate accomplishments to improve retention and performanceAI alert fatigue emerging from comprehensive attack cycle tracking where 10% incorrect information invalidates 90% accurate findingsKey Takeaways: Prepare for AI-enabled threat actors to exploit the entire CVE landscape simultaneously.Prioritize metadata and netflow analysis over full packet capture for threat hunting due to better manageability and analysis efficiency.Deploy open-source tools to baseline network behavior and marry telemetry data with threat intel platforms for pattern recognition.Identify your organization's critical pain points that would force ransom payment rather than focusing solely on perimeter defense tech.Join collaborative threat research initiatives like World Economic Forum's Cybercrime Atlas.Build intelligence packages using open-source methods to ensure findings can be recreated and prosecuted.Conduct CTF-based interviews focused on problem-solving approach and persistence rather than expecting candidates to know all answers.Spotlight team by publicizing accomplishments and research contributions to improve retention, morale, and your own career advancement.Mandate regular video check-ins to monitor team mental health and prevent burnout in high-stress roles.Listen to more episodes: Apple Spotify YouTubeWebsite
  • PayPal's Blake Butler on Finding Fraud Signals in Uncleaned Data 29.01.2026 42นาที
    PayPal's fraud team catches credential stuffing before money moves by watching business intelligence signals that most organizations overlook: explosive traffic growth to legacy endpoints, mismatched phone numbers against account creation locales, and anomalies hidden in raw uncleaned data. Blake Butler, Senior Manager & Head of Fraud Threat Intelligence, applies infrastructure analysis techniques from offensive security to fraud investigations. This fills the gap most organizations face: anti-fraud teams understand scam mechanics but lack technical depth, whereas infosec practitioners know infrastructure but not how criminals monetize accounts at scale.Blake breaks down how phishing kits now bypass MFA through real-time automation. His detection philosophy: counting and explosive growth patterns beat machine learning for uncovering fraud. Data scientists clean away the signal. Topics discussed:Applying offensive security infrastructure analysis methods to fraud threat intelligence investigationsDetecting credential stuffing and account takeover campaigns through anomalies in account creation regions, phone number locales, and explosive traffic growthUnderstanding how modern phishing kits automate real-time OTP theft by integrating directly into legitimate platform APIs during password resetsTracking massive fraud operations emerging from China and South America through business intelligence signalsIdentifying fraud indicators in uncleaned data: extra spaces, unrenderable characters, and AI-generated webshop metadata artifactsBuilding security communities to enable monthly collaboration with local practitioners on emerging threats and tool developmentBridging the critical talent gap between anti-fraud teams lacking technical infrastructure skills and infosec practitioners without fraud monetization expertiseEvaluating phishing-as-a-service platforms and encrypted communication tools that lower barriers to entry for criminal actorsKey Takeaways: Monitor explosive traffic growth patterns to legacy endpoints and unusual account creation regions to detect credential stuffing.Analyze raw uncleaned data for fraud signals including extra spaces, unrenderable characters, and metadata artifacts.Apply infrastructure analysis techniques to fraud investigations to identify phishing domains and criminal tooling.Track mismatches between phone number locales and account creation regions as indicators of automated account generation.Investigate anomalies in business intelligence metrics through simple counting before deploying MLMs to uncover emerging fraud trends.Build fraud threat intelligence teams that combine offensive security backgrounds with fraud monetization expertise to fill the critical industry talent gap.Attend security community meetups to collaborate with local practitioners on emerging threats between annual conferences.Implement MFA while recognizing that advanced phishing kits now automate real-time OTP theft through direct platform API integration.Hire candidates with infosec infrastructure knowledge who understand how criminal actors use tooling to automate credential stuffing and account monetization operations.Listen to more episodes: Apple Spotify YouTubeWebsite
  • Tidal Cyber's Scott Small on Operationalizing MITRE from Intel to Validation 22.01.2026 32นาที
    Tidal Cyber's Director of Cyber Threat Intelligence Scott Small reveals how his knowledge base now tracks almost 25,000 procedure-level instances across nearly 800 MITRE ATT&CK techniques and sub-techniques, capturing the command-level detail that exposes the false promise of "100% coverage" when working at technique abstraction alone. He argues that the pre-attack reconnaissance phase remains the most essential yet most ignored portion of the framework, including the recently formalized technique for purchasing and selling victim data on stealer marketplaces. Scott's AI workflow treats LLMs strictly as structured data processors that reference MITRE's written technique examples to parse unstructured threat reports, refusing to use them as intelligence sources themselves. He's seeing threat intelligence and detection engineering roles merge as individuals develop hybrid skill sets. His methodology for mapping TTPs to vulnerabilities gives security teams a data-driven rationale to deprioritize patches when strong post-exploitation defenses already cover the attack vector.Topics discussed:Tracking almost 25,000 procedure-level instances across 800 MITRE ATT&CK techniques to expose the false promise of technique-level coverage aloneDefending pre-attack reconnaissance phases including the technique for purchasing victim data on stealer marketplacesClassifying scanning activity by threat type to prioritize C2 infrastructure linked to APTs over fraud-related domainsBlending threat intelligence and detection engineering roles as analysts gain EDR skills Using AI as structured data processors that reference MITRE's written technique examples to parse unstructured threat reports without generating intelligenceMapping TTPs to vulnerabilities to create data-driven rationale for deprioritizing patches when post-exploitation defenses cover the vectorVisualizing attack narratives through the MITRE ATT&CK matrix to tell leadership about defense gaps and justify resource allocation decisionsKey Takeaways: Track adversary procedures at the command and protocol level to identify real defense gaps.Monitor stealer marketplace activity and automated dealer platforms for credential exposures tied to your domain, then reset credentials.Prioritize threat intel alerts by focusing first on APT-linked activity over fraud campaigns.Develop hybrid skill sets where CTI analysts understand EDR logging capabilities and threat hunters consistently consult adversary behavior reporting for hunt hypotheses.Implement AI workflows that use LLMs to extract structured technique data from unstructured threat reports, not as intelligence output itself.Map TTPs to specific vulnerabilities to build data-driven cases for deprioritizing patches when post-exploit defenses provide coverage.Create visual attack narratives using the MITRE ATT&CK matrix to communicate defense gaps and resource needs.
  • Marsh McLennan's Casey Beaumont on Vendor Breach Assessments That Cut through Legal Games 15.01.2026 39นาที
    When Casey Beaumont's entire CTI team departed just before new analysts started, she found herself running threat intelligence solo for months while directing incident response, threat hunting, and red team operations. That trial by fire taught her exactly what separates tactical intelligence from strategic value, and why the best analysts invest significant personal time building trust networks that enterprise tools cannot replicate. Casey's teams at Marsh McLennan, where she’s the Director of Advanced Cyber Practices, received warnings about Scattered Spider infrastructure 20 minutes after domains registered, before threat actors sent a single SMS phishing message to employee cell phones. That early intelligence enabled blocking domains internally and preparing communications before the first report came in. These private intel networks, built through years of trust and after-hours engagement, consistently deliver the warnings that matter most for large enterprises facing sophisticated, targeted attacks.   Beyond tactical response, Casey explains how her CTI program produces strategic intelligence that drives architectural decisions. She also shares her framework for vendor breach assessments that cuts through legal wordplay, why attribution matters far less than response speed during active incidents, and how to scope CTI mission appropriately to prevent analyst burnout in organizations with massive attack surfaces.   Topics discussed: Managing unified teams of CTI, threat hunting, red team, and incident response to eliminate resource allocation friction during active incidents and supply chain events. Building private intelligence networks that deliver infrastructure warnings within 20 minutes of threat actor activity. Transitioning from tactical incident response to strategic CTI leadership and learning analyst tradecraft through necessity when running solo. Conducting vendor breach assessments using four critical questions about control gaps, persistence, data exposure, and remediation plans. Evaluating intelligence relevance at large enterprises with complex environments where shadow IT, acquisitions, and distributed technology create unclear exposure. Why vendor breaches should not automatically disqualify partnerships and how strong vendor relationships enable influence over authentication improvements and security controls. Producing strategic CTI that drives architectural investment decisions by documenting systemic risks across technology ecosystems rather than isolated incidents. Understanding CTI stakeholder needs through deliberate interviewing to prevent analysts from producing reports that leadership ignores. Sharing unattributed intelligence with law enforcement that enabled warnings to seven or eight fully breached companies with no awareness of compromise. Why leadership overemphasizes attribution during active incidents when tactical response and containment should take priority. How great CTI analysts invest significant personal time building professional brands, attending conferences, and earning trust in private intelligence communities. Key Takeaways:  Consolidate CTI, threat hunting, red team, and incident response under unified leadership to eliminate resource allocation friction during active supply chain incidents and targeted attacks. Conduct vendor breach assessments using four critical questions: what control gaps enabled the breach, does the actor maintain persistence, what client data was exposed, and what remediation plans address root causes. Identify vendor evasiveness during breach discussions by listening for careful language around product names that insinuate limited scope while obscuring broader organizational compromise. Produce strategic CTI reports that document systemic risks across technology ecosystems rather than isolated incidents to give executives justification for architectural investment decisions. Interview CTI stakeholders systematically to understand what intelligence formats and content they need before analysts waste time producing reports that leadership ignores. Scope CTI team mission to specific focus areas like tactical threats and supply chain rather than attempting comprehensive coverage of vulnerabilities, geopolitics, and fraud with limited staff. Share unattributed threat intelligence with law enforcement partners when legal and privacy teams approve to enable warnings for other breached organizations unaware of compromise. Deprioritize threat actor attribution during active incident response unless conclusive evidence enables tactical pivots, focusing instead on containment and remediation before forensic analysis. Listen to more episodes:  Apple  Spotify  YouTube Website
  • State CISOs on Why Cyberattacks Against 1 State Attack All of America 08.01.2026 44นาที
    Michael Moore, CISO for the Secretary of State of Arizona's office, explains how he acts as a virtual CISO for all 15 counties by conducting physical security assessments at election facilities and providing real-time guidance during critical events. His approach treats surprise attacks as learning opportunities that should only work once, immediately sharing adversary infrastructure and TTPs across the entire election community to burn their capabilities. Michael emphasizes that misinformation, disinformation, and malinformation represent converging threat vectors that manifest as both cyber attacks and physical violence, requiring defenders to think beyond traditional security boundaries. Ryan Murray, CISO for the State of Arizona, shares his Cybersecurity Trinity for AI framework: defend from AI-enabled attacks, defend with AI-augmented tools, and defend the AI systems organizations deploy. He explains how Arizona replicated MS-ISAC functionality through AZ ISAC, enabling 1,000+ government personnel across 200+ entities to share intelligence in real time without requiring mature security programs. Ryan stresses that organizations already generate valuable threat intelligence internally through phishing reports and security alerts, and the real challenge is communication and relationship-building rather than expensive commercial feeds. Topics discussed: How physical security gaps at government facilities create tactical vulnerabilities that scale across entire states. Building sector champion models where election security and critical infrastructure specialists act as virtual CISOs for under-resourced local governments. Why misinformation, disinformation, and malinformation represent converging cyber, physical, and reputational threat vectors that radicalize populations into kinetic attacks. Implementing real-time threat intelligence sharing protocols that enable 1,000+ defenders to communicate via platforms like Slack during active incidents. The evolution from receiving threat intelligence to generating intelligence internally by analyzing phishing campaigns, user reports, and infrastructure scanning patterns. Applying the "surprise attack only works once" principle by burning adversary infrastructure and TTPs immediately through broad intelligence sharing. Why the distinction between "intelligence" in national security contexts versus cyber threat intelligence creates executive buy-in challenges. How to prove negative outcomes and communicate near-miss stories where intelligence prevented catastrophic breaches. The collapsing patch window problem where automated vulnerability discovery and exploitation eliminates traditional seven-day remediation timelines. Implementing the Cybersecurity Trinity for AI: defending from AI-enabled attacks, defending with AI-enhanced tools, and defending AI systems from prompt injection and data leakage. Why secure-by-design pledges fail when financially motivated vendors push defensive responsibility to the least capable organizations. Building tabletop exercise programs that prepare election officials for denial-of-service attacks disguised as physical threats. How generative AI enables Script Kitty 2.0, where non-technical adversaries automate reconnaissance, exploitation, and data exfiltration through natural language prompts. The challenge of deepfakes and synthetic media targeting sub-national officials who lack the visibility and resources for sophisticated reputation defense. Key Takeaways:  Build sector champion programs where specialists act as virtual CISOs for under-resourced entities. Implement real-time communication platforms like Slack that enable defenders to share threat indicators during active incidents. Generate internal threat intelligence by systematically analyzing phishing campaigns, tracking top recipients, subject lines, and infrastructure patterns. Apply the principle that surprise attacks should only work once by immediately burning adversary infrastructure and TTPs through broad community sharing. Use tabletop exercises to prepare personnel for converged threats like bomb hoaxes that function as denial-of-service attacks on critical operations. Frame AI strategy using the Cybersecurity Trinity: defend from AI-enabled attacks, defend with AI tools, and defend AI systems from exploitation. Recognize that patch windows have collapsed to zero for critical edge-facing vulnerabilities due to automated discovery and weaponization. Focus communications on near-miss stories that demonstrate how intelligence prevented catastrophic outcomes before executive awareness. Listen to more episodes:  Apple  Spotify  YouTube Website
  • Safebooks AI’s Ahikam Kaufman on Why CFOs Need Company-Specific AI Models for Fraud Detection 25.09.2025 27นาที
    Unlike CISOs who work with consistent vulnerabilities across cloud environments, CFOs face company-specific financial processes that change constantly, making automation historically complex to solve before the AI era. Ahikam Kaufman, CEO & CFO of Safebooks AI, explains why machine learning is the only viable solution to detect sophisticated embezzlement schemes that regulatory compliance demands every public company address — with no materiality threshold.  His background building fraud prevention systems at Intuit and Check has taught him how graph technology can link seemingly unrelated financial transactions to expose coordinated internal fraud attempts that would be impossible for humans to catch at scale. The challenge is compounded by the fact that most finance staff are accountants, not technologists, requiring AI tools that bridge data complexity without demanding high technical skill levels. Topics discussed: Sarbanes-Oxley requires fraud protection programs with no materiality thresholds, yet most organizations lack systematic detection across payroll, vendor, and expense systems. Financial fraud detection requires unique AI models for each company using historical data, unlike consistent threats across organizations. Advanced fraud schemes link multiple transaction types requiring graph technology to connect disparate activities that individual monitoring would miss. Fraudsters use AI for parallel attacks, fake invoices, vendor manipulation, and executive impersonation, requiring automated defense systems for real-time processing. Achieving 99.9% accuracy through structured enterprise data and rule-based controls where financial precision is non-negotiable. Financial AI platforms integrate with existing systems without replacements or workflow changes, providing immediate automation value. Key Takeaways:  Implement AI-powered fraud detection systems that monitor vendor account changes, payroll additions, and journal entry anomalies. Build company-specific AI models using 1-2 years of historical financial data to learn unique business processes, data structures, and transaction patterns. Deploy graph technology to link related financial transactions across different systems to identify coordinated fraud attempts. Establish partnerships between CFOs and CISOs to combine external cybersecurity threat detection with internal financial fraud monitoring. Focus on AI platforms that integrate with existing financial technology stacks without requiring system replacements. Create rule-based governance frameworks for financial AI systems to eliminate hallucinations and maintain accuracy levels. Monitor AI-amplified fraud techniques, such as sophisticated fake invoices, manipulated vendor banking information, and executive impersonation. Develop automated systems that can demonstrate reasonable effort for fraud prevention to satisfy regulatory requirements and insurance protections. Listen to more episodes:  Apple  Spotify  YouTube Website

ยอดนิยมใน

พอดแคสต์นี้ปรากฏในชาร์ตพอดแคสต์ของประเทศเหล่านี้ด้วย