Dave Bittner
You're listening to the CyberWire network, powered by N2K. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com N2K and enter code N2K at checkout. That's JoinDeleteMe.com N2K, code N2K.
CISA and the FBI detail exploit chains used by Chinese hackers to compromise Ivanti cloud service appliances. Energy systems in Central Europe use unencrypted radio signals. A critical SonicWall vulnerability is under active exploitation. The Nnice ransomware strain isn't. Cisco discloses a critical vulnerability in its Meeting Management tool. GhostGPT is a new malicious generative AI chatbot. ClamAV patches critical vulnerabilities in the open source antivirus engine. A new report questions the effectiveness of paying ransomware demands. DOGE piggybacks on the United States Digital Service. On our Industry Voices segment, we're joined by Joe Gillespie, Senior Vice President at Booz Allen, discussing cyber AI. And Jen Easterly leaves CISA a legacy of resilience and dedication. It's Thursday, January 23rd, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us.
CISA and the FBI have detailed two exploit chains used by Chinese hackers to compromise Ivanti cloud service appliances. They published IOCs and noted flaws that are being exploited for espionage. Hackers use these vulnerabilities for remote code execution, credential theft and web shell deployment, affecting multiple versions. Ivanti confirmed the latest version is unaffected. Incident reports highlight detection methods, including anomalous user account creation and encoded script alerts, which helped three organizations mitigate attacks. Mandiant has linked these exploits to Chinese APT group UNC5221, known for deploying custom malware like ZIPLINE and WARPWIRE. Agencies urge defenders to analyze logs, replace compromised systems, and treat affected credentials as compromised.
Researchers recently revealed that renewable energy systems in Central Europe use unencrypted radio signals, leaving critical infrastructure vulnerable to exploitation. The radio ripple control system manages power from renewable facilities, controlling up to 60 gigawatts, enough to power Germany. This system, based on outdated protocols, allows anyone with the right tools to intercept and replay commands, potentially disrupting the European power grid. Fabian Bräunlein and Luca Melette discovered this vulnerability during research on streetlight control in Berlin. Realizing the same technology controls energy infrastructure, they reverse engineered radio receivers and demonstrated how unauthorized messages could stop energy feeding into the grid. While experts debate whether a 60 gigawatt disruption could cause a blackout, the vulnerability highlights the risk of unencrypted control systems. The researchers recommend retiring radio ripple control in favor of more secure alternatives, but progress on modernization has been slow.
A critical security vulnerability has been identified in SonicWall's SMA1000 Appliance Management Console and Central Management Console, allowing remote, unauthenticated attackers to execute arbitrary OS commands, with a severity score of 9.8. The flaw arises from improper deserialization of untrusted data. Active exploitation has been confirmed, prompting SonicWall to release a patch. Affected organizations should upgrade immediately or restrict AMC and CMC access to trusted sources as a temporary mitigation.
CYFIRMA has identified a new ransomware strain, Nnice. That's nice with two N's, so I don't know if it's N-nice or just nice. We're going to go with nice. It targets Windows systems with advanced encryption, persistence and evasion techniques. It appends XDD to encrypted files and displays a ransom note, Readme.txt, while modifying system wallpapers to alert victims. Using bootkits, DLL sideloading, and registry key manipulations, Nnice ensures persistence while employing obfuscation and rootkits to evade detection. Organizations are urged to block the ransomware's SHA256 hash, apply patches, use MFA, adopt a zero trust framework, maintain offline backups, and monitor for threat indicators to mitigate risks.
Cisco has disclosed a critical vulnerability in its Meeting Management tool that allows remote attackers to escalate privileges and gain administrator access via the REST API. With a CVSS score of 9.9, the flaw stems from improper default permissions and inadequate privilege handling. It affects all versions up to 3.9 but is fixed in version 3.9.1. Cisco urges immediate updates, as no workarounds exist. No active exploitation has been reported, but prompt patching is essential to mitigate risks.
Researchers at Abnormal Security have identified a new malicious generative AI chatbot, GhostGPT, being sold on Telegram since late 2024.
GhostGPT is designed to assist cybercriminals in activities like malware creation, phishing emails, and business email compromise attacks. It connects to a jailbroken ChatGPT or open source language model to deliver uncensored responses. Unlike its predecessor, WormGPT, GhostGPT is available as a Telegram bot, eliminating the need for technical setups. Buyers can quickly access the tool for a fee, enabling low skilled threat actors to execute sophisticated campaigns. The chatbot facilitates tasks such as exploit development, phishing template creation, and malware coding. Tested by researchers, it easily generated a convincing DocuSign phishing email. GhostGPT's growing popularity among cybercriminals, with thousands of views on online forums, highlights increasing interest in AI tools for illicit purposes.
The ClamAV team has released security updates addressing a critical vulnerability in the OLE2 file parser that could cause a buffer overflow and denial of service. ClamAV, a widely used open source antivirus engine, detects malware, viruses and trojans, serving as a trusted security tool for individuals and enterprises. These updates also fix an infinite loop issue in ClamAV's directory monitoring tool. Users are strongly encouraged to upgrade via the ClamAV downloads page, GitHub, or Docker Hub.
A survey by Hiscox reveals that less than 20% of companies who pay ransomware demands recover all their data, with 10% finding their data leaked despite payment. The 2024 Cyber Readiness Report highlights that businesses often pay ransoms to protect reputations or recover data without backups. But paying up rarely pays off. Nearly 70% of U.S. companies report increased cyberattacks, averaging 60 incidents annually. Reputational damage is significant, with 47% of businesses struggling to attract clients after an attack. Hiscox advises businesses to bolster defenses through employee training, retiring outdated technology, and maintaining consistent backups.
Phishing accounts for 60% of attacks, underscoring the need for security awareness. The report warns that inadequate cybersecurity damages trust, deters partners, and attracts regulatory scrutiny, posing greater risks than bankruptcy for many firms.
In an article for Wired, Steven Levy examines Donald Trump's new executive order, which establishes the president's Department of Government Efficiency (DOGE). The EO embeds DOGE into the United States Digital Service, a small, innovative tech agency that has improved government IT since its Obama era inception. DOGE aims to streamline government IT systems, promising significant cost savings. However, it shifts USDS's collaborative approach to a more top down, Musk-inspired model, focusing on centralizing data and enforcing the DOGE agenda. While DOGE's goals, like addressing inefficiencies and hidden budgetary waste, could be transformational, its adversarial approach and political overtones raise concerns. New four person agency teams, including HR and legal personnel alongside engineers, suggest a shift from building solutions to enforcing policy, potentially undermining USDS's ethos of innovation. USDS, which survived previous administrations through deft navigation and bipartisan support, now faces uncertainty. Critics fear DOGE's disruptive structure could sunset USDS by its scheduled end in 2026, jeopardizing its legacy of impactful public
Coming up after the break on our Industry Voices segment, we're joined by Joe Gillespie, Senior Vice President at Booz Allen, discussing cyber AI. And Jen Easterly leaves CISA a legacy of resilience and dedication. Stay with us.
Jack in the Box
What's the best time of day to get a deal? All day with Jack in the Box's all day big deal meal. You get to choose from four entrees like the supreme croissant and five tasty sides plus a drink starting at $5. So hurry in or take your time. You've got all day at Jack. Every bite's a big deal.
Dave Bittner
Do you know the status of your compliance controls right now? Like, right now? We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the thing: Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber. That's vanta.com cyber for $1,000 off. Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
Joe Gillespie is Senior Vice President at Booz Allen. In today's sponsored Industry Voices segment, we discuss cyber AI.
Joe Gillespie
I would say, first and foremost, it's been fast, right? That's the thing that I think has surprised me more than anything else about sort of the rate of adoption and the rate of change when it comes to AI and how it's being applied in the cyber fight on both sides. You know, that from, from academia and from, you know, a lot of the folks who are leading fundamental research in AI, things are just evolving so quickly. What large language models are capable of doing, the amount of content that they're amassing and what they're able to produce, that's accelerated tremendously. And we've seen adoption in really interesting ways from, you know, assistive technology to, from, you know, for analysts. So whether they're in a SOC and they're, you know, trying to work an alert and conduct an investigation, you know, having the equivalent of a chatbot there with them, that will help prompt them and point them in the right direction, that's been really effective, you know, running sides have with a human, but all the way up through fully autonomous capabilities, things that are able to, you know, identify new threats and help, you know, thwart them in real time. And then on the threat actor side, automatically generating exploits against things that are discovered and even discovering new vulnerabilities in the wild. It's been really fascinating and really moving at a frenetic pace.
Dave Bittner
Well, can we dig into some of the challenges that you all see the cyber defenders facing out there, you and your colleagues at Booz Allen? What sort of things are on your radar?
Joe Gillespie
Yeah, certainly. I mean, as I mentioned, with threat actors, adversaries well funded, having access to these same generative AI capabilities that have been emerging rapidly, it's just changing the way that we need to think about defense. The variety and the volume of attacks that come and the evolution of threat techniques. It's really, really accelerated. And so we're having to deal with adversaries who are, on the one hand, you're seeing just an uptick in just anomalous activity or some of the less sophisticated actions, because people, it's easy to sort of have an unrestricted large language model, something that you're hosting locally. It's not hosted by one of the big tech providers. You know, they don't typically have guardrails on them, so you can get them to script something up for you, and you can just sort of launch attacks relatively easily. So there's that, and there are even models that are optimized for threat actor behavior. So the script kiddie type activity, we've seen some of that, but that's a little easier to defend. A lot of that is about known vulnerabilities. And so if we're doing our hygiene things correctly, a lot of our clients are able to thwart those pretty easily. But we've also seen an uptick in sophisticated nation state level APT activity, and a lot of them have been in the news. So none of this will be a surprise. But you know, whether you look at sort of Volt Typhoon, Salt Typhoon, how they have, you know, tunneled into critical infrastructure, you know, in a really stealthy way, and they've just lived there, right? Using living off the land techniques, flying really low and slow. You know, these are hard to detect, hard to thwart. And so AI is the answer to these. While it is driving some of the problems and what our adversaries are doing, it's an arms race, right? So our ability to wield that on the defensive side is how we undermine these threats we're seeing emerge.
Dave Bittner
You know, I think it's fair to say a lot of us feel kind of oversaturated when it comes to the marketing messages with artificial intelligence. I think to the point that there's a lot of eye rolling and I think that makes it a challenge to separate that marketing side from the reality and the, the actual impact that AI can have on missions. What are you seeing when it comes to that? I mean, what is the reality of the impact that you're seeing when applying AI to the mission?
Joe Gillespie
Yeah, that's a great point. So it comes in a couple forms, and I totally agree with you about sort of the marketing and the rhetoric because, you know, chat interfaces are so accessible, you know, executives and leaders tend to lean on that and say, well, I was able to ask this question and it gave me an answer. Those are effective, as I mentioned before, in sort of the assistive capacity if there's a lack of knowledge. So it helps from like training and up armoring humans if we just want them to be a little more effective in their job. But when we want real efficiency gains and we're trying to be able to fight at the speed of AI, that's where the marketing material kind of falls away. And there's this emerging field of agentic AI where agents can be constructed backed by these large language models. And when you pair them together and you're able to compose them into workflows to accomplish business processes, at the end of the day, there's some process we're trying to execute, there's something we're trying to conduct, there's some data, and then we're trying to conduct some kind of process or algorithm against it, whether it's a decision making thing, visualizing it, et cetera, and then there's some output that we want to produce from that. So when we can construct agentic workflows that are optimized against the business processes and the business outcomes that we want to achieve from a cyber perspective, then we're able to unleash the potential. And that's what I've seen over the last several months, where we've seen a surge in truly business and mission impact from a cyber perspective, is injecting these agents that can really work at the speed of AI.
Dave Bittner
You've mentioned a couple times the speed, the pacing, the velocity of this threat. What is the reality there? I mean, when you look at the challenges that government faces, the challenges that industry faces, it seems to me like this velocity issue really kind of supercharges the challenges.
Joe Gillespie
It certainly does, yeah. And the pace is there in two ways. On the one hand, it's the pace of evolution of AI. So there's just constant changes. And I mean every week there are new announcements that are just groundbreaking new releases that come out from big tech providers, from open source startups, just from across the board, we just see tremendous pace and change. And so we are doing our best to keep our clients up to speed, and it's really, really challenging because if you keep your head down in mission for just a week or two, something revolutionary has happened. And so staying abreast and being able to wield the latest, especially in missions of national importance, where there are a lot of regulations and there are limitations and guardrails for what you're allowed to employ, that's certainly a challenge and a pacing issue. The rate of evolution and can we inject it into our most sensitive missions fast enough? On the flip side, when I talk about pace and sort of the speed of AI, there's also sort of the speed of machines as AI comes closer and closer to being able to truly approximate and emulate decisions humans would make. And I would argue when you string many of these models together that are optimized for making little decisions across an entire business process, we're there, we are there. Now we can make end to end decisions and we can check the decisions that are made and we can basically make decisions that are as good or better as humans, but because we're doing it inside of machines, it's easier to parallelize that and we can apply more and more processing power to it. And when you add the power of sort of infinite cloud computing, it's just tremendous how fast we can make these decisions. And that's the true power here.
Especially on the defensive side, you know, when we can have the equivalent of, you know, millions of brains all working together as one to address a problem and look in the nooks and crannies, we're able to find threats that would just be much harder to do at scale and impossible for a human to do at scale.
Dave Bittner
Well, let's talk about the signal to noise issue. You know, that we often hear, you know, the analyst who's sitting there getting a fire hose of information and the capability of AI to generate tons and tons of good information. Are we in a situation where the AI can actually contribute to reducing that fire hose of information to pre filter all of the stuff that's coming from all those incoming signals?
Joe Gillespie
Yes, but I would even reframe it a step further. I think where we've had the most success, right, in sort of the evolution of cyber defense, you know, we've had a lot of success as we move toward sort of proactive threat hunting. And most of the most insidious threats are not caught because some alert was splashed on a dashboard and then someone found it. It was found by a proactive threat hunter who had a hypothesis about how an adversary, what TTP they might employ against, you know, a given target. They hunted for that. They found it. So I, I, the, the beauty of employing these large language models and, and composing them into these agentic workflows is that you can actually, there's this old adage, right, in order to get a better answer, you need to ask a better question. So rather than having the AI models sift through the haystack and find the needles, what, what we found has been very effective for our clients is if you instead spend time and help them this, this agentic system. Understand the system in question first and contextualize it, understand its purpose, its nature, understand the state of the system, and then you start to do this hypothesis driven threat hunting. And rather than only being able to do what a human threat hunter can do, because you're using the power of AI and super scaled processing, you can now threat hunt all your hypotheses, everything that a threat actor might conceivably do and get very predictive, but proactive with those predictions. Now you're able to spearfish or hunt through all these different hypothesized threat hunting scenarios. And that's where we've been super successful in detecting threat adversary behavior while generating very minimal false positives. We recently conducted a prototype effort with a high priority client on the US government side. And we did exactly what I just described. 
We used AI and these large language models to construct a set of agents that first introspected the system, understood its accreditation status, but also its live running status. And then after developing hypotheses, these agents then said, okay, we want to look for these things. And they tailored a set of hunt analytics. We were able to find, as I mentioned before, these living off the land, these slow and low techniques by real threat actors moving in the environment. And then we were able to thwart them in real time. And we generated almost no false positives. So I do believe that this is the antidote to that. You know, the screen sort of just the decay and the weariness of too many alerts, too much data streaming by. Instead, you know, let's swarm tackle it with AI, ask better questions, and then the answers we get back will have far more precision.
Dave Bittner
Is it fair to say that you're, you're kind of taking that velocity problem and turning it on its head, that these systems can go in and do that threat hunting at a scale that humans simply aren't capable of?
Joe Gillespie
Absolutely. The fact that adversaries are sort of using the machine speed and their ability to go fast with AI against us, this is how we defend. We use machine speed to defend. And this is what it looks like. We understand their techniques as they evolve and we're proactively hunting for them. And it really is special. We absolutely are doing the mirror image. And it's really about who can employ AI better, faster, apply it to the mission more rapidly. And then on the other side of sort of the accelerated pace, it's who can employ the latest things that have emerged out of academia and operationalize those and use them. Right. So are we more effectively using them on the offensive or defensive side that that's who's going to win that battle. And it's the never ending battle. Right? It's typical for cyber, it's just never ending.
Dave Bittner
I'm curious, where do you suppose we're headed here? It strikes me that we are still in early days with these tools. You mentioned that you're doing exploratory things, you're beta testing things, we're checking to see if these things work. How do you suppose the future is going to look for us here?
Joe Gillespie
Yeah, I think the future is ubiquity and I think the only question is how quickly we get there. I think that ultimately we need, especially on the defensive side, we need swarms of agents, swarms of agentic AI systems that are hunting for, identifying and thwarting adversaries as they attempt to move, because the adversary will have swarms of agents. So similar to how others have predicted in the kinetic space that the future is drone versus drone combat, unmanned versus unmanned. I think similar is true in the non kinetic space. The future of sort of this, this combat in the cyber landscape. It is agents fighting agents. And the question is who can construct the better agents and who can employ them more quickly, more rapidly and apply more processing power to them. And I think, you know, as a nation, I think we're, we're in a great place because, you know, we're the thought leaders, we're driving innovation still in the world, right? And we have, we have the compute innovation, you know, the latest that we're seeing in terms of quantum, et cetera. And so as these things continue to emerge, it's just about rapidly applying them to the mission and staying ahead of the fight.
Dave Bittner
That's Joe Gillespie, Senior Vice President at Booz Allen. And now a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award winning digital executive protection platform secures their personal devices, home networks and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24/7/365 with BlackCloak. Learn more at blackcloak.io.
Jack in the Box
This episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again. You fix the problem. So why wait to hire the people your company desperately needs? Use Indeed's sponsored jobs to hire top talent fast. And even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit at Indeed.com podcast. Terms and conditions apply.
Dave Bittner
And finally, Jen Easterly's tenure as Director of the Cybersecurity and Infrastructure Security Agency has been marked by a unique blend of leadership, passion and a hacker's mindset. Reflecting on her nearly four years at the helm in an interview with Wired's Lily Hay Newman, Easterly described her mission as solving the most complicated problems out there while building relationships and fostering a collaborative cyber defense ecosystem. Her Rubik's Cube motto, if you're curious, you will find puzzles, and if you are determined, you will solve them, aptly symbolizes her approach to the complex challenges of cybersecurity. Easterly's efforts have helped CISA grow into a vital agency, tackling threats like China's Salt Typhoon espionage campaign and ransomware attacks. She championed public private collaboration, urging companies to prioritize collective defense over self preservation. As she noted, we are America's cyber defense agency and the American people are getting an incredible return on investment. However, her departure comes as CISA faces uncertainty under the new administration, with potential budget cuts and reorganization looming. Despite the challenges, Easterly remains optimistic about the agency's legacy, emphasizing the need for continued focus on China's cyber threats and national infrastructure security. Easterly's leadership was driven not just by expertise but also by a creative spark that made her stand out, whether jamming on her electric guitar, solving Rubik's Cubes, or donning her iconic dragon-embroidered denim. As she transitions out, Easterly leaves behind a resilient CISA and a legacy of dedication to securing America's digital future.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. Do take care. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and Data Products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at AI.domo.com. That's AI.domo.com.
CyberWire Daily: Episode Summary – "A Warning from the Cloud"
Release Date: January 23, 2025
Host: Dave Bittner | Produced by N2K Networks
In the January 23, 2025 episode of CyberWire Daily, host Dave Bittner delves into pressing cybersecurity threats impacting both industry and national infrastructure. The episode titled "A Warning from the Cloud" presents a comprehensive analysis of recent vulnerabilities, exploitations, and the evolving landscape of cyber threats, supplemented by expert insights from Joe Gillespie, Senior Vice President at Booz Allen, on the integration of Artificial Intelligence (AI) in cybersecurity.
At the outset, Dave informs listeners about joint efforts by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) in identifying two exploit chains employed by Chinese hackers to compromise Ivanti cloud service appliances. These exploit chains facilitate remote code execution, credential theft, and web shell deployment, affecting multiple Ivanti versions. Crucially, Ivanti's latest version remains unaffected.
Detection & Mitigation: Incident reports emphasized the importance of detecting anomalous user account creations and encoded script alerts, which enabled three organizations to mitigate attacks effectively.
Attribution: The exploits are linked to the Chinese Advanced Persistent Threat (APT) group UNC5221, notorious for deploying custom malware such as ZIPLINE and WARPWIRE.
Recommendations: Agencies advise defenders to analyze logs meticulously, replace compromised systems, and treat affected credentials as compromised assets.
Researchers Fabian Bräunlein and Luca Melette uncovered significant vulnerabilities in Central European renewable energy systems. These systems, relying on unencrypted radio signals for controlling up to 60 gigawatts of power (sufficient to power Germany), are susceptible to interception and replay attacks due to outdated protocols.
Potential Impact: Unauthorized manipulation of the radio ripple control system could disrupt energy distribution, posing risks to critical infrastructure.
Recommendations: Researchers advocate for retiring these vulnerable systems in favor of more secure alternatives. However, modernization efforts are progressing sluggishly.
A severe vulnerability with a CVSS score of 9.8 was identified in SonicWall's SMA1000 appliance management console and Central Management Console. This flaw allows remote, unauthenticated attackers to execute arbitrary OS commands through improper deserialization of untrusted data.
Current Exploitation: Active exploitation has been confirmed, prompting SonicWall to release a patch.
Immediate Actions: Affected organizations are urged to upgrade their systems immediately or restrict access to AMC and CMC to trusted sources as a temporary measure.
Cybersecurity firm CYFIRMA has identified a new ransomware variant dubbed "Nnice," targeting Windows systems with advanced encryption and persistence techniques.
Attack Vector: Nice appends ".XDD" to encrypted files and deploys ransom notes via "readme.Txt," while employing bootkits, DLL sideloading, and Registry key manipulations to maintain persistence and evade detection.
Mitigation Strategies: Organizations are advised to block the ransomware's SHA256 hash, apply relevant patches, implement Multi-Factor Authentication (MFA), adopt a zero-trust framework, maintain offline backups, and monitor for threat indicators.
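Detection logic for the two file-system indicators named above (the ".XDD" extension and the "readme.Txt" note), as an added example that is not part of the episode or the vendor's report. The scanned directory tree is constructed in a temporary folder, and the `min_encrypted` threshold is an assumption, not a published value.

```python
"""Added example: sweep a host for the file-system traces the summary
attributes to "Nice" (files renamed with ".XDD" and "readme.Txt" notes).
The scanned tree is constructed below in a temp directory."""
import os
import tempfile

ENCRYPTED_EXT = ".xdd"       # from the report; matched case-insensitively
RANSOM_NOTE = "readme.txt"   # from the report; matched case-insensitively


def sweep(root):
    """Walk root and return {dir: (encrypted_count, has_note)} for every
    directory that shows at least one of the two traces."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        enc = sum(1 for f in files if f.lower().endswith(ENCRYPTED_EXT))
        note = any(f.lower() == RANSOM_NOTE for f in files)
        if enc or note:
            hits[os.path.relpath(dirpath, root)] = (enc, note)
    return hits


def classify(hits, min_encrypted=3):
    """Flag directories where both traces appear together, or where many
    files carry the extension. Requiring the combination keeps a stray
    file that happens to use ".xdd" from raising an alert on its own.
    (min_encrypted is an assumed threshold, not a published one.)"""
    return sorted(d for d, (enc, note) in hits.items()
                  if (enc and note) or enc >= min_encrypted)


def build_sample_tree():
    """Constructed sample: one outbreak directory, one lone .xdd file that
    must not be flagged, one clean directory."""
    root = tempfile.mkdtemp(prefix="nice_sweep_")
    layout = {
        "finance": ["q1.xlsx.XDD", "q2.xlsx.XDD", "readme.Txt"],
        "scratch": ["render.xdd"],
        "docs": ["notes.md", "plan.docx"],
    }
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d))
        for n in names:
            with open(os.path.join(root, d, n), "wb") as fh:
                fh.write(b"sample bytes")
    return root


if __name__ == "__main__":
    print(classify(sweep(build_sample_tree())))  # -> ['finance']
```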
Cisco revealed a critical vulnerability in its Meeting Management tool, allowing remote attackers to escalate privileges and gain administrator access via the REST API. With a CVSS score of 9.9, this flaw results from improper default permissions and insufficient privilege handling.
Affected Versions: All versions up to 3.9 are vulnerable, with the issue being resolved in version 3.9.1.
Action Required: Immediate updates are essential as no workarounds are available. Prompt patching is necessary to mitigate potential risks.
Researchers at Abnormal Security have identified Ghost GPT, a malicious AI chatbot available on Telegram since late 2024. Designed to aid cybercriminals, Ghost GPT facilitates activities such as malware creation, phishing, and business email compromise.
Functionality: By connecting to a jailbroken ChatGPT or open-source language model, Ghost GPT delivers uncensored responses, making sophisticated cyber attacks accessible to low-skilled threat actors.
Impact: The tool makes tasks like exploit development, phishing template creation, and malware coding easy, significantly lowering the barrier to executing complex cyber campaigns.
The ClamAV team released security updates addressing a critical vulnerability in the OLE2 file parser, which could lead to buffer overflows and denial of service. An infinite-loop issue in ClamAV's directory monitoring tool was also resolved.
A Hiscox survey indicates that only 20% of companies that pay ransomware demands recover all their data, and 10% experience data leaks despite payment. The 2024 Cyber Readiness Report highlights increased cyberattacks, with phishing accounting for 60% of incidents.
An article by Steven Levy in Wired examines Donald Trump's executive order establishing the Department of Government Efficiency (DOGE), which embeds DOGE into the United States Digital Service (USDS). DOGE aims to streamline government IT systems with a centralized, top-down approach inspired by Elon Musk.
Concerns: Critics worry that DOGE's adversarial structure and policy enforcement focus may undermine USDS's innovative ethos, potentially leading to its dissolution by 2026.
Future Outlook: Despite DOGE's transformational goals, the shift raises questions about the future of USDS and its legacy of impactful public cybersecurity initiatives.
In the Industry Voices segment, Joe Gillespie discusses the transformative role of Artificial Intelligence (AI) in cybersecurity. He highlights the frenetic pace at which AI technologies are evolving and being adopted in both defensive and offensive cyber operations.
“What large language models are capable of doing, the amount of content that they're amassing and what they're able to produce, that's accelerated tremendously.”
[Joe Gillespie, 16:28]
Gillespie outlines the challenges defenders face as adversaries leverage AI to automate and enhance cyberattacks. He emphasizes the need for defenders to harness AI's potential to stay ahead in the cybersecurity arms race.
“With threat actors, adversaries well funded, having access to these same generative AI capabilities that have been emerging rapidly, it's just changing the way that we need to think about defense.”
[Joe Gillespie, 16:28]
Gillespie advocates for agentic AI systems that can conduct proactive threat hunting by formulating and testing hypotheses about potential adversary actions. This approach shifts from reactive alert-based systems to intelligent, predictive defenses.
“Rather than having the AI models sift through the haystack and find the needles, what we found has been very effective for our clients is... threat hunt all your hypotheses, everything that a threat actor might conceivably do and get very predictive, but proactive with those predictions.”
[Joe Gillespie, 24:15]
Looking ahead, Gillespie envisions a future where AI-driven agents autonomously defend networks by continuously hunting and mitigating threats at a scale unattainable by human analysts.
“The future of sort of this combat in the cyber landscape. It is agents fighting agents. And the question is who can construct the better agents and who can employ them more quickly, more rapidly and apply more processing power to them.”
[Joe Gillespie, 28:47]
Addressing the "signal-to-noise" problem, Gillespie explains how AI can filter vast amounts of data, allowing defenders to focus on actionable intelligence with minimal false positives.
“What's where we've had the most success, right, in sort of the evolution of cyber defense... we've been super successful in detecting threat adversary behavior while generating very minimal false positives.”
[Joe Gillespie, 24:15]
The episode concludes with a retrospective on Jenn Easterly's tenure as Director of the Cybersecurity and Infrastructure Security Agency (CISA). Celebrated for her leadership, resilience, and collaborative approach, Easterly significantly strengthened CISA's role in combating threats such as China's Salt Typhoon espionage campaign and numerous ransomware attacks.
Legacy Highlights:
Future Outlook: Despite potential challenges under the new administration, including possible budget cuts and reorganization, Easterly remains optimistic about CISA's enduring legacy and the necessity of focusing on emerging threats to national infrastructure.
"A Warning from the Cloud" provides an in-depth exploration of the current cybersecurity landscape, highlighting significant vulnerabilities and the critical role of AI in both offensive and defensive operations. With expert insights and comprehensive news coverage, the episode underscores the imperative for continuous innovation and collaboration to safeguard digital infrastructures against evolving threats.
For more detailed information on today’s stories, listeners are encouraged to visit CyberWire Daily’s daily briefing or engage through their feedback channels.
Note: This summary excludes advertisements, introductions, and outros, focusing solely on the episode's substantive content.