CyberWire Daily – "The Cloud That Spies Back"

Date: December 17, 2025
Host: Dave Bittner (N2K Networks)
Guest: Duron Davidson (Cyberproof Israel)

Episode Overview

This episode delivers a wide-ranging update on crucial cybersecurity news—the rise of state-sponsored cyber espionage campaigns, major vulnerabilities in leading tech products, advances and risks in AI-driven cyber offense, and a detailed interview with Duron Davidson on transforming security operations centers (SOC) through "agentic" automation. The show captures both the landscape's urgency and the promise of AI-driven and agent-based security transformation.

Major News Highlights

1. Russian GRU Cyber Espionage Campaign

[00:55 – 02:31]

Amazon's Threat Intelligence reports a multi-year (2021–2025) Russian GRU state-sponsored campaign.
Targets: Western critical infrastructure, especially energy companies, telecoms, cloud and network infrastructure in North America, Europe, and the Middle East.
Tactics: Initially software vulnerabilities, later misconfigurations in cloud-edge devices (routers, VPNs, AWS instances) for stealthier, persistent access.
Impact: Compromised devices used for network spying, credential theft, lateral movement.
Mitigation: Campaign was disrupted, affected customers notified, but risk persists from cloud/supply chain weak points.

Quote:
“Compromised devices were used to capture network traffic, steal credentials and move laterally into victim environments. Amazon says it has disrupted activity and notified affected customers, highlighting the ongoing risk to critical infrastructure from cloud and supply chain compromises.” (Dave Bittner, 01:58)

2. Israel’s Cyber Defense Chief Warns of Growing Threats

[02:32 – 04:00]

Maj. Gen. Aviad Dagan (Israel Defense Force): Claims cyber threats to Israel and US are "far more severe" than public reports.
Concerns: Focus shouldn't be only on data breaches; real potential for critical infrastructure damage.
Example: Iran’s attempted 2020 attack on Israel’s water system as a near disaster.
Call to Action: Avoid complacency. Continued collaboration with US Cyber Command is critical.

Quote:
“Israel must assume future cyberattacks will be significantly more destructive than those seen so far and cautioned against complacency despite Israel's strong cyber defenses.” (Dave Bittner, 03:23)

3. Major Product Vulnerabilities

[04:01 – 05:40]

Fortinet: Two critical authentication bypass vulnerabilities in multiple products; full admin access possible via forged SAML messages.
- Attacks began within days of patch release; organizations urged to patch immediately and review SSO usage.
Hitachi Energy: Critical vulnerability in RADIUS protocol on legacy devices; can allow response forgery if Message Authenticator is off (no patch, only mitigations).

4. AI in Offensive Cyber: Rapid Progress and Concerns

[05:41 – 07:45]

Trend: Fully autonomous AI attacks no longer sci-fi—studies show AI models rapidly improving in offensive cyber abilities.
Industry Action: Google, Anthropic execs to testify before Congress. OpenAI warns frontier models could make attacks easier and more frequent.
Research: Stanford AI agent outperforms many human bug hunters.
Urgency: Experts stress hardening defenses and restricting adversarial access to advanced AI.

Quote:
“AI could enable cyberattacks at unprecedented scale and sophistication.” (Dave Bittner, 06:34)

5. MITRE DEFEND Expands to Operational Technology (OT)

[07:46 – 08:51]

Action: MITRE updates its cybersecurity ontology (DEFEND) to better address OT—controllers, sensors, physical processes in critical infrastructure.
Goal: Shared knowledge, better mapping of adversary behaviors and essential controls for industrial systems.
Funding: U.S. DoD and NSA.

6. Texas Sues Major Smart TV Companies for Privacy Violations

[08:52 – 10:05]

Defendants: Samsung, LG, Sony, Hisense, TCL.
Allegation: Illegal surveillance via automated content recognition (ACR)—TVs track and transmit viewing data without meaningful consent.
National Security: Additional concern about Chinese manufacturers due to China's data laws.

Quote:
“Consumers are unaware their televisions function as surveillance tools.” (Dave Bittner, 09:40)

7. Apple User Locked Out by Gift Card Fraud

[10:06 – 11:40]

Incident: Longtime Apple user loses access to all Apple services (photos, purchases, devices, dev account) after a $5 gift card mishap and automated security lock.
Fallout: Even legitimate proofs of purchase could not restore access. Highlights risk of fraud flags, ecosystem fragility, and need for better backup practices.

Feature Interview: Duron Davidson on "Agentic SoCs"

[13:11 – 26:41]

Main Theme

Agentic Security Operations Centers (SoC): Davidson discusses evolving MDR (Managed Detection and Response) and SoC capabilities using AI-powered, agent-driven automation in cyber defense—redefining the SOC, the analyst role, and organizational approaches to automation.

Key Discussion Points & Insights

The Limits of Earlier Automation

[13:25 – 15:32]

Historic approach: SOAR (Security Orchestration, Automation, and Response) promised to solve manual pain points—alert fatigue, slow responses, inconsistent execution.
Reality: As Davidson says, “it did not... regardless of how much we were able to automate, even end-to-end automation, we still ended up having a lot of these alerts that were that needed manual investigation by analysts to make a decision.” (Davidson, 14:30)
Conclusion: True scalability and efficiency required more intelligent, autonomous agents—thus the pivot to "agentic" models.

What Is an Agentic SoC?

[15:32 – 16:46]

Vision (by 2027): Fully autonomous security operations; agent-based detection, investigation, triage, and response. Human analysts act as final approvers and rule validators.
Today: Most organizations are at “semi-autonomous” SoC status.

Quote:
“Agentic SoC... would be fully autonomous... that will take care [of] the security life cycle of an alert driven by AI.” (Davidson, 15:42)

Which Behaviors Will Be Most Impactful?

[16:46 – 18:12]

Focus: Replacing repetitive, error-prone L1 and L2 manual tasks, especially around threat intelligence gathering and mapping.
Highest Value: Automating TTP (Tactics, Techniques, Procedures) mapping to frameworks like MITRE, and closing detection gaps.

Quote:
“It's definitely the, the repetitive tasks of L1s and L2s as well as around threat intelligence... mapping those threat intelligence to specific TTPs... those are the things that would be impactful the most first.” (Davidson, 17:24)

Evolving Analyst Roles

[18:12 – 19:50]

Shift: Analysts become "consultants" and "trusted advisors" to customers—interpreting agentic outputs rather than chasing alerts.
Developer Role: Analysts may also become SME-driven creators of new agents and orchestrators of agent systems.

Quote:
“Our analysts will become much more consultants... they will become the trusted advisor that will help customers understand the output of the agentic analysis.” (Davidson, 18:50)

Essential Safeguards

[19:50 – 21:51]

Least Privilege: Agents limited to the minimal data scope needed to avoid cross-contamination and error.
Human Oversight: "Human in the loop" for verifying agent outputs—timing and oversight level depends on criticality and use case.

Quote:
“Any agent that we are deploying has or inherits the least privileged access... We also have human in the loop that is verifying the output of those agents depending on how critical it is and how real time it is.” (Davidson, 20:18)

Organizational Advice: Starting the Agentic Transformation

[21:51 – 24:07]

Critical First Step: Recruit the right technical and security talent that can architect, build, and secure agentic systems.
Build Test Environments: Flexible, complex sandboxes for testing models across applications; saves cost and identifies best-fit models for diverse needs.
Learn from Others: Work with organizations that have already navigated this transformation; expect a complex, iterative journey.

Real-World Agent Examples

[24:07 – 26:41]

Current Deployments: Agents for threat profiling, TTP mapping ("gap guard"), threat hunting (auto-building rules), and automated detection engineering/alerting.
Result: Allows for tailored, use-case-driven MDR services—move away from “cookie-cutter” models to flexible, customer-specific solutions.
Market Trend: More organizations orchestrating multiple agent types via central MDR agents.

Quote:
“In the past we had to build cookie cutters because that was the only way to sell. Today... customers are expecting to have a much more flexible agentic service.” (Davidson, 26:10)

Memorable Moment: The Physical Limits of AI Data Centers

[28:03 – 28:59]

AI Era Infrastructure: Hardware racks for AI workloads now weigh as much as compact cars—pushing limits of legacy data center floors and facilities.
Contrast: The "future is shiny and heavy," while older data centers still house non-AI data.

Quote:
“AI racks now tip the scales at up to 5,000 pounds, roughly equivalent to parking a compact car where a filing cabinet used to be. Floors crack, elevators groan and doorways revolt.” (Dave Bittner, 28:32)

Timestamps for Key Segments

GRU Espionage Campaign: 00:55–02:31
Israel Cyber Threat Landscape: 02:32–04:00
Fortinet & Hitachi Vulnerabilities: 04:01–05:40
AI Offensive Capabilities: 05:41–07:45
MITRE DEFEND for OT: 07:46–08:51
Texas Smart TV Privacy Suit: 08:52–10:05
Apple Gift Card Lockout Case: 10:06–11:40
Feature Interview (Duron Davidson): 13:11–26:41
- Automation limits: 13:25–15:32
- Agentic SoC explained: 15:32–16:46
- Most impactful agent behaviors: 16:46–18:12
- Analyst evolution: 18:12–19:50
- Safeguards: 19:50–21:51
- Getting started: 21:51–24:07
- Examples in the field: 24:07–26:41
“Fat Racks Crack the Stacks” Data Center Commentary: 28:03–28:59

Episode Tone and Takeaways

The episode balances urgency with measured optimism—highlighting nation-state threats, risks of new tech, and the ongoing arms race between adversarial innovation and defensive adaptation. Davidson's segment is both practical and forward-looking, emphasizing that while automation is progressing rapidly, human expertise and responsible oversight remain indispensable.

For More

Find episode links and full daily briefings at: TheCyberWire.com

CyberWire Daily – "The Cloud That Spies Back"

Date: December 17, 2025
Host: Dave Bittner (N2K Networks)
Guest: Duron Davidson (Cyberproof Israel)

Episode Overview

Major News Highlights

1. Russian GRU Cyber Espionage Campaign

[00:55 – 02:31]

Amazon's Threat Intelligence reports a multi-year (2021–2025) Russian GRU state-sponsored campaign.
Targets: Western critical infrastructure, especially energy companies, telecoms, cloud and network infrastructure in North America, Europe, and the Middle East.
Tactics: Initially software vulnerabilities, later misconfigurations in cloud-edge devices (routers, VPNs, AWS instances) for stealthier, persistent access.
Impact: Compromised devices used for network spying, credential theft, lateral movement.
Mitigation: Campaign was disrupted, affected customers notified, but risk persists from cloud/supply chain weak points.

2. Israel’s Cyber Defense Chief Warns of Growing Threats

[02:32 – 04:00]

Maj. Gen. Aviad Dagan (Israel Defense Force): Claims cyber threats to Israel and US are "far more severe" than public reports.
Concerns: Focus shouldn't be only on data breaches; real potential for critical infrastructure damage.
Example: Iran’s attempted 2020 attack on Israel’s water system as a near disaster.
Call to Action: Avoid complacency. Continued collaboration with US Cyber Command is critical.

3. Major Product Vulnerabilities

[04:01 – 05:40]

Fortinet: Two critical authentication bypass vulnerabilities in multiple products; full admin access possible via forged SAML messages.
- Attacks began within days of patch release; organizations urged to patch immediately and review SSO usage.
Hitachi Energy: Critical vulnerability in RADIUS protocol on legacy devices; can allow response forgery if Message Authenticator is off (no patch, only mitigations).

4. AI in Offensive Cyber: Rapid Progress and Concerns

[05:41 – 07:45]

Trend: Fully autonomous AI attacks no longer sci-fi—studies show AI models rapidly improving in offensive cyber abilities.
Industry Action: Google, Anthropic execs to testify before Congress. OpenAI warns frontier models could make attacks easier and more frequent.
Research: Stanford AI agent outperforms many human bug hunters.
Urgency: Experts stress hardening defenses and restricting adversarial access to advanced AI.

Quote:
“AI could enable cyberattacks at unprecedented scale and sophistication.” (Dave Bittner, 06:34)

5. MITRE DEFEND Expands to Operational Technology (OT)

[07:46 – 08:51]

Action: MITRE updates its cybersecurity ontology (DEFEND) to better address OT—controllers, sensors, physical processes in critical infrastructure.
Goal: Shared knowledge, better mapping of adversary behaviors and essential controls for industrial systems.
Funding: U.S. DoD and NSA.

6. Texas Sues Major Smart TV Companies for Privacy Violations

[08:52 – 10:05]

Defendants: Samsung, LG, Sony, Hisense, TCL.
Allegation: Illegal surveillance via automated content recognition (ACR)—TVs track and transmit viewing data without meaningful consent.
National Security: Additional concern about Chinese manufacturers due to China's data laws.

Quote:
“Consumers are unaware their televisions function as surveillance tools.” (Dave Bittner, 09:40)

7. Apple User Locked Out by Gift Card Fraud

[10:06 – 11:40]

Incident: Longtime Apple user loses access to all Apple services (photos, purchases, devices, dev account) after a $5 gift card mishap and automated security lock.
Fallout: Even legitimate proofs of purchase could not restore access. Highlights risk of fraud flags, ecosystem fragility, and need for better backup practices.

Feature Interview: Duron Davidson on "Agentic SoCs"

[13:11 – 26:41]

Main Theme

Key Discussion Points & Insights

The Limits of Earlier Automation

[13:25 – 15:32]

Historic approach: SOAR (Security Orchestration, Automation, and Response) promised to solve manual pain points—alert fatigue, slow responses, inconsistent execution.
Reality: As Davidson says, “it did not... regardless of how much we were able to automate, even end-to-end automation, we still ended up having a lot of these alerts that were that needed manual investigation by analysts to make a decision.” (Davidson, 14:30)
Conclusion: True scalability and efficiency required more intelligent, autonomous agents—thus the pivot to "agentic" models.

What Is an Agentic SoC?

[15:32 – 16:46]

Vision (by 2027): Fully autonomous security operations; agent-based detection, investigation, triage, and response. Human analysts act as final approvers and rule validators.
Today: Most organizations are at “semi-autonomous” SoC status.

Quote:
“Agentic SoC... would be fully autonomous... that will take care [of] the security life cycle of an alert driven by AI.” (Davidson, 15:42)

Which Behaviors Will Be Most Impactful?

[16:46 – 18:12]

Focus: Replacing repetitive, error-prone L1 and L2 manual tasks, especially around threat intelligence gathering and mapping.
Highest Value: Automating TTP (Tactics, Techniques, Procedures) mapping to frameworks like MITRE, and closing detection gaps.

Evolving Analyst Roles

[18:12 – 19:50]

Shift: Analysts become "consultants" and "trusted advisors" to customers—interpreting agentic outputs rather than chasing alerts.
Developer Role: Analysts may also become SME-driven creators of new agents and orchestrators of agent systems.

Quote:
“Our analysts will become much more consultants... they will become the trusted advisor that will help customers understand the output of the agentic analysis.” (Davidson, 18:50)

Essential Safeguards

[19:50 – 21:51]

Least Privilege: Agents limited to the minimal data scope needed to avoid cross-contamination and error.
Human Oversight: "Human in the loop" for verifying agent outputs—timing and oversight level depends on criticality and use case.

Organizational Advice: Starting the Agentic Transformation

[21:51 – 24:07]

Critical First Step: Recruit the right technical and security talent that can architect, build, and secure agentic systems.
Build Test Environments: Flexible, complex sandboxes for testing models across applications; saves cost and identifies best-fit models for diverse needs.
Learn from Others: Work with organizations that have already navigated this transformation; expect a complex, iterative journey.

Real-World Agent Examples

[24:07 – 26:41]

Current Deployments: Agents for threat profiling, TTP mapping ("gap guard"), threat hunting (auto-building rules), and automated detection engineering/alerting.
Result: Allows for tailored, use-case-driven MDR services—move away from “cookie-cutter” models to flexible, customer-specific solutions.
Market Trend: More organizations orchestrating multiple agent types via central MDR agents.

Quote:
“In the past we had to build cookie cutters because that was the only way to sell. Today... customers are expecting to have a much more flexible agentic service.” (Davidson, 26:10)

Memorable Moment: The Physical Limits of AI Data Centers

[28:03 – 28:59]

AI Era Infrastructure: Hardware racks for AI workloads now weigh as much as compact cars—pushing limits of legacy data center floors and facilities.
Contrast: The "future is shiny and heavy," while older data centers still house non-AI data.

Timestamps for Key Segments

GRU Espionage Campaign: 00:55–02:31
Israel Cyber Threat Landscape: 02:32–04:00
Fortinet & Hitachi Vulnerabilities: 04:01–05:40
AI Offensive Capabilities: 05:41–07:45
MITRE DEFEND for OT: 07:46–08:51
Texas Smart TV Privacy Suit: 08:52–10:05
Apple Gift Card Lockout Case: 10:06–11:40
Feature Interview (Duron Davidson): 13:11–26:41
- Automation limits: 13:25–15:32
- Agentic SoC explained: 15:32–16:46
- Most impactful agent behaviors: 16:46–18:12
- Analyst evolution: 18:12–19:50
- Safeguards: 19:50–21:51
- Getting started: 21:51–24:07
- Examples in the field: 24:07–26:41
“Fat Racks Crack the Stacks” Data Center Commentary: 28:03–28:59

Episode Tone and Takeaways

For More

Find episode links and full daily briefings at: TheCyberWire.com

The cloud that spies back.

Powered by Wave AI

Summary

CyberWire Daily – "The Cloud That Spies Back"

Episode Overview

Major News Highlights

1. Russian GRU Cyber Espionage Campaign

2. Israel’s Cyber Defense Chief Warns of Growing Threats

3. Major Product Vulnerabilities

4. AI in Offensive Cyber: Rapid Progress and Concerns

5. MITRE DEFEND Expands to Operational Technology (OT)

6. Texas Sues Major Smart TV Companies for Privacy Violations

7. Apple User Locked Out by Gift Card Fraud

Feature Interview: Duron Davidson on "Agentic SoCs"

Main Theme

Key Discussion Points & Insights

The Limits of Earlier Automation

What Is an Agentic SoC?

Which Behaviors Will Be Most Impactful?

Evolving Analyst Roles

Essential Safeguards

Organizational Advice: Starting the Agentic Transformation

Real-World Agent Examples

Memorable Moment: The Physical Limits of AI Data Centers

Timestamps for Key Segments

Episode Tone and Takeaways

For More

Summary

CyberWire Daily – "The Cloud That Spies Back"

Episode Overview

Major News Highlights

1. Russian GRU Cyber Espionage Campaign

2. Israel’s Cyber Defense Chief Warns of Growing Threats

3. Major Product Vulnerabilities

4. AI in Offensive Cyber: Rapid Progress and Concerns

5. MITRE DEFEND Expands to Operational Technology (OT)

6. Texas Sues Major Smart TV Companies for Privacy Violations

7. Apple User Locked Out by Gift Card Fraud

Feature Interview: Duron Davidson on "Agentic SoCs"

Main Theme

Key Discussion Points & Insights

The Limits of Earlier Automation

What Is an Agentic SoC?

Which Behaviors Will Be Most Impactful?

Evolving Analyst Roles

Essential Safeguards

Organizational Advice: Starting the Agentic Transformation

Real-World Agent Examples

Memorable Moment: The Physical Limits of AI Data Centers

Timestamps for Key Segments

Episode Tone and Takeaways

For More