B (14:45)

Thank you for having me back. And we're talking about a topic I find really important, which is kind of thinking about how our adversaries are integrating AI. And I'm really glad to see Congress Taking up this mantle, I think I saw Representative Olis during the hearing say, if we don't get this right, we're screwed. And, I mean, that was my big takeaway is like, that's true. Right? We have to really be thinking about this and understanding it. And by understanding it, though, I mean knowing what's accurate, what might be hyperbolic, but then what we can actually do to counter it, because it's not a runaway train, we can do things that really help put us in a better security position.

A (15:31)

Well, you used the word hyperbolic, and I'd love to start there, because I see folks talking about the importance of AI dominance, and I have to say I'm not certain what that means. What does it mean to you?

B (15:46)

It means that the US Stays ahead and is the leader of the kind of frontier models, the type of AI development that's at that cutting edge. Because when we keep our market dominance, keep our AI dominance, to me, that means we're the market leaders. We are able to ensure that the AI that goes out there conforms to the free speech and all other ethics that we hold dear as a country, and that we know that we're how it can be exploited, how it can be used for safety, and how to combine that. And things aren't coming at us as a surprise.

A (16:29)

And where do you suppose we stand today in terms of maintaining our leadership?

B (16:34)

Yeah, I think that we're easily four to six months ahead of a lot of other groups, countries, especially kind of China that's developing it. What you've seen China do a lot is kind of rapidly develop after we develop certain types of functions or advances in their own models, and whether that's from kind of typical Chinese model of figuring out things, stealing things along the way, or just when you know something's possible, sometimes it's easier to, like, get to that point. Either way, the US Is still ahead, and it's really important to keep us ahead as we look at what we might be facing coming down the road.

A (17:15)

Well, speaking of what we might be facing, you head up the Ransomware Research center with your colleagues at Halcyon. What are you anticipating this coming year when it comes to ransomware?

B (17:27)

So I think right now we would say that AI hasn't fundamentally changed ransomware tactics, but it's changed kind of the economics of ransomware. Right. It's lowered the barriers and it's accelerated some discrete tasks, some workflows. I think that's where you're going to see some of this improvement and some more of these discrete tasks. So in the hearing, Google talked about the use of AI in certain points of the ATTCK chain that really did enable certain components to be a little more autonomous, to act a little more autonomously and do that kind of in real time. To also thinking about the discrete tasks that are available with initial access, I feel like that's where we've seen a lot of the technology go, where you can kind of imagine how it is really beneficial to adversaries like think making a lot more believable. Phishing emails, deep fakes. So I think in the next year, what we'll likely see is deep fake social engineering really start to overtake just the traditional identity tech, a traditional social engineering. And we're also going to see actors then start to experiment with some of these more niche things that were talked about in the hearing. I call them niche, I call them experimentation because that's what they are. There's a high failure rate for this kind of stuff that's going on right now. It's really kind of starting to piece together and automate. Things are already known. So yeah, we'll probably detect it along the way. So it's easy to say kind of dismiss it now. But the reason you experiment, the reason you do lots of failures is so you can get to success. And I think that's what we're going to see over the next year is those reps that attempts to really start to get better and figure out how you can change the sophistication, make things actually more advanced using AI.

A (19:24)

Yeah, it's a really interesting point. I mean, I guess from your point of view, where are we when it comes to the maturity of the ransomware marketplace? I mean, is there still room for innovation or are we at a state of refinement?

B (19:41)

Well, I think refinement was probably more where we're at over the last year. And you and I have talked about this before. Over the last year, ransomware has gotten so fast and that's where we've seen a lot of the innovation. And that primarily wasn't because AI was there, it's because there's more virtualization. The ransomware actors just have more experience, so they're able to get faster. There's a lot of different things there. And that the quickness of ransomware attacks now already necessitates a change in security postures. So believing that you used to have days or weeks of dwell time of an actor, so they're on your system, you could get an alert, you could look at that alert in the Morning try to kick them out. That's not possible now. Now really all these things are happening in 24 hours to hours. And that means that you really have to automate a lot of your security tasks. The way in which you defend against AI enhanced threats is much the same. Like you really need automated defense, you need defense in depth to be able to identify these attacks in real time. Because right now and for the foreseeable future, what is more likely to happen is just more, right, more attacks from more actors who maybe wouldn't have been able to do it otherwise, or advanced actors figuring out ways to automate parts of their processes, create agents that help them do their activity so that they can do more attacks or they can do those, you know, just a slight bit faster. But I think what we're at now is looking at not having an attack. You recover from an attack, you could have set your security posture, you wait for the next one. But if you have more and more attacks, that's really problematic. And that's likely where we're going with some of these integrations of AI Speaking.

A (21:32)

Of more and increased velocity, certainly an area of development is the quantum threat. Do you suppose that is going to affect ransomware operators ability to do what they do when these tools become more readily available?

B (21:48)

Yeah, I think we're a little bit of ways out from some of the quantum assisted tools becoming available to the wider swaths of cyber criminal groups. When I think about the quantum, I certainly am thinking first and foremost about China and some of the other nation states. But you know, eventually when you get to those points where I think I would really worry among the ransomware group overall is not just kind of the, hey, it makes this technically a little bit easier or our ability to move is a lot faster. But even the information that's been stolen along the way, if it was encrypted, or if the information they're stealing is encrypted, maybe isn't as useful the ability to then go through data to identify high value data that we thought we were all protecting, that could come into play. But once again, I still feel that's a much farther out issue than what we're looking at in terms of the advancements fueled by AI.

A (22:46)

Well, looking at the big picture again, you know, heading into or well into 2026 as we find ourselves already, what's your advice for the defenders out there when it comes to approaching ransomware this coming year?

B (23:01)

Really defenders should expect the shorter lead times, more convincing social engineering and faster iteration. And that I think just shows focusing on the basics, but focusing on some of the basics. Well, the rapid patching, strong identity controls and resilient detection and response processes. That's still what is most important. And I think overall when you're looking at this, ensuring that your creating and thinking about like how do I do this detection and defense in real time? So that's really the advice I'd give to defenders overall. But I'd go a step further where now if we're on the AI topic, which is a lot of organizations are thinking about or starting to develop their own in house AI models or maybe have employees that are pulling together valuable data into their own models on their networks if more security is not placed around that. So take an in house AI model or the kind of discrete ones that maybe employees are creating on their own. That is a huge target of opportunity for ransomware actors when they get onto a system or any adversary really, they get onto a system. Maybe you used to have to go around and look for the valuable data or maybe it was in different places. But what we're all doing is consolidating that into very easily findable places. And so we really have to think about the security and extra security we're putting around the AI tools on our own systems to better protect our information.

A (24:38)

That's Cynthia Kaiser from Halcyon.

C (24:54)

The world moves fast. Your workday even faster. Pitching products, drafting reports, analyzing data. Microsoft 365 Copilot is your AI assistant for work built into Word, Excel, PowerPoint and other Microsoft 365 apps you use, helping you quickly write, analyze, create and summarize so you can cut through clutter and clear a path to your best work. Learn more@Microsoft.com M365 copilot.

A (25:28)

And finally, a 20 year old Best Buy employee in Savannah, Georgia is learning that retail crime dramas rarely end with a plot twist in the defendant's favor. Police say Dorian Allen helped suspected shoplifters walk out of the Abercorn street store with more than $40,000 in merchandise from snack foods to $700 PlayStation consoles. His explanation? Online blackmail. According to the Savannah Police Department, Allen claimed a mysterious hacker group emailed instructions on which customers to wave through, threatening to leak nude photos if he refused. Investigators say he could not identify the hackers, describe them or produce the emails. Store video allegedly shows weeks of point of sale manipulation totaling 143 items. Allen now faces theft charges while these supposed hackers remain, for now, safely imaginary. And that's the cyber wire for links to all of today's stories Check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26. I'll see you in San Francisco. Attackers don't go through your tools, they go around them. In our interview with Jared Atkinson, CTO at Spectrops, he reveals how attackers look to exploit our identities, steal tokens, and quietly snowball their access across active directory, cloud apps and GitHub. We talk through attack paths, why least privilege keeps failing, and how one misconfiguration can hand over the keys to your organization. Want to see risk as attackers do? Then check out the full interview now on TheCyberWire.com SpectreOps.