Dave Bittner (8:08)

Do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security, but when it comes to our GRC programs we rely on point in time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off.

Rob Boyce (9:17)

Are you frustrated with cyber risk scores backed by mysterious data, zero context and cloudy reasoning? Typical cyber ratings are ineffective and the true risk story is begging to be told. It's time to cut the bs. Black Kite believes in seeing the full picture with more than a score. One where companies have complete clarity in their third party cyber risk using reliable quantitative data. Make better decisions, reduce your uncertainty. Trust Black Kite.

Maria Varmazes (10:01)

Advanced Persistent teenagers or AP teens have rapidly become a significant enterprise risk by demonstrating capabilities once limited to organize ransomware groups. Rob Boyce, Global Lead for Cyber Resilience at Accenture, joins Dave to discuss advanced persistent teenagers. Here's their conversation.

Dave Bittner (10:19)

It is always my pleasure to welcome back to the show Rob Boyce. He is the global Lead for Cyber Resilience at Accenture. Rob, welcome back.

Rob Boyce (10:27)

Thanks Dave. It's always a pleasure being here.

Dave Bittner (10:30)

So I want to talk today about something that you've been tracking. These are apts, but the T's aren't what we think they are. What do the T's mean in this.

Rob Boyce (10:41)

Particular case, it means teens stiff.

Dave Bittner (10:44)

So we're talking about advanced, persistent teenagers.

Rob Boyce (10:47)

Correct.

Dave Bittner (10:48)

Now I'll just say at the outset that I have two of these, but I don't think it's the kind of apts that you're talking about. So fill us in, what do we mean when we're talking about AP teens?

Rob Boyce (10:58)

Yeah, sure. Of course. I think what we continue to see in media and movies, et cetera, is this grandiose portrayal of these super sophisticated, well funded threat actors that are coming from nation states that are set on the downfall of our society, when in truth the average person that we're seeing plays an adversary in this space are really just normal people. And we've been doing a lot of research going really back to 2018 and this hypothesis of individuals getting into this ransomware game or as being a threat actor at large, becoming younger and younger. And we've started seeing now a trend of individuals who are really average age between 17 and 25, more focused within country, so targeting more domestically, not entirely domestically, but more domestically and attacking of course, both private and public sector. And so it's really become fascinating for us to see this bit of an evolution of what we, you know, what we're being told is real. You know, the picture that we're being painted versus what is really happening within our threat landscape.

Dave Bittner (12:14)

Are there particular use the phrase gateway drugs for these teens getting into this? I mean, does this start with, you know, trying to get the high score on your favorite online game?

Rob Boyce (12:25)

You know, it's, it's actually interesting because we're, we always categorize threat actors by different motivation types, right? We're seeing the ones who are financially motivated, politically motivated, et cetera. And what we're finding here is yes, there's always of course a financial motivation for these individuals, but what we see here is actually more ambition to be infamous, more around notoriety, more around I'm better than my peers and I'll be able to cause more of a disruption than somebody else. And in my opinion, this actually even makes them a little bit more dangerous because they don't necessarily have the same level of maturity as we've seen of someone who's been in this game for a while or maybe who has the, the nation state overlords that keeping track of what they're doing, there's a lot less maturity that we're seeing in this space as well. So it's really a fascinating group to continue to track as we can see them becoming more and more relevant in this space.

Dave Bittner (13:21)

So really following along with this uptick in influencer culture, I guess it almost seems so.

Rob Boyce (13:29)

Yeah, it almost seems so. And I think. I don't.

Dave Bittner (13:31)

I think.

Rob Boyce (13:31)

I'm sure you're familiar with some of the unmaskings we've seen recently. Whether it's scattered spiders or lapsis or black bastard. This is where it's really come, where we've really seen our hypothesis coming true, where they've, you know, been showcasing who these individuals are. And then of course, we find that a lot of them are within that age range that I mentioned. We also somewhat, in our spare time, I guess, really do some deep dives in some of the threat actors that we're seeing to try and expose them and, you know, provide packages to law enforcement and such. And we're seeing more and more again of these individuals in this space. And the thing is, because they're a little less mature, they're a little sloppy too. And so being able to uncover who they are is becoming a little bit easier for researchers like us to be able to identify them as well. And we've started identifying individuals from places where we've never really seen a lot of activity. Like Jordan and Yemen are a few places where we've seen a little bit more of this type of activity recently originating from, which is also another fascinating point to me, just the location of where these individuals are located.

Dave Bittner (14:38)

It strikes me that it's also kind of, you know, what's old is new again. I mean, you know, think about the first generation of the old phone freakers and, you know, that sort of thing. I mean, there was definitely having come up in that time, there was a strong teen contingent back then. And I guess that, as you say, immaturity, that feeling of invincibility.

Rob Boyce (15:00)

Yeah, I thought about this as well, and I thought, hey, I remember watching hackers where they were all high school students or reading 2600 magazine that seemed to be targeted towards the younger generation. And there's a huge distinction to me, though, between those individuals and these. And those individuals previously were ones who spent a lot of time being curious about technology, digging into it, really trying to understand the way it worked. And now I'm finding that these individuals have a slightly easier your path to become threat actors just with the tools that are available on the dark web. Being able to go into dark web marketplaces, buy initial access, buy the tools that you need, maybe even trade a little, or become an affiliate for a ransomware gang. Just think the barrier to entry seems a lot lower now for individuals to be able to become hackers or become threat actors in many cases. And so it is similar, but I find that the, you know, the philosophy behind it and also the work that's required to become an expert in this space is entirely different now.

Dave Bittner (16:07)

So what are your recommendations for defenders? You know, if the, the ratio of true, you know, nation state actors versus teenagers who have a little too much time on their hands isn't what we thought it might have been, does that shift how they come out, that come at the defense of their organization?

Rob Boyce (16:27)

Yeah, a little bit, actually. So this is what's interesting to me is I've had a lot of conversations recently with organizations and the first thing that they're always concerned about is these sophisticated nation state threat actors. And then of course, what I'm trying to redirect them towards is that is important. For sure, that is real and probably honestly more real than many people realize. But that is a small subset of the threat actors that are targeting you on a daily basis for most organizations and those individuals like the AP teens who are really focused more on lower barrier, at least theory of entry into an organization, the easiest way to be able to move laterally, the easiest way to gain access. It forces organizations to think about doubling down on getting the foundational strategies right. And what I mean by that is I think if you could ensure that you had a good understanding of your company's presence on the dark web, meaning do I have credentials that are being sold or stolen? Am I being targeted? Is there malware or similar being targeted towards me or that would impact my systems? Understanding your vulnerability landscape, and we have been struggling with scanning and patching for quite some time. And now the exposure landscape is much more than just vulnerabilities. So understanding the total exposures within your organization and having a good answer for identity management, especially around privileged access, I think if you can get those three things correct and have good programs around those three, you will really be able to have a much easier time limiting your risk to these types of threat actors, for sure.

Dave Bittner (18:08)

All right, well, Rob Boyce is global lead for Cyber Resilience at Accenture. Rob, thanks so much for taking the time for us.

Rob Boyce (18:15)

Anytime, Dave. Always a pleasure to be here. Thank you.

Maria Varmazes (18:19)

That was Dave Buettner sitting down with Rob Boyce, global lead for Cyber Resilience at Accenture, to discuss advanced persistent teenagers or AP teens.

Dave Bittner (18:42)

What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets with bad directory hygiene and years of technical debt. Identity Attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in active directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with Bloodhound Enterprise powered by Spectrops. Head to SpectorOps IO today to learn more. Spectrops see your attack paths the way adversaries do.

Maria Varmazes (19:44)

In a move that's part sci fi, part seafood sustainability, Google's secretive X Lab has unveiled Tidal X, an underwater AI system designed to transform fish farming. Equipped with smart cameras and machine learning, Tidal X monitors farmed fish like salmon in real time, tracking their movements, behavior and even individual fish health. Think fishel recognition like, yeah, facial recognition for fish? Yeah. So why does this matter? Overfeeding in aquaculture wastes food and pollutes the water. While underfeeding or missing early signs of disease can hurt both fish and farmers, TitleX aims to strike a balance, offering farmers insights to feed just the right amount, reduce waste, and catch health issues early, all without disrupting the watery ecosystem. After five years in stealth mode, the project is now swimming into the spotlight with the goal of making aquaculture more efficient, sustainable and scalable. Global as global demand for seafood rises, tech like this could be the key to meeting it responsibly. So yes, the fish are getting their close ups and it might just help save the planet. And that's the Cyberwire. For a link to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com we're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment your people. We make you smarter about your teams while making your team smarter. Learn how@n2k.com N2K Senior Producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman Our Executive producer is Jennifer Ivan, Peter Kilpe is our publisher and I'm Maria Varmazes in for Dave Bittner. Thanks for listening. Foreign.

Dave Bittner (22:41)

Looking for a career where innovation meets impact? Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting edge solutions. Whether you're passionate about AI, cybersecurity or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities and a focus on work life balance, you'll have the flexibility to thrive both professionally and personally. Explore open cybersecurity and technology roles today@vanguardjobs.com.