Dave Buettner
You're listening to the Cyberwire network, powered by N2K.
Matt Radelek
Secure access is crucial for US public sector missions, ensuring that only authorized users can access certain systems, networks or data. Are your defenses ready? Cisco's Security Service Edge delivers comprehensive protection for your network and users. Experience the power of Zero Trust and secure your workforce wherever they are. Elevate your security strategy by visiting cisco.com/go/sse. That's cisco.com/go/sse. Is DOGE using AI to monitor federal employees? Google's latest Android update addresses zero days. Scattered Spider continues its phishing and malware campaigns. Ransomware's grip is slipping. ToddyCat exploits a critical flaw in ESET products. Oracle privately confirms a legacy system breach. Over 5,000 Ivanti Connect Secure appliances remain exposed online to a critical remote code execution vulnerability. CISA confirms active exploitation of a critical vulnerability in CrushFTP. In our Industry Voices segment, we're joined by Matt Radelek, VP of Incident Response at Varonis, on turning to gamers to build resilient cyber teams. And AI out-phishes human red teams. It's Tuesday, April 8th, 2025. I'm Dave Buettner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us. The Trump administration's use of Elon Musk's DOGE team continues to raise serious cybersecurity and transparency concerns, according to a Reuters exclusive. DOGE is reportedly using AI to monitor federal employee communications for perceived disloyalty to Trump or Musk, including scanning platforms like Microsoft Teams. Sources say the team communicates using Signal, a disappearing messages app that may violate federal records laws. Ethics experts warn this could be an abuse of power and a breach of federal data retention rules. DOGE has also restricted access to key government systems, such as the Office of Personnel Management's cloud, locking out over 100 staffers.
Only two people now control sensitive personnel data for millions of federal workers. Critics say this level of secrecy and control over federal IT infrastructure could enable political targeting and undermines democratic accountability. Lawsuits and a federal court order are now pushing DOGE to release documents, but watchdogs say transparency remains dangerously low. Meanwhile, President Trump's declared national emergency and sweeping tariffs have launched a global trade war that itself poses major cybersecurity risks. Starting April 9, a 10% baseline tariff will hit all imports, with harsher rates for China, the EU and India. Enterprise tech and cybersecurity leaders face soaring hardware costs, delays and increased reliance on outdated systems, raising the risk of cyberattacks. Compliance challenges, end-of-life vulnerabilities and shrinking budgets will force leaders to rethink strategies, lean into cloud options, and prioritize core security investments. Google's April 2025 Android Security Bulletin addresses multiple critical vulnerabilities, including two zero days actively exploited in targeted attacks. Both impact the Linux kernel's ALSA USB audio driver and pose serious risks to Android devices running multiple versions. The first vulnerability allows information disclosure via an out-of-bounds read, while the second enables privilege escalation through memory corruption triggered by malicious USB devices. These flaws may bypass standard device locks and resemble methods used by surveillance firms. Google and Samsung have released urgent patches, with fixes included in the 2025-04-05 security patch level. The continued targeting of Android underscores the ecosystem's security challenges, but with Google reporting a significant rise in zero-day attacks, users are urged to update devices immediately to avoid exploitation.
Despite multiple arrests, Scattered Spider continues its phishing and malware campaigns in 2025, targeting major firms like T-Mobile, Pure Storage, and Louis Vuitton. The cybercrime group has ditched its Rickrolling antics, focusing instead on advanced tools like an updated Spectre RAT, which now features new obfuscation and command capabilities. Researchers at Silent Push detailed five phishing kits used by the group, noting the latest integrates multiple brands and is hosted on Cloudflare. The criminals exploit SMS phishing to steal credentials, bypass MFA, and deploy malware for persistent access and data theft. Notably, Scattered Spider is now using publicly rentable subdomains, making their operations harder to track. Silent Push has released a Spectre RAT decoder and command-and-control emulator to help defenders. Despite a law enforcement crackdown, the group's evolving tactics remain a serious threat to organizations worldwide. Ransomware attacks surged in early 2025, hitting a record 2,040 victims in three months, with schools and healthcare providers especially affected. Yet despite the chaos, ransomware's grip is slipping. As Alan Liska, a threat intelligence analyst at Recorded Future, outlined in a blog post, profits dropped from one and a quarter billion dollars in 2023 to 818 million in 2024 as fewer victims pay ransoms. And when they do, they pay less. Cybercriminals now favor data theft over encryption, hoping to extort payment for deletion. Still, organizations are resisting, and law enforcement crackdowns are fracturing major ransomware groups. Newer, lesser-known gangs like Arkana and Babuk 2.0 are stepping in, often recycling old code and tactics under fresh branding. Meanwhile, global crises from cyber espionage to trade wars are pulling attention away from ransomware threats. Russia's tighter control over hackers may also be curbing major attacks. While ransomware isn't disappearing, its dominance and profitability are clearly being tested.
A critical flaw in multiple ESET products has been exploited by the Chinese-linked APT group ToddyCat to deploy stealthy malware, Kaspersky reports. The vulnerability, a DLL search order hijack, requires administrative access and enables arbitrary code execution. ToddyCat used this flaw to load TCESB, a sophisticated C tool that bypasses security monitoring and manipulates kernel structures. ESET patched the issue in January and urges users to update. The group has targeted military and government entities across Europe and Asia since 2020. Oracle has privately confirmed a breach in a legacy system, contradicting earlier public denials. Hackers accessed old client login credentials, including encrypted passwords, and exfiltrated data, some of which dates to 2024. The threat actor rose87168 demanded $20 million and deployed malware targeting Oracle's identity manager. Oracle insists Oracle Cloud wasn't affected, calling the breached system Oracle Classic. However, experts criticize this as misleading rebranding. This is Oracle's second breach disclosure in months, prompting an FBI investigation and a class action lawsuit. Over 5,000 Ivanti Connect Secure appliances remain exposed to a critical vulnerability with a CVSS score of 9.0 allowing remote code execution. The flaw, a stack-based buffer overflow, is being actively exploited by a Chinese threat group which deploys backdoors via Ivanti VPNs. Ivanti issued a fix in February but initially misdiagnosed the issue, enabling ongoing attacks. Most vulnerable devices are outdated Pulse Connect Secure 9 versions, no longer supported since December of last year. Ivanti urges users to patch or upgrade to supported versions immediately. CISA has confirmed that a critical vulnerability in CrushFTP is being actively exploited. This authentication bypass flaw, with a CVSS score of 9.8, allows unauthenticated attackers to fully compromise unpatched CrushFTP version 10 and version 11 systems.
CISA added it to its Known Exploited Vulnerabilities catalog on April 7th and urges all organizations to patch immediately. The flaw was initially discovered by Outpost24 and disclosed under a 90-day embargo. However, another group, VulnCheck, released a separate CVE without coordination, leading to public exposure and exploitation. MITRE later rejected VulnCheck's CVE, sparking debate over vulnerability disclosure ethics. Shadowserver observed over 1,500 unpatched instances and noted in-the-wild exploitation using proof-of-concept code. While the flaw has been fixed in multiple CrushFTP versions, the disclosure conflict highlights challenges in coordinated vulnerability reporting. Coming up after the break, my conversation with Matt Radelek from Varonis on turning to gamers to build resilient cyber teams. And AI out-phishes human red teams. Stay with us.
Matt Radelek
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off. Are you frustrated with cyber risk scores backed by mysterious data, zero context and cloudy reasoning? Typical cyber ratings are ineffective, and the true risk story is begging to be told. It's time to cut the BS. Black Kite believes in seeing the full picture with more than a score, one where companies have complete clarity in their third-party cyber risk using reliable quantitative data. Make better decisions. Reduce your uncertainty. Trust Black Kite. Matt Radelek is VP of Incident Response, Cloud Operations and SEU at Varonis. In today's sponsored Industry Voices segment, I sit down with him to discuss their research, "From Gamer to Leader: How to Build Resilient Cyber Teams."
Dave Buettner
I'll say two things, really. One is a personal journey of mine. I have an extensive background in video gaming, whether from World of Warcraft competitive or Fortnite or Halo, all these different games where I feel like I actually learned a lot about teamwork, about being achievement oriented and about hustle. And when I'm face to face with other leaders in the cybersecurity space, I often hear people talk about how hard it is to find talent. Or how many times have you heard someone say, Dave, nobody wants to work anymore? Right, right.
Matt Radelek
That, that old chestnut.
Dave Buettner
I mean I just, it comes up all the time and I think you're, you might be looking at the wrong places or you might not be giving people the right quests in order to achieve. And so I find that when you recruit gamers and you purposely recruit gamers and you give them this quest line, this ability to achieve and level up their skills that you can keep them motivated. So first you choose to recruit them, then you give them, like, a path to stay motivated. And then if you arm them with some type of tools or weapons, Right. If you think of like, you know, all the different games where you can get like a cool sword or, you know, a magical bow or a magical staff or something like that, or a better shield or a faster car, that's the same kind of analogy can be used for arming your teams and the people that work for you with the tools that they need to do their job. You could help them as a person level up, but you could also give them a tool that could help level up some of their skills. And that really is the impetus of my talk, that if you target gamers and you look at that community and you nurture them and you arm them with the right tools, that they can be a superpower for you.
Matt Radelek
So you're not just speaking metaphorically here. You actually do want to target folks who are avid gamers.
Dave Buettner
Absolutely, absolutely. Like, personally, I mean, I feel like a lot of who I am as a person and my drive comes from, you know, playing games and like, being able to adapt to different strategies or to have to work well with others. I want you to imagine, you know, as I sit with you Today, I'm 36 years old. The first time that I ever led a raid in World of Warcraft with 40 people in it was when I was 13. So I had to deal with teamwork and conflict and personality resolution all those years ago.
Matt Radelek
Yeah, it's interesting. You know, I'm a good bit older than you, and so, you know, my exposure to early games were things like, well, Pong, Pac man, you know, Missile Command, Asteroids. But I did play up into and including the Halo games. And I think you're really onto something here. I mean, that level of teamwork for certain scenarios, you can't go at it alone. You need to collaborate.
Dave Buettner
Yeah. And also think about, like, I don't know if you ever played like a role playing game, Right. But in a lot of the role playing games, you get a character and that character has to level up in order to unlock new skills and new abilities. Well, that same thing could be said about hiring a junior SoC analyst. But someday, them wanting to be a malware researcher, are you going to just let that be an unscripted adventure, or are you, as a leader, going to carve that path for someone to go on some, let's call them, quests or missions and gain experience and knowledge that if they're able to match that with achievement, get them to that point where they can become a malware researcher. Because if you can do that, you can recruit gamers, you can keep them motivated, and you can utilize this drive that they have to benefit your organization and have a more resilient team. Same thing can be thought about like, you know, let's kind of imagine we're assembling a group of people to go and take down a particular actor. Like, I have a strong background in incident response. The different threat actors have different tactics, techniques and protocols. You're going to bring in different experts based on the threat actor that you think you're going to encounter or that you know you're encountering. That's the same thing with like getting together a group of people to take down a dragon.
Matt Radelek
So how do you propose going about attracting these folks to CyberSecurity?
Dave Buettner
I think one, the most fundamental thing is that it's our job as leaders to build that questline and that sense of achievement. You have to show people that that first job that they're getting, if it's junior, can lead to something and that that more senior job that they have or that more senior position can also like help them to develop skills and level up. In doing that, you're, you're helping people that have that sense of achievement feel like they're on a journey for something and convincing your company to be able to support that as well. Like, hey, if you spend a certain amount of time in a role and your metrics are good, you'll go from Analyst 1 to Analyst 2 as an example. It's just a great way to retain people and also to find and motivate talent.
Matt Radelek
It strikes me that it also intersects with something you kind of alluded to, which is the difficulty in finding cybersecurity talent. You know, this is kind of a sideways way to bring entry level people in because you're looking for pre existing talents that they have that they learned and earned from playing games from a different mode, but that they can then apply to their cyber skills. Correct?
Dave Buettner
Correct again. Especially when you think about these entry-level security roles or security monitoring roles, you're thinking of personality traits a lot more than technical knowledge, skills and ability. Now, you may have to put together some type of entrance exam. We have a technical interview that even we at Varonis give to junior people. So they do need to have some technology and networking, maybe a little bit of Active Directory and identity-based experience; that can't be totally and completely unknown to them. But that's a much broader audience than those with cybersecurity experience.
Matt Radelek
And how do you get leadership at an organization to buy into this sort of strategy?
Dave Buettner
First, you gotta carve that path. You gotta show that it's working already. Two, I think a lot of times it's about having goals from a retention standpoint and a promotion standpoint. You know, if you're able to have a high percentage of attainment and keep people, especially at a cybersecurity company or even at a, you know, a business, that's great for business, right? Like, turnover means you have to train people. You're gonna probably have to pay a recruiter's fee or a finder's fee. And, you know, everybody wants, like, you know, employee loyalty; that's still valued in the job place. And so I think as a leader, if you propose, hey, I'm going to do these things, I'm going to increase retention, I'm going to be able to target and have more junior people that can progress over time. So that's going to help us with cost control and it's going to lead to higher employee satisfaction and employee loyalty. You know, like Varonis was, for instance, just named a great place to work yet again. Like, all these things contribute to the overall image and brand of the company. And don't forget about the last thing I said, though, Dave. It's also the job of a leader to find them tools. So, like, when I think about that in today's context, is your SOC AI-powered? Are you using this, like, for lack of a better word, this magical potion that you can buy on the market to make everyone stronger and faster and smarter? Or are you still using legacy toolkits that aren't AI-powered? I think that's a very core question for every security leader to answer. And when you gamify it, when you put it in the lens of a gamer, you can really excite gamers about it. They're like, oh, that's why you're doing it. It isn't so that we don't hire 10 more people. It's so that I work 10 times as efficiently and I'm able to provide better customer service, and for the company, a better bottom line.
Matt Radelek
How do you dial in the right amount of gamification and the core business functions that you need to accomplish? I guess I'm wondering, is there a peril of making it just a little too cute? Does that make sense?
Dave Buettner
Yeah, absolutely. Absolutely. So that's a great question. I was asked that before. A lot of companies have, like, core skills and core traits. One of them might be accountability. It might be adaptability or learning agility. It might be achievement oriented. You've heard all these terms before, I'm sure, if you've ever sat through a performance review, and I'm sure many of your listeners have. Well, don't come up with new ones. Use your company's own and help people understand how that leads to improvement. That if they improve their learning agility and they demonstrate that they can learn faster, how the company benefits from that. Or in the gamer's world, how if they go from a 70 in learning agility to an 80 in learning agility, what that stands to do for them in their career.
Matt Radelek
Can you give us some examples of some of the kinds of things that you found success with?
Dave Buettner
Yeah, I think one of them is this idea of a career progression ladder. So, you know, if you can start someone at a more junior role, but show them how in five years they could be in a completely different role. Like, they can go from SOC analyst to incident handler. And how if they get really advanced, they could even go down a management track and start to lead people and develop what are called power skills, where they get to learn more about, like, giving feedback and delegation and some of the things that come with being a manager versus just being a technical achiever. And that's a path that you could paint for someone in a transparent way when they sign up for your company, even if it's three to five years down the road; it's okay to say that. I mean, you know, a lot of promotions have to be earned from simply, like, leveling up and experience and time on the job. But carving out that path is a great way to let someone know they're on a journey, they're not just in a role.
Matt Radelek
Right. And just even letting them know that those possibilities are out there, I mean, it gives people something to shoot for.
Dave Buettner
Yeah. And those that want to overachieve will do it faster. Yeah, they'll want to work harder and they'll want to move through that rank faster. And that'll drive very healthy conversations between them and their manager about, hey, how do I get to, you know, incident handler in three years instead of five? That's a super healthy conversation for somebody to have with their supervisor. And if it's within guidelines or a framework, it's not so abstract either. They could say, well, look, you know, there is a way that could happen. I can't promise that could happen. But if you did these five things and your metrics were good, you got good reviews, I could see it happening in three years instead of five years.
Matt Radelek
I suspect you, you probably have to be careful that you're not too rigid about this as well. I mean, there's. They're going to be some really good contributors to your team who don't need this kind of motivation.
Dave Buettner
100%. 100%. And then there are going to be people that I also have found are happy in the role that they're in and they want to develop, but they don't want to develop quite as fast as you might want them to develop. And that's okay too.
Matt Radelek
No, that's a really, that's a really good insight. Any words of wisdom in terms of lessons you've learned along the way of, you know, harder lessons? You know, maybe. Are there any things that didn't quite work out the way you'd hoped that they would have?
Dave Buettner
I wish I would have done more automation and more AI faster. The gains that we're seeing from having the AI analysts be the first ones to look at the alerts are incredible. And if I really focused on one thing for your audience: there are things out there now. There are AI-powered solutions, AI-enabled SOC, or, for Varonis, AI-enabled data security, that is going to not just give you ROI from that software and that better defense, but your people are going to be so much better because they have the help of this AI SOC assistant or AI SOC helper. We call ours Athena AI at Varonis. Like, with Athena's help, your analyst doesn't need to know our technology. They can just use natural language to interact with it. With Athena's help, when our managed data detection and response team gets an alert, they already know lots and lots that they otherwise would have had to do a manual investigation about that alert. Like the user, the device involved, the user agent, the data that they were touching, the type of account that it is, the past history on that, that otherwise would take many, many more queries. We use the same type of technology to help find data. And I only wish I would have given my team these types of tools sooner and faster. And now we put a lot of impetus on making them better because of the efficiency gains and the accuracy gains we see it give our people. So I, as a leader, feel like that's a big part of my job now, is to give everyone these weapons that they need to succeed. Again, metaphorically speaking; maybe I call them tools, but I give them all these superpowers or these potions that come with a lot of these AI-enabled toolkits.
Matt Radelek
That's Matt Radelek from Varonis. We'll have a link to their report, "From Gamer to Leader: How to Build Resilient Cyber Teams," in our show notes. What's the common denominator in security incidents, escalations and lateral movement? When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do. And finally, move over, chess grandmasters. AI has now leveled up to outhustle human red teams in the world of phishing. According to cybersecurity firm Hoxhunt, their AI phishing agent, codenamed JKR (Joker), beat human-crafted phishing attempts by 24% in March. That's a glow-up from last year, when Joker lagged 31% behind. Think of it as a Skynet-meets-email moment. Joker adapts like a social engineering ninja, customizing bait with user-specific context like job roles and locations. It's not just phishing, it's precision phishing in bulk. Hoxhunt says this could make mass phishing campaigns as effective as today's spear phishing attempts. Great. The Anti-Phishing Working Group also reported a global spike in phishing sites and smishing scams, including hilariously off-target toll collection texts. So while humans still bring creativity, AI brings scale, 24/7 hustle and zero need for coffee. Experts say defending against AI-driven threats will still require one vital element: human judgment. We'd have more good judgment if it weren't constantly busy cleaning up after bad judgment. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Buettner. Thanks for listening. We'll see you back here tomorrow.
Matt Radelek
Looking for a career where innovation meets impact? Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting-edge solutions. Whether you're passionate about AI, cybersecurity or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities and a focus on work-life balance, you'll have the flexibility to thrive both professionally and personally. Explore open cybersecurity and technology roles today at vanguardjobs.com.
CyberWire Daily: Using AI to Sniff Out Opposition (April 8, 2025) Hosted by N2K Networks
In the April 8, 2025 episode of CyberWire Daily, N2K Networks delves into the intricate interplay between artificial intelligence (AI) and cybersecurity, exploring how AI is being leveraged both defensively and offensively. The episode covers a spectrum of pressing cybersecurity issues, including governmental surveillance concerns, emerging threats from advanced phishing groups, and the evolving landscape of ransomware. Additionally, the episode features an insightful interview with Matt Radelek, VP of Incident Response at Varonis, who discusses innovative strategies for building resilient cyber teams through gamification and AI integration.
The episode opens with alarming revelations about the Trump administration's use of Elon Musk's DOGE team. According to a Reuters exclusive, DOGE is reportedly employing AI to monitor federal employee communications for signs of disloyalty to Trump or Musk, including scanning platforms like Microsoft Teams. The team also reportedly communicates using Signal, a disappearing-messages app, raising significant transparency and records-retention concerns.
Notable Quote:
Dave Buettner [00:02]: "The Trump administration's use of Elon Musk's DOGE team continues to raise serious cybersecurity and transparency concerns."
Ethics experts caution that this could constitute an abuse of power and infringe upon federal data retention laws. Furthermore, DOGE has restricted access to critical government systems, such as the Office of Personnel Management's cloud, locking out over 100 staffers. This tight control over federal IT infrastructure has sparked fears of political targeting and diminished democratic accountability. Ongoing lawsuits and a federal court order are pressuring DOGE to release documents, but watchdog organizations argue that transparency remains dangerously low.
President Trump's declaration of a national emergency and the implementation of sweeping tariffs have ignited a global trade war, which inadvertently amplifies cybersecurity vulnerabilities. Starting April 9, a 10% baseline tariff was imposed on all imports, with elevated rates for nations like China, the EU, and India. This escalation has led to soaring hardware costs, supply chain delays, and a growing dependence on outdated systems, all of which heighten the risk of cyberattacks.
Google's April 2025 Android Security Bulletin highlights multiple critical vulnerabilities, including two zero-day exploits actively being used in targeted attacks. These flaws, affecting the Linux kernel's ALSA USB audio driver, pose severe risks by enabling information disclosure and privilege escalation via malicious USB devices. Urgent patches have been released by Google and Samsung, urging users to update their devices immediately to mitigate these threats.
Notable Quote:
Dave Buettner [00:14]: "Google's latest Android update addresses zero days. Scattered Spider continues its phishing and malware campaigns."
Despite multiple arrests, the cybercrime group Scattered Spider persists in its sophisticated phishing and malware operations, targeting high-profile firms such as T-Mobile, Pure Storage, and Louis Vuitton. Transitioning from basic Rickrolling tactics, the group now employs an updated Spectre RAT with enhanced obfuscation and command capabilities. Researchers at Silent Push have identified five distinct phishing kits utilized by Scattered Spider, noting their integration with multiple brands and hosting on Cloudflare to evade detection.
Ransomware attacks surged in early 2025, affecting a record 2,040 victims within three months, with significant impacts on schools and healthcare providers. However, the profitability of ransomware operations is decreasing. According to Alan Liska, a threat intelligence analyst at Recorded Future, ransomware profits dropped from $1.25 billion in 2023 to $818 million in 2024. This decline is attributed to fewer victims paying ransoms and a strategic shift towards data theft instead of encryption, with cybercriminals leveraging stolen data to extort payments for its deletion.
Notable Quote:
Dave Buettner [00:14]: "Ransomware's grip is slipping."
The Chinese-linked Advanced Persistent Threat (APT) group ToddyCat has exploited a critical vulnerability in multiple ESET products to deploy stealthy malware. This DLL search order hijack flaw permits arbitrary code execution with administrative access. ToddyCat utilized this vulnerability to inject TCESB, a sophisticated tool designed to bypass security monitoring and manipulate kernel structures. ESET has patched the issue since January, urging users to update their systems promptly.
Oracle has privately confirmed a breach in one of its legacy systems, a stark contradiction to previous public statements denying such incidents. The breach involved unauthorized access to old client login credentials, including encrypted passwords, and the exfiltration of data, some of it dating to 2024. The threat actor rose87168 demanded $20 million and deployed malware targeting Oracle's identity manager. Oracle maintains that Oracle Cloud was unaffected, describing the breached system as "Oracle Classic." Experts, however, criticize this as misleading rebranding. This is Oracle's second breach disclosure in months, and it has prompted an FBI investigation and a class action lawsuit.
Over 5,000 Ivanti Connect Secure appliances remain exposed to a critical remote code execution vulnerability (CVSS score of 9.0). This stack-based buffer overflow flaw is actively exploited by a Chinese threat group deploying backdoors via Ivanti VPNs. Although Ivanti issued a fix in February, its initial misdiagnosis of the issue has allowed attacks to continue. Users are urged to patch or upgrade to supported versions immediately to mitigate the risk.
The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed the active exploitation of a critical vulnerability in CrushFTP (CVSS score of 9.8). This authentication bypass flaw allows unauthenticated attackers to fully compromise unpatched CrushFTP version 10 and 11 systems. Discovered by Outpost24 and disclosed under a 90-day embargo, the vulnerability was prematurely exposed when another group, VulnCheck, released a separate CVE without coordination. This led to public exposure and widespread exploitation, highlighting the challenges of coordinated vulnerability reporting.
In the Industry Voices segment, host Dave Buettner interviews Matt Radelek, VP of Incident Response at Varonis, to explore innovative approaches in cybersecurity team building. Radelek advocates for recruiting gamers to cultivate resilient cyber teams, drawing parallels between gaming skills and essential cybersecurity competencies.
Key Insights:
Gamers as Ideal Candidates:
Radelek emphasizes that avid gamers possess inherently valuable traits such as teamwork, adaptability, and strategic thinking. These skills transfer directly to cybersecurity roles, where collaboration and quick adaptation to evolving threats are crucial.
Notable Quote:
Matt Radelek [11:59]: "Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001."
Gamification Strategies:
By implementing gamification techniques, organizations can create engaging "questlines" that motivate employees to achieve and level up their skills. This approach not only improves employee retention but also fosters a culture of continuous improvement and skill development.
Notable Quote:
Dave Buettner [14:11]: "When you recruit gamers and you purposely recruit gamers and you give them this quest line, this ability to achieve and level up their skills that you can keep them motivated."
AI Integration in Cyber Teams:
Radelek highlights the transformative impact of AI tools in augmenting human red teams. AI can significantly enhance the efficiency and accuracy of threat detection and response, empowering cybersecurity professionals with advanced capabilities.
Notable Quote:
Dave Buettner [25:12]: "The gains that we're seeing from having the AI analysts be the first ones to look at the alerts are incredible."
Career Progression and Employee Engagement:
Establishing clear career progression ladders akin to game levels can provide employees with visible pathways for advancement. This transparency encourages employees to set and pursue professional goals, aligning their personal growth with organizational objectives.
Notable Quote:
Dave Buettner [22:52]: "If you can start someone at a more junior role, but show them how in five years they could be in a completely different..."
Balancing Gamification with Business Needs:
While gamification offers numerous benefits, Radelek cautions against overdoing it. It's essential to maintain a balance to ensure that gamification enhances rather than detracts from core business functions.
Notable Quote:
Matt Radelek [21:50]: "How do you dial in the right amount of gamification and the core business functions that you need to accomplish?"
Embracing AI Tools Earlier:
Reflecting on past experiences, Radelek expresses a desire to have integrated AI tools sooner. AI-powered solutions have proven to provide substantial ROI and bolster defensive capabilities, making them indispensable assets for modern cybersecurity teams.
Notable Quote:
Dave Buettner [25:12]: "I wish I would have done more automation and more AI faster."
Radelek concludes by underscoring the importance of equipping cybersecurity teams with advanced AI tools, likening them to "superpowers" that enhance their ability to defend against sophisticated threats effectively.
The episode highlights the critical role of Attack Path Management in mitigating identity-related breaches. Poor directory hygiene and technical debt create easy targets for threat actors, who exploit compromised privileged accounts to seize control of critical assets. Solutions like BloodHound Enterprise by SpecterOps are instrumental in visualizing attack paths from an adversary's perspective, enabling security teams to proactively secure their environments.
AI continues to reshape the phishing landscape, with cybersecurity firm Hoxhunt developing an AI phishing agent known as JKR (Joker). In March, JKR outperformed human-crafted phishing attempts by 24%, a significant improvement from the previous year, when it lagged human red teams by 31%. This advancement positions AI as a formidable tool for creating precise, scalable phishing campaigns that rival the effectiveness of traditional spear phishing.
Notable Quote:
Dave Buettner [30:56]: "It's not just phishing, it's precision phishing in bulk."
The Anti-Phishing Working Group (APWG) reported a global increase in phishing sites and smishing (SMS phishing) scams. These fraudulent campaigns exploit various vectors, including deceptively targeted toll collection texts, demonstrating how cybercriminals are expanding their tactics and using AI for broader and more convincing attacks.
Key Takeaway:
While AI enhances the scale and precision of phishing attacks, the necessity for human judgment remains paramount in effectively defending against these sophisticated threats.
The April 8, 2025 episode of CyberWire Daily provides a comprehensive overview of the dynamic and evolving cybersecurity landscape. From governmental AI surveillance concerns and the persistent threat of advanced phishing gangs to the strategic integration of AI and gamification in building resilient cyber teams, the episode underscores the multifaceted challenges and innovative solutions shaping the industry. As cyber threats become increasingly sophisticated, the fusion of human ingenuity with advanced AI tools emerges as a critical strategy for safeguarding digital infrastructures and maintaining organizational resilience.
For more detailed insights and updates on today's cybersecurity stories, visit CyberWire Daily.