A

You're listening to the Cyber Wire Network, powered by N2K.

B

Threat actors are now targeting backup systems and one of the main things and we're seeing it with storm 0501. We're seeing it with Scattered Spider. We're seeing it with a lot of not just random ransomware events, but actual threat groups doing this. And the reason is, is that if you own the backups, you own the business. Because if you own the backup data, there's no way they can recover.

A

Hello and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolan. And before I introduce our guest of the hour, if this is your first time joining us, welcome to the show. Make sure you hit that subscribe button so you're notified when we drop new episodes. And if you're already a subscriber, thanks for coming back and spending some time with us. Subscribe. We encourage you to give us a rating. Drop a comment below. Let us know what you think about the show. Now this time we have a familiar face joining us today. And that friendly face is Joe Hladic, head of Rubrik zero Labs. His team recently released a report titled Identity Crisis Understanding and Building Resilience Against Identity Driven Threats. Now, we talked about the different types of identities, how you manage and secure them, and how organizations are approaching their agentic AI adoption. As always, it is a blast getting to chat with Joe. I hope you enjoy the episode. Let's get into it. Well, Joe, welcome back to the show. Before we dive into the meat of the conversation, what is something that's not related to cyber that you're completely obsessed with recently? I'll go first. Mine is going to be the it's not that Serious album by Demi Lovato. She just released it, you know, at least at the point of recording this. It was just about a week ago and I can't stop listening to it. I have no skips on the album and that is my obsession right now. What is yours?

B

That's a good one, Caleb. I'd actually have to say I recently read through the Three Body Problem trilogy by Sushin Lo. It's actually a show on Netflix now, which isn't too bad. It's not a direct adaptation, but it's pretty good. But overall, it's probably one of the best sci fi novels and like sort of real portrayals of like human nature during some type of extraterrestrial invasion. It's really, it's really good. So, yeah, that's, it's actually existentially scary in the sense too, because it focuses more on the human than a lot of like the cheesy sort of sci fi side of things. But so it's always in the back of my mind. It's like it's got a lot of real science in it and it's just fascinating.

A

So how far into the trilogy have you made it?

B

I finished it.

A

Oh, very nice. And is the Netflix, the Netflix adaptation, is it a TV show? Is it a movie?

B

It's a show.

A

Okay, okay. Very nice, very nice. Well, for anyone looking for a new Netflix show, you have your recommendation here. If you're looking for a book, here's a new series for you. Love it.

B

I do recommend if you're a sci fi person.

A

Awesome. Awesome. So Rubrik zero labs just put out a new report. This is as of last week. It's titled Identity Crisis Understanding and Building Resilience Against Identity Driven Threats. Boy, that is a big topic. I know we've talked a little bit about this in the past as well, but just give me a high level overview of the findings. What stood out to you? Was there anything that surprised you in the report?

B

Actually, I don't think so, Caleb. It was more validation and verification of a lot of the assumptions that I've had and that I think the industry as a whole has sort of assumed. So I mean I can give you just a, you know, a couple of quick statistics that are in the report that I think will directly sort of support everything I was just saying. So like 90% of it and security leaders surveyed agreed that identity driven attacks are the top threat to their organization. And I think one of the main reasons to that is most environments nowadays, and I said this before, alluded to it at least in my last, in the last big Zero labs report in April, where the perimeter is no longer the network identity is the new perimeter. Right. You've heard me say that previously. So as a result of that, it's because of environments being hybrid, you have on prem assets, you have cloud assets and not just one cloud, but many different cloud environments, SaaS, applications and then the, the, the introduction of a new wave of identities, mostly non human identities in that regard has, has significantly grown. So for instance, I believe non human identities outnumber human identities something like 82 to 1. And so that's quickly going to become a hard problem to manage mainly because we're used to dealing with human identities and managing access and monitoring the activity of a, of a human. But what's really going on when of every human identity there's 82 non human identities. Right. And they can consist of different, like API keys to service accounts and things of that nature, so. Or AI agents, which we'll get into. So when you have that sort of spike in exponential growth of, of a non human identity space, what's really the, the threat landscape at that point? Is it really the human or from a threat actor's perspective, are you going to start targeting the, the footprint that is vastly larger and by as a result of that, harder to monitor and detect real threat activity when you have such a wide variety of different types of identities and not a singular technology can necessarily monitor all of those identities like a human identity. Right. Because there's just different variations. Like you need a way to monitor your APIs in your API access. You can't do that's not the same thing as monitoring other non human identities like an agent, an AI agent. That's a different thing. So you have to figure out all different ways to monitor, detect and respond to these types of things.

A

Right. So organizations are kind of juggling all of these different priorities in terms of different types and styles of identities, if you will. And it seemed like from the report there wasn't necessarily one, one type of identity that bubbled up to the top. That was, you know, the consensus of this is the biggest concern. I'm sure that resonates with our audience. Everybody's really kind of juggling everything at once. But if the situation is that everything's all on fire at once, which one do you prioritize that?

B

I don't think that's an easy question to answer. In many ways I think it's going to depend on the organization because like a bank for instance, is not going to prioritize the, their identities the same way as a retail organization just because the nature of the environment that they operate within is entirely different. The rules, regulations are entirely different that they have to follow there. I mean, there are some, you know, similarities along the way, but ultimately the crown jewels are entirely different. So for one, I think you have to take that into account whether if you're a ciso, a security engineer or a consultant working for a number of different companies, you have to understand the organization first and then understand what makes that organization minimally viable. So when that business or organization goes down, loses and continuity ceases, what is the quickest way to achieve or get back to continuity and back to not necessarily full business operation, but viable business operation? And I think that's a distinction we need to make because right now it's just recovery operations. Is more like, oh, back to full business operation. That's not necessarily the best way to go about it. Because when we talk about prioritization, to get everything back online is not easy. It takes a lot of time and there's a lot of things that could be. There's a load order, a restore order, so to speak, an order of operations. So that I think in terms of prioritization is what organizations need to figure out for themselves. What is the order of operations for recovery? If I have a major application and there are a set of identities, human and non human, there's a set of connections to different databases via APIs and stuff like that, one of the most important things to probably do at that point is have a really solid asset mapping tool and map out your dependencies. Because if you have a major, if you're an E commerce business, for instance, your main business is the website.

A

Right.

B

So what are the key things to get that website back online in a minimally viable state as quickly as possible? So by having that order of operations in place, understanding the criticality of each asset that's associated with that website, you can then prioritize, okay, well, I only need these three non human identities to talk to these three databases or whatever the case is, get those databases online, get those data identities secure and operational, been prioritized that way. That way you're not restoring the website in full capacity and maybe ignoring the dependencies that don't really, that aren't critical to your operation and will slow you down so you can get back to business maybe in a day or two or a few days rather than a few weeks. And I think when we talk about prioritization, it's more of a holistic approach of understanding what makes your business minimally viable in order to just operate.

A

Right, right. You talked a lot about recovery there. And I want to read a couple of stats from the report about recovery that really stood out to me. So the first one was that confidence in recovery time seems to be decreasing. And 28% of respondents believed that they could fully recover from a cyber incident in 12 hours or less, compared to 43% in 2024. So don't quote me on my math, but that looks like about a 15% drop or a drop of 15%. And then another stat was of those who experienced a ransomware attack in the past year, 89% paid a ransom to recover their data or stop the attack. That's a really high percentage. And really, what do those stats combined together really tell us about the state of Resilience in the enterprise or in large organizations.

B

I think I highlighted the challenge in my last answer. So everything, I think that the stats that you just highlighted are exactly why businesses are paying the ransoms 89% of the time. Because when they go, because they're, they're not proactively doing this, mainly because it's not just a time investment, there's a money investment. You may have to purchase and procure tools to do this. You may have to have a third party consultant firm who has the expertise to do it, to come in and understand what your dependency mappings are for all your business critical applications and things of that nature. So you may not even have the expertise in house to actually to conduct this type of assessment and understand what's critically viable.

A

Right.

B

So that's one problem. And then when you face the attack, if you're not prepared, you haven't gone through that exercise, you're going through it during the ir. So once the investigation completes, forensics is done, they've understood like what, what the impact is, what the blast rate is, whatever you want to call it. And then we're going through remediation and recovery. That's the part where, well, now I wish I had the assessment and I understood like what it would take to get this, this business application back online. And a lot of times it's just that people don't know that like it's not something you think about necessarily until the time comes and you're in the situation the house is on fire and you're like, oh, you know what? I wish I had a sprinkler system inside my house. You know, it's like you don't really consider that until your house is burning because it's not a thought that crossed your mind. And resilience is a, is a newer sort of term for a longer existing thing. Like to me, resilience is a combination of a lot of different components and teams. For instance, ir, it legal like it involves a collective of organizations to operate and collaborate together, which lot of times in normal business operations they're not used to doing right. So a good example would be how often does IT and communications and PR really work together? Not that often, but they probably would work together more closely during an IR because it is working with security to do the remediation and then communications team is dealing with the external stakeholders that want to understand what's happening with your environment. So now you have teams that have never really interacted before, don't have relationships. So there's a Lot of things that happen. It's, it's not a simple, straightforward thing. So when we talk about 89% are paying the ransom, it's because they want to get back to business operation as soon as possible. Now I think that number will go down if, and I don't want this to necessarily sound like a, a promotion or anything, but one of the main issues is that threat actors are now targeting backup systems. And one of the main things, and we're seeing it with storm 0501, we're seeing it with Scattered Spider, we're seeing it with a lot of, not just random ransomware events, but actual threat groups doing this. And the reason is, is that if you own the backups, you own the business. Because if you own the backup data, there's no way they can recover and you can just threaten that will turn your business off because, because we own your backups. You know, a lot of times they do turn, basically shut the business down in a multitude of ways and then they own the backups anyway. But that's where the whole just double extortion comes into play. But that's the real problem. And why does that happen is because a lot of people. This goes back to my, our April discussion with hybrid cloud environments and data sprawl. People are using cloud native tools. It's as simple as that. When you rely on a cloud native tool that doesn't necessarily have the security features built into it or the protections or the abstraction layers that need to exist for things like authentication and authorization, those things, it becomes an easier target. And that's, it's really that.

A

Right, Right. I want to shift gears a little bit and talk a little bit about some other elements in the report that stood out. And we're going to talk about everybody's favorite identity right now. AgentIC AI and AgentIC deployments. So the report outlines that 89% of respondents have fully or partially incorporated AI agents into their identity infrastructure. That number stood out to me because I think it's a little surprising and maybe a little bit of an overestimate that some of the survey respondents are reporting. So what are your thoughts on, on the response from that survey? Is my gut instinct, right. That maybe people are over reporting how much they are. They are deploying AI right now in an agentic form.

B

I think what we have to really understand here is there are multiple functions, like a lot of different functions within a business. Right. Especially a larger enterprise. Then when we see a number that large where we're seeing like, oh, you know, my Business is going all in with agentic AI. Well what does that actually mean? Because from a security perspective I don't really see it happening. Like at least from a defender offender thing right now. It's like proof of concept. Like I know like my team, we've done a lot of research in terms of agentic AI and we have like a white paper coming out soon and there's like we're doing a lot of, we're focusing heavily on that because that's going to be you know, the backbone of a lot of future attacks. What I think Caleb is the, is more of marketing operations, sales operations. I think there's a larger footprint of AgentIC AI being deployed in ways that are not necessarily focused in a security context but more of just a general build business like operational context for instance, like you know, engineering. I could see that engineering making a large adoption of agentic AI just because of, that's where software is headed. Engineering is one of the first places that should adopt it because that's going to be the future. So you're going to see I think a large footprint of agentic AI in various or diverse parts of the business. But from a security perspective like a defender, we're a little more wary. We like it's not. Wary is probably not the right word. Put it this way, if I'm a threat actor and I'm going to attack your environment, I have a very talented team behind me and I'm running the operation. Why? If I've spent years as a nation state performing reconnaissance, understanding and learning everything about the target that I'm about to attack, why would I then all of a sudden go to an agentic AI framework? There needs to be a viable reason to do that. Until there is one, I don't think we'll see one an attack at scale. And the reason is, is because AIs still hallucinate. Humans to me in my opinion are still a lot more trustworthy. Especially when we're talking about a threat actor operation. They've built software or malware in that case they maybe compromise certain identities or first stage type of identities to further down exploit for lateral movement, stuff like that. Like I, there's a lot of trust you'd have to put into software, which is basically what AI is to take over a lot of those op sensitive operations that like one little mistake could burn your entire operation and like all of a sudden millions of dollars that your nation state has put into it is lost. I think that's too much of a risk for a lot of threat actors to actually do. Now on the other hand, if you're a less capable, less, and I will say less talented threat actor, right? Maybe more in the criminal sphere, you don't have the backing of the nation state, you don't have millions of dollars backing you in software development and, and all of that to do the reconnaissance. Maybe agentic AI is more viable for you because now you can, you know, delegate a lot of those tasks that you needed to get done to an AI that could help you and assist you do to, to execute the attack. Now it probably won't be at the level of a nation state, but it probably is still is, is maybe equally dangerous. But again, I think that's where the viability comes. Right? I'll use Brickstorm as an example. But the Brickstorm attack and attacking the hypervisor there are certain like thread attack vectors always exist. The, the attack vectors are always dictated by the architecture of your environment. Okay. So those vectors always exist. All the defenses that you put into place, the security controls, defenses, whatever, are there just to slow things down when an attack does happen so you can catch it, stop it and eradicate it. Okay. Prevention is possible, but it's not guaranteed. But that's effectively how it works. Now when we think of that perspective of like these threat vectors always exist because it's based on the architecture. Well, those threat vectors only become viable to a threat actor when it's feasible to do. It's not extremely complicated when they have tools to deploy that enable that attack to happen. But like the vector is there. So like that's how I see this, is that agentic AI is a technique that I think is going to be used, but until it becomes that hits that viability for threat actors to actually use that scale, that's an inevitability. But I just don't know when that timeline is right.

A

Well, that was actually going to be my next question for you because over half of the respondents in this survey thought that they that in the next year 50% or more of the cyber attacks that they deal with are going to be driven by agentic AI. And I know you've spent several years in the incident response world, so based off of that estimation, do you think that's overestimation, underestimation right on the nose. I mean you kind of just where we're talking about that. But do you think that threat actors are going to start leveraging AI that soon in terms of releasing agents and what does that environment look like?

B

I think the viability might be discovered in it. Like I'm a little hesitant to jump on the bandwagon, say like we're going to see a nation state level attack using agentic AI this year, within the year. I think that's a stretch.

A

Maybe we will.

B

And I'm wrong. I mean that, that's always a possibility. But again I, I'm more of a risk averse type of person when, from an offensive perspective because you have to. Like when you, as a threat actor you're, you still have operational security. Operational security is one of the most important things as a threat actor because you don't want to be caught, especially if you're, if you're performing espionage. The whole point is to be quiet and subtle and to do that is to have as much control over the operators that are performing the, the, or executing the attack as possible. That's why I'm hesitant that agentic AI is really going to be leveraged in that space because of that. Because it's too much of a risk until it's proving not to be. On the other hand, where that's not considered a risk, I think we might see ransomware type of attack, criminal based attacks, destructive attacks, maybe like I could see it especially used in a warfare environment for lack of a better example like Ukraine, Russia type of situation. I could see agentic AI being leveraged heavily in those types of situations where everybody knows they're at war. Okay. It's not like a secret, but I think in terms of the higher level advanced type of attacks that involve things like espionage, I, I'm a little hesitant to see it used for that. But so yeah, I'm, that's how I see things. It's not that it's going to become more prevalent. I think it's, it will be become more prevalent in certain use cases until proven otherwise.

A

Right. A healthy level of skepticism, but always good to prepare for things ahead of time as best you can.

B

And that's from a defender's perspective. Like that doesn't mean we shouldn't prioritize and focus on it.

A

Right.

B

In fact it's the opposite. Like we should put a lot of our energy and focus into it to understand how agents can be exploited, how they're vulnerable, how they can be tampered and manipulated with. Because ultimately they're going to be the backend controllers of everything. So when we talk about command and control, you know, when we talk about the stat of 82 to 1 non human identities to human identities, that's a big command and control space to deal with and we have to understand it in order to defend it.

A

Right, Right. Well, Joe, thank you for joining us. I mean, you know, folks can learn more about all of these themes in the new Rubrik zero labs report. It's titled the Identity Crisis Understanding and Building Resilience Against Identity Driven Threats. I thought it was really interesting. I really appreciate you kind of unpacking some of the high level findings. But of course folks can go read more about it online and in the report. Where can folks find you and learn more about the incredible work you're doing. Other than that, the best place to.

B

Go is zero labs.rubric.com that's where we're posting all of our content, white papers, blogs. The annual report, like our our big identity report that's coming out will be posted there as well. That's the best place to find us.

A

Awesome. Awesome. Well, thank you for joining us again and until next time.

B

All right, thanks, Caleb.

A

Now for those of you watching on YouTube, you will see we had a little bit of a costume change and that is because everything prior to this moment in the conversation was recorded before Anthropic's report around agentic AI attacks was published. Joe's comments do not directly conflict with the report and his position remains the same. But thank you, thank you for listening. Until next time.