A
You're listening to the Cyberwire Network, powered by N2K. You know phishing is still going to work. I don't think we're ever going to get away from our end users being targeted. So it's going to look different again as MFA is everywhere, as AI agents become a broader part of the corporate environments. But people still have to log into their computers one way or another, and that is going to consistently be an area of opportunity for threat actors.
B
Hello and welcome to another episode of Data Security Decoded. I'm your host Caleb Toland, and if this is your first time joining us, welcome to the show. Make sure you hit that subscribe button so you're notified when new episodes go live, and if you're a returning subscriber, thanks for coming back to spend more time with us. Leave us a rating. Drop a comment below, let us know what you think about the episode. Your feedback really helps me understand what you want to learn more about and is the best way to support the show. Now today I am joined by a familiar face, Allison Wikoff from the PWC Threat Intelligence team, and her team released a report titled Annual Threat Dynamics 2026, and it addresses resilience in an identity-driven, AI-accelerated threat landscape. We're going to skip the "perimeter is dead" lecture, and today is all about the human to non-human identity ratio and identifying the behavioral traits of a state-sponsored saboteur before they get too deep into your network. Let's get into it. I really am excited to hear about this report that you guys put out, and I want to read a quote from there. So the quote is: as organizations adopt zero trust, adversaries will iterate with techniques to spoof device posture, abuse non-human identities and target AI-driven automated workflows. So for the practitioner whose board thinks, you know, we have MFA, we're safe, which realistically we both know that many organizations don't even have MFA. I think it's something like 50%. What should the SOC team be looking for in terms of session token anomalies today to start catching that kind of malicious behavior?
A
So you know, I think when we talk about intrusion activity, generally speaking, as an industry we've gotten a lot better in terms of understanding that it's not if but when, and also when there is an intrusion, it's not over. There are so many opportunities to detect it or stop it within your network. So whether you have something on the endpoint, whether you have found it via phishing, there are so many opportunities between the time the adversary gets in and when they achieve their actions on objectives. Now time is of the essence, depending on what type of intrusion we're talking about. But when I think about MFA and what we have been seeing, MFA is still best practice. We are seeing adversaries starting to work around it, which we knew, right. We've been talking about MFA for way too long. And we did say when there is more of a critical mass, we are going to see threat actors work around it. But generally speaking, fortunately we're not seeing a massive ton of it, which is good and bad. That means the old stuff still works, right? Right.
B
And so something I want to ask you about too is the NHI explosion. I mean there are different reports out there. Some of them say up to 82, some even say, I think I've heard, a hundred, where NHIs are outnumbering humans that number to one. Regardless, it's a huge number. And these aren't just service accounts anymore. So as organizations release AI agents, another non-human identity, into their environment, it's going to skyrocket even further. So what are some of the most common misconfigurations in these automated pipelines that regional actors are exploiting to gain that lateral movement?
A
So I think it's probably helpful to have people really understand what we're talking about when we're talking about non-human identities. These are the service accounts, the APIs, like you said, the AI-driven agents. And like you said, they are becoming a faster growing part of these types of things, and they're not seeing as much scrutiny as we would like. But the thing is these are designed to keep systems running, which means they typically have persistent access and elevated privileges. That's why they're so enticing to the adversaries. But it does create a gap, I think. The thing that we have to remember with these accounts is they move a lot like what an admin account that we historically have seen targeted looks like. So there's lateral movement. But I think, as automation continues to expand and we see more of these, we are going to have to see some of these defensive tools catch up with this.
B
Are there any specific misconfigurations that you're seeing that threat actors are leveraging today? Or any stories from the battlefield that you see in terms of how threat actors are leveraging these tools?
A
You know, fortunately we haven't seen a whole lot of it. I would say, when we talk about AI, really what we're seeing is that it is lowering the barrier of entry for a lot of threat actors. And we knew this. Right. But the conversation that we're having about AI today is a lot different than the one you and I even had the last time we spoke, which was about a year ago. And really everyone's using it, and we knew they were, right. It's really speeding things up in terms of how it's being used. Everything from reconnaissance to, we know they're vibe coding their malware as well. I mean, who isn't vibe coding right now? Right. With all of these great tools available, right?
B
Absolutely. And so I want to touch on something you mentioned earlier when we were chatting a little bit about MFA, and it's really this issue around identity. Since we know so many bad actors now are using legitimate stolen credentials to creep across and blend into the network, it seems like this noisy ransomware that we've seen historically has kind of disappeared. So if both a data thief and a state-sponsored saboteur are using the same type of valid admin account, what are the high-fidelity behavioral indicators that separate a ransomware attack from a threat actor aiming for sabotage?
A
Yeah. So, you know, it's tough, right? Because what we're seeing now, or what we've been seeing for years when it comes to ransomware activity, is that the threat actors are taking data off the network. So historically, when people thought about data exfiltration, they aligned it solely with the espionage-centric actors. But again, extortion is a huge part, sometimes the only part, of ransomware compromises right now. I think the big thing is detecting that exfiltration, though, if you haven't detected them when they got in or as they move around your particular network. And then from there, it's what are they taking? Right. So that can be a good indicator of who specifically is in the network.
B
Something that really stood out to me when I was taking a look at the report you put out was that healthcare and medtech providers are some of the biggest targets for threat actors. That's something that we've known for a while now. But these geopolitical conflicts, where nation states are waging a cyber operation in tandem with high-intensity kinetic conflict, are really exacerbating this attack vector. So from an architectural standpoint, what is the most effective way to air gap these critical environments without breaking the automation that healthcare workers are relying on every day for their productivity?
A
Yeah. So I think the challenges with these types of organizations, these sectors, one is, they really sit at the intersection of critical operations, sensitive data, highly connected systems, like you said. So it's tough from an exposure standpoint. There's not a silver bullet or a fancy tool that you can buy to solve this problem, and when there are organizations like these that have some sort of event, we see the effects because it is just rippling. But I think when we're looking at these in particular, we have to look at just how complex the ecosystem of devices is. And it's usually very complex. That's one of the challenges. Who are your third-party vendors and your cloud services? So we've been talking about this actually a lot in light of what we saw over the past year. What we have seen with a lot of organizations that have critical operations that rely very heavily on third parties is having backup third parties. So we ran a tabletop exercise with an organization, I think it was last year, where it was a ransomware event and we ran it in terms of some sort of outage to their third party, and they fared very well in it because they had a backup, because this was a very important third party to a lot of critical parts of their operations.
B
Right, right. It goes back to mapping your dependencies, which is so important for any business that's trying to maintain continuity through a crisis like that. We had a really great conversation with Hayden Smith back in, I think it was December, where we talked about mapping those dependencies, especially when it comes to mitigating third-party risk. So if anybody listening hasn't taken a listen to that one, it was a really great episode over the holidays. So go check it out. But one other thing that was prevalent in your report that I'm just hearing so much more about across the industry is post-quantum readiness. And so a question I kind of have is, is this a future problem or is this something that we really need to start talking about seriously right now? And there's this concept of harvest now, decrypt later in terms of what threat actors are doing with data in a pre-quantum world. So can you kind of unpack what that means and then why this is a problem right now that we need to address?
A
So that's a great question. In layperson's terms, what the report says and what we're concerned about in terms of quantum is there has been all this collection of encrypted data with all of the different intrusions that we've seen, whether it be a ransomware event or an espionage-centric event. And right now a lot of this can't be decrypted, but quantum in particular will make that a moot point. And so this is where we're talking about quantum readiness as a concern. I know there's a lot of buzz around it, but we really have to think about, are we ready for that? Will this data remain sensitive over time? Is it something that ages out? So if you do lose something that's encrypted, maybe you're not as concerned about it, but if you know what it is, again asking yourself that question, is this going to be sensitive in X amount of years? I would love to tell you I will know when this will actually be seen in practice. But if I had that kind of crystal ball, I would probably be having a much different kind of conversation. But identity systems are so central to security architectures that those are the types of compromises that are really unique in terms of recovery challenges, and particularly because most of those systems are encrypting that sort of data. So there's a lot of forward planning that needs to be involved, and when we're talking about quantum, that's actually what we're talking about. So for me, it makes it a little less daunting when these types of questions come up.
B
Right, absolutely. And so with that forward planning, what are some of the steps you think organizations could be taking right now to prepare for that quantum readiness, so that they're not caught completely blind when the eventual quantum-ready day comes?
A
Right. So let's just continue on with the identity example. Right. So organizations are moving towards not just restoring systems, but re-establishing trust across their user base, their devices, their automated processes. And this is really what is required for some of that forward planning, specifically around identity. Right. So identity is, I don't want to say the new hotness, because identity has always been a really great way to get into an organization. But as you mentioned, in our report, really, that was one of the big findings this year. And we're not unique in that; everyone over the past 18 months, two years, has been saying threat actors are logging in, they're not breaking in. So focusing this readiness solely on identity right now is a really great place to start.
B
Absolutely. And to kind of piggyback off of that, many organizations treat identity as more of an IAM problem and backup as a storage problem. But your report advises that organizations prioritize identity governance up to even the board level to harden resilience. So if an identity system is compromised in a conflict scenario, what does a recovery look like for that in practice? And how do we ensure that we're not just restoring an adversary's backdoor that they already had set up?
A
Right, so it's rebuilding a system from a known trusted baseline specifically to avoid that sort of thing. So if compromised systems are restored too quickly, you might bring back the risk that you were trying to mitigate in that particular instance. So recovery taking place in a more controlled environment, where every component, users, privileged accounts, service accounts, the trusted device relationships, is carefully validated before being reconnected to a production system, is what we recommend. This is a lot of prep, though, right? This isn't as easy as past recovery-type recommendations that the industry is mentioning. So it's everything from secure backups, documented processes, and a really clear understanding of system dependencies. And that, I think, is probably the toughest bit of it. But identity underpins everything in an organization, so restoring it securely is really foundational to a lot of this recovery.
B
So as we're kind of starting to wrap up a little bit here, for the listeners who see their organization's sector in your high-risk motivation table, which again, I thought it was so fascinating to see the breakdown there, what are the three specific hygiene metrics that they should report back to their CISO this week that actually correlate to reducing the blast radius of an attack?
A
So the practical takeaway is really where do you fall within a sector? But I know generally we love to talk about threats in sector-specific ways, and it is absolutely applicable, but it's not a one-size-fits-all approach to an organization. Look at the manufacturing sector. If you look at the wide swath of companies that are considered manufacturing, they all have very different threat profiles. So really focusing on what is the thing that you create, what is the thing that is most valuable to you, and what kind of threat actors would be interested in that sort of thing. So if we continue on the healthcare example, these are more exposed to financially motivated attacks. But you've got sectors like government, energy, telecommunications that face a higher level of the espionage-centric attack. So regardless of industry, though, the good news is the general hygiene still is the best way to defend against all of these attacks. So you've got the identity hygiene: reducing unnecessary admin accounts, regularly reviewing access. We've talked about that ad nauseam; we still need to do it, because that is still a great way to get into an organization. Second is the segmentation piece of things, or blast radius control, as you were saying. And so just ensuring that a single compromised entity, system, whatever it be, is not going to expose your entire environment. And then third, and this is a tough one too, visibility across all of your entities. So service accounts, automated workflows, I would love third parties or your vendors in there as well. And then practice: incident response readiness is so important. I know we have drilled that in as an industry pretty heavily, but expanding what that readiness looks like. So not just an incident within your network, an incident with maybe a specific type of account, maybe with one of your third parties, and really working through what an incident and recovery looks like with something like that.
B
So what are two inconvenient truths about identity resilience that security teams really need to start coming to terms with?
A
You know, just identifying all of those service accounts I think is always tough. And particularly now that we've got AI really being incorporated into every single network. What do those AI agents look like and how do we secure them? I think that is the new frontier when we're talking about identity. Phishing is still going to work. I don't think we're ever going to get away from our end users being targeted. So it's going to look different again as MFA is everywhere, as AI agents become a broader part of the corporate environments. But people still have to log into their computers one way or another. And that is going to consistently be an area of opportunity for threat actors.
B
Absolutely. I'm the oddball in my family. Everybody else is in healthcare. My sister was a nurse. My parents are both respiratory therapists. And when I talk to them about security stuff, they're like, oh, I get these emails with these monthly training things, like phishing is a thing, but there's actually no phish involved in it. And I said, yeah, that's important. You should pay attention to those. Don't just skip through it. It's very important, especially in the industry that you're in. So that's a very good one. Well, Allison, my last question for you is, what is the single most important message that you want to leave with our listeners today?
A
It's not all as scary as you might be reading. A lot of the basic hygiene that we've been talking about for years is still going to combat the majority of the threats that we're dealing with.
B
Absolutely. And I love leaving it on a positive sentiment. So, Allison, thank you so much for your time again. It was great to have you on for a second time. Thank you so much. And until next time, thanks. That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, please subscribe wherever you listen and leave us a review on either Apple Podcast or Spotify. Your feedback helps me understand what you want to hear more about. And if you want to reach out to me directly about the show, shoot us an email@data-security decoded2k.com. Thank you to Rubric for sponsoring this podcast. The team at N2K includes senior producer Liz Stokes and executive producer Jennifer Ibin. Content strategy by Mayan Plout. Sound design by Elliot Peltzman. Audio mixing by Elliot Peltzman and Trey Hester. Video production support by Bridget Krikey Wilde and Sorrel Joppy. Until next time, stay resilient.
Date: April 14, 2026
Host: Caleb Toland
Guest: Allison Wikoff (PWC Threat Intelligence)
This episode dives into the changing threat landscape of identity-driven and AI-accelerated cyber attacks. Host Caleb Toland and guest Allison Wikoff explore findings from PWC's "Annual Threat Dynamics 2026" report, including how adversaries are leveraging both human and non-human identities, behavioral detection of sophisticated intruders, misconfigurations in automation, and the realities of post-quantum threats. The conversation provides practical advice for SOC teams and executives aiming to improve resilience and respond to today's and tomorrow's threats.
On MFA and “Old Stuff Still Works”:
On Quantum Readiness Anxiety:
On Identity as the Foundation:
On Sector-Specific Threats:
Final Note of Reassurance:
This episode balances deep technical insight with actionable takeaways, highlighting the evolving nature of identity attacks, both human and automated, and underscoring the importance of visibility, strong hygiene, and practical resilience planning in a post-perimeter, soon-to-be post-quantum world. Despite advanced threats, consistent fundamentals remain a protective force for any organization.