
In this episode of Data Security Decoded, host Caleb Tolin speaks with Troy Wells, Intelligence Officer at FS-ISAC and former U.S. Army intelligence officer. Troy shares how financial institutions can strengthen resilience through collaboration, practical response strategies, and careful adoption of new technologies. From fire-safety lessons that bring clarity to prevention, detection, and response, to the real risks of AI and cloud missteps, Troy lays out a clear view of the threats shaping the financial sector today.

• Why prevention, detection, and response should be seen as a cycle, like fire safety drills, rather than siloed functions
• How AI models act as calculators and AI agents as interns, and why both need governance, training, and oversight to be useful
• Real examples of how cloud misconfigurations exposed sensitive data in major enterprises and what resilience planning looks like in practice
• The three threats to watch in the next 24 mont
A
Threat actors increasingly are spinning up cloud instances to launch attacks. And if a bank auto blocks entire IP ranges tied to a recent campaign, they may end up cutting themselves off from legitimate services that they rely on. In some cases, that self inflicted disruption could cause more harm than the attackers would have been able to cause if they'd just gone undetected in the first place.
B
Hello and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolan, and if this is your first time joining us, welcome to the show. Make sure you hit that subscribe button so you're notified when new episodes go live. And if you're already a subscriber, thanks for coming back. Give us a rating, drop a comment below, let us know what you think about the show. Your feedback is invaluable to us. Now, in this episode, I had the pleasure of sitting down with Troy Wells, an intelligence officer for the Americas region at FS-ISAC. Troy has extensive experience in cyber threat intelligence, strategic risk and national security, having served in the Army, at the FBI Cyber Division and at CISA. We had a great conversation about cloud migrations, resilience strategy, and how AI agents are reshaping the way banks approach security. I've left you waiting long enough. Let's dive in. Troy, thank you for joining us on the podcast, and I'd love to, you know, go a little bit into your background. So you spent most of your intelligence career in the public sector, starting in the Army as an intelligence officer. Now you're managing intelligence for the Americas at FS-ISAC. What inspired you to make this transition from national security to banks and financial institutions in the private sector?
A
Yeah, well, thanks, Caleb, and I really appreciate you having me on today. So I started my career in the Army, where it was always mission first, protecting people and critical national interests. The principles were pretty simple. Success depends on teamwork and trust, and resilience comes from collaboration. As an intelligence officer, I learned early on to always be asking questions like, what do I know that others need to know? And how do I make sure they find out? So after I got out of the Army, I spent a little time in consulting, helping organizations build and improve their security operations centers (SOCs) and fusion centers. That gave me a new perspective, shifting from the national and multinational level to seeing how an enterprise handles security challenges day to day. From there, I joined CISA, the US Cybersecurity and Infrastructure Security Agency. Doesn't exactly roll off the tongue. I hope they change that, to be honest. There I focused on protecting the US financial services sector. And that's where it really clicked for me that the US financial system is, in a way, the beating heart of the global financial system. But a heart doesn't survive without the body. It's all interconnected, and you can't protect one without, you know, protecting the other. Right. So joining FS-ISAC was a natural next step for me. It's really about just the bigger picture: if you want to protect the financial sector, whether it's the US or globally, you need to protect the whole system. Right. So continuing service here at the FS-ISAC, my mission didn't end when I left the Army. It just evolved. And the same principles still apply. Success depends on teamwork and trust. And no single bank or institution can defend alone. Resilience comes from collaboration and shared intelligence. And as my job title is once again intelligence officer, I'm still asking, what do I know that others need to know, and how do I make sure that they find out?
B
Awesome. So you've had really incredible experience both across the private sector and the public sector. And so I'm sure you've heard a lot of this from your peers. But a sentiment growing in popularity in security is that prevention alone is often not enough. So in your opinion, how should financial institutions balance preventative controls with detection and response strategies?
A
So that's a great question, Caleb. I actually had just celebrated my twins' fifth birthday at a fire station, which I didn't know until recently you could do that, and would strongly recommend.
B
Congratulations, first of all, there.
A
Thank you. Yeah, it was a good time. So fire safety analogies are really coming to mind for me right now. So prevention, detection and response in cybersecurity really aren't that different from the basics of fire safety. Prevention is like doing everything you can to stop a fire from starting in the first place. Things like teaching kids not to play with matches, keeping flammable materials stored properly, or making sure your wiring is up to code. In cybersecurity, that's the equivalent of patching systems, using multi-factor authentication and training employees to spot phishing attempts. But prevention, of course, alone isn't enough. Just like every home and building needs smoke detectors, financial institutions need strong detection capabilities. That means monitoring systems, using threat intelligence and sharing information through organizations like the FS-ISAC. So you're not only seeing the sparks in your own house, but you're also learning if fires are starting in the neighborhood. And then finally, response. Even with good prevention and detection, you have to plan for the possibility that a fire breaks out. Right. That's why we practice fire drills and why firefighters rehearse their playbooks. They don't all call it playbooks, of course, but that's, you know, that's essentially what it is. In the financial sector, that means having a tested incident response plan, running tabletop exercises, and aligning cyber response with business continuity and crisis communications so you can contain damage and restore operations quickly. So summing it up, prevention, detection, and response aren't separate. They're complementary. Together, they create resilience, which is ultimately about keeping people safe, protecting critical assets, and maintaining trust in the financial system.
B
Cyber resilience is incredibly important, and I know it's such a growing topic throughout all industries. And another one that's really popular right now, AI. You know, we had to talk about it. So AI agents are a huge topic across practically every vertical. It's not, you know, unique just to financial services, but what are unique opportunities and risks that AI poses for financial institutions, and how should they approach adopting these new technologies while remaining secure?
A
All right, so I guess we can check that one off on the cybersecurity podcast Bingo Card. Right? So AI is definitely on everybody's mind right now, including ours here at the FS-ISAC. So first, I'd like to distinguish between AI models, which can help you research, organize, and correlate information, versus AI agents, which can use that information to act on your behalf. I like to think of AI models kind of like using a calculator in math class. It can speed things up tremendously, but ideally, it's speeding up things you already know how to do. If I'm sitting in calculus class, but my knowledge doesn't extend past algebra, the calculator is fairly useless for me. I don't know what input to put into the calculator, and I have no idea if the calculator is giving me the wrong answer. Well, the same goes for AI models. You still need to understand the proper inputs, the steps, and you need to be able to quickly recognize when the output doesn't make sense. What makes AI models scarier than calculators, though, among the many things, is that, in a way, it's too polite. It will take Troy's, you know, my nonsense, incoherent inputs, treat them as if they make sense, and then provide answers that can seem very reasonable to the untrained eye. On the point of AI agents, they are different from AI models. AI agents are more like having a really smart, motivated, and fast intern helping you out. They can do a lot of work quickly, but they're inexperienced. You have to give them clear instructions, set guardrails on their actions, and make sure that if they misunderstand something, it's an inconvenience, but not a major problem. You also, of course, need frequent check-ins, line-by-line reviews of their output, and a commitment to training them in the first place and to continuous training. Just like interns, AI agents won't be competent on day one, and they require ongoing supervision and feedback to become useful.
Now, in terms of opportunity, AI can already help analysts sift through massive volumes of data, spot anomalies in real time, and even correlate threat indicators across systems in ways that would take humans hours or days. And AI agents in particular can automate repetitive work: triaging low-level security alerts, drafting first-pass reports, or helping customer service teams handle routine inquiries. That efficiency lets people focus on higher-level strategy and judgment, which is where the humans are going to add the most value relative to AI. Now, some at this point might be thinking, well, with that much hands-on supervision required, you know, in order for me to use AI, is it really worth using the AI? Because you're just kind of raising the threshold of, like, you know, at what point does it make sense to use AI versus doing it, you know, manually or the old-fashioned way? Right, and I would say that that's exactly right, because that threshold, in my opinion, should never have been lowered in the first place. I think we should always be looking at it with that additional kind of scrutiny. And if the appropriate amount of scrutiny means that the AI is not quite worth it compared to doing it manually or the old-fashioned way, that's okay, right? That sort of calculation should always be happening. So additionally, on the risks of AI, AI models can be manipulated with poisoned data, or of course produce biased or misleading outputs due to potentially poor training data, or more prominently these days, bad prompt engineering, which is a whole other issue. AI agents, if left unsupervised, can hallucinate or just make decisions built upon decisions, upon decisions that are leading in totally the wrong direction. Right? And you can have huge unintended consequences.
So yeah, and then attackers are also weaponizing AI for all the things that you've probably already heard about: crafting highly convincing phishing emails, automating reconnaissance, and testing defenses faster than before. So for a sector like the financial services sector, which is really built on trust, even a small AI-driven mishap can create outsized regulatory, reputational or financial risks. So circling back to kind of the bigger question of how organizations should adopt this responsibly, there are four main points I would focus on. First, treat AI as an augmentation tool, not a replacement for human judgment. You know, right now I'm a leader of intelligence analysts, but I can tell you I came up as an analyst myself and I will always be an analyst first, and you can't AI away the analysis.
B
Right.
A
So you can't replace human judgment with a tool.
B
Right.
A
Second, establish governance early. Define what data is being used, who is accountable for outputs and how results are validated. So the accountability piece is huge. And that's why, again, you should treat it as a tool, but, you know, somebody is responsible for the outputs of that tool, for how it impacts operations, impacts your work, impacts your customers, clients, members, et cetera.
B
Right.
A
Third, apply the same security rigor to AI that you would to any other critical system: testing, monitoring and red teaming models to look for vulnerabilities. And to that point too, I've noticed kind of a trend where some folks seem tempted to treat AI agents as users rather than tools. And I think that's a very, very important thing, that they should treat them as tools and run them through the normal processes you would for tools rather than users. Right? Users you're naturally going to have, I think, you know, because they tend to be human beings, so you're going to have more trust for them.
B
Right.
A
But the tools, you know, you don't care if their feelings are hurt.
B
Right?
A
And that's kind of how you should treat AI agents, especially, you know, from the security perspective. So, and speaking of the security perspective, my fourth point is that in most cases, I believe security teams should be the ones to pilot AI and AI agents first. They're best positioned to stress test the tools, identify gaps and put guardrails in place before rolling them out enterprise-wide. So that way, when the rest of the business adopts these technologies, if they adopt them, they're doing it on a secure foundation with lessons learned already baked in. So in short, an AI model used appropriately is like a calculator. It speeds up what we already know, or it should speed up what we should already know. Right. AI agents are like really awesome interns. They can add huge value, but only with appropriate oversight and training. The institutions that succeed in using AI will be those that balance innovation with discipline, making sure AI is used to strengthen, not weaken, the security and resilience of the overall financial system.
B
Right, yeah. And I definitely think the point that you made there towards the end about how security teams need to be the ones that are piloting AI, that is so, so true. And you know, all organizations to some extent are going to be adopting AI, whether they know about it or they don't. And that's a really good way to combat that issue that's going to emerge for everybody who's not proactively thinking about how they introduce AI into their systems. You know, nip that shadow AI idea in the bud and be the first people to champion that technology. So that's a great point. Now, kind of looking back a little bit on your career too, your time with the FBI and CISA and now at FS-ISAC, what are some of the lessons about threat actor behavior that are most relevant to banks adopting modern cloud-based infrastructures today?
A
Oh, so yeah, that's definitely a big one. So the move to cloud and multi-cloud environments has brought tremendous flexibility to the financial sector, but it's also created some new challenges. So we've seen incidents where a simple misconfiguration exposed highly sensitive data. For example, in 2024, a major US healthcare provider left millions of patient records exposed due to a misconfigured cloud database. And even earlier this year we had a major tech firm disclose that a cloud server misconfiguration exposed tens of thousands of customer records. So these examples highlight that cloud risk isn't hypothetical, it's very real. It can happen to anyone, even major healthcare or tech companies that are well resourced and that do take their security very seriously. So how do organizations build resilience against these issues? Three main things that come to mind. First, they need strong cloud security posture management, things like continuous monitoring and automated remediation of risky settings across, you know, AWS, Azure, Google Cloud, et cetera. And then second, they have to get a handle on data sprawl by classifying and tracking sensitive data, limiting who can access it and enforcing data retention policies. I can tell you this is something at the FS-ISAC we see a lot of, where a member will have something exposed on some software-as-a-service platform somewhere out there. And initially they're like, okay, it's not a big deal, because only this type of data should be in there. But then later on they find out that it is a big deal, because data had been mislabeled or just not labeled and the wrong kind of data was in the wrong place. Right. So the stuff that was exposed was actually much more sensitive than it should have been. So yeah.
And then the third point on building resilience against these potential cloud issues is that resilience needs to be baked into the architecture from the get-go. Redundancy across clouds, exercises to simulate outages and integrating cloud risk into business continuity planning are a really good place to start. So there's also an important nuance around threat intelligence. Now, that is very near and dear to my heart, of course. As companies move to the cloud, they need to be extra careful with the IOCs that they ingest and what they choose to automatically block versus monitor. Threat actors increasingly are spinning up cloud instances to launch attacks, and if a bank auto-blocks entire IP ranges tied to a recent campaign, they may end up cutting themselves off from legitimate services that they rely on. In some cases, that self-inflicted disruption could cause more harm than the attackers would have been able to cause if they'd just gone undetected in the first place. So the overarching answer is really balance: validate and contextualize intelligence, use automation wisely, keep humans in the loop, don't, you know, automatically block things.
B
Right.
A
And don't just assume that because it's cloud and it's new and it is, you know, quote unquote, better, you know, which may or may not be the case, right, that it also means less due diligence, less attention has to be paid to security, et cetera.
B
Right.
A
Because that is the wrong attitude.
B
Right, right, absolutely. And I'd add one little extra point there at the end, too, to say another thing that you need to consider before, you know, you make some massive type of cloud migration is having a recovery strategy in place too, so that when something potentially does go awry with your cloud-based data, then you have a recovery ticket in your back pocket that you can pull out to kind of help you save the day. So I agree with all of that for sure. And speaking of cloud, you mentioned there are so many cloud-based attacks happening day in and day out. So from your perspective, looking at emerging threats like that, what do you think are some of the top three that will impact the financial sector in the next 12 to 24 months?
A
Well, it's always, you know, a risky business, the glass ball, right, crystal ball rather, and predicting the future. But I'd say I'm pretty boring in that I'd say none of the major threats that we're tracking right now are brand new necessarily. But what makes them emerging over the next 12 to 24 months is how they're evolving in scope, scale and sophistication. So the first threat I'd focus on is identity-based attacks. Phishing and credential theft have been around for years, but groups like Scattered Spider and others are pushing this further with, you know, SIM swapping, MFA bypass and social engineering against IT admins and help desks. Once attackers have valid credentials, they look like legitimate users, which makes detecting them very challenging. What's emerging about this is how seamless and convincing these identity attacks are becoming. So at the FS-ISAC we'll see attack infrastructure like a phishing domain or a credential harvesting domain get spun up, right? And within like an hour or two it has been used to great effect, right. And then they're changing the name, going on to the next victim that they're going to target, right? It's the same domain, they're changing the name, right? Or same IP address, but they're changing the name. And yeah, they are moving very, very quickly. That definitely stands out. So the second emerging threat is supply chain and infrastructure compromises. So again, it's not new, right? I know when I first showed up to CISA a while ago, my first week on the job is when SolarWinds broke, right. So, you know, big supply chain issues have been a thing for a while, right. So we've seen these things before, but things like the recent ArcaneDoor campaign are showing a new level of sophistication of attackers, and in this case, I should note, this is still very much emerging.
So things I say right now, you know, within the next couple of days or certainly weeks, our understanding could change on these things. Right? But attackers, as we're tracking now, exploited zero-days in Cisco ASA firewalls and potentially Firepower Threat Defense appliances, deployed custom malware implants, modified firmware to maintain persistence even across reboots, and even disabled logging to avoid detection. That is an escalation, targeting the infrastructure layer itself. For financial institutions, that's particularly concerning, because compromised edge devices give adversaries significant privileged long-term access, and that can cascade across the sector. So major, major, major thing for us to watch. The third threat, I would say, unsurprising to probably everybody, is AI-enabled threats. So AI again isn't new at this point. But the way adversaries are starting to operationalize it very much is new. We're seeing early use of AI for some of these things I mentioned earlier, the, you know, convincing phishing emails, automating reconnaissance, probing defenses at, you know, machine speed. Right. But I think the overarching issue, kind of the meta issue there, is it is dropping the barriers to entry very fast. Right? So a person that could not have gotten involved in ransomware attacks before, now they can, right? You know, they lacked the technical ability, training, experience to do that sort of stuff. Well, now they can do it.
B
Right.
A
And the people that may have been able to do it at a basic level are now able to operate at maybe an intermediate level, and the intermediate folks operating at an advanced level, and the advanced level operating at, like, you know, 24/7 ops APT level. Right. Like, it's pretty wild just how much it's helping the bad guys. And then of course, you know, yes, it can help the good guys too. But like, you know, all the recommendations I said earlier, right, pilot it with your infosec team or your security team, etc., the bad guys aren't doing that. They don't have to worry about any of that. They don't have to worry about regulation, and you know, them piloting it, it's just them using it. Right. And then the things that work, they'll do more of. And the things that don't work, they'll stop doing that.
B
Right.
A
So they, by nature of kind of being the bad guys, can innovate faster and try new things out faster and move on from things faster. So, bigger picture: while none of these three threats that I have mentioned came out of nowhere, what's emerging is the speed and sophistication with which they're evolving. I think that makes the next 12 to 24 months very important for resilience and collaboration across the financial services sector, as well as across sectors and countries and the globe.
B
Right, right. It's very interesting that you bring up those three in particular, because we've had some really interesting recent conversations on all of those, like Scattered Spider and identity-based attacks. You mentioned that. Actually, the most recent episode that we put out with Joe Hladic, for those of you listening, if you haven't listened to that one already, go check it out. That's all on Scattered Spider and identity-based attacks. Supply chain attacks, we also talked with Allison Wykoff, who is over at PwC running threat intelligence there. We talked a lot about that as well. And of course AI, we bring it into every episode. So like you said, it's nothing new, but we've been talking about that, and it's really important to make sure that people are keeping an eye on these things. So, Troy, it has been fantastic having you on the podcast. Thank you so much for joining us. Before we go, where can organizations find you and learn more about the incredible work that you're doing?
A
Yeah, thanks, Caleb. I really appreciate that, and it's really an honor and privilege to be on with you today. And I would also plug those same episodes. I myself listened to them and found them quite insightful. So definitely recommend going out and giving them a listen. The best place to find these is really through FS-ISAC. So our website, FSISAC.com, highlights the work that we're doing to help the financial sector protect itself and collaborate more effectively on cyber and, increasingly, fraud threats. For current FS-ISAC members, especially those with Intel X, we are publishing a steady cadence of threat intel reports, hosting communities of interest and running global exercises that bring together experts from across the sector, just to name a couple of things. And if you're listening from a financial institution and you're not yet engaged with FS-ISAC, I definitely encourage you to check us out and see how we can support you and your security and resilience efforts. Personally, I'm also active on LinkedIn, where I share some of our public reports. I try to be better about sharing perspectives, although it doesn't come naturally to me. I'm working on it, and updates on emerging threats as well. So at the end of the day, the real value comes from the community itself. FS-ISAC really isn't just about what my team or any of our other excellent teams here are producing. It's about our members working together, sharing intelligence and building resilience collectively. That's where the impact is really happening, and that's where people can find me and the work that I'm most proud of. So again, thanks, Caleb, really appreciate it today.
B
Thanks again, Troy. And yes, so, right, check out the other ISACs as well. There's one for financial services. There's also many others under the kind of critical infrastructure umbrella as well, so check them out even if you're not in financial services. But Troy, again, thank you so much for your time and until next time, awesome.
A
Thank you, Caleb.
Episode: Three Threats Reshaping Financial Services: Identity, Supply Chain, and AI
Date: October 14, 2025
Host: Caleb Tolan (Rubrik)
Guest: Troy Wells (Intelligence Officer for the Americas, FS-ISAC)
This episode of Data Security Decoded focuses on the evolving threat landscape facing financial institutions, specifically how identity-based attacks, supply chain compromises, and AI-driven threats are reshaping cyber risk management. Host Caleb Tolan sits down with Troy Wells—an experienced intelligence officer with a background at the U.S. Army, FBI Cyber Division, and CISA—to discuss practical strategies for resilience, the unique challenges brought by cloud migration and AI adoption, and the necessity of collaboration in the sector.
[01:36] Troy reflects on his journey from the U.S. Army and FBI to FS-ISAC, highlighting the sector-wide, mission-first mindset and the importance of teamwork and trust.
Quote:
"The US financial system is, in a way, it's the beating heart of the global financial system. But a heart doesn't survive without the body. It's all interconnected and you can't protect one without... the other." (02:31, Troy Wells)
Troy emphasizes the critical role of intelligence sharing and collaboration for resilience.
"Prevention, detection, and response aren't separate. They're complementary. Together, they create resilience, which is ultimately about keeping people safe, protecting critical assets, and maintaining trust in the financial system." (05:28, Troy Wells)
"The institutions that succeed in using AI will be those that balance innovation with discipline, making sure AI is used to strengthen—not weaken—the security and resilience of the overall financial system." (13:04, Troy Wells)
“Cloud risk isn’t hypothetical, it’s very real. It can happen to anyone, even major healthcare or tech companies…” (14:33, Troy Wells)
[18:08–22:42]
Troy identifies and elaborates on the three threats he views as most urgent in the next 12–24 months:
"No single bank or institution can defend alone. Resilience comes from collaboration and shared intelligence." (02:25, Troy Wells)
"AI agents are more like having a really smart, motivated, and fast intern helping you out—they can do a lot of work quickly, but they're inexperienced." (07:34, Troy Wells)
"Don't just assume that because it's cloud and it's new… that it also means less due diligence, less attention has to be paid to security." (17:09, Troy Wells)
| Timestamp | Topic |
|-----------|-------|
| 01:36 | Troy Wells' background and mission in FS-ISAC |
| 03:52 | Balancing prevention with detection & response |
| 06:07 | AI's role, risks, and recommendations for financial services |
| 13:56 | Cloud migration: lessons, mishaps, and architecture resilience |
| 18:08 | Top 3 emerging threats: Identity, Supply Chain, AI |
| 22:45 | The increasing speed and sophistication of attacks |
This episode featured Troy’s accessible analogies, pragmatic guidance, and a strong emphasis on sector-wide collaboration. The dialogue was candid, occasionally humorous (e.g., “cybersecurity podcast Bingo Card” jokes about AI), but always grounded in practical reality—ideal for practitioners and leaders alike.
Financial services face accelerating risks from increasingly convincing identity attacks, supply chain exploits targeting infrastructure, and the operationalization of AI for both defense and offense. The path forward is resilience through vigilance, collaboration, rigorous processes, and always keeping skilled humans in the loop. As Troy puts it:
"You can't AI away the analysis." (10:48, Troy Wells)