Loading summary
A
Hello everyone, this is Tom Uren. I'm here with the Grak. G', day, how are you?
B
G', day, Tom. I'm fine, and yourself?
A
I'm well. This edition of Between Two Nerds is brought to you by Sondera. They wrap harnesses around AI agents so they can't go rogue. Find them@sondera AI. So you forwarded me this paper and it's by Vladimir Daran. Denis Yastchuk. So they're both associated with the Ukrainian ssscip, which is their cybersecurity authority.
B
Right.
A
So they've got hands on experience and high stakes cyber stuff that's been going on for the last several years. And the title is Rethinking Exploitation in Cyber War. Reassessing the Role of Software Exploits in Wartime Cyber Operations. So the summary that I've got here at least, is that they are arguing that Western cyber strategy systematically overweight software exploits relative to what wartime operations actually run on. So I think it's an interesting paper because it actually has metrics from Ukrainian experience about how often exploits zero days are used in a real wartime environment.
B
Right. So it's not even just zero day, it's any exploit at all.
A
Right.
B
So even end days and known and unpatched existing vulnerabilities. Part of what makes their findings robust is that they compare it to like the dbir, like the database of incident response by I think Verizon.
A
The Verizon Data Breach Investigations Report.
B
I had all the right letters. The dbir. Right, okay. So yeah, the Verizon DBIR report that also looks at like how many breaches were the result of phishing or exploits, whatever. And they both came out at about 20% were from exploits.
A
Right, right.
B
And I think that that feels right
A
to me right now. If I was to push back, I would say that those are both reports that deal with the, I'm going to say unwashed masses in the sense that this is something that you're doing for mass exploitation. Right. In a war, like there's a lot of stuff you want to do, like a vast swath of stuff. And similarly, DBIR deals with everyday cyber criminal stuff. Right.
B
One of the caveats that they bring out.
A
Yeah, right. That makes sense in terms of it's a special case where they're particular pressures. And so you would expect that in some sense those special pressures reveal more because you're under pressure, but maybe they also reveal just a particular case. I mean.
B
Right. My feeling is that given that these wartime pressures create a breakdown in numbers that matches the Peacetime stuff from the dbir. And it's very similar to the M Trends report, which is another of these big sort of survey things. I think that it might be wartime, just makes it bigger, but it doesn't change the composition necessarily. Right. So it might increase the volume but not fundamentally alter the way that it works.
A
I don't know if this is true, but maybe for the particular high impact or high importance targets, it's a different story. Of course, it's a lot harder to get firm data on that different story. But that I think is one argument that leaves at least a question in my mind.
B
Right. So the way that you're going, and I agree with this, is that this would be like saying snipers do not exist because if you take the average of all of the soldiers and how good they are. Yeah. There's literally no one who can do a headshot at more than, you know, 100 yards.
A
Therefore we've got a few anecdotal stories about a general being hit from, but it's irrelevant.
B
I mean that's just, that's not going to happen is what I'm saying. It's like it might have happened in the past at some point, but it's just not a thing that exists. And you could look at the numbers and the numbers will show. Yeah. So yeah, like that's like. I'm willing to accept that there is this like elite group of high end operators doing high end stuff with their special tooling, but I would also say that as the great unwashed masses, they don't care about me or you, whatever.
A
Right, right, right. I mean to me it's not clear. Right. It's not certain that they are zero day maestros because there's just no firm data about it. Probably I would guess that sometimes they are because they have to be, but I don't know that the mix. How different the mix would be because I would think that if they don't have to be, they won't be. Because why would you. Seems like a lot of work if you can just avoid it by doing something else. Right.
B
So one of the particularly interesting things from this paper is they find that all of the exploit use that there is is an initial access. So it's at the perimeter. So that there is some exploit use. But when it exists it's always for gaining that initial foothold that initially getting in. Sometimes it's used for privilege escalation from there. But it's very much like step one exploit. If you're going to exploit you're going to do it at step one, but then after that it's all living off the land sort of stuff. It's like just once you're internal, it's credentials, it's network shares, it's much more just exploiting the network topology as you move around from system to system.
A
How many examples do they have? Do you know, like how many incidents they used?
B
46.
A
Right.
B
And the criteria that they used was it had to be a thorough enough forensics investigation that they knew what was happening. Right. So they didn't take like an incident occurred. That's all we know. Like that didn't. They needed something where they could see like enough of a track record to go like exploit was used here but net login was used there. So they could then.
A
So there is some sort of selection there. And in fact it would make me think that they're selecting for breaches that are actually more important because you, if it's not an important breach, you're not going to spend time coming up with an investigation and a report right in
B
a wall if they included that many mom and pop shoe stores in their data set.
A
So it makes you a bit more confident that this applies more broadly, but not necessarily. I think my previous comment still stands. Right?
B
Yeah, I do agree and I think part of the problem is. I don't know how much I agree right, in that it's the. Is this small amount of people who do use O day that do exist, is it a fraction of 1% and they only use it a fraction of 1% of the time or is it like 10% and they use it 90% of the time but they're just so good, we never see them. And so it's like all.
A
Yeah, yeah. To me it does seem unknowable. I think it would be likely that the percentage would be different, but.
B
And I think it would be target dependent and then that becomes sort of like. I think there's just so much stuff that it's very hard to say. Like what is the average intelligence operation? Right.
A
Yeah, that's right. What is the average of compromising Xi Jinping, Vladimir Putin and Kim Jong Un? There is no average, it's all.
B
And the Shanghai University of Technology, some things are like, you have to be super high end. Other things, you can email someone a router and be like, hi, we're sending you that free router you wanted. Please plug it into your network and they'll be like, oh cool, free router, right. So I think it's very hard to quantify But I think that the numbers they get at are not, I don't think they're meaningless. I don't think that you could look at this and be like this doesn't, this doesn't tell us anything because there's this unknowable, like this unknowable quantity out there that just throws everything off. I think that, that, that would be an unfair.
A
Yeah, the way I describe it is that there's an unknowable category that will probably always be unknowable. And this doesn't necessarily speak to that, but it speaks to the knowable category, which I think is a lot larger.
B
Right. Like the things that they're getting at, you know, like there's this 20% of these intrusions used in exploit and then almost all of them only use it at the edge. And then afterwards it was all internal and all. I think Rob Joyce spoke about it as well. The way that these top tier operators succeed is that they know the network better than the defenders do. That's not suggesting to me that we succeed because we have better exploits. He's saying we understand the environment better and we're able to exploit that environment and take advantage of it. Not buffer overflow, everything that looks at us funny. Right. And from my experience doing pen testing, that's the sort of like crunchy on the outside, two in the middle is, has always been the case.
A
Right.
B
I've never encountered a good segmented, like well defended place. That's obviously a bias and you know, the clients that I had back when I was doing it, but I do think that that's probably still the general experience.
A
Yep. So the paper then moves on to talk about, I guess a conceptual model where the acronym is ACCORDIA and that stands for access control organization, research, development, infrastructure. So what's the point of that model? What are they trying to get at?
B
In a way what they're doing is that they're pushing back against the Max Meats recipe, I guess. So Max Meats wrote a book called no Shortcuts, which is about how a state can set up a military cyber organization. And he has this acronym of like these are the things that you need to be good at to be a military cyber thing. And it's PETIO P E T I O. So it's people, exploits, tool set infrastructure and organizational structure, which I think is kind of cheating.
A
So I guess this paper, it's like firmly focused on the exploits bit that's sort of trying to take exploits down a notch.
B
Right, right. It's trying to Dismantle exploits as a central pillar. And I completely agree with that. So I mean I might go further and say that like people tools, infrastructure and organization are literally necessary for any competent organization. The people process technology framework sort of covers that. And then the thing that's unique to cyber would be exploits. And I don't think that that's the right thing to pick. And so I think that the Vlad and Dennis paper here is going after the right pillar there because it's like you need all these generic things to be a good organization. That's a given. But what is it that makes you a uniquely cyber organization? And what is it that sort of is special in cyber? And they're not trying to put forward a recipe in the same way, they're trying to sort of restructure the thought process about how do you do effective cyber to go away from like, oh, we need exploits to. You need to think about these things overall. Like this is what's going to.
A
Exploits are a means to an end and the end is access. And they're focusing more on access than exploits.
B
Right. So they would say that like phishing or any of the credential theft, like shipping someone a free router that has a backdoor in it and letting them plug it in, finding out that they're using a pre backdoor Chinese IP camera and then logging into that war dialing any of these things would be access. And that's what you need. And I agree. But I'm not sure that I don't know if access is a useful tool to understand that. In the same way that like infrastructure or tool sets are like a thing that you understand that you need, whereas access is like the thing that you need to acquire.
A
Right. So I think the other week I mentioned the resources, priorities and processes model of a company and I guess in that framework you would use your resources to acquire access. Like it's something that you can either buy or invest in or. But it's not a separate.
B
Like you don't R and D and access.
A
Right.
B
Like R and D can contribute to things that get you access. But you could also section 702 for example, could be an access right where you say Google has all of the emails that we want anyway, we just need a way to make them give it to us. And you could either try and hack Google all the time, which is one option, or you could show up with a piece of paper that says you have to give it to us because
A
we said so if you're the U.S. government, right. And you convince lawmakers. I guess the thing about access is it's a product of the organization rather than it's a thing it produces.
B
I think it seems like it's an output, not necessarily an input.
A
Yes, it feels like it's right for cyber espionage or cyber operations, because it is a thing that you must have. Right. I mean, if you're a mining company, I guess you need access to iron ore or copper deposits or whatever, but
B
then once you've got that, you just stay there and you exploit it. Whereas I think access is continually renewing and it's unique for each thing.
A
I mean, I definitely think that you need something to manage access that feels like an organizational function. And so even in the case of 702, for example, to get that, you need to convince lawmakers that that's something that they should legislate for. And you need someone to deal with your service providers. And you need to say, what is it that you actually like? There's a whole lot of machinery that goes around that even though it's not actually a thing that you're.
B
It's something exploit.
A
Right? That's right.
B
Yeah. There's like, there's going to be all sorts of stuff which is just legal scaffolding around that. Right. Like, if I come to you and I say I need these emails, well, I've got a huge amount of emails that might fit that. But which ones do you actually need? Because I can't give you, like, I shouldn't have to give you everything that might possibly match. Like, how do we narrow it down to be what you actually want? And then there's frameworks for that. And then there has to be things like, once I get it, how long can I keep it? And then if I'm doing that, I need infrastructure to, like, manage where did I get it from, who has access? There's a whole bunch of stuff around it that needs to exist.
A
Like, you need an organization to manage that. But it seems to me that it's a concept rather than a thing that you acquire.
B
Yes.
A
Like it's. You need a capability to gain access and that.
B
Right.
A
And manage it and change it and direct it and so on. But that organization delivers capability rather than the platonic access.
B
It's a nebulous concept and it's difficult. And I think that that's part of the problem with it, is that it does feel right. Like, yes, you do need access, but it also feels wrong in that you need to acquire access. Like, that is your job. That is the thing that you have to do. It's not a thing that you intrinsically possess. It's a thing that you need to acquire in the execution of your role.
A
Right. Yeah. To me feels very much like you need people and resources and processes to get it and keep it and make sure it's working how you like and adjust it. But it's not something where you would turn up on your first day as an organization and you'd go, there's your access, you're all good. Here's your bucket of access. Yeah.
B
Floor one access.
A
Here's your iron ore. You can mine that forever. It's an evolving thing where the organization creates it in a way it's like it's self. I don't know, whatever.
B
Yeah. The other stuff that they have which like just running very quickly, like they've got organization, which we agree is sort of like. Yes, R and D. Which I think is. Yeah, we accept that that's important. Infrastructure again. Yes, like we agree analysis. This is like the special one I think that they bring to the table because it's one that everyone sort of everyone who does this knows about. And it's not a pen tester thing because pen testers are very much like they're a single incident. Like a pen tester breaks in and they're done. But an organization that needs to maintain access needs to think about this long term stuff. So once you've gained access, that's step zero. That gets you in the door, but then you still need to stay there. And that's what's more difficult because I'm going to go out on a limb and say with absolutely no basis in fact other than this feels true, is that the things that get caught get caught not because of defense tools, but most of the time because of changes in the network and the environment which will then disrupt an existing installation. Right. So you've gone out and you've installed all of your Windows 10 implants and then they do a fleet upgrade and suddenly your stuff doesn't work anymore or the one box that you're using, it has a hardware failure and they replace it and now you no longer have access because you have to do something.
A
So the way I'd think about that is if those defensive tools are working properly, they prevent you from getting on. And once you're on, it's the changes that catch you.
B
Right? Right. Yeah. So I would say that the focus on this analysis, which is the monitoring the network and understanding the part that we were saying with the Rob Joyce, like knowing the network better than the defenders do. That's the analyst's job. They have to learn how all of this works. Then they have to be sort of aware of the things that are happening. Like there's going to be a maintenance cycle, or there's a scheduled upgrade, or, you know, these things are being retired. Like, there's a lot of work that goes into staying in one place. So I would say that the, like, the thing is, access is a red queen problem. Right. Like, you need to run as fast as you can just to stay in one place. Like, once you've gained it, you need to work extra hard just to maintain and stay undetected. So even, like, even after you get in, that's when the job starts. And it's this other part that never gets mentioned, this analysis role which takes over. So I absolutely praise to them for bringing that up as one of these central pillars.
A
Yeah. So I always, in these discussions think about the SIGINT cycle, which is. I can't remember the details, it's on Wikipedia. But it's like you collect stuff, you analyze it, you decide what you want to do. And part of that is being in the right place to collect stuff in the first place. Is it what we want? What does it mean? What else do we want to know? And so that then informs what collection you do next. And it's not a cycle where you move around. The organization is doing all those things.
B
You're always doing all of them at the same.
A
Yeah, yeah. And the.
B
So is this different from. Is this different from the intelligence cycle?
A
No, it's the same, except I think there's a few different words that are a bit more signals intelligence specific rather than.
B
Right. Because I think the tasking, like the tasking, the planning, the execution, the analysis and the dissemination, which then feeds back into the task.
A
Yeah, the decision stuff signals into.
B
That's the general idea. Yeah.
A
So for signals intelligence or cyber espionage, I guess it would be part of the execution. And why it might be a cycle is have we gained access to the right person or organization?
B
Right, right.
A
And so that's a cycle because it's like, what did we get out of this computer? Is it the right computer? Is there a better computer? Are we even on the right track
B
looking at these emails? We thought that we needed to be looking at what this guy was doing, but it turns out he's just a front for someone else. We actually need to get to that guy.
A
So now that we know, it's like this person never puts anything in email, communicate, you know, stuff like that all sorts of stuff which is unknowable until you get there. Like sometimes I think about does that make an organizational structure where you have all those different functions and you break them out. And so instead of Petio or I guess accordio is not purporting to be an organization, a way of doing things. It's a just take the SIGINT cycle and break that out into functional groups. I don't think it quite works, but I think there is some element of truth that there's specialized functions where it makes sense to have people working together, even if they're working on different targets.
B
This reminds me of is we had a BTN episode where we discussed I'd found those job requirements for offensive cyber roles. And one of them was just like network analyst, where the job was basically, once we've gained access, you learn what's going on and understand it better than anyone else and you predict what's happening. That is the job that you have. And I think that they went to the effort of breaking that out as an actual role. And yet it never gets mentioned outside of. I guess this paper, for example, shows how important it is and how underappreciated it is as well. The literature just overall, people don't think about it that much.
A
Right. Yeah. So you can analyze a network from outside as well. So it's not just sure. So that could be where in a network do we want to be to get what we want, not just once we're on a network.
B
Yeah. And I guess there's other things as well, which it's sort of the supply chain concept here, which is that if I want to break into Retania's intelligence agency, but they're very, very hard to get into. However, their H Vac company that has a nailed up VPN so it can control all of the ACs in their. Their office building that's very easy to break into. And then I can use those VPNs to piggyback into the ACS. And then from there I can maybe do something to get onto their networks. So a network analysis there would say, like looking at all this stuff, what are different ways that we might be able to get access through some of these nodes that are attached rather than going through the front door at this organization itself.
A
Yeah. So I feel like the paper where it refers to Recordio is talking about access as we have access to this thing right now. Whereas I think when I think of access, I think of that example where it would be no one is going to come up Organically of, you know, with the. A hairbrained scheme to get in through the H VAC contractor. Unless there's in a bureaucracy that's not going to happen. Like that doesn't just organically like. So you need an access organization who says we've got this high priority problem. Ruritania. They're really high priority right now. How are we going to get to it? You bring all these people together and then someone will come up with the harebrained scheme.
B
Right.
A
And so that to me feels like what Access. An access organization. One of their jobs would be. Is our standard practices of just hack the planet or fish or whatever aren't working. What's next and is it important enough to do anything about what's the risk we're going to wear. So I think it makes sense as this is kind of unique organization to. Or a unique function for intelligence gathering. Is it unique for intelligence gathering? Are there other organizations where you have to.
B
Not with access. I think. I think you could take quite a lot of organizations and say what's unique about them is that sometimes they have to get together like a firefighting team and deal with an emergency in a unique and creative way. But it's unlikely that that unique and creative way is going to be breaking into an H VAC company to piggyback over their VN to get access to the AC inside the Retania intelligence organizations that you could find out if they're planning anything that's not likely to be outside of a second or an intelligence organization that's not likely to come up.
A
Yeah. Go back to the role of exploits. If that's like exploits is subsumed in that organization.
B
If you need an exploit, you need an exploit. If you need. Need a phishing thing, they need to like. I think so. I think part of the problem with the PET is the. The emphasis on exploits misses that you need this access capability in the broader sense that we're talking about, which is possibly what Styren and Yaschuk are getting at is that like you do need to be able to do this and saying it's just exploits is misdiagnosing what you need. Like it's getting it wrong.
A
Bit myopic.
B
For me personally, some of the stuff I quite like about this paper is it sort of. It dives into these actual incidents and what's actually going on and how things actually play out. And it sort of. It confirms the impressions that I've got. Like just in. In reading all of the stuff like it. It's. It seems like, this is what's happening. So for them to come out and say, like, based on actual detailed analysis, this is what's actually happening. I quite like that confirmation because I have felt that part of the interesting thing about wartime cyber is just how much of it is for the unwashed masses, how much of it is just a sort of attritional, conscript level cyber, I guess, to sort of, you know, go out there and do fishing, go out there and do like these just normal, straightforward things that always work and just build off of that, as opposed to, like, now that we're at war, we have to use these special exquisite, bespoke, carefully made capabilities that are our special wartime cyber tooling. Like, that doesn't happen. Right. Like that's. I mean, not that it never happens, but that's not the thing that's going on most of the time. Most of the time it's just this sort of thing of like, we need to get access to people's signal. I know, let's start sending them things saying, this is like signal safety officer, you need to scan this QR code and then we can pair a device to their signal account and steal stuff that way, as opposed to, like, let's write an exploit that can take over a signal messenger.
A
Right, right. Like, to me, it feels that that is partly a result of it's unlikely that any single hack will be really consequential. And so therefore you've just got to do a whole lot more of them and you kind of make up for in scale that it will. You can make a difference, a significant difference. And I guess it also increases your chances that you will hit a jackpot, like.
B
Right, right. It's a bit of a shotgun approach. Right?
A
Yeah.
B
The odds of hitting something are better if you've just got a lot of stuff in the air anyway.
A
Yeah, yeah. And I guess especially if you don't have the time to say, here's number one priority target, or maybe you hive off people to do that work. But that's a different kind of work. You've got a, here's our number one priority. But then we want as much as we can get using the, I guess you'd call it commodity techniques or bulk techniques that would work.
B
Conscript cyber, Corvette cyber.
A
Well, I mean, I think the beauty about the paper is that it's, from your point of view at least, is that it manages to reinforce your preconceptions. So it's the perfect paper.
B
So it's. It's an excellent paper. Very well done.
A
Bravo worth reading.
B
Thanks. Thanks a lot, Tom.
A
Thanks, Rod.
Podcast: Risky Business Media
Episode Date: July 13, 2026
Hosts: Tom Uren & The Grak
Main Topic: Rethinking Cyber Power – The Real Role of Exploits in Wartime Cyber Operations
This episode centers on a Ukrainian research paper titled Rethinking Exploitation in Cyber War: Reassessing the Role of Software Exploits in Wartime Cyber Operations by Vladimir Daran and Denis Yastchuk from Ukraine’s cybersecurity authority. Hosts Tom Uren and The Grak analyze the paper’s argument: Western cyber strategy overvalues software exploits (“exploits”), when real-world cyber operations (especially during conflict) rely less on “special” exploits than commonly assumed.
The hosts wrap up agreeing that, based on credible Ukrainian war data, exploits are overrated as the bedrock of real-world cyber power. Instead, initial access matters, ongoing network understanding, adaptability, and organizational factors (including analysis and resource management) are far more critical—both for offense and defense. Bulk, scalable strategies (“conscript cyber”) dominate, with bespoke, high-end capabilities rarely decisive.
[29:41] Tom: “The beauty about the paper is that… it manages to reinforce your preconceptions. So it's the perfect paper.”
[29:51] Grak: “It's an excellent paper. Very well done.”