Chris Linklider
I think one of the things we've seen ransomware operators do is become technically way more efficient. If you go back a few years, it was very common for a threat actor to get into sort of a corporate enterprise. They would do a significant amount of reconnaissance. They would figure out where all the endpoints are. They would write sort of host list scripts of, you know, here's every host in the environment, and then they would write a script that sort of used some tool to connect to each individual system and push out the malicious ransomware and then sort of encrypt the endpoint. Very effective, right? Especially when we didn't have tools to defend against that activity. Even though it was kind of a crude way to push software, it was pretty effective.
Luke McNamara
Welcome to another episode of Mandiant's Defender's Advantage podcast. I'm your host, Luke McNamara. Joining me today, I have the pleasure of welcoming on Chris Linklider, one of the practice leaders here at Mandiant. Chris, good morning to you.
Chris Linklider
Morning, Luke. Thank you. Thank you for having me on the podcast.
Luke McNamara
Yeah, and back on the podcast too. I know you were on here earlier at one point, but today we're talking about M-Trends. This came out last month as of when we're recording this. But we're going to dive into some of the takeaways, some of the aspects. So I have a bunch of questions for you about this, of course, but I'm just curious, what are some of the things that stood out to you the most when you picked up this year's edition? And maybe also, when this report comes out every year, is there like a certain section that you go to to see, what is the stat doing now? How has this been updated?
Chris Linklider
Yeah, I mean, maybe I'd start by thanking all the people that worked so hard to put the M-Trends reports together. I know you've been involved with it in the past. I've been involved with it in the past. It is a significant amount of time and effort that goes into putting the report together. So all the sort of men and women who, you know, from Mandiant and from Google Threat Intel work so hard to put it together, I think a shout out to that team because it's sort of not for the faint of heart. If you want to contribute to M-Trends, it gets very highly scrutinized before it gets published. So I think the natural reaction to that is the first thing I go look at is anything that I was responsible for either editing or contributing to, or that my team was responsible for editing or contributing to. Just to make sure, because you're always nervous when it gets published that maybe it got changed at the last second. But that's where I immediately go. And then I think, you know, I think very little AI is used in generating M-Trends. I know that because I've been a part of the process. But when you said we wanted to talk about what's different from last year's to this year's, actually the first thing I did was compare the two using an LLM just to sort of see what some of the most notable differences were. And I think the one thing that sort of caught my eye was for the first time ever, voice phishing or vishing has sort of surpassed regular phishing or email phishing as a point of entry in terms of a vector. I sort of suspected that, but it was really good to see that all of the data that we collect sort of backs that up.
Luke McNamara
Yeah, we'll dive into that a little bit further. But I do think it is interesting when you consider, you know, here at Google now, all the different data sources we have to kind of build up an intelligence picture of what's happening in the threat landscape. I think this is still one of the most important and one of the most useful data sets because it is drawn specifically from all the breach response work that we're doing the year prior. And so there's a lot of that frontline visibility and not just seeing some aspects of adversary behavior, but how actors are evolving what they are doing once they actually breach access and make their way into a customer's environment, how they're evading detection. So I think it is useful, I think, in that regard, and it stands out, I think, amongst all the other data sets that we have.
Chris Linklider
I would agree. And I think it's one of the best pieces of material that's released year over year that lets organizations sort of prioritize their budget in terms of what should we be focused on in the next 12 months. Obviously everyone has sort of a bias in terms of the things that they've seen or that their small circle of network has come across and informed them and told them to be ready for. But M-Trends looks at such a large data set across so many different incidents that it's a fantastic place for leaders to go to and just say, what are the things that we need to prioritize within our programs this year?
Luke McNamara
Well, on that point, maybe I'll start with something that I think actually is maybe one of the more positive statistics from here. And it's so rare that we have like something positive to talk about in security. But we'll start with that. And I think it's also notable because it's a trend now that we're seeing, I think at least the last four years in a row, which is something you already referenced, which is the continuous decline of email-based phishing. There are probably many different factors that contribute to this. Again, I think it's worth highlighting because it's not just something we saw in one year as a blip. It is seen to be something that is continuing on that trajectory. But I'm curious if you think this is an area where, going back to what you're saying about investments in security, obviously things like phishing awareness training, some of the technology-based solutions around preventing and detecting this, there's been so much investment over the years in this. Are we seeing kind of a payoff in that which is leading to this, while still a useful and important initial infection vector for adversaries, not being as useful as it once was?
Chris Linklider
I mean, I think so, right? I think, I don't know that like a victory lap is in order, but I think the investment that organizations and people quite frankly have made has paid off. Right. We've invested in a lot of user awareness training. When I read this, I was reminded of like the very first time I got phished by my own employer and just like how embarrassing that was and how I said I'll never let this happen again. But it did happen. It happens to everybody. And so what are the things we've done? We've trained humans, we've rolled out MFA. And to your point, that didn't happen overnight. That's taken years and years and years to roll out. And as we rolled it out, we probably didn't roll it out in the most effective way we could have. Right. So I think organizations, even that rolled out MFA four years ago, have come back around and really sort of shored up the processes and the ways that we do MFA with the full authenticator apps, the removal of phone calls as the second factor, things of that nature. So it's not just that we've rolled out MFA. I think we've gotten more effective in how we're using some of those things. Threat actors are going to go the path of least resistance. So as we've done a good job of sort of securing the human identity, I think threat actors are moving on to non-human identity, and/or they're working really, really hard to circumvent the processes that we've put in place to register those MFA devices with social engineering and phishing.
Luke McNamara
Yeah, I think zooming out to phishing as just being one kind of method of that larger social engineering tactic and obviously, as you noted, like, we're seeing more vishing than ever before. I don't think, you know, two or three years ago, if you were to ask someone like, what would be the most common way that we would see cloud instances be breached and targeted, it would be vishing. That is one of the takeaways from this past year's report. So, you know, whether it's that, whether it's phishing over non-traditional methods like, you know, LinkedIn and social media, there's certainly ways where like that same technique is still being leveraged, but just outside where a lot of the resources have been put from a technology and training standpoint. Maybe one other thing to kind of dive in. So, you know, probably unsurprising to anyone in security, even that tangentially follows the space, is that ransomware continues to be ransomware, and extortion more broadly, you know, one of the big significant kind of categories of threat activity we're still witnessing, and that's obviously evolved over the years. We've seen more data theft kind of play into this component, what people refer to as double or multifaceted extortion. But one thing that was also kind of highlighted in this report is also the shift to recovery denial. Right. And that actors are increasingly obviously looking for creative ways to apply pressure and looking for ways where they can destroy the ability for organizations to get back up and running. Anything, kind of like takeaways from either your experience over the last year or some of the key aspects in the report around this area of focus for actors in the extortion space?
Chris Linklider
Yeah, I mean, I think one of the things we've seen ransomware operators do is become technically way more efficient. So if you go back a few years, I don't know, 2020 times, it was very common for a threat actor to get into sort of a corporate enterprise. They would do a significant amount of reconnaissance. They would figure out where all the endpoints are. They would write sort of host list scripts of here's every host in the environment, and then they would write a script that sort of used some tool to connect to each individual system and push out the malicious ransomware and then sort of encrypt the endpoint. Very effective. Right. Especially when we didn't have tools to defend against that activity. Organizations weren't really ready for it. So even though it was kind of a crude way to push software, it was pretty effective. And then as organizations I think realized how they could stop that with tools like EDR, detections of some of those sort of methods being used to push the software within their organizations, threat actors quickly pivoted into the hypervisor. And I think what they realized is that for every hypervisor that exists, or every hypervisor host within an enterprise, there might be 50, 100, 200 client systems on that or server systems on that one physical piece of hardware. And rather than have to do this crude script writing to cause all of this destruction, they can just simply go into the console that controls the hypervisor and they can just wipe everything out all at once. So their point of entry is very simple. They only have to go to one place. It's very hard to detect them quickly, and they can cause a tremendous amount of damage just within seconds. I mean, I think we've seen organizations lose 10,000 servers in under 30 minutes with these sort of well-thought-out attacks against hypervisors.
I think the other piece that's worth noting there is as an organization that does a lot of the forensic investigation as to what happened when all of those sort of disk arrays are wiped out at that hypervisor level, a lot of the evidence is wiped out with it. Right. As an organization, it's difficult for us to then definitively sort of explain the entire attack life cycle because a lot of the evidence might have been lost in the attack.
Luke McNamara
Yeah, I'm going to return to that thought too, especially around the EDR component of this, because I think that's another area where, as you're seeing more of these campaigns and intrusions that find their way into hypervisors, into things like ESXi, that creates a problem, I think, for maybe security strategies that have put maybe an over-reliance on EDR, or maybe a better way of saying that is just, you know, some of the blind spots of EDR where that can't be deployed. Adversaries are obviously cognizant of that and they're carrying out their operations accordingly. But before that I wanted to touch on one of the other, I think interesting stats that we highlighted in this report, which is how the handoff window between adversaries is decreasing. I think in previous iterations it was something upwards of or around eight hours. And we noted at least one example this past year where there was a 22-second handoff, and this kind of makes its way into some of the stats around things like prior compromises increasing, how you count that, and the handoff between initial access broker to an adversary. Some of these intrusions coming with kind of like preloaded custom malware of the secondary actor, coming with preloaded malware of the secondary actor to kind of ease that friction. So I'm wondering, what do you make of that and how does that have to result in organizations maybe recalibrating their incident response playbooks?
Chris Linklider
First of all, it's a very alarming statistic. As I was thinking about how do you solve a problem in under 22 seconds? The one thing that I was sort of drawn to and sort of had to sort of ground myself in is most organizations still can't solve the eight-hour problem. Responding in under eight hours for a lot of organizations is still probably what we would consider to be really, really effective and really, really good. Obviously, as you look at needing to get under an hour, under a minute even, the only way to probably effectively respond in scenarios like that is removing the human from the loop, through automation, through AI, etc. And I think that comes with a significant amount of risk to organizations. Right? I think what we've seen, we always hear about sort of the catastrophic cybersecurity attack. What we don't usually talk about in our industry as much is the catastrophic outage that was caused by security trying to prevent a catastrophic security offense. So you know, I was reminded we did an incident, it was in the fourth quarter last year, where an organization had been breached and post-breach, we were helping them just with some, you know, getting back to normal and hardening. And so they were at this like very heightened state of alert. And their mindset was, you know, contain first and ask questions later. And they saw some activity within their environments and they, the individual on duty, decided to contain all of the systems associated with this particular alert. And what they actually did is they had contained the system administrator who was patching all the DNS systems. So what they had effectively done is cratered their entire enterprise by containing all their DNS servers. And ironically, the only way to uncontain them is to have access to DNS.
And so that organization was actually offline for the better part of 48 hours simply because they were in a heightened state of alert in terms of a response to something that they thought was malicious. So solving a 22-second sort of playbook problem is I think incredibly difficult. And I think it's one of those things where there's obviously automation, there's obviously AI. But I thought back to a phrase one of my early bosses used, and I hope he listens to this, because he said if you automate something that sucks, it's just going to suck faster. And so I think this is sort of a good reminder for organizations that are trying to solve this problem that if you haven't like solved the basics of things like IP, you know, address management and asset tracking and just knowing your environment and having, you know, processes well documented, trying to do something too fast is probably going to result in something catastrophic happening that might be self-inflicted.
Luke McNamara
Are there other areas in this report or just maybe more generally where you think that same principle can be applied? Because there's certainly a lot of things, whether it's this report, whether it's a lot of the research we put out on our blog, where we're highlighting a lot of the kind of cutting-edge, novel techniques, novel malware that are being used. And sometimes I could imagine it would be a bit overwhelming if you're your average security defender or CISO and you're reading that. I think kind of, as you kind of noted, reorienting to some of the basics I think is important, you know, because not everyone's going to see some of these more advanced techniques, and even some of the more kind of basic blocking and tackling aspects of security can do a lot to mitigate some of this risk. So like any other areas where you think that that sort of framework applies?
Chris Linklider
I mean, I would highlight like, you know, we have the opportunity to see a lot of organizations and how they respond to something bad that's happened to them, right? They're usually a victim. The organizations that sort of deal with that the most effectively are the organizations that have worked out some of those, you know, very basic, they sound very basic, but in many cases they're hard to do. Right? A lot of organizations, you go in and you're like, all right, like how many servers do you have that we have to deal with? And in some organizations, they can tell you the number, they can tell you how they got to the number, and they can do that in under 10 minutes. And in some organizations we spend weeks trying to solve that problem of what's the denominator to this math problem that we're trying to work our way through. So I can't emphasize enough that while it's not super exciting and new and novel and fun to talk about, some of those very basic technology and security operational things are the things that may take a major incident and make it something minor.
Luke McNamara
Well, I want to return to the point I mentioned earlier. I was going to ask you about EDR and blind spots in EDR-less infrastructure. I think as you noted, this is something that applies to those hypervisor environments where you can't easily deploy EDR technologies. I would say one of the other big trends we saw last year where this kind of weaves into the narrative is what we were seeing with a lot of the zero-days and exploitation of edge infrastructure. Right. And I think part of the reason why, not just the fact that those technologies live on the perimeter, but why they're being targeted is because they're a blind spot for a lot of organizations. And I think this ties into something that has been brought up in previous M-Trends in recent years, which is just adversaries looking for ways that they can carry out operations that sort of evade traditional detections. And again, similar to phishing, just because there's been investments in this space, I certainly wouldn't say you don't need EDR. Obviously that's sort of like a kind of basic necessity here. But how should organizations think about, from a larger security strategy, especially if maybe they've put maybe too much emphasis on EDR, where that fits within their overall strategy with the attacks that we're seeing today, whether they're identity-based or some of these other ones? And how do you get around this problem, or how do you kind of put efforts in place to better mitigate where you can't deploy EDR? I mean, is this a logging issue? Talk us through some of the strategy components here.
Chris Linklider
Yeah, well, first of all, this is like a super fun topic I think, but I think as we've talked about M-Trends, one of the things that you and I were talking about before was, for all the things in statistics and new and novel that's changed, the one thing that's remained constant is exploits on the outside, the edge, the perimeter, still remain the number one sort of entry method. It's by far and away for the last two years the number one method. So I think it calls into importance the fact that you do need to have a strong threat and vulnerability management program within your organization, because you don't know, of the products that you've bought, whether you've bought inexpensive products, whether you've bought best-in-breed products. Every product is going to have challenges, every product is going to have vulnerabilities, and the good ones are going to get the patches out quickly. But when those patches come out quickly, you have to respond and react quickly. If you have a device on the edge that's designed to keep you secure, whether it's an application delivery controller or VPN concentrator, and that becomes a compromised endpoint, you have a problem. Right. Avoiding the problem is difficult. Responding to the problem, it's important to do it quickly. And so having a good sort of threat and vulnerability management program I think is the best way to deal with the problem on the edge. I think it gets really interesting and nuanced when you start getting into the insides of an enterprise and the areas of that enterprise where EDR can't exist. Right. You mentioned the hypervisor. I think that's a huge problem. I'm super hopeful that problem gets solved somehow, whether it's added visibility at the hypervisor level or introduction of EDR technology into those systems. Because I think that is a huge problem, especially for financially motivated threat actors.
Where I think it gets really fun and interesting is there's a lot of APT out there, or nation states, that have learned like if they put malware on a Windows or a Mac endpoint, it's probably going to get eventually detected by EDR and an effective threat hunting program. And so we've seen some incredibly sophisticated attacks where some of these nation states will actually embed the malware into the network devices within the environment. And in some cases these network devices are hypervisors as well. Right. The network switch just sits on top of a piece of hardware that's just running some flavor of a hypervisor. Storage arrays don't work any differently. So we've seen where some of these incredibly sophisticated adversaries have actually buried their code into these places where nobody's looking. There's no tooling that's designed to go check to see if your network switch image has changed or something like that. There's things organizations can do. In reality, none of those devices should ever be talking to the outside world. And if they do, you should be detecting that. But I think it's like one of the most interesting spaces for an enterprise defender to be thinking about. Like, hey, within the context of my network, if I had to hide somewhere where there's no EDR, where would it be and how would I do it? And those are I think incredibly important questions for organizations, especially organizations that might have a threat profile where they could be targeted by APT, to really be asking those questions.
Luke McNamara
Yeah, it's something again, like as you noted, we've seen being employed by not just the financially motivated actors that are trying to increase the cost and pressure on an organization they're extorting, but some of these longstanding cyber espionage campaigns by APT actors as well. And I think we're probably going to see more of that, unfortunately, this year. As we kind of wrap this up, you know, any sort of final takeaways or thoughts that you have from this report? Again, there's things that have changed from what we were seeing several years ago. Beacon malware is continuing to go down. It felt like at one point that was like what we were seeing everywhere, in every intrusion and breach we were responding to, and that has declined. Some of these things we're seeing more of, you know, voice-based phishing I think is also probably something we're going to see increase. And I think there's this general expectation across the industry that the speed and scale of these attacks that we're seeing is likely to continue to ramp up as threat actors leverage AI in the course of the operation. So as we kind of sit here looking back at 2025, any final takeaways or thoughts?
Chris Linklider
Yeah, I mean, I think, you know, one of the themes that's sort of mentioned throughout the report, and certainly something that we've seen as it relates to the vishing, is organizations really do need to spend some time understanding sort of the life cycle of how an employee is onboarded and offboarded from their organization. We've found that a lot of these organizations that become victims of phishing or vishing or any sort of social engineering method, when they really start to unpack how they bring people on board, whether it's North Korean IT workers or whether it's hacktivists or whether it's any other sort of threat actor or threat group that's out there, they start to really realize that there's a lot of insecurity in the process by which they've onboarded these people, by the process that they've issued them devices, whether that's laptops or phones or whatever happens to be sent to those folks. We find a lot of problems where organizations actually outsource a lot of these operations to business process outsourcers. And even the communication between the business process outsourcer and the victim organization is sometimes compromised by these threat actors. And so I would encourage anybody who's trying to solve this problem, and sort of how do I validate that the person I'm talking to is who I think it is, to really sort of think about it from an end-to-end life cycle of how do we onboard and even offboard people from our organization. So I think that's the one thing that struck me. I think the other thing that we're really starting to see, and I think the phishing decline is an indicator of this, I think we're starting to see threat actors abuse non-human identity as much or more as we're seeing them abuse human identity. And I think that's a problem that we're going to be solving well into 2026 and 2027 and probably beyond that.
So those would be sort of my closing things that I just observed and I think organizations should have a stop of that.
Luke McNamara
Yeah, I definitely would footstep that last point. And I think that is something we are, you know, hearing more and more from organizations, from CISOs, which is, you know, sort of how to think about getting your hand around the proliferation-of-agents dynamic that's existing right now in a lot of enterprise organizations as the adoption of AI takes off. And maybe you've done a lot of good baselining of like what normal and good looks like for when employees should be logging in, at what times of the day, from what locations. And now in an environment where you have a lot of non-human identities that are going to become the norm of activity and noise in your environment, how do you better secure that and how do you better detect anomalies and what will ultimately be actors seeking to abuse those, leverage those for living-off-the-land techniques. So I think that's going to be something that will certainly play its way into kind of future iterations of this report and what we see down the road. Well, Chris, again, always great to talk to you and I think this is a good summary and resource. Of course, for folks who haven't read the report, we'll include a link in the show notes, definitely go check it out. There's a lot of other areas that we didn't cover. There's some great articles in there, so I highly recommend folks check that out. But Chris, thank you for your time today.
Chris Linklider
Thanks for having me on. And I've heard rumors they've already started writing next year's report, so.
Luke McNamara
No doubt. Yeah, take care.
Chris Linklider
Thank you.
Date: April 15, 2026
Host: Luke McNamara (Google Threat Intelligence Group)
Guest: Chris Linklider (Practice Leader, Mandiant)
In this episode, host Luke McNamara sits down with Chris Linklider to discuss the key findings and themes in the 2026 M-Trends Report—a comprehensive annual analysis from Mandiant detailing the latest in cybersecurity threats, attacker behaviors, and defensive best practices. Together, they explore shifting entry vectors, technological evolutions in ransomware, the persistent relevance of perimeter exploits, and the growing challenges around identity (both human and non-human) in organizational security programs. Practical guidance and reflections on security fundamentals weave throughout, offering listeners concrete takeaways for both strategy and operations.
Voice Phishing (Vishing) Overtakes Email Phishing
“...for the first time ever, voice phishing or vishing has sort of surpassed regular phishing or email phishing as a point of entry in terms of a vector.”
—Chris Linklider [02:47]
Decline in Email-Based Phishing
“...we’ve invested in a lot of user awareness training…we’ve rolled out MFA...I think organizations, even that rolled out MFA four years ago have come back around and really sort of shored up the processes...”
—Chris Linklider [06:04]
More Efficient Ransomware Operations
“...threat actors quickly pivoted into the hypervisor...they can just simply go into the console that controls the hypervisor and they can just wipe everything out all at once… we’ve seen organizations lose 10,000 servers in under 30 minutes with these...attacks against hypervisors.”
—Chris Linklider [10:09]
Recovery Denial and Multifaceted Extortion
Ransomware Remains Prevalent
Rapid Attack Progression
“And we noted at least one example this past year where there was a 22 second handoff...”
—Luke McNamara [11:36]
Challenges for Responders
“If you automate something that sucks, it’s just going to suck faster.”
—Chris Linklider [14:57]
Perimeter and Edge Infrastructure as Persistent Weak Points
“...exploits on the outside, the edge, the perimeter, still remain the number one sort of entry method. It’s by far and away for the last two years the number one method.”
—Chris Linklider [19:21]
Vulnerability and Patch Management
Limitations of EDR (Endpoint Detection & Response)
Novelty and Basics: Balancing Priorities
“Some of those very basic technology and security operational things are the things that may take a major incident and make it something minor.”
—Chris Linklider [16:42, 16:57]
Human and Non-Human Identity Abuse
“We’re starting to see threat actors abuse non human identity as much or more as we’re seeing them abuse human identity. And I think that’s a problem that we’re going to be solving well into 2026 and 2027 and, and probably beyond that.”
—Chris Linklider [25:28]
Employee Lifecycle Weaknesses
“I would encourage anybody...to really sort of think about it from an end to end life cycle of how do we onboard and even offboard people...”
—Chris Linklider [24:02]
On the shift to vishing:
“I sort of suspected that, but...it was really good to see that all of the data...backs that up.”
—Chris Linklider [02:47]
On declining phishing (positive note):
“...it’s so rare that we have something positive to talk about in security. But we’ll start with that.”
—Luke McNamara [04:56]
On the risks of automation in incident response:
“If you automate something that sucks, it’s just going to suck faster.”
—Chris Linklider [14:57]
On importance of basic security operations:
“In some organizations, they can tell you the number [of servers] and...do that in under 10 minutes. And in some organizations, we spend weeks trying to solve that problem.”
—Chris Linklider [16:57]
For further insights, listeners are encouraged to read the full M-Trends 2026 report [linked in the show notes].