Featuring distinguished guests from the business world and government, Ahead of the Threat will confront some of the biggest questions in cyber: How will emerging technology impact corporate America? How can corporate boards be structured for cyber resilience? What does the FBI think about generative artificial intelligence? Listen to new episodes biweekly and stay Ahead of the Threat.
Listen to Ahead of the Threat episodes, read the transcripts, and find related material at fbi.gov/aheadofthethreat.
You can also follow the FBI Cyber Division on LinkedIn at linkedin.com/company/fbicyber.
Brett Leatherman, assistant director for the FBI Cyber Division: Welcome back to Ahead of the Threat. I’m Brett Leatherman, assistant director for the FBI Cyber Division. Later in the episode, I sit down with Joe Levy, chief executive officer [CEO] of Sophos. Joe has a concept he calls the “cybersecurity poverty line.” Of the roughly 359 million businesses worldwide, fewer than 1 in 10,000 have someone in a CISO-equivalent [chief information security officer] role. Most organizations are buying security products with no strategy, no metrics, and no risk management plan.
But we talk about what that means, what his teams are seeing at Sophos on the front lines of the threat, and what it takes to actually defend the organizations that make up the backbone of our economy and critical infrastructure. That conversation is coming up.
But first, the news. Joining me today is Adam Maddock, section chief of our Cyber Technical Analysis and Operations Section, or, as you’ll hear me refer to it, CTAOS. Adam’s teams are the ones reverse engineering the adversaries’ malware and tools, building the technical picture that really drives our cyber operations and intelligence apparatus in responding to help victims when the worst day happens on the cyber front.
So, Adam, welcome to the show.
Adam Maddock, chief, Cyber Technical Analysis and Operations Section, FBI Cyber Division: Good to be here, Brett. Thanks for having me on.
Leatherman: So first, we got to talk about the shirt. I love the logo. I know what the logo means, but help others kind of hear, what does the logo on your shirt mean?
Maddock: Yeah, sure. Absolutely. The logo is for the Cyber Action Team, which is the FBI’s fly team. A fly team is a team that’s standing by ready to deploy for some sort of surge capacity to help with investigations. So, in cyber, the Cyber Action Team is standing by, ready to deploy for computer intrusion incident response.
So, if there is a company in the United States or one of our government partners or even an ally around the world who experiences a significant computer intrusion, and there’s an FBI investigative interest in supporting that victim and investigating that crime, then we’ll deploy anywhere from two to four of our operators, who are a blend of special agents, computer scientists, information technology specialists, intel analysts, and other roles, to the scene of that computer intrusion to dig through the myriad of digital evidence, including forensic images, memory samples, log files, and network traffic.
So, their goal is to tell the story of what happened at that crime scene. And that assists both the victim in fixing their network and remediating after they’ve experienced an intrusion. But it also helps the FBI with our investigative mission of criminal prosecution of the threat actors, or going after our nation-state adversaries around the world.
Leatherman: Yeah, I kind of refer to them as our Tier One technical team. And really, they’re computer scientists, special agents, and others who sit both at Headquarters and in the field and really are highly trained, our most technical workforce, ready to deploy to help victims and help us pursue investigations. I mean, they are the tip of the spear when it comes to, really, that incident response capability for the FBI.
What kind of training goes into being a member of the CAT team? And, not everybody is selected to be a part of that team.
Maddock: Yeah, absolutely. So, it starts with being an already onboard FBI employee with a minimum of two years’ experience working in computer intrusion investigations. It doesn’t matter whether you’re a special agent, computer scientist, information technology specialist, or other job classification. If you’ve been working in that space and you have the necessary skills, you’re allowed to put in. Every FBI employee who’s working in this space receives some baseline training to cover how you handle a cyber investigation.
Cyber investigations look very different than counterterrorism investigations or white-collar or violent crime cases, because in those cases, there may be components of digital evidence, like log files to review. And you might be reviewing, you know, email and other kinds of artifacts. But in a criminal or a computer intrusion investigation, the computer isn’t just a data point, it’s the crime scene itself.
You’re dealing with a computer that has been broken into, and understanding how those mechanics work is just significantly different. So, we put all of our employees working in cyber through some very specialized training. The folks that rise to the top of that and would apply for the Cyber Action Team typically have already come in with a little bit more of a technical background than the average FBI employee.
So, maybe they studied computer science in school, and they might have several years of industry experience working in information technology, or being a software developer, or maybe even working specifically in computer forensics and, you know, digital forensics and incident response. But there’s a breadth of experiences among the people that are applying.
What they’ll do to apply is submit a written application. We canvass about once every two years. And we’ll review their training, their experience, their written responses to several questions and pick the top tier from that. And then, we go through a technical selection exercise.
So, for everybody that gets selected for that portion, we send them some disk images. We send them log files. We send them snippets of network traffic. It varies from year to year, the specific evidence that we would send. But they’re given some instructions about the scenario and told, “Analyze this data. Feel free to ask some questions.”
But then they have to write a report of what they found, and they’re allowed to use really any tools that are open source or tools that are available to them through the FBI.
We’ll review all of the written submissions, and we’ll take the top tier from that, and then we’ll ask them to brief their findings to a group of role players and answer questions based on that, just to make sure that they’re not only able to write a good technical report, but also able to think on their feet and brief their findings to a group that would be representative of maybe executive management in a company that we’re dealing with or, you know, FBI leadership or prosecuting attorneys, the consumers of our investigative findings, and that they can answer questions and think on their feet.
So, yeah, and there we take maybe two or three every couple of years.
Leatherman: It’s a victim-centric approach, right? We want them to be able to engage the victims while also being able to help the victims in the midst of a breach. And, having seen the trial process, you know, in various roles, I know that we pick the very best. And there’s a lot of folks who are close to being there, and we always look for that next bench, but … we really have the very best working there to help victims.
Great. Well, let’s hit story item No. One, which is the software supply chain attacks that we continue to see over the last few weeks. The focus there is on two major software supply chain attacks in the span of two weeks. Different actors, different techniques, same result: trusted tools turned into weapons.
And this is one every security leader and every developer listening should really try to understand. First was the attack on Trivy. It’s one of the most widely used open-source vulnerability scanners. Organizations plug it into their software build and deployment pipelines, the automated systems that move code from development into production, to check for security flaws before their software ships.
On March 19, the threat actor group called Team PCP compromised it. The short version: an earlier incident gave the attackers a foothold into the development environment. Credentials were rotated during that response, but not all of the credentials. The surviving credentials gave Team PCP the access they needed to come back weeks later and inject malicious code into 76 of 77 version tags.
The payload was a credential stealer that stole SSH [secure shell] keys, cloud credentials, database passwords; everything it could reach. And because the legitimate scan still ran normally afterwards, pipeline outputs looked clean. Organizations had no obvious indication they were compromised.
Since then, it’s cascaded. Team PCP used stolen credentials to compromise additional security tools, including Checkmarx’s infrastructure-as-code scanner and the LiteLLM Python package, which has roughly 480 million downloads.
They launched a worm that backdoored over 47 additional packages. As of this week, the campaign seems to be still expanding. Then separately, on March 31, Axios, one of the most popular JavaScript libraries in the world—about 100 million weekly downloads, in total—was targeted by an attacker who compromised the primary maintainer’s account and published two backdoor versions within a 39-minute window.
Both the current and legacy release channels were poisoned. The payload was a cross-platform remote-access trojan targeting Windows, macOS, and Linux. The malicious versions were live for about two to three hours before they were pulled, but that seems to be enough time to actually impact a number of different organizations. Google Threat Intelligence Group has attributed the Axios attack to UNC1069, a financially motivated threat actor tied to North Korea.
John Hultquist, our guest in Episode One, said this is expected to have far-reaching impacts given the package’s widespread use.
That’s a lot of technical jargon there, Adam. So really, two attacks, two different threat actor groups, it appears, but both going after tools that both developers and security teams trust. From the technical side, what really stands out to you with these compromises?
Maddock: Yeah, a couple of things really stand out … big picture. And then there’s a lot of little nuanced things that, I think, folks can take away as far as how they can improve their security. But the big picture, one is just that these … software development environments have gotten really, really complicated and really complex.
So, almost everybody doing software development now is using what they call a CI/CD pipeline. That stands for continuous integration and continuous development. And really, what that means is that we’re using automation in the places where we keep our source code—that’s GitHub or offline versions of GitHub, GitLab, Gitea, other kinds of source code repositories—to kick off automated processes to check whether code compiles properly, whether it passes certain unit tests, and in many cases to actually build, in real time, compiled versions of binaries every single time a developer checks in code.
And these are really, really useful tools for increasing not only the quality of the code that we can write as software development teams, but also the velocity of code, how quickly we can actually put out products. But the increasing complexity increases the risk at the same time. So, I’m surmising here, but I gather, based on reports that I’ve read and people that I’ve talked to, that there are some CI/CD pipelines that are not really fully understood by the teams that are using them.
You might have one or two SMEs [subject matter experts] that put them together, and then you have a lot of other people that are just interacting with them on a daily basis, and very rarely are they being reviewed for whether or not there are security risks inherent in the pipeline. The other big picture takeaway I had on this is that it’s becoming increasingly difficult for executives and IT managers to know what products that they can trust.
Going back to my days before I joined the Bureau, I worked for a large company; we had a really humongous IT department, and I remember conversations back then about whether or not we should trust open-source software on our internal systems. And there were different camps there. There were some folks that were all in on open source because of the ability of us as IT professionals to review the code.
And then there were others that saw it more of a liability and a risk because you couldn’t necessarily hold a vendor accountable to something going wrong. The fact of the matter is that now, regardless of whether you’re using open-source tools or commercial tools in your environment, they’re all leveraging open-source libraries and downstream products that even the vendor that you’re paying for a tool doesn’t have complete control over.
So, between the complexity of these systems on the build side and just the general ecosystem of interconnected products and libraries, it’s becoming more difficult for us to know who we can trust as far as the tools and the products that we use on our networks.
Leatherman: Yeah, I think part of that is really developing the intelligence pipeline to understand, for the tools that you do use, when there is a vulnerability discovered, how are you quickly identifying whether you’re running a vulnerable version and how do you start to mitigate that? Really important discussion for CISOs to begin having, I think, with their teams in their SOCs [security operations centers] about how you start to alert on that.
So, the second story is, what we’ve seen happening here recently, which is nation-states targeting messaging apps. So, on March 20, the FBI released two separate products on the same day covering two different nation-state adversaries going after two different messaging platforms. Russia targeting Signal and Iran weaponizing Telegram. Different techniques, same lesson.
The FBI and CISA [Cybersecurity and Infrastructure Security Agency] jointly issued a public service announcement on an ongoing Russian Intelligence Service phishing campaign targeting individual Signal accounts.
The targets are current and former U.S. government officials, military personnel, political figures, and journalists. This campaign has resulted in unauthorized access to thousands of accounts globally. This is important. The actors have not compromised Signal’s encryption or the application itself. They’re bypassing encryption entirely by going after the human.
Two techniques: First, they impersonate a known contact and send a malicious link or QR code to the individual or the victim.
If the target clicks on that, the actor’s device silently gets linked to the target’s Signal account, linked in a way that they can see that individual’s conversations. Both the target and the actor now have access, and the target has no idea.
Second, a direct account takeover through phishing messages posing as Signal security support, requesting PINs and verification codes.
Also on the same day, we released a FLASH on Iran’s Ministry of Intelligence and Security, or MOIS, using Telegram bots as command-and-control infrastructure to push malware. The targets here are Iranian dissidents, journalists critical of the regime and opposition groups, though the FBI notes the malware could be used against anyone of interest to the Iranian regime. The malware masquerades as legitimate apps, establishes a persistent backdoor that communicates through Telegram’s own API [application programming interface], and can record screenshots and audio, including during Zoom calls, then exfiltrate everything from that environment.
Because Telegram traffic is routine on most networks, the command-and-control communication blends right in. We’ve linked this activity to the Handala Hack group, which the Department of Justice identified as a front for MOIS. On March 19, the day before these products came out, DOJ and the FBI seized four domains MOIS used for hack-and-leak operations, including Handala’s domain that claimed credit for a destructive malware attack against a U.S.-based medical technology firm.
So, Adam, from a technical standpoint, these platforms are known for strong encryption. Why do these attacks work?
Maddock: Well, they work because humans are still vulnerable. And I think, actually, something you said: these platforms do use end-to-end encryption. And that encryption is really strong. That, I think, is an enticing reason for threat actors to want to target the platforms, because they also know that even the companies that make and run these platforms—whether it’s Signal, WhatsApp, or Telegram—don’t have great visibility into the traffic that’s going across the platforms, by design; they’re privacy-focused, privacy first.
But that also limits their ability to track actual threat activity across the same platforms. So, in the case of Signal, the threat actors that perpetrated this scheme were able to leverage social engineering scenarios to trick the users of their own devices into letting them in, whether that’s coming up with a ruse, a plausible reason to scan a QR code that links a third-party device to your own Signal account.
Or it could be finding plausible reasons for a user to think, “You know what? I should actually send this one-time password pin that I got over to … this person who’s asked for it because they seem to be coming from a tech support role” or something along those lines.
When our defenses are lowered, we’re less skeptical of things and more willing to provide information to third parties, but that can result in a complete compromise of our accounts.
Leatherman: Yeah. I think it’s important for folks to recognize, with these platforms, the encryption works. But like you said, it is the user, ultimately: when you give up the key or, in this case, your password, or give access to your account, the data is still fully encrypted. You’re just giving encrypted read access to an adversary. So really, focusing on, you know, phish-resistant multifactor authentication is important.
And then what about network administrators? We’re talking about Telegram and C2 capability. How might they identify whether this is an ongoing breach in their environment?
Maddock: Things that users can look out for when they’re using Signal, if they think they may have been targeted by one of these groups, is if all of a sudden all of your Signal communications go dead, that probably means that somebody took over your phone number’s profile on the Signal system, and they’re now running a doppelganger account in your name.
That doesn’t mean that they can read your past communications with all of your contacts, but what it does mean is that they can initiate new communications with people who are in your Rolodex, and impersonate you to them, and potentially get information out of them that they would only provide to you. So that’s something to look out for.
You can also go into the Signal app on your phone—and we have instructions in some of our publications on how to do this—and find where it says that you have linked devices. And if you see linked devices in there that you didn’t authorize, that’s another way to find out that your account has been compromised. In those situations, the adversary actually is able to see your ongoing communications.
So, two different types of attacks. They’re both bad, and they’re both things that you can look for and watch out for in your own personal life.
Leatherman: Yeah. You highlighted the PSA. For folks looking to get more information to protect your communications, go visit ic3.gov and you’ll see the PSA posted there. And it’s really important that even if you are not compromised, if you’re in a group with somebody who is compromised, your communications within that group are also being collected by malicious actors.
And so, sharing this with folks that you have conversations with in these commercial messaging applications is incredibly important.
Now for network administrators we talked about C2, and the use of Telegram in support of C2. What can they look for to help them understand whether there is a potential issue in their environment there?
Maddock: For sure. So, the first thing to note is that the adversaries’ use of Telegram in this way is very different from what we saw with Signal, and the doppelganger accounts and so forth. This is malware that’s been built to use the Telegram API as its command-and-control channel. So, it doesn’t mean that any of your Telegram accounts, if you use Telegram, are compromised. It doesn’t mean your apps were compromised on any of your mobile devices.
It just means that there’s going to be network traffic flowing out of your network, potentially, if you have this malware running, that’s talking to the Telegram fabric. So, if your organization does not use Telegram at all, or your users are not authorized to use it from your network, simply looking for DNS requests or network traffic to telegram.org is an indicator of compromise in your environment.
Leatherman: Yeah, that’s a great first method is to filter out some of that DNS [domain name system] traffic. Okay. Great.
And then story No. Three, we’ve talked about, I think, on almost every episode so far, which is your home network being part of the digital battlefield. And this is one that we continue to track.
In Episode Two, we discussed the IPidea residential proxy network that Google and industry partners disrupted. Roughly 550 threat actor groups were routing traffic through compromised home devices.
In Episode Four, we talked about Operation Lightning, where the FBI and Europol took down SocksEscort, a criminal proxy service that had infected approximately 369,000 routers across 163 countries with AVrecon malware since 2009.
Since that episode, we’ve continued hitting this threat. On March 20, the FBI, working with law enforcement in Germany and Canada, and dozens of private sector technology companies, seized infrastructure used by four additional botnets: Aisuru, KimWolf, JackSkid, and Mossad.
Collectively, these networks compromised approximately 3 million devices worldwide, with hundreds of thousands here in the United States. The devices were primarily IoT [Internet of Things] devices and equipment like cameras, routers, video recorders, streaming devices.
The operators sold access so criminals could use the devices for DDoS [distributed denial of service] attacks and as proxies to mask other criminal activity. Aisuru alone issued more than 200,000 DDoS attack commands.
Cloudflare has been warning that these botnets had over a million devices at their disposal and could launch attacks capable of disrupting connectivity for entire nations. The Department of War’s own information network had IP addresses targeted through these botnets.
The one I want to highlight is KimWolf. Amazon helped the FBI and Department of War identify the command-and-control infrastructure and reverse engineer the malware.
What made KimWolf different is that it compromised IoT devices that were already on home networks—things like the streaming TV boxes—and then used those compromised devices to reach other systems on the same local networks, systems that would normally be protected from external threats by the home router. It grew to over 2 million infected devices, with over half the victims in the U.S. or the U.K.
We also released a public service announcement on March 12 through IC3, explaining how home devices end up in these networks. The PSA covers five methods: Apps with hidden proxy code embedded through the developer partnerships; free VPNs with buried terms of service, which we talked about previously; IoT devices that arrive compromised from the factory; malware bundled with pirated content—we’ve also hit on that previously with res proxies—and passive-income apps that pay users for their internet bandwidth without disclosing that criminals are actually routing traffic through their connection.
So, Adam, the KimWolf capability, compromising a device on a home network and then pivoting to other devices on that same network: That changes the threat picture a bit from what we previously have discussed.
Talk about why that matters, especially when so many people are working from home still today.
Maddock: Yeah, it is a significant change. Historically, there have been a handful of ways that adversaries have gotten inside home networks, either through end-of-life devices at the edge of the network, like your Wi-Fi router, or through mobile apps coming in when your kids download games or things like that.
What this is showing is the adversaries’ desire to stay embedded in these environments, even after you upgrade your router or you patch your kid’s Android phone or iPhone or remove that malicious app.
This interweaves with the general trend that devices that are sold to be run on the inside of home networks don’t generally have security as part of their design practice. So, they assume that bad guys can’t talk to you because you’re on the inside of the firewall.
But if there are bad guys already on the inside of the firewall because they came in through a free VPN app, as you said, or a malicious game, or they compromised the edge device because it was unpatched and out of date, then they can very easily pivot to other devices.
A lot of the time, it’s not even necessarily the fact that the device has a vulnerability, it’s that it just uses a default password. So they can scan for your IP camera that you’re using or, you know, your nanny cam, as they call it, or some sort of a lamp control, and then log into that with a default password, install their malware, and now they’re persistent, even if you remove the initially compromised device.
Leatherman: Yeah. So, you know, that’s kind of the home network. But then, employees work and they connect to their work environments. And what are the considerations for employers who have employees connected and potentially vulnerable to these types of attacks?
Maddock: Yeah. So, it’s really two things, right? You mentioned … employees bring their devices in and out of the home, maybe into and out of the corporate environment. Maybe they’re actually connecting the same devices to their home network and to their corporate network.
So, there’s the potential for malware to now move in and out of an environment that would have otherwise been considered protected by a corporate firewall.
But it’s also the fact that your employees, in many situations now, with work from home being incredibly prevalent, they’re connecting to the corporate environment from their home network. And you’ve got almost a conduit now of information going from an untrusted network into your trusted environment.
Leatherman: Well, Adam, we’ve covered a lot today. Really technical details. The good news for folks listening is there’s more available at ic3.gov. To learn a little bit more about the PSAs and the mitigations that we put out here.
Adam, just a quick thanks to you for your leadership of the CTAOS teams. And I really want to thank everybody across the CAT teams and CTAOS for the work that they do to impose cost on bad actors, but then to really prioritize victim engagement.
Thanks for being on the show today.
Maddock: Thanks for having me on, Brett.
Leatherman: Great. So, three stories, one thread: trust. Developers trust their security tools and open-source packages. Government officials trust their encrypted messaging applications. Homeowners trust the devices on their networks. In every case, adversaries are exploiting that trust to get access. Closing the gap between what we assume is secure and what actually is, that’s what we’re trying to get across with our Operation Winter SHIELD that just wrapped this week.
I would encourage everybody to take a look at those controls that we recommend at fbi.gov/wintershield.
Coming up next, my conversation with Joe Levy, CEO of Sophos. We get into why most of the world’s businesses are operating below what he calls the cybersecurity poverty line, why edge devices are ground zero for nation-state activity, and what it takes to defend the organizations that don’t have a security team.
That’s next.
_______________________
Brett Leatherman, assistant director, FBI Cyber Division: Welcome back. I’m really excited to talk to our next guest. Joe Levy is not a typical tech CEO [chief executive officer]. He’s a 30-year practitioner who built firewalls by hand in the 1990s, ran exploit research and security analytics startups, and spent decades as Sophos’ CTO [chief technology officer] before taking the job of CEO in 2024. He still runs a full home lab in his residence, which I love because I do the same thing.
So, it keeps us both sharp. Right, Joe? So, Joe, thanks for agreeing to join us on “Ahead of the Threat.”
Joe Levy, chief executive officer, Sophos: I have been so looking forward to this, Brett. I’m really excited about the chance to talk to you.
Leatherman: I’m looking forward to the conversation. So, Joe, we have talked before about the importance of edge device security, about … the fundamentals of cyber security. And recently we boiled that down into what the FBI has launched, called “Operation Winter SHIELD.” And Operation Winter SHIELD is meant to close the gap in the cyber resilience fight. It’s kind of what we see day in and day out in our law enforcement mission that continues to be targeted by foreign actors. In your and my conversations, you guys have kind of validated that that is what you’re seeing as well throughout kind of those controls.
So, tell me a little bit about Sophos. Tell me a little bit about yourself and what you guys see in your visibility into the current threat environment.
Levy: Yeah, happy to do that. And first let me say I’m really glad that you created Operation Winter SHIELD. There have been a variety of different sorts of frameworks and blueprints over the years in the industry, and all of them are trying to do the same thing. They’re basically trying to take, like, the collection of all the NIST SP 800-series documents and distill them down to something that’s consumable, interpretable, actionable.
And I think you guys did an extraordinary job with this, and I’m hoping to actually use it as the structure for the conversation, because I think it’s perfectly suited to it. Just a little bit of a background on Sophos. We’re a well-known cybersecurity brand. We’ve been in business for about 40 years now. We originally started off with endpoint protection technology and then began diversifying into other IT operating theaters, email security, network security, cloud, mobile.
The biggest transition for the company was about six or seven years ago, when the realization struck me that, particularly given my practitioner background, technology is great, but it doesn’t really matter unless it’s used in some sort of an effective way—configured correctly, operated correctly. And that you’ve got 24-by-7 operations that are actually going to respond to what is the technology and what is the control telling me to do.
It’s one thing when an endpoint is just screaming at you that it recognizes that it’s under attack. It’s another when either a human or an agent can actually intervene and do something about that attack. So, that was a philosophical design change for us. We just chose that we want to offer more predictable outcomes to our customers, great underlying technology. And now we actually deliver that as a very, very predictable managed detection and response service. So, that’s us in a nutshell.
Leatherman: That visibility is tremendous, right? You’ve got host-based visibility. You’ve got network-based visibility. And you guys, as a result of that, publish an annual threat report. And I think that’s valuable for anybody who is looking to defend networks, people, systems, data.
Your 2026 Active Adversary Report analyzed 661 IR/MDR [Incident Response/Managed Detection and Response] cases that you guys were involved in. The key findings here, I think, continue to reaffirm that the fundamentals are missing, in that 67% of incidents were rooted in identity-related attacks, and the MFA [multi-factor authentication] was missing in 59% of the cases.
And that’s important, right? Because … in one of our episodes, somebody had mentioned, that identity is the new perimeter. And that adversary continues to target the end users to get credentialed access to networks and data. And we still continue to see an increase in targeting of those end users.
Levy: Yeah, that’s absolutely correct. And we do have some rather unique insights through the combination of our managed detection and response service. Of our 600,000 total customers, about 36,000 of them are under our MDR watch today. And then we also have incident response practices, both from Sophos and through Secureworks, which recently became part of our business, about a year ago.
And as you pointed out, we do hundreds of these kinds of engagements a year. And that data, unfortunately, it keeps revealing the same patterns over and over again. While there are some interesting data points that were exposed this year—for example, that within ransomware, we’re seeing less encryption events than we’re seeing exfiltration events. And that one by itself is an interesting data point.
And perhaps you wonder why is that so? And the simple answer is it’s because ransomware that encrypts is noisier than ransomware that exfiltrates, and it’s just easier for attackers to fly under the radar when they modify those behaviors that way. And these year-over-year reports permit us to see those kinds of changes in the adversary behavior.
And this is absolutely essential for us as defenders to be able to understand how are they adapting so that we can continue the counter adaptations.
Leatherman: Yeah. You guys, I think, looked at 51 unique ransomware brands that you had observed. And in that case, an interesting thing that stood out to me on the ransomware side is that 88% of ransomware payloads deployed during non-business hours and 79% of data exfiltration occurred in off hours. And I think that just goes to show there’s probably … a variety of reasons. Some actors are operating outside the U.S. time zones, which means it’s going to naturally happen that way.
But we have seen in the FBI some of the largest data, ransomware … data encryption and ransomware events happen during holiday weekends, for example. If folks are off on a Friday or a Monday, and all of a sudden if you go back to the REvil attacks, you see these major attacks happening around July 4 or holidays where they know network defenders are out of the environment.
And so, detection is likely to be delayed and incident response is likely to be delayed as well. So, there’s a human element of this as well. It’s the detection, but it’s also the actors really looking at what are the capabilities to respond and how much time do we have to encrypt and exfiltrate as well.
Levy: That’s right. Yeah. And they’re not stupid and they’re certainly opportunistic. So, they know when they can strike and be most effective.
Leatherman: Yeah. And so, prevention versus detection: I, you know … a lot of folks talk about this. I see it as kind of a false choice, really. Prevention and detection. We should … we should really start to focus on both of those. I think sometimes we over-index on prevention and at some point everybody’s going to get breached. So how do you reduce that dwell time more quickly, right?
I think security by default. You have talked about that many times in prior engagements that we’ve had. So, how can folks start to think around, “How can we detect attacks? Like, we’re focused on prevention.” But, you know, you mentioned the threat telemetry. You see the IR work that you have done and your company has done.
But how do we start to get to this place where we start to detect the actors quicker?
Levy: So, sharing threat intelligence is, of course, one of the best ways that we can do this. And there is a lot of public/private sector sharing that’s been going on. The Bureau and Sophos have collaborated in multiple engagements over the years, including some that have been targeted at us. And I think that that is just fundamental to ensuring that we’re sharing the collection of knowledge. The metaphor of the blind man and the elephant, I think, genuinely applies here.
There is no one cybersecurity company. There is no one agency in any government that can make the claim that they have an absolute perfect understanding of everything that’s happening. And oftentimes, there’s a debate in the industry, for example, about the naming nomenclatures that we use for different threat groups and threat actors. And there have been suggestions that we actually just normalize them and we unify on a single set.
And then the counter argument was made, which I think is a very important one, that there are actually are very unique perspectives, even when you’ve got overlap within the same threat actor groups. So, that kind of … you complete a more comprehensive picture by unifying all of the data, I think is fundamental to this, and that’s why it’s so essential to us to participate in different sorts of threat intel forums and consortia.
We work with the Cyber Threat Alliance, for example, us and about 30 other companies. So, that, I think, is one of the most important things that behaviorally we can do. And we should try to normalize that to the greatest extent possible across the entire ecosystem. And I’m not just talking about, like, the 30-something vendors that are in the CTA today, but, like, all of the cybersecurity vendors; all of the technology vendors; the service vendors; the cyber insurance ecosystem.
There is more to it than just companies that are building technology and providing services. It’s a whole-of-the-ecosystem approach that we need to take to this. So, it’s very important that like, I get that point across to everybody and just encourage everyone to participate in that a little bit more. Sorry, go ahead.
Leatherman: I was going to say, yeah, I’ve defined it kind of in the past, I think even on this podcast as, you know, we’ve previously talked about an all-of-government approach to defending the homeland. That’s kind of that law enforcement and intelligence community nomenclature. But we’re shifting to this all-of-society standpoint where we have to close the gaps.
I know we are working much closer with Sophos and the other threat intelligence companies, the major cloud providers, to really share what we’re seeing in a way that protects privacy of consumers, but allows us to pivot upstream against the bad actors more quickly. I think we can all stand to do a lot more of that and to lean into some of that sharing.
Levy: And that’s the fuel of detection. Like, that is the basis upon which detection happens. You have to have all of the indicators and all of their abstractions, and some of them are quite simple, and some of them are quite hard — like collecting bad IP addresses is relatively simple, relatively low value. Collecting novel TTPs [tactics, techniques, procedures] as they’re emerging is much, much harder, and there is an immense value that you get from them.
But they’re more difficult to extract from observations and there are far fewer of them. And I also think that we’re very, very good at sharing the simpler kind of IOCs [indicators of compromise] and IOAs [indicators of attack] than we are the more abstracted ones. And then figuring out mechanisms that we can actually share packets of knowledge rather than just hashes and IP addresses and file names and those sorts of artifacts.
We’re making progress on this today, and it’s quite encouraging. And the more that we see the underlying security operation platforms themselves mature — and whether it’s a SIEM or an XDR or some combination of the two, as tends to be the direction that the industry is going in right now — they’re getting better at actually dealing with these collections of knowledge rather than these discrete data points.
Leatherman: Yeah, absolutely. Let me pivot into something that you and I have also talked about. And that’s this idea that, while we have Operation Winter SHIELD and these 10 controls, I … you know, my fear is this, Joe, that there are still a lot of folks out there who don’t have deep cybersecurity teams, who don’t have deep knowledge of cyber, and who are going, “How do I implement these? I don’t necessarily know what they mean. I don’t know what they mean to my environment. And so, how do I start to approach this?”
You and I talked a little bit about this. I thought you had great perspective on this and just kind of wanted to bring that to light to the audience as well.
Levy: Yeah. This is, I think one of the most important, most difficult aspects of this whole conversation. So, I’ll provide a little bit of framing to this first. You mentioned that most organizations simply don’t have the means to do this stuff. The term in the industry that we’ve used for a number of years — it was originally coined by Wendi Nather and I will always give her credit for it because I think it was … extraordinarily helpful — “the cybersecurity poverty line.” And what that describes is a condition below which the likelihood of having a good cybersecurity outcome is just really poor.
And if you look at that and you ask the question, well, “How do we quantify this?” There’s a variety of ways to do it. One could be, do you have a dedicated security team? Do you have a 24-by-7 SOC [security operations center]? What is your cybersecurity budget? What is the accountability model that you have? What sort of risk management methodologies are you using internally?
And the list can go on and on and on. So, there’s no one universal measure for it. But one metric that I think is very telling by itself is just this basic question that we ask, “How many organizations in the world actually have a CISO [chief information security officer]?” And if you use the CISO as a proxy for leadership and a proxy for the capacity for maturity and operation, it’s quite a stark number.
Out of approximately 359 million organizations in operation in the world, there are approximately 32,000 CISOs. So, it’s fewer than 1 in 10,000 organizations have somebody whose job it is to provide cybersecurity leadership for them, and those aren’t good odds. So, the fundamental question is, “Could we do better than that?” And I think the answer is, “Absolutely.”
And I will describe the conditions which I believe make that possible, probably for the first time in our history. But, like, if we look specifically at what you guys produced with Operation Winter SHIELD, I … one of the first questions that I want, I’ve been meaning to ask you this the next time I saw you, in fact, “Are they organized in any particular way? Is there an order? Are they in a priority? Is there a dependency stack? Like, how do you think about that?”
Leatherman: Yeah, I’ve been asked that a number of times. Like, “Am I, am I to take these one to 10 and work on these?” And the answer is, “No. They’re not.” And the reason I say that is because we do incident response from a law enforcement perspective 365 days a year. And in every incident we’re engaged in — 99% — one of these controls, if not more, were violated by the threat actor.
Now, they’re different. In almost every case. It is … We can look back and see edge device exploitation. We see end-of-life devices that are five years past their support dates. We see vulnerabilities being exploited that had a patch available three years ago. We see a lack of phish-resistant MFA on remote access for administrators. Or an organization that didn’t have an incident response plan or hadn’t tested that incident response plan … was a contributing factor.
And so, all of these are incredibly important to us, but we didn’t want to define to the businesses themselves a one-to-10, because somebody may do something really, really well, but be weakened in another area, but we might artificially cause them to look at that area that they’re really doing well.
So, it was more of like, “Here are the top 10 areas we see if we aggregate everything we do. And we want you as an organization to kind of look at your risk and understand where your focus might be.” Does that make sense?
Levy: It makes perfect sense. And like, you don’t have a complete solution unless you have all of these elements. I completely agree with you, but I always like to take a razor approach to managing these sorts of situations. And like, one razor that you could apply is, “If you could do one thing, what’s the one thing you should go do today?”
And I … when I looked at it through that lens and through the lens of our commercial engagements with our customers and how often it is that we find when we engage with a new customer, the ways in which their environment is immature or the ways in which their environment is unhygienic, we generally find that there are relatively low-hanging fruits that we would be able to just go do with them, like today. Like, Day One on the engagement, “Let’s go do this thing and it’s going to make you measurably better than you were yesterday.”
So, I applied that lens to the 10 components that we have here. And I came up with, a sort of an order. And then as I looked at the order, it occurred to me that some were easy and some were hard, or some were easier and some were harder. And also, some were things that you buy and some are things that you do.
So, like, I just ended up with this stack rank of like, “easy low-hanging fruit, go do this today.” And if you’re not doing it, it’s going to make you so much better off. And like, No. 1 there is adopt phish-resistant auth. Like, that is, in terms of return on investment, if you are not doing that today and you start doing it tomorrow, you’re going to be infinitely better off.
Reducing admin privileges is the next one. Maintaining immutable backups. Like, you can go through this list and you could think of it just in terms of, “In the real world, in terms of practical adoption, what are we seeing as being deficient and what’s going to make the biggest difference immediately?”
Leatherman: And that kind of maps to your reporting and Microsoft reporting and Amazon reporting. Like, I look at these threat reports and you could almost, if you don’t number them 1 to 10, you can almost take them and put them in, you know, segments. Here’s the top three. Here’s the middle three, here’s the lower three. Because what the reporting says is, “Identity continues to be targeted.”
And that’s why phish-resistant MFA, de-escalation of privilege … all of those things are so important. And then you can start to say, “OK, now edge devices are under attack.” And so, vulnerability risk management and end-of-life devices — retiring those — understanding the services that are running at your perimeter and how you better secure those services you can almost augment underneath those.
I think that’s a really good perspective because you … if you start to address your identity issues first and you start to roll out … listen, you don’t have to roll out FIDO2 devices to everybody in your enterprise, but maybe those who have privileged access and those who are accessing your devices remotely and have remote access to your environment, that might be a good place to start.
Levy: That’s right. Yeah. And we’re fortunate because there have been such advancements in not just the technology itself, but the user experience of the technology as well. Like, Passkeys are just so wonderfully simple to use now. And even as recently as two years ago, that wasn’t the case. So, where we’re the industry itself — and this largely comes down to where the browser vendors have provided this kind of wide-scale adoption, browser being a primary interface into so many of these systems.
It’s incumbent upon them to try to provide those simpler, more easily adoptable user experiences. So, like, hopefully we see more of that sort of thing.
Just getting back real quick to the framing before. So, I came up with this two-by-two matrix. And it’s very simple. It’s “things you buy,” “things you do,” “things that are relatively easy,” “things that are relatively hard.”
The absolute hardest one, like the one that really, really stood out for me is, managing third-party risk. Like, that one just explodes into so much complexity that even the best organizations in the world still have a hard time getting their arms around. So, this one, I think, if the Global 2000 are struggling with this, how is the rest of the world doing on that?
Like, where does a small business or mid-sized business even begin in getting their head around that?
Leatherman: Yeah. It is … it’s a tough problem because the proliferation of third parties who have access to your data in your system is only increasing. We’re relying on more and more people to house our data and information. We’re moving things to SaaS [Software-as-a-Service] providers, to the cloud ecosystem, not keeping everything necessarily in one spot. And then how do we start to think through that?
And of course, if you are not an organization that has a CISO, now you have a third party who may be coming in and actually managing your networks and your devices as well. And so, how do you start to manage risk around that? When the environment is only increasing right? That is a hard thing because it’s not a technical solution where you can just deploy something.
It’s process. It’s constant auditing. It’s having access to be able to audit third-party vendors’ access, because you can spend a million dollars on really shiny technology that is really good at defending your network. But if you have one trusted third party who has access to that environment or to your data, the actors are going to target that third party.
They’re not going to try to breach that sophisticated technology. They’re going to go after that third party that has less cybersecurity standards in place, and then they’re going to pivot into your environment. That’s a really tough, I agree. That’s a really tough one to think through.
Levy: It is. But if we manage to get good at the other nine, then we can focus all of our energy on that one, and ultimately, I think that’s our goal when we’re trying to advance the maturity of organizations.
Leatherman: Yeah. And I think you said it really well. It’s about moving the needle. It’s about starting somewhere. And so, for every organization, it can be daunting to take all 10 of those controls and say, “All right, I’m going to just start plowing away at all 10 and trying to make progress.” No, I think like looking at those top three that they see as risk to their organization, that is going to measurably move the needle.
When I talked to Amy, the CISO over at AWS, they put a blog post out that showed a Russian-based actor, who was mediocre at best, conducting hacking operations. Whenever they leveraged artificial intelligence to support the work they were doing but they saw that the fundamentals at the edge of the environment were in place, they simply moved on to the next system.
And that’s what the goal is here. In the United States, Operation Winter SHIELD … I’ve always said if we could raise the resilience percentage — I know that’s very ambiguous — by 10%, like, we are doing measurably better than what we were before. But it’s about doing that, it’s about taking steps against the most risky areas in our environment and making that initial progress.
Levy: Yeah. And there are attempts in the industry, to be able to quantify that, like, there is no universal measure of resilience today. There’s cyber-risk quantification efforts. And I think these are going to become more and more important, just as a yardstick that organizations can use to say, “Am I better today than I was yesterday?”
And the only organizations in the world that can do that today are the ones who have CISOs, are the ones who have mature risk management frameworks that have heat maps that they’re employing, they’re running tabletops and they’re practicing their incident response plans. Like, as you start to stack all of this stuff up, there’s more in the “Do” pile than there is in the “Buy” pile.
Like, you could go buy the best technology. You’re still not going to get the right outcome until you get the “Do” stuff right. And I mean, throughout my life, I fundamentally believe that any problem that you could solve with money is a less hard problem than one that you can’t.
So, it’s yes, budgets matter. Like you have to have the dollars to go do the right things, but it’s rarely the lack of budget that causes the problem.
It’s the lack of knowledge. It’s the lack of knowing what to do next. And it’s inertia. Like, just organizational inertia. And, “Are we going to be able to make the changes that we need to, to actually adopt this and make it habitual, just make it part of the way that we operate?”
Leatherman: And I think that’s removing it from the cyber discipline, because even if an organization has a CISO, the CISO’s job is to manage cyber risk for the enterprise. But it’s not the CISO’s job alone, like they’re the one there to champion and lead that effort. But it is a business risk like everything else.
In fact, I would argue, based on what the FBI sees day in and day out when organizations are hit with ransomware or an APT [advanced persistent threat] actor, that the financial risk outweighs some of the other business risks out there.
And I think it’s only increasing. And so, this is, you know, cybersecurity is not just national security. Cyber risk is business risk. And that means … executives, boards of directors; they don’t have to know the ones and zeros. They don’t have to deploy home labs like you and I run to understand it. But they do have … there’s an obligation to understand risk in general and to start to dive in and understand where the biggest portions of risk to your business are.
Whether you sit here and you manufacture a widget or you are building software for hospitals and health care, how you become more secure at developing code. We all have responsibilities that are beyond the ones and zeros. And I think that’s an area this campaign is really meant to move from the server room to the boardroom … to the outside counsel’s office, to understand what this risk is and how they can take a part at moving that conversation forward in mitigating risk to organizations.
Levy: That’s right. And your mention of health care is obviously a reminder of a recent incident that we just saw, the Stryker attack. And this one, there was no malware involved in that, that was just getting access to an administrative tool and then using it to remotely wipe a whole bunch of devices.
So, this has been going on for years. Attackers, again in pursuit of flying below the radar and evading detection, they started using existing administrative tools, living-off-the-land sort of binary approaches. And this is just a variation of that really. But why is it that a platform as powerful as Intune, which is an amazing platform, why is it that it couldn’t itself recognize that it was being abused in this way?
Like, this is not to disrespect Microsoft in any way, but why are tools that are this powerful permitted to be abused in this fashion without the vendors themselves providing the kind of self-awareness that the abuse is taking place? I mean, this is fundamental to the way that we think about our MDR operating platform.
Like, we are responsible for protecting 36,000 customers and the length that we have gone to, and the design of how our analysts get access to the platform itself: hardware YubiKeys, extensive auditing, ongoing security checks for the employees themselves, verification of the employees during the onboarding process. Naturally, this is not just the technology itself that becomes susceptible, but it’s the combination of the technology and the humans, and increasingly, the artificial intelligence agents that are driving the technology.
How are we ensuring that the call isn’t coming from inside the house, basically?
Leatherman: Yeah, listen … that’s a great point, because secure by design is kind of, the concept that we’ve talked a lot about. When you have technology that folks don’t necessarily understand but have to deploy in their environments or are part of the software that they have in their environments. There is a certain responsibility, I think, going forward for organizations to really take responsibility for what their software can and can’t do.
Especially as we continue to have a talent gap, it really is incumbent upon the major providers to start to look across their ecosystem and to say, “What damage could this particular service do? And are there ways now we can start to bake in artificial intelligence that would help end users identify anomalies when an actor is living off the land or abusing that particular service?”
And I think this is part of a multifaceted solution to defend the homeland and secure the homeland, is allowing, you know, the major platforms, the major software providers to start to put these protections in place that make it easier for the end users who don’t … who can’t understand 100 different software packages that they’re running in their environment, to help that become more secure.
I think there’s already a move in the cloud ecosystem to apply really robust threat intelligence to tenant environments, and that raises organizations’ threat, mitigates their risk to threats significantly. Because instead of having to deploy their own threat intelligence teams, they’ve got Google, Microsoft, Amazon; incredibly capable threat teams that are looking at the tenant environments and defending against actors that they’re tracking.
The same is really true of software providers. When you put hardware in your environment that’s running an operating system and various services, helping organizations now understand when it’s being abused — because that is the move, right? The PRC [People’s Republic of China] no longer, in particular, no longer deploys really sophisticated malware, in most cases. They are living off the land in very effective ways, and we’ve got to start to mitigate risk around that.
Levy: I totally agree with that. And there are points of concentration that could be leveraged either by good guys or bad guys. We need good guys leveraging points of concentration more. And the CSP [cloud service provider], I think, is a great example of that. When we talk about CSPs, I think we’re all familiar with this notion of a shared-responsibility model.
There’s a set of things that I, as a CSP, take care of, or I, as the vendor, take care of, and a set of things that you, as a customer, take care of. A term that I use that’s a variation on that, which I quite like and I’ve adopted, and I wish I could give credit to whoever coined it. I just don’t know who it is. “Shared outcome model.” Shared outcome model sounds better than a shared responsibility model.
Yeah. And I think vendors … and this is an area where we put our money where our mouth is. Vendors have a greater obligation to protect their own environments so that they don’t become that point of compromise leverage.
Like, imagine what would happen, God forbid, if like, AWS was compromised at some point. I understand they’ve got like great internal security architecture in isolation.
They’re using a lot of Sophos products internally, which is good. Same as us. Like we’ve got good kind of modular, isolated design. But if a vendor ever becomes breached, that becomes a point where you get access to underlying data systems and you could begin to corrupt data.
You have access to customer environment, you have access to code bases to where you could push down malicious code updates. All sorts of really terrible things happen.
So, what are the vendors doing to actually demonstrate that they’re making an exceedingly large and hopefully sufficient investment in ensuring that they don’t become that leveraged point of attack? This is where I think, like secure by design, other sorts of initiatives, are so important.
Where they unfortunately begin to fall short is that the counterpart on the demand side just hasn’t seemed to have kept up. You can have a supply of things, but if you don’t have a demand for it, you’re never really going to get that kind of market interlock that’s going to drive the necessary progress. And one of the reasons why we haven’t seen more vendor adoption on the secure-by-design side is because we haven’t seen enough pull from the secure-by-demand side.
And where that begins to change is where procurement dollars begin to influence the demand landscape. Like, when are organizations actually going to say, “We’re just not going to buy that unless you can demonstrate that you’re secure by design, that you’re secure by default”? Until that happens, the market is not going to self-correct.
Leatherman: Yeah, I wish we would get there. I mean, listen, I would love for the FBI cyber teams to be out of a job and shift our focus to another threat that the FBI has; we have a lot. But we’re not there. And what I would say is, you know, the threat environment is only escalating.
I’ve talked a lot publicly about the PRC threat. And when it comes to really kind of an organization that deploys tech to other entities, you guys have seen your fair share of PRC actors targeting your environment and you’ve actually turned that into the ability to better defend those environments. And so, talk a little bit about kind of the edge device conundrum that we’re in.
You know, I’ve always said 2025 and even before, but really 2025 was the year of edge device exploitation. And I believe that 2026 is going to be the year of edge device exploitation at scale because we’re starting to really see artificial intelligence play into the equation here.
But you guys really, did this well from the vendor side, when a nation-state looks to turn your products into something that is weaponized against folks. Can you talk a little bit about your process there and what you guys … your perspective there?
Levy: Yeah, absolutely. This was a set of disclosures that we made a couple of years ago, under the banner of Pacific Rim. And it’s a reference to the geography and where the attacks were being sourced from. And this was a multi-year engagement that we had with identified PRC threat actors where they began attempting to compromise our customers’ firewalls.
The very inception of it, the beginning of it, was an attack against our corporate operating environment. And believe it or not, these are the sorts of things that you hear about. And sometimes people roll their eyes when they hear about them. But it was an attack on a system that was in the greeting office of one of our India offices.
And it was a small dedicated device, like an Intel NUC [Next Unit of Computing] that was driving a display that just had like, you know, “Welcome customer,” that sort of thing. And that was the initial entry point. So, in that respect, it’s one of these apocryphal stories that you hear, like there was this little thing in the corner that nobody thought about, or it was an IoT [Internet of Things] device that provided the initial foothold, that was really it.
And it just sort of proceeded from there. And it took us a while to identify that the threat actor was present. There were some abuses of zero days within the AWS IAM [Identity and Access Management] operating environment. There’s a lot of learning in the early stages of this. Ultimately, what happened was, they began developing exploits against our firewalls.
And we have approaching about a million firewalls in deployment across our customer base right now. And they were finding vulnerabilities on the code base, and they were doing the exploit development on the devices themselves. Access to physical devices, access to virtual and software devices. And we became aware that this was happening. So, we began to investigate.
We have a natural set of telemetry from the devices — basically, think of it in terms of like the health of the device — that we were collecting. And there was interesting information there, but it wasn’t enough. So we said, “We’ve got this XDR [Extended Detection and Response] tool that runs on Linux environments. Let’s just deploy our XDR agent on our firewall.”
So, that was the very first step we took. And that was kind of this epiphany moment. It’s like, “Wait a second. These are just like high-privilege, high-trusted-use case-specific Linux servers for the most part. Why don’t we just treat them like a Linux server and do detection response on them?” So that was like, “Bing.” Light bulb went off.
We deployed XDR agents to all of these devices. We started getting more telemetry, better insight, and we began to see just the isolated set that the threat actors were using for their exploit development. There were blind spots in that, but we didn’t have all of the information that we needed. So, we said, “Now that we have identified this small number of devices where the TA [threat actor] is actually active, can we get more visibility?”
And we developed something that we referred to as “the kernel implant,” which we pushed down just to those devices very, very surgically. And I want to be clear about this: We did not push this out to the entire population. We do not do XDR telemetry gathering on everything. So, there is no private information that is being gathered.
But that step permitted us to see exactly what the threat actor was doing, and we were then able to stay one step ahead of them. As they developed a new exploit, we fixed it, and then, instead of pushing out a hotfix — we have a hotfix capability so that we can automatically push out live updates without having to do a firmware update, without having to do a reboot.
You don’t lose your connection cache, like it just goes in live, totally non-disruptive. Pretty cool architectural feature. We were able to push out hotfixes, but instead of just fixing the one thing that they were doing, we batched it together with like 150 other very low priority defect fixes. Like there was a misspelling of a word on, you know, one of the pages or something like that.
And that permitted us to prevent harm from occurring in our customer population without ever tipping off the TA that we were watching them.
Leatherman: That’s fascinating. I think it was one of the most public kind of disclosures of a cat-and-mouse game between a vendor, a defender, a technology provider, and an APT actor, that we have seen publicly. So, I applaud you guys for putting that out there because it gives all of us visibility into the, I guess, the mindset that some PRC actors have when targeting the devices at the perimeter. That’s especially true when they’re identifying zero days, like you said, in an environment where they have to disclose those zero days privately to the CCP and not disclose it to the vendor themselves.
And in some of these cases, I think you guys were able to trace this activity back to academic institutions in China, which to me indicates it’s likely that they were looking to sell these or to provide these at least, to the government there.
Levy: That’s right. We know the dude. And it’s funny that you mentioned disclosure because we’ve also run a bug bounty program for years, and we’ve got some very generous bounties that we pay for finding critical defects in any of our products — our firewalls, our endpoints, our cloud operating environment. We also observed that some of the more enterprising exploit developers were attempting to double dip.
They were developing the exploit and they were reporting it to us at the same time in the hopes of collecting a bounty. And yeah, that’s pretty audacious. But yeah.
Leatherman: It is especially when you’re sitting in mainland China.
Levy: Yeah. Like that probably wouldn’t sit well with their leaders.
Leatherman: I mean … it shows the blended threat environment that we face because yes, we have nation-states who use criminal hackers, or who use hackers within their government to engage in exploitation or broker access to U.S.-based networks. But at the same time, these actors are also moonlighting in some cases and conducting ransomware activity.
Iran is an example of that where, historically, we’ve seen them act on behalf of the state, but then on the side moonlight in conducting ransomware operations. North Korea, we’ve got, you know, IT workers and we’ve got cryptocurrency theft, but we see them aligned with criminal groups as well. And of course, Russia is very much the same.
So, that’s an area where I think all of us have to understand, we’ve got these foreign nation-states who do work in this gray zone of, you know, industry supporting the government, you know, forcing hackers to engage in this activity. And we’re really up against a blended threat. And, I applaud you guys for having really deployed the technology that you did, the implants that you did to understand what that threat was in such a targeted way.
Levy: Yeah. And this has become part of our standard practice for our firewall fleet, now. We think that, because devices like this, edge devices, by their nature, they’re internet facing. And so often they’re doing things like providing remote access, whether it’s through SSL VPN [Secure Sockets Layer Virtual Private Network] or ZTNA [Zero Trust Network Access]. Their very function generally necessitates that they’ve got like some listener ports on them that can come under attack.
So, that’s why it’s so essential that we continue to monitor the fleet. And we actually consider it part of our MDR environment now; we think of our firewalls as being part of our MDR service, but we don’t charge our firewall customers extra for that. And I think that’s a great model. And I would encourage other firewall and remote-access-device vendors in the industry to think of it similarly.
Leatherman: I think that’s how you approach that secure-by-design approach in the future, and how you iteratively stay ahead of the threat is continue to understand what the threat actors are doing and then apply those fixes where you can. Yeah. Incredibly important.
Do you kind of agree that, over 2026, 2027, we’re looking at this scaled environment where actors are going to have, I guess, quicker access to those edge devices or be able to enumerate vulnerable edge devices much more quickly as a result of artificial intelligence?
Or are we making progress there or might we be in trouble if we don’t start to address this pretty quickly?
Levy: We will be in trouble. And you and I, I think, have done a really good job playing kind of an inverse drinking game here where we’ve managed to not talk about AI too much at all, but like, really, it’s not the novel threats that AI is going to develop that we need to be concerned about.
It’s going to be the rapid operationalization of the off-the-shelf available threats that everybody needs to be concerned about. There’s just going to be a volume and velocity of attacks that is going to overwhelm any human system. And it’s already beginning. Like, we’re seeing early stages of occurrence of this. And that’s just going to continue to ramp up.
This is why it’s so essential for organizations to begin to think about, first of all, “Do I have a security operations center? And if I don’t, I better go figure out a solution to that, whether it’s I’m going to build it myself or I’m going to engage with a managed detection and response vendor.”
And the second one is, “Does that SOC or does that MDR provider have a credible way to be able to deal with this inevitable kind of volume increase that we’re going to begin to see?” And that demands that they don’t have completely human-driven operations. They have to have the combination of human plus AI.
Human needs to remain a part of this equation because the AI is exceptionally good right now, but I don’t think that the majority of people are ready to just turn the keys over to it. The most important reason why the human has to remain in the loop, though, is accountability. And accountability is the one thing that I don’t think AI is going to earn or deliver for quite some time.
Like operationally, it’s amazing what we can do, like tier one, tier two stuff now. But ultimately, we need human beings to be accountable. And that’s why I think that that hybrid model is going to be our best solution for the foreseeable future.
Leatherman: Yeah, we’re in trouble if we get to this environment where it is consistently AI versus human on the defense side, and we’re not starting to employ AI. And I’ve said this, I think, on the show before as well, we don’t have to deploy AI everywhere right now, but we do have to start to apply AI in the areas that matter most to understand where we need to detect and defend and there are ways to start doing that.
Some of it starts with the providers themselves that leverage MDR, and edge devices and elsewhere. But part of it also is incumbent upon businesses to use capabilities available to them today at relatively low cost right now, if you’re using it in limited cases against your most vulnerable areas.
The key is, like Operation Winter SHIELD, we have to start somewhere, and we have to start sooner rather than later.
Levy: Yeah. And then the encouraging part of this is that there are a number of cybersecurity vendors who are far along in their adoption of AI, agentic workflows within their security operations. Sophos is obviously among them. What’s most exciting to me, though, is the opportunity presented by the combination of these security operations technology platforms that we have today, like the next generation SIEMs [Security Information and Event Management], the XDR platforms, plus these new agentic capabilities that we have now, plus some way to scale the human interface with the businesses.
And when I refer to that specifically, what I mean is our ability to work with a global community of MSPs [Managed Service Providers] and MSSPs [Managed Security Service Providers]. That’s the last mile interface. The combination of those three things gives us an ability, for the first time ever, to solve that earlier problem that we were talking about, which is the leadership problem, that 359,032,000.
Like, I fundamentally believe that we can actually begin to bring CISO leadership to these hundreds of millions of organizations that previously couldn’t have even dreamt about having a CISO.
So, that, I think is, the next frontier for us. And that’s something that we’re busily working on here. And we’re going to make some exciting announcements about that this calendar year.
Leatherman: I’m looking forward to it. So, the folks have heard a lot here today, but there’s … we’re looking for tangible ways to help folks really start to dig in tomorrow morning or next week, like early on. So, what would you recommend, if you are a CEO, if you’re a board director who is not tracking what the risk environment looks like for your organization, if you are inside counsel, if you’re a network defender?
Like, what do you start to think about after our conversation today in how you approach controls, risk, technology, and what changes you might make in the days and weeks and months to come?
Levy: So, advice there would be start with Operation Winter SHIELD as a structure and go through it. There are 10 elements to it. As you look at them yourself, that hierarchy that I was describing will probably just naturally begin to emerge to you as well. Some of them will stand out as, “Ooh, this sounds pretty hard,” but some of them will be like, “Yeah, I think I could get that done tomorrow.”
And if it’s something that you’re not already doing, go figure out how to get it done tomorrow. Like, if you work with a partner, if you work with an MSP, an MSSP, first question should be, “Why haven’t you done this thing for me yet?” But go do it. If it’s not being done, go do it. Take advantage of low-hanging fruit opportunities that you have.
And low-hanging fruit is a relative term. For an immature operation, maybe it’s adopting phishing-resistant MFA. For a more mature operation, maybe it’s, “I’m finally going to stand up that attack surface management environment that I really need to understand, ‘How does an attacker see me from the perspective of the internet?’” So the answer is, “It’s all relative.”
Like, assess your own maturity and figure out what is the next thing that I can do to make myself better.
Leatherman: I think that’s great. And I think again, it kind of goes down to what we said up front, which is taking that next step. And I do think use AI to your advantage. Right now for, you know, roughly $20-25 a month, folks can get frontier AI models and they can drop … Operation Winter SHIELD material into it.
And they can even say, “This is kind of some of the environment that I run. What recommendations might you have?” And then really start to learn about it. If it’s something that’s unfamiliar, you now have technology at your fingertips that can do deep research that can help you understand and even somewhat customize to your environment. Now, you always want to talk to professionals about that, but it’s about education up front, and that’s an area I think that would be tremendously helpful.
Levy: That’s a great recommendation. Yeah.
Leatherman: Well, Joe Levy, I really appreciate it. Thirty-year practitioner of cybersecurity and cyber and building firewalls. I really appreciate the time. CEO of Sophos. Very great perspective.
Today, we talked about kind of Pacific Rim and China and what Sophos has done to really inform its user base and the public about what the PRC is doing to target edge devices and how Sophos defends those devices as a result of that.
We talked about the poverty line and kind of who’s undefended right now and the importance of intelligence sharing. We talked about what the data shows, which they’re seeing in their incident response engagements, and really reinforces the Winter SHIELD, I think, 10 controls that we have put out there.
And most importantly, I think we talked about what a CEO, a board member, or somebody might do on Monday morning as they start to approach better assessing risk to their organization.
So, Joe, it was great talking to you. I’m looking forward to doing it again down the road. You’ve got great insight based on the visibility that your organization has. Thank you for visiting us on “Ahead of the Threat.”
Levy: This was awesome, Brett. Thank you.
Leatherman: Thank you. And to the listeners, thank you for staying “Ahead of the Threat.” I would encourage everybody to visit fbi.gov/wintershield and take a look at what those controls can do to help defend your organization today.
Until next time, I’m Brett Leatherman, assistant director of FBI Cyber Division. We’ll talk to you soon.