
Detecting Adversary Intent: Analyzing Behavioral Tells in Admin Logs with Allison Wikoff
Allison Wikoff: You know, phishing is still going to work. I don't think we're ever going to get away from our end users being targeted. So it's going to look different, again, as MFA is everywhere, as AI agents become a broader part of the corporate environment, but, you know, people still have to log into their computers one way or another, and that is going to consistently be an area of opportunity for threat actors. [ Music ]
Caleb Tolin: Hello, and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolin, and if this is your first time joining us, welcome to the show. Make sure you hit that Subscribe button so you're notified when new episodes go live. And if you're a returning subscriber, thanks for coming back to spend more time with us. Leave us a rating. Drop a comment below. Let us know what you think about the episode. Your feedback really helps me understand what you want to learn more about and is the best way to support the show. Now, today, I am joined by a familiar face, Allison Wikoff from the PwC Threat Intelligence team, and her team released a report titled "Annual Threat Dynamics 2026," and it addresses resilience in an identity-driven AI-accelerated threat landscape. We're going to skip the "perimeter's dead" lecture, and today is all about the human-to-non-human identity ratio and identifying the behavioral traits of a state-sponsored saboteur before they get too deep into your network. Let's get into it. [ Music ] I really am excited to hear about this report that you guys put out, and I want to read a quote from there. So the quote is, "As organizations adopt zero trust, adversaries will iterate with techniques to spoof device posture, abuse non-human identities, and target AI-driven automated workflows." So for the practitioner who's bored, thinks, you know, "We have MFA. We're safe," which realistically we both know that many organizations don't even have MFA. I think it's something like 50%. What should the SOC team be looking for in terms of session token anomalies today to start catching that kind of malicious behavior?
Allison Wikoff: So, you know, I think when we talk about intrusion activity, generally speaking, like, as an industry, we've gotten a lot better in terms of understanding that it's not if but when. And also when there is an intrusion, it's not -- there's so many opportunities to detect it within -- or stop it within your network. So, you know, whether you have something on the endpoint, whether you have found it via, like, phishing, there's so many opportunities within -- by the time the adversary gets in and achieves their actions on objectives. Now, time is of the essence depending on what type of intrusion we're talking about, but, you know, when I think about MFA and what we have been seeing, like, MFA is still best practices. We are seeing adversaries starting to work around it, which we knew, right? We had been talking -- we've been talking about MFA for, like, way too long, and we did say when there is more of a critical mass, we are going to see threat actors work around it. But generally speaking, fortunately, we're not seeing a massive ton of it, which is good and bad. That means the old stuff still works.
Caleb Tolin: Right. Right. And so something I want to ask you about, too, is the NHI explosion. I mean, there's different reports out there. Some of them say up to 82, some even say -- I think I've heard 200, where NHIs are outnumbering humans that number to one. Regardless, it's a huge number, and these aren't just service accounts anymore. So as organizations release AI agents and other non-human identity into their environment, it's going to skyrocket even further. So what are some of the most common misconfigurations in these automated pipelines that regional actors are exploiting to gain that lateral movement?
Allison Wikoff: So I think it's probably helpful to have people really understand what we're talking about when we're talking about the non-human identities. These are the service accounts, the APIs, like you said, the AI-driven agents. And like you said, they are becoming a faster-growing part of these types of things, and they're not seeing as much scrutiny as we would like. But, you know, the thing is, these are designed to keep systems running, which means they typically have persistent access and elevated privileges. That's why they're so enticing to the adversaries. But it does create a gap. I think, you know, the thing that we have to remember with these accounts is they move a lot like what, you know, an admin account that we have historically seen targeted looks like. So there's lateral movement, but I think, you know, as automation continues to expand and we see more of these, we are going to have to see some of these defensive tools catch up with this.
Caleb Tolin: Are there any specific, like, misconfigurations that you're seeing that threat actors are leveraging today that -- anything -- like, are there any stories from the battlefield that you see in terms of how threat actors are leveraging these tools?
Allison Wikoff: You know, fortunately, we haven't seen, like, a whole, whole lot of it. I would say when we talk about AI, really what we're seeing is that it's lowering the barrier of entry for a lot of threat actors. And we knew this, right? But the conversation that we're having about AI today is a lot different than the one, you know, you and I even had the last time we spoke. It was about a year ago. And really, everyone's using it, and we knew they were, right? It's really speeding things up in terms of, you know, how it's being used, everything from reconnaissance to -- we know they're vibe coding their malware as well. I mean, who isn't vibe coding right now, right, with all of these great tools available?
Caleb Tolin: Right. Absolutely. And so I want to touch on something you mentioned earlier when we were chatting a little bit about MFA, and it's really this issue around identity. Since we know so many bad actors now are using legitimate stolen credentials to creep across and blend into the network, it seems like this, like, noisy ransomware that we've seen historically has kind of disappeared. So if both, like, a data thief and a state-sponsored saboteur are using the same type of valid admin account, what are the high-fidelity behavioral indicators that separate a ransomware attack from a threat actor aiming for sabotage?
Allison Wikoff: Yeah, so, you know, it's tough, right? Because what we're seeing now, or what we've been seeing for years, when it comes to ransomware activity, is that the threat actors are taking data off the network. So historically, when people thought about data exfiltration, they aligned it solely with the espionage-centric actors. But again, extortion is a huge part, sometimes the only part of ransomware compromises right now. You know, I think the big thing is detecting that exfiltration, though, if you haven't detected them when they got in or as they move around your particular network. And then from there, you know, it's what are they taking, right? So that can be a good indicator of who specifically is in the network.
Caleb Tolin: Something that really stood out to me when I was taking a look at the report you put out was that healthcare and medtech providers are some of the biggest targets for threat actors. That's something that we've known for a while now. But these geopolitical conflicts, where nation states are waging a cyber operation in tandem with high-intensity kinetic conflict, that's really exacerbating this attack vector. So from an architectural standpoint, what is the most effective way to air gap these critical environments without breaking the automation that healthcare workers are relying on every day for their, you know, productivity?
Allison Wikoff: Yeah, so I think, you know, the challenges with these types of organizations, these sectors, one is, you know, they really are -- they sit at the intersection of critical operations, sensitive data, highly connected systems, like you said. So it's tough from an exposure standpoint. There's not, like, a silver bullet or a fancy tool that you can buy to solve this problem, you know. And when there are organizations like these that have some sort of event, we see the effects because it is just rippling. But I think when we're looking at these in particular, we have to look at, like, just how complex is the ecosystem of devices, and it's usually very complex. That's one of the challenges. What are your third-party vendors? Who are your third-party vendors? And your cloud services. So we talk -- we've been talking about this, actually, a lot in light of what we saw over the past year. What we have seen with a lot of organizations that have critical operations that rely on some of their -- rely very heavily on third parties is having backup third parties. So we ran a tabletop exercise with an organization, I think it was last year, where it was a ransomware event, and we ran it in terms of some sort of outage to their third party, and they fared very well in it because they had a backup, because this was a very important third party to a lot of critical parts of their operations.
Caleb Tolin: Right. Right. It goes back to mapping your dependencies, which is so important for any business that's trying to maintain continuity through a crisis like that. We had a really great conversation with Hayden Smith back in, I think it was December, where we talked about mapping those dependencies, especially when it comes to mitigating third-party risk. So if anybody listening hasn't taken a listen to that one, it was a really great episode over the holidays, so go check it out. But one other thing that was prevalent in your report that I'm just hearing so much more about across the industry is post-quantum readiness. And so a question I kind of have is, is this like a future problem, or is this something that we really need to start talking about seriously right now? And there's this concept of harvesting now, decrypting later in terms of what threat actors are doing with data in a, like, pre-quantum world. So, can you kind of unpack what that means and then why this is a problem right now that we need to address?
Allison Wikoff: So that's a great question. In layperson's terms, what the report says and what we're concerned about in terms of quantum is there has been all this collection of encrypted data with all of the different intrusions that we've seen, whether it be a ransomware event or an espionage-centric event. And you know, right now, a lot of this can't be decrypted, but quantum, in particular, will make that, you know, a moot point. And so this is where we're talking about quantum readiness as a concern. I know there's a lot of buzz around it, but, you know, we really have to think about, like, are we ready for that? Will this data remain sensitive over time? Is it something that ages out? So, you know, if you do lose something that's encrypted, maybe you're not as concerned about it. But if you know what it is, again, asking yourself that question, "Is this going to be sensitive in x amount of years?" I would love to tell you I will know when this will actually be seen in practice, but if I had that kind of crystal ball, then I would probably be having a much different kind of conversation. But identity systems are so central to security architectures that those are the types of compromises that are really unique in terms of recovery challenges, and particularly because most of those systems are encrypting that sort of data. So there's a lot of forward planning that needs to be involved. And when we're talking about quantum, that's actually what we're talking about. So, for me, it makes it a little less daunting when these types of questions come up.
Caleb Tolin: Right. Absolutely. And so with that forward planning, what are some of the steps you think organizations could be taking right now to prepare for that quantum readiness and so that they're not just like, you know, caught completely blind when the eventual quantum-ready day comes?
Allison Wikoff: Right. So I think, like, let's just continue on with the identity example, right? So organizations are moving towards not just restoring systems but reestablishing trust across their user base, their devices, their automated process -- their automated processes. And this is really what is required for some of that forward planning, specifically around identity, right? So, like, identity is -- I don't want to say the new hotness because identity has always been, you know, a really great way to get into an organization. But, you know, as you mentioned, our report really -- that was one of the big findings this year. And, you know, we're not unique in that. Everyone over the past 18 months, two years has been saying, you know, threat actors are logging in; they're not getting in. So, focusing this readiness solely on identity right now is a really great place to start.
Caleb Tolin: Absolutely. And to kind of piggyback off of that, many organizations treat identity as more of, like, an IAM problem and backup as a storage problem, but your report advises that organizations prioritize identity governance up to even the board level to harden resilience. So if an identity system is compromised in a conflict scenario, what does a recovery look like for that in practice, and how do we ensure that we're not just restoring an adversary's backdoor that they already had set up?
Allison Wikoff: Right. So it's, you know, rebuilding a system from a known trusted baseline specifically to avoid that sort of thing. So if compromised systems are restored too quickly, you might bring back the risk that you were trying to mitigate in that particular instance. So, like, recovery taking place in a more controlled environment where every component, users, privileged accounts, service accounts, the trusted device relationships are carefully validated before being reconnected to a production system is what we recommend. This is a lot of prep, though, right? This isn't as easy as past recovery-type recommendations that industry is mentioning. So it's everything from secure backups, documented processes, and a really clear understanding of system dependencies. And that, I think, is probably the toughest bit of it. But identity underpins everything in an organization, so restoring it securely is really foundational to a lot of this recovery.
Caleb Tolin: So, as we're kind of starting to wrap up a little bit here, for the listeners who see their organization sector in your high-risk motivation table, which, again, I just -- I thought it was so fascinating to see the breakdown there. What are the three specific hygiene metrics that they should report back to their CISO this week that actually correlate to reducing the blast radius of an attack?
Allison Wikoff: So, like, the practical takeaway is really, like, where do you fall within, you know, a sector? But I know, like, generally we love to talk about threats in sector-specific ways, and it is absolutely applicable, but it's not a one-size-fits-all approach to an organization. Like, look at the manufacturing sector. If you look at the wide swath of companies that are considered manufacturing, they all have very different threat profiles. So really focusing on what is the thing that you create, what is the thing that is most valuable to you, and what kind of threat actors would be interested in that sort of thing. So if we continue on the healthcare example, these are more exposed to financially motivated attacks. But, you know, you've got sectors like government, energy, telecommunications that face a higher level of, you know, the espionage-centric attack. So, regardless of industry, though, the good news is, like, the general hygiene still is, like, the best way to defend against all of these attacks. So, you know, you've got the identity hygiene, so reducing unnecessary admin accounts, regularly reviewing access, like we've talked about that ad nauseam. We still need to do it because that is still a great way to get into an organization. Second is the segmentation piece of things or blast radius control, as you were saying. And so just ensuring that a single compromised entity, system, whatever it be, is not going to expose your entire environment. And then third, and this is a tough one, too: visibility across all of your entities. So service accounts, automated workflows. I would lump third parties or, you know, your vendors in there as well. And then practice, practice, incident response readiness is so important. I know we have drilled that in as an industry, like, pretty heavily, but expanding what that readiness looks like, so not just an incident within your network, an incident with, you know, maybe a specific type of account, maybe with one of your third parties, and really working through what an incident and recovery looks like with something like that.
Caleb Tolin: So what are two inconvenient truths about identity resilience that security teams really need to start coming to terms with?
Allison Wikoff: You know, just identifying all of those service accounts, I think, are always tough, and particularly now that we've got AI really being incorporated into every single network. What do those AI agents look like, and how do we secure them? You know, I think that is the new frontier when we're talking about identity. You know, phishing is still going to work. I don't think we're ever going to get away from our end users being targeted. So it's going to look different, again, as MFA is everywhere, as AI agents become a broader part of the corporate environment, but, you know, people still have to log into their computers one way or another, and that is going to consistently be an area of opportunity for threat actors.
Caleb Tolin: Absolutely. I'm the oddball in my family. Everybody else is in healthcare. My sister was a nurse. My parents are both respiratory therapists. And when I talk to them about security stuff, they're like, "Oh, you know, I get these emails with these monthly training things, like phishing is a thing, but, like, there's actually no fish involved in it." And I said, "Yeah, yeah, that's important. You should pay attention to those. Don't just skip through it. It's very important, especially in the industry that you're in." So that's a very good one. Well, Allison, my last question for you is, what is the single most important message that you want to leave with our listeners today?
Allison Wikoff: It's not all as scary as, you know, you might be reading. A lot of the basic hygiene that we've been talking about for years is still going to combat the majority of the threats that we're dealing with.
Caleb Tolin: Absolutely. And I love leaving it on a positive sentiment. So, Allison, thank you so much for your time again. It was great to have you on for a second time. Thank you so much, and until next time.
Allison Wikoff: Thanks. [ Music ]
Caleb Tolin: That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, please subscribe wherever you listen and leave us a review on either Apple Podcasts or Spotify. Your feedback helps me understand what you want to hear more about. And if you want to reach out to me directly about the show, shoot us an email at data-security-decoded@n2k.com. Thank you to Rubrik for sponsoring this podcast. The team at N2K includes Senior Producer Liz Stokes and Executive Producer Jennifer Eiben. Content strategy by Ma'ayan Plaut. Sound design by Elliott Peltzman, audio mixing by Elliott Peltzman and Trey Hester, video production support by Brigitte Criqui Wild and Sarelle Joppy. Until next time, stay resilient. [ Music ]