Understanding the Current Threat Landscape


  • Wendi Whitmore

    Palo Alto Networks Chief Security Intelligence Officer | DHS Cyber Safety Review Board Inaugural Member


    In a recent Threat Vector Podcast episode, I spoke with David Moulton about the critical shifts Palo Alto Networks Unit 42 is seeing with Chinese cyber operations. We believe these demand our immediate strategic focus. We're observing two particularly concerning trends:

    - Hyper-Accelerated Scale & Exploitation: It's no longer just about high volume. Chinese cyberattacks towards Taiwan have doubled to 2.4 million daily, with vulnerabilities exploited in minutes. This demands a radical shift in our response capabilities.
    - Strategic Embedding for Disruption: Beyond traditional espionage, actors are now proactively embedding themselves in critical infrastructure, from Taiwan to Guam to the U.S. West Coast. This signals a calculated move for future disruption, requiring a profound re-evaluation of defense priorities.

    This new operational tempo and strategic intent compel us to move beyond tactical patching. Our recommendations for preparation include:

    - Comprehensive Scenario Planning: Anticipate and model complex, multi-stage attacks which involve all parts of your organization and also include your partners and entire ecosystem of providers.
    - Beyond Technical Exercises: Integrate human leadership, decision-making, and communication drills.
    - “Shields Up” — The New Normal Requires Human Leadership: Cultivate a culture of constant readiness and active defense across your organization.

    For a deeper dive into these challenges and actionable insights, read my full analysis here: https://lnkd.in/guNwXyYG

    What strategic adjustments are you implementing to address this heightened threat landscape?

  • Razi R.

    Driving AI Innovation Across Security, Cloud & Trust | Senior PM @ Microsoft | O’Reilly Author | Industry Advisor


    The European Telecommunications Standards Institute (ETSI) AI Threat Ontology provides rigorous foundations for mapping and understanding risks across the AI threat landscape.

    Key highlights include:

    • Formalizing AI-specific threat agents, vulnerabilities, and system assets in a structured ontology for adversarial and defensive use.
    • Modeling AI as both a threat agent and a target with dynamic attributes like observe, learn, and adapt.
    • Expanding on adversarial goals: from model evasion and training data poisoning to model theft, inversion, and reputational compromise.
    • Mapping trust relationships across actors: data owners, system builders, training providers, consumers, and outsiders.
    • Aligning with standards such as OWL, RDF, CVE, CWE, and the CIA (Confidentiality, Integrity, Availability) model.
    • Accounting for misuse potential across all ML phases: from data curation and transfer learning to sandbox escape and model hallucination.
    • Addressing cross-domain ontology limitations, e.g., how a potato exists in both diet and biology taxonomies.
    • Emphasizing human-in-the-loop risks such as overtrust in models and attacker-induced alert fatigue.

    Who should take note:

    • Security and ontology architects modeling AI-enabled and AI-threat scenarios.
    • Red and blue teams simulating advanced persistent AI threats (APAITs).
    • Compliance and GRC professionals seeking formal, semantic frameworks for AI assurance.
    • AI ethics and policy leaders designing layered trust models.

    Noteworthy aspects:

    • Built on semantic relationships (subject → predicate → object) to encode AI system risks formally.
    • Lifecycle-aware guidance: data poisoning → model compromise → deployment misuse.
    • Defines AI threat agents as extensions of classical agents with real-time learning and behavioral modulation.
    • Supports both classical and neural-based systems, from expert systems to GANs and DeepFakes.

    Actionable step: Use the ETSI AI Ontology as a basis to build knowledge graphs and threat modeling frameworks that can observe, reason, and react to adversarial AI risks in real time.

    Consideration: AI security isn't just about defending models; it is also about defining what security even means when intelligence is both the attacker and the target.
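
The post above describes the ontology as subject → predicate → object triples with a lifecycle chain (data poisoning → model compromise → deployment misuse) and trust links between actors. The following is an added illustration, not ETSI's ontology or any ETSI tooling: a minimal in-memory triple store with constructed entity and predicate names, queried for which assets a threat agent can reach along the lifecycle chain and which trust relationships that reach undermines.

```python
"""Toy triple store in the shape of an AI threat ontology (added example).
Entity names, predicates and the lifecycle chain are constructed, not ETSI's."""
from collections import defaultdict

# Constructed triples: threat agents, assets, lifecycle and trust relations.
TRIPLES = [
    ("Outsider", "isA", "ThreatAgent"),
    ("Outsider", "hasAttribute", "learn"),          # dynamic agent attribute
    ("Outsider", "hasAttribute", "adapt"),
    ("Outsider", "targets", "TrainingData"),
    ("TrainingProvider", "isA", "ThreatAgent"),     # insider-style agent
    ("TrainingProvider", "targets", "TrainingData"),
    ("TrainingData", "isA", "Asset"),
    ("Model", "isA", "Asset"),
    ("Deployment", "isA", "Asset"),
    ("TrainingData", "poisoningLeadsTo", "Model"),  # lifecycle chain
    ("Model", "compromiseLeadsTo", "Deployment"),
    ("DataOwner", "trusts", "TrainingProvider"),    # trust relationships
    ("Consumer", "trusts", "Deployment"),
]

# Predicates that carry an agent's influence down the ML lifecycle.
LIFECYCLE = ("targets", "poisoningLeadsTo", "compromiseLeadsTo")


class Ontology:
    def __init__(self, triples):
        self.out = defaultdict(list)  # subject -> [(predicate, object), ...]
        for s, p, o in triples:
            self.out[s].append((p, o))

    def subjects(self, predicate, obj):
        """All subjects that stand in `predicate` to `obj` (e.g. isA ThreatAgent)."""
        return sorted(s for s, edges in self.out.items() if (predicate, obj) in edges)

    def reachable_assets(self, agent):
        """Assets an agent can affect by following the lifecycle predicates."""
        seen, stack = set(), [agent]
        while stack:
            for p, o in self.out[stack.pop()]:
                if p in LIFECYCLE and o not in seen:
                    seen.add(o)
                    stack.append(o)
        return sorted(seen)

    def exposed_trust(self, agent):
        """Actors whose trust is undermined because they trust something in reach."""
        reach = set(self.reachable_assets(agent)) | {agent}
        return sorted(s for s, edges in self.out.items()
                      for p, o in edges if p == "trusts" and o in reach)
```

With these triples, an outsider who can only touch the training data still reaches the deployment through the poisoning chain, which is the lifecycle-aware reasoning the post is pointing at.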

  • Kevin Gonzalez

    Vice President of Security, Operations, and Data at Anvilogic


    So you think you know how to threat model? Many SOCs claim to do formal threat modeling (whether they really do is another story). But let’s talk about the right way–because a half-baked threat model can be worse than none at all, especially when it comes to organization risk.

    1. Introspection: Know your business–and its risk
    • Identify the crown jewels: Which assets, if compromised, would cripple your operations or reputation?
    • Spiral method: Envision a crime scene–except it hasn’t happened yet (hopefully). Start at your most critical points and circle outward, noting controls in place.
    • Map your processes: Understand your dependencies, supply chain links, and workflows to figure out where the real business risk lies.

    2. Extrospection: Know your threat landscape
    • Threat actors 101: Who’s targeting your vertical? How do they operate–ransomware, data exfil, or something else?
    • Outcomes & motives: Whether it's a quick payday or long-term espionage, each threat actor’s endgame shifts your risk profile.
    • Worst-case mindset: If they succeed, what’s the impact on revenue, reputation, or compliance?

    3. Union: Combine Business & Threat Risk
    • Introspection + Extrospection: Once you see your weaknesses and adversaries' strengths, theoretically set fire to your own org to find the flashpoints.
    • Prioritize by Risk: Not all threats matter equally. Tackle high-likelihood, high-impact scenarios first.
    • Feed it back: These insights drive your detection engineering–especially behavioral and sequential detections that address the most significant threats.

    4. Evolve: Threat Modeling is Never Done
    • Track & Iterate: Each exercise introduces new defenses (lowering some risks) and may uncover new attack paths (introducing others).
    • Stay Current: New business ops, acquisitions, or tech adoptions all shift your threat landscape. Revisit your model regularly.
    • Continuous Improvement: Capture lessons learned, adjust your controls, and refine your detection logic to stay in step with reality.

    Threat modeling isn’t just a one-off workshop–it’s a cycle that guides strategic security decisions and aligns detection capabilities with genuine business risk.

    How do you keep your threat model updated as the business and threat landscape evolve?
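
The four steps above (introspection, extrospection, union, feed back to detection engineering) can be made concrete as a small scoring pass. This is an added example, not the author's or Anvilogic's method: the assets, controls, actors, techniques and scores are all constructed, and the likelihood × impact × (1 − mitigation) formula is one common way to express residual risk, not something the post prescribes.

```python
"""Added example: turn introspection + extrospection into a prioritized
scenario list and a detection backlog. All data below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Asset:                 # introspection: crown jewels and controls in place
    name: str
    impact: int              # 1..5 damage to revenue, reputation or compliance
    exposure: dict = field(default_factory=dict)  # technique -> mitigation 0..1


@dataclass
class Actor:                 # extrospection: who targets your vertical, and how
    name: str
    likelihood: int          # 1..5 chance this actor comes after you
    techniques: list = field(default_factory=list)


ASSETS = [
    Asset("customer-db", 5, {"data-exfil": 0.3, "ransomware": 0.6}),
    Asset("build-server", 4, {"supply-chain": 0.2, "ransomware": 0.0}),
    Asset("marketing-site", 1, {"ransomware": 0.9}),
]
ACTORS = [
    Actor("ransomware-crew", 5, ["ransomware", "data-exfil"]),
    Actor("espionage-group", 2, ["supply-chain", "data-exfil"]),
]


def residual_risk(asset, actor, technique):
    """Likelihood x impact, discounted by the control already in place."""
    return round(actor.likelihood * asset.impact * (1 - asset.exposure[technique]), 2)


def prioritize(assets, actors, threshold=5.0):
    """Union step: every actor/technique/asset flashpoint at or above threshold,
    highest residual risk first. Assets not exposed to a technique are skipped."""
    scenarios = [(residual_risk(a, actor, t), actor.name, t, a.name)
                 for actor in actors for t in actor.techniques
                 for a in assets if t in a.exposure]
    return sorted((s for s in scenarios if s[0] >= threshold), reverse=True)


def detection_backlog(scenarios):
    """Feed it back: techniques to build detections for, ordered by total risk."""
    totals = {}
    for score, _, technique, _ in scenarios:
        totals[technique] = totals.get(technique, 0.0) + score
    return sorted(totals, key=totals.get, reverse=True)
```

Re-running prioritize() after a control is added or a new actor appears is the "track & iterate" step: compare the two ranked lists to see which flashpoints moved.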
