Hear from host Paul Spain as he sits down with Philippa Cogswell (Palo Alto Networks’ Unit 42), to unpack the fast-moving world of cybersecurity. Philippa shares insights into global incident response, including the rise of business disruption tactics, multi-surface attacks and the growing challenges posed by supply chain vulnerabilities. The conversation highlights research findings, including the speed of attacks and the increasing use of AI in cybercrime, plus practical advice for both large enterprises and startups in navigating today’s cyber risks. This episode offers a unique window into the realities facing organisations in New Zealand and beyond, with actionable takeaways for anyone invested in digital security.
2025 Unit 42 Global Incident Response Report – Palo Alto Networks
Special thanks to our show partners: One NZ, 2degrees, Spark NZ, HP, Workday and Gorilla Technology.
Episode Transcript (computer-generated)
Paul Spain:
Hey folks, greetings and welcome along to the New Zealand Tech Podcast. I’m your host, Paul Spain. Today I have the privilege of chatting with Philippa Cogswell from Palo Alto Networks, Unit 42, managing partner of JPAC. Welcome along, Philippa. How are you?
Philippa Cogswell:
Yeah, doing well. Thank you, Paul. Thanks for having me.
Paul Spain:
Of course. Big thank you to our show partners, One NZ, 2degrees, Spark, Workday, HP and Gorilla Technology. A real privilege to have you joining us while you’re visiting New Zealand. Welcome. Maybe you could give listeners a little bit of an overview of what you do and where you fit into this big wide world of cybersecurity.
Philippa Cogswell:
Yeah, absolutely. I’ll give a little bit of background to myself and then also Unit 42. So look, I’ve been in cybersecurity myself now for over 20 years. During that time I’ve worked for government both in Australia and in the UK. I’ve spent seven years based in London and run teams across Europe, Middle East and Africa. I’ve also spent time in big four consulting as well, leading defensive security capabilities. And I was fortunate enough to join Palo Alto Networks two years ago now, or a little over two years ago, with the remit of leading Unit 42 across Japan and Asia Pacific. So globally, Unit 42 is over 600 people.
Philippa Cogswell:
And look, just for context, Unit 42 is our sort of security consulting, incident response, managed detection and threat hunting capability, all underpinned by our threat intelligence. Okay. So as a team, Unit 42 has been around since 2014 and has really expanded from the sort of initial threat research team with an acquisition of Crypsis in the US, a major IR company over there, in 2020. And then from there we’ve sort of really expanded and exploded our services as well, that we’re offering anything from sort of cyber risk management to offensive security as well as that IR. So really think of it, I guess, as assess, respond and transform.
Paul Spain:
Right, right. That IR, the incident response capability. How much of your work is responding to incidents out of what you do?
Philippa Cogswell:
Unfortunately, probably too much. Look, globally it’s probably somewhere around 40 to 50% of the overarching Unit 42 team.
Paul Spain:
Yeah. So you’d see a lot of things in a lot of places when from your research through to actually dealing with those real world incidents.
Philippa Cogswell:
Yeah, absolutely. So globally we respond to over 500 incident response cases a year. So if you sort of think about that, as you know, it’s been deemed a security incident that an organisation’s assessed that they’re not able to deal with themselves, or they need additional capacity or specialist skill sets. So they’ve brought in an organisation like ourselves to help respond to it. So it gives you, I guess, a view of just how many incidents are...
Paul Spain:
...happening per year. And the types of customers that you would tend to be helping? Because I guess across the cybersecurity sector, we’ve got a whole range of firms that work in incident response, from smaller to bigger global entities such as yourselves. So, you know, is it government, is it big business? What would, what would be, you know, some typical examples? Without giving out the names, of course.
Philippa Cogswell:
People are turning to Unit 42 for, you know, as you said, government and big business. Right. Because we’ve got a global team that works as a follow the sun model in incident response. We’ve got people all over the world able to sort of respond. We’ve got, you know, ransomware negotiators on staff and these sorts of things. So, yes, it’s definitely that sort of, I guess, upper tier. It’s not necessarily always just Palo Alto Networks customers, but more broadly as well, being called upon. And look, sometimes we might even respond alongside other response companies or transformation recovery companies as well.
Paul Spain:
Yeah, okay. So one of the things that Unit 42 does is is release a number of reports that can be really insightful in terms of what’s going on. So I think a real benefit to those of us involved in cybersecurity to understand how the landscape is changing. And it seems to be that the ground is moving under us all the time and shifting in differing ways. What are the things that really have stood out, I guess, in your reports this year compared to previous years?
Philippa Cogswell:
Yeah, absolutely. So I think just sort of stepping back a little bit before answering that question, I guess as well, when we sort of think about a lot of our reporting that we put out, and we do put out substantial reporting that we make publicly available on our website. And, you know, we’ve got a whole range of consumers who sort of draw down on that. But I think realistically, one of the important things to understand is, you know, where does our threat intelligence come from? So we’ve obviously touched a little bit on incident response, and I think, you know, the incidents themselves give us a great view as to what happens when an attacker gets into an organisation. How did they get into an organisation? How do they possibly move laterally through an environment, or what were they targeting? What have they taken? So it gives us that sort of internal view to, I guess, a victim organisation again, and that’s useful information for understanding controls appropriate for an organisation. But even outside of that, we sort of have this, I guess I think of it as almost frontward facing intelligence from our research teams as well, because, you know, Palo Alto Networks, as I guess I thought of the company before joining, I thought of it very much as a firewall company, which is true. But over sort of the last six or more years, we’ve done, I think it’s 19 acquisitions. Right. So, you know, we’ve gone from being a firewall company to a company which does security operations.
Philippa Cogswell:
We operate in cloud security. So endpoint. So again, why I’m telling this is because this starts to build a picture for the sorts of telemetry and information that we’re getting back about the sorts of things that we can see. And from I guess, a threat intelligence perspective that these, I guess, breadth and depths of sources gives us a view as to what threat actors are doing in terms of the infrastructure, who might be some of their victims, and these sorts of things. So it paints sort of a rich picture from, you know, early to, you know, the sort of incident itself and response around that. So that’s the sort of, I guess, basis. And I think it’s important to understand, you know, sources of threat intelligence ultimately, like how deep and how broad are those threat intelligence sources. And, you know, I touched on it.
Philippa Cogswell:
We negotiate with ransomware threat actors. We monitor deep and dark web forums. We work with, you know, law enforcement and other agencies globally as well. You know, we do have a lot of malware reverse engineers on staff, vulnerability researchers. So it’s a really sort of comprehensive piece. But to your point, around what are some of the common themes, again, based on all of this, all of this information that we’re receiving, I think if I look to probably a good point of comparison would be our incident response report from 2025. Okay. That we released earlier this year, and that sort of looked at all of the incidents that we responded to over the sort of past 12 months or so.
Philippa Cogswell:
Yeah. What that told us was a couple of different trends and themes. I think the first being that what we saw in terms of a real shift was we saw 2024 as being one, what we call sort of almost the year of business disruption. Right. So previously there was a lot of, you know, data breaches and what have you. But threat actors are pivoting more to how do I disrupt organisations? Because unfortunately that was becoming what is actually getting, you know, that would get attention. That’s where they were looking to get paid ultimately. Right.
Philippa Cogswell:
So you think, particularly extortion actors. So for 86% of the cases that we investigated there was a business disruption or reputational impact to those organisations. Right. So that in itself was sort of probably a fairly significant trend. A couple of the other ones that we sort of really observed when we delved right into the data that we had was around 70% of the cases that we investigated had attacks happening on three or more attack surfaces. Right. So again, exactly. So it’s really changed how defenders need to think about protecting themselves.
Philippa Cogswell:
So all of a sudden we’re thinking about network, we’re thinking about across the endpoint, we’re thinking about the humans, we’re thinking about those public facing exploitation. So it becomes far more challenging. Right. So like I said, 70% of cases, like that’s, that’s a lot, I guess.
Paul Spain:
That would be, sorry, reflective of the sort of organisations that you’re looking at, because I imagine you look at, say, smaller organisations, and in most cases they’re probably not going to have the same profile as those, those larger entities that might be more specifically, you know, targeted in that sort of way.
Philippa Cogswell:
Yeah, look, I think you’re right. I mean, you look at probably the scale, right. So, you know, a lot of organisations we work with, as I said, are multinationals. Yeah. But the one thing I would say is our sort of the digital connectedness that we have nowadays. Right. It means no matter which organisation you are, you either are trying to offer those services yourself, but often smaller entities are actually outsourcing. Right.
Philippa Cogswell:
So, you know, you’ve got email providers, you’ve got IT providers, you’ve got a whole range of that. You’re still using similar technologies to give you the outcomes that you need, be it a CRM or something like that. So, yes, from. I think the scale is larger for large organisations, potentially that global footprint as well. But again, we’re all using similar sorts of digital technologies, I think.
Paul Spain:
Yeah, I think, you know, one of the interesting things we saw in the reporting on recent issue for Qantas was, you know, that the issue they dealt with was not, you know, within their own, the bounds of their own systems, it was, you know, through a partner that their data was compromised. And I think often it’s forgotten the importance of not just looking after, you know, corporate core systems, but thinking around, you know, everyone, be it, you know, contractors, partners and so on, who are maybe connecting in and accessing, you know, data and systems.
Philippa Cogswell:
Right, absolutely. And look, unfortunately, I think almost every organisation I talk to, or at least it feels that way, that, you know, third party and supply chain is a major challenge for them to work out how to secure it. And I think ultimately it comes back to how material is that service or that information that they’re storing for your organisation. So it’s all about sort of, you know, the assets and what I’m trying to protect ultimately to give that organisation the competitive advantage or, you know, keep that business operating. Right. So I think that’s sort of the key part. But to your point, you’re absolutely right. We are unfortunately seeing a lot more of a pivot towards some of those social engineering tactics and not just the traditional phishing, particularly those sorts of targeting of call centres or IT help desks and the like.
Paul Spain:
And when I think about it, actually we did see a case recently with, you know, one of our company’s mid-size organisations whereby, you know, they had a partner in a particular area and the partner was hit. Now, because of the protections and so on that were in place for that partner to be able to tap in, we didn’t see them be able to get to the organisation that we were working with, but it certainly disrupted that partner and so that partner wasn’t able to, you know, deliver their services. So yeah, there’s some quite important considerations there in terms of, I guess, you know, expectations and what you expect of third parties from, you know, multiple perspectives. You know, even potentially down to, you know, if an organisation has an internal cybersecurity awareness training, do all your partners do the same? Absolutely, you know, do the thing. The same thing. Are they all on the same page and so on.
Philippa Cogswell:
So that’s right.
Paul Spain:
It’s not easy, is it?
Philippa Cogswell:
No, not at all. And look, there’s a lot more sort of, you know, even the last sort of five years here in this region. Right. There’s a lot more focus on that third party risk assessment and what have you. You know, again, like I said, for those organisations, the material suppliers for you, are they holding that same level of standard as to what you would expect as well? So unfortunately we do need to remember at the end of the day these organisations themselves are victims to criminal and the like activity. So, you know. But yes, you’re right. Are they doing the things they should be doing and the expectations?
Paul Spain:
Absolutely, yeah. So we were kind of, I guess talking around some of, you know, some of the key findings. Was there anything else to mention at this point?
Philippa Cogswell:
So from my perspective, I think, you know, we do talk a bit about speed, scale and sophistication, and you know, I sort of tend to joke that I feel like I’ve spoken about the increase in speed, the increase in scale and the increase in sophistication for almost as long as I’ve been doing this. But I think the reality is, my view is that the time to impact now is so, so short that it’s very different. There is very little time for an organisation to try and identify and contain and eradicate these threats. Right. So one of our key findings, to your point, is that I think it was in 25% of the cases that we investigated, the point from compromise of an organisation to exfiltration of sensitive information was under five hours. And in fact I think it was 20% of cases that happened in less...
Paul Spain:
...than one hour, super fast.
Philippa Cogswell:
That’s exactly right. Exactly right. And as we think about AI, that’s only going to get even faster.
Paul Spain:
Yeah. And we hear of, you know, some situations where, yeah, it’s maybe a small amount of data or smaller access to something small and it happens in an instant. Right.
Philippa Cogswell:
Unfortunately.
Paul Spain:
Are there any particular stories you can share that may have been covered in one of your reports, or that you’re aware of, that give a good example so folks can understand what is it that happened and how quickly did it happen?
Philippa Cogswell:
Yeah, absolutely. And because you sort of just touched on a case which sort of spoke a little bit about some of that sort of social engineering aspects. Right. I think one of the groups that we track quite a lot is a group called Muddled Libra. It’s a subset effectively of a very well known group, Scattered Spider. Obviously there’s been major incidents, a lot of news headlines globally for this particular group. So we’ve been, I guess effectively tracking this group and responding to incidents for probably, I would say close to three years now, or maybe even a little over. But what is interesting is watching their evolution during that time.
Philippa Cogswell:
So they’ve gone from a group which used to use tactics like SIM swapping, they’ve now pivoted into a lot of that social engineering, particularly of help desks and call centres. Like I said, they’ve gone from being groups that were sort of, I guess, a little more stealthy with slightly longer term persistence perhaps, to really getting in, having impact and getting out quickly. Right. That’s sort of, you know, ultimately get paid quicker, unfortunately. So we’ve watched these groups sort of. And you know, during that time there’s also been law enforcement takedowns of various cybercrime groups, which has also meant broader sort of fragmentation, if you will, as well. So, you know, some threat actors have claimed that they’re leaving cybercrime altogether and retiring. Some have claimed they’re going, you know, back to doing DDoS, or some have just, you know, sold off parts of the business.
Philippa Cogswell:
And so it’s been a real sort of fragmented piece. But what was particularly interesting about this group is they’re English native speakers, so largely assessed to be UK and US based and more worryingly, fairly young.
Paul Spain:
Yeah. Which is, it’s quite unusual, isn’t it? Because we’re, you know, we’re used to them coming from maybe, you know, less friendly countries, shall we say.
Philippa Cogswell:
And I think that’s where we’ve always sort of pointed to. Right. But unfortunately, I think crime does happen everywhere. Right. So it’s been interesting to see some of these sort of identifications and takedowns happen, not just of the infrastructure, but some of the arrests as well that have sort of changed that. One of your questions was the sort of the speed of some of these things and sort of an example. But if I was to give an example, you know, we know of one where one of the cases that we investigated, they went from social engineering, the help desk, to gaining domain credentials and gaining further access inside a cloud environment in less than 40 minutes. Once they’re in that environment, because they had that level of access, they’re able to bring in their own tools, their own VMs, set up stage, do whatever they needed to move around freely in that environment and exfiltrate data effectively at an alarming rate.
Philippa Cogswell:
What is interesting, one of our other findings was that I think it was 99% of cloud cases that we investigated, they were overly permissive environments. So as a general rule it suggests that we still haven’t got to configuring and securing cloud environments, in particular, in a way that we would do the normal traditional on-prem environments or the legacy environments we think about. So definitely an area of opportunity there for people, I think.
Paul Spain:
Yeah, yeah. And those issues with overly permissive environments, are you seeing that with, with newly set up environments or is that more environments that have been around for a while? I guess when I look at different organisations and different discussions that I have, there are some environments where things have, they’ve just kind of evolved organically. Different people have kind of come and gone, they’ve ended up with all sorts of legacy mess in different ways in terms of cloud configurations. But those that are maybe starting from scratch, if they’re switched on at least then they’re configuring things maybe a lot more sharply than what was common five, 10 years ago. But if you’ve got something that’s been around for five or 10 years to get that into a good state. That can be a significant challenge. Is that kind of something that you see or what’s the norm?
Philippa Cogswell:
I think, unfortunately, sometimes it’s probably a bit of a combination of both. And again, it’s not a strict data point as such, but, you know, I would like to think those greenfield builds should be in a better position that we’ve sort of learnt from, you know, the previous sorts of things that we’ve seen and observed.
Paul Spain:
They should be.
Philippa Cogswell:
Yes, you’d like to. Exactly. But unfortunately, sometimes I think also, you know, we always talk about security being an afterthought or something like that. Perhaps they haven’t deployed, tested or configured appropriately, even though they’re like, oh, we’ve just stood it up. But have they done that in parallel? Have they been applying those security configurations in parallel? I think, you know, that’s what we’re looking for with the legacy environments. Obviously always a challenge as well, no matter what that environment it is. But I think, you know, from where I stand, this is where, you know, when I look at some of the work that my team does is so important because it’s actually testing it. So I think as an industry, we often do what we call sort of, you know, almost design effectiveness.
Philippa Cogswell:
We’re like, do you have a policy for that? Do you have that control? Yes, yes, yes, that’s great. But are you actually testing it? Do you know that that control is actually operating as you would expect it to? Right. So operational effectiveness. And our red team is unfortunately, you know, with their job and maybe fortunately, because would rather that we’re using an offensive security professional rather than an attacker doing it. But they get in, they get into all sorts of organisations, they bypass all sorts of controls, be it endpoint, be it network segmentation, you know, they’ll find exposed exposures at the edge, just like an attacker does. Right. So, you know, like I said, unfortunately, I think there’s always. They’re complex environments.
Philippa Cogswell:
That is the reality. They are complex environments we’re trying to attack.
Paul Spain:
Now. We have a growing startup ecosystem in New Zealand. Some really successful companies.
Philippa Cogswell:
Absolutely.
Paul Spain:
But there’s, you know, there’s a, there’s a challenge for startups. Right. So, you know, sometimes there’s, there’s vibe coding going on, there’s, you know, hacking together the minimum viable product, you know, all of these things around the startup ecosystem. Is there anything particular that you’ve, you know, that, that you’ve noticed that, you know, we, we need to be a little bit more aware of for, for our, our startups to consider, I think.
Philippa Cogswell:
You know, and again it does depend on the type of startup.
Paul Spain:
Right.
Philippa Cogswell:
You know, particularly tech startups. Right. I think like any organisation, if you have a good idea, you’ve got to work out how to effectively protect that good idea until such time as you turn it into what you need it to be. Right. And, and you know, whether that is IP, whether that’s source code, whatever that is, you know, I think that’s worth considering from the outset. And like I said, it’d be different between potentially an ice cream shop versus, you know, like I said, the latest and greatest in accounting software or whichever example we want to use. Right.
Paul Spain:
So yeah, that’s an interesting example you’ve just mentioned on the accounting software front, but we’ll pick that up on another episode. Yeah, I think it’s one of these challenges, isn’t it, that an organisation of scale often has more means to appropriately consider the role of cybersecurity. And in New Zealand of course we’ve got that mix from very small businesses up to bigger entities who might be in software, aerospace; we’ve got a pretty broad gamut. But it is, I think, a challenge for every organisation. It’s just probably different challenges at different scales and varying abilities to invest.
Philippa Cogswell:
Indeed.
Paul Spain:
How do you guide the smaller entities in terms of their approach? Because we see entities of every scale get impacted by, you know, by cyber security, down to, down to individuals. Right. So you’re not, you know, you’re not scot-free just because you’re a smaller entity.
Philippa Cogswell:
No, unfortunately not the case.
Paul Spain:
Yeah.
Philippa Cogswell:
Look, I think I would apply more or less the same principle whether you’re a large entity or a small entity in terms of, you know, for me it’s, and I sort of mentioned it even with the startup sort of conversation. Right. What are you trying to protect from your business context? What differentiates you? What keeps you operating, what is your longer term strategy? Right. So and then also I think about, you know, what is your industry and what is your geography and you know what your company’s risk appetite, those sorts of things. Right. So I think about initially business context because what that then tells me is what do I actually care about what are those assets, be it data, applications or services effectively that are actually going to give me differentiated impact in the market.
Paul Spain:
Right.
Philippa Cogswell:
And that also applies to government as well. But this is where for Unit 42, I always talk about us taking a threat driven, so threat led, data driven sort of focus. Right. Because once you know those things, I think if you know, then I talk about asset profiles often. So is it third party managed? Is it on-prem, is it IoT? Is it OT, is it, you know, these sorts of things? What, what does, what does the housing for that general asset look like? And the reason I say that is, at a very generic view, there’s like controls protecting those things. Now obviously different third parties, yes, granted, but at a high level. And the reason I think about that asset centric view is because I then think about what are the threats to those assets.
Philippa Cogswell:
So which threat groups are most probable or common and how are they going to do it? Like what’s going to be their path to get to that asset? And then if they’re to get to it, what’s the impact? What is the financial impact effectively to an organisation? And look, it could even be loss of life. Now there’s, you know, for certain organisations an expanded view, but you know, am I going to be out of business for an extended period of time? So is there productivity impact and I can’t produce my, my best ever widget or whatever it is. Right. Is there a reputational cost to my organisation which means my customers are going to move to a competitor? You know, is there going to be significant replacement costs in some of the hardware or other things? Right. And I mentioned it before around business disruption. So you know, and even more so, you’ve probably seen a lot of the sort of fines and regulations coming in as well. Like if this data gets stolen and it’s X amount of data, what fine might I be up for? So I always talk in terms of threats on assets with impacts. Once you know what’s most important to you and how a threat actor is going to have that significant impact, that’s where you focus your controls.
Philippa Cogswell:
So it’s not thinking about controls everywhere for everything, which is what I think we’ve often done as an industry. Do you have this control, yes or no? How is that control applicable to what I need to protect?
Paul Spain:
Gotcha now. Yeah, you talked about, you know, fines and so on and we, you know, we look in New Zealand we’re pretty, yeah, we’re pretty light in terms of legislation that would put a responsibility on, you know, company directors and the like in most areas. You know, there’s a little bit of teeth there around, you know, data privacy but still reasonably light. But one of the areas that is probably evolving reasonably quick is the government side of things. Okay, yeah, yeah. I don’t know whether how well legislation can sort of put, you know, put pressures on governments. Right. And when we look around the world, we’ve seen, you know, probably every government impacted with, you know, varying breaches and loss of data.
Paul Spain:
But there’s this sort of move, you know, quite, quite naturally, I think, from a technologist’s perspective, of increasing government digitisation.
Philippa Cogswell:
Yes.
Paul Spain:
Do you, do you think that, you know, we’re maybe mature enough in our, you know, in our governments yet for that increase in digitisation and for, you know, government entities maybe be, you know, sharing a lot more, you know, you know, data between them? Or is there a fair road ahead to get ourselves into a place where, you know, we should all be very relaxed around, you know, digital IDs and this, you know, broader, you know, digitisation of government?
Philippa Cogswell:
Yeah, look, I think from where I sit, I don’t think relaxed is probably the term that I would use. But look, I think the reality is, you know, your point around government and, you know, the use of things like digital identities or what have you, I think, you know, and we look globally, right? The reality is we’re there, we are as government organisations, no matter where you are, intentionally using more and more digital services to provide those to our citizens, to connect, to share data, as you said. Like, I don’t see us moving backwards from that, I think. So the reality is, how do we actually look to protect that forward way of thinking? Right. You know, it’s made individuals, it’s made communities far more connected. You know, you also have remote communities here in, in New Zealand. Right. Islands off the mainland and things like that.
Philippa Cogswell:
You know, you can’t move away from that need for digital connectivity, but to, to use that to the best of its ability. You’re right, it needs to be secure so you can ensure it’s reliable, you can ensure it’s safe, you can show data privacy. You know, obviously in the last, what, probably eight years thereabouts, we’ve seen huge change globally in terms of related legislation, so privacy, with GDPR and California doing similar and many other countries. You know, you sort of touched on board accountabilities. There’s, there’s those, there’s all sorts of changes around cyber itself. Privacy, data, data governance, AI now as well, and how that, that impacts things. So I think it’s a large, a large group of considerations that actually come into play. When I always think about it, I always think about this sort of being five key themes, if you will, that explain why organisations will need to continue to invest in cyber, not just do a cyber uplift, but continue to invest.
Philippa Cogswell:
Right. The first is the digital ecosystem, the digital connectivity that you spoke about. We’re going to want to continue to adopt and enhance technologies to allow us to do more and do it faster and more efficiently. Secondly, there will continue to be regulatory, regulation, compliance, legal frameworks, and they will continue to enhance as well. Again, most of the ones that were even brought out a couple of years ago are already undergoing some sort of revision. Right. To say, are they still appropriate. The third, for me, I often talk about stakeholders actually, and it’s a little bit almost what you’re touching on there. When you think about governments, stakeholders, anyone, it’s not just your partners or your board or your CXOs, it’s also your employers, your customers, your members, your students, whoever it is, whatever sort of organisation you are, they matter and they have opinions.
Philippa Cogswell:
Now I think about the impact of cyber to them, to their organisations, to whatever in a way that they haven’t previously. Right. We often talk about cyber being one of the biggest risks. The fourth of those five points for me is third party and supply chain and we touched on it because it is such a complex web and it continues to come into everything that we do. And of course the fifth, which is, you know, where we spend a lot of our time is that evolving threat landscape. Right. Of course threat actors are going to continue to pivot, change and evolve.
Paul Spain:
So now the role of AI seems to be continuing to evolve. But what can you share in terms of what’s being seen in terms of new threats or threat actors leveraging and taking advantage of what AI can do for them. And I guess same way businesses want to leverage AI.
Philippa Cogswell:
Absolutely.
Paul Spain:
Our threat actors are in the same boat, right?
Philippa Cogswell:
Yeah, you’re absolutely right. Everybody is dabbling with, if not move beyond that when it comes to AI. Right. It is a significantly transformational technology. Right. Ultimately, I think we talk about how it can enhance attack generation, how it can enhance the efficacy so effectively, how effective is it making attacks far more effective, but then also the speed and scale ultimately. We already spoke about the speed. What’s the speed going to be today, tomorrow, two years time, comparatively.
Philippa Cogswell:
So it’s. How are we seeing it currently being used? We talk about evolutionary rather than revolutionary at this stage, but that’s changing very quickly. So I think like a couple of examples, I think, you know, we obviously we know about phishing, emails getting, becoming higher quality, right. That’s all well and great, but even stepping back outside of those and thinking about who are threat actors going to target, right. All of a sudden they can do reconnaissance and discovery and bring vast amount of data together super quickly to actually understand and get better targeted outcomes. Right. So more plausible understanding attack surfaces, much easier to identify and potentially help build exploits. Right.
Philippa Cogswell:
Right through the attack chain. I think ultimately we can see use cases and, and in fact our research team thought, well, let’s test this. Right. And so they, in the research lab, they sort of tested and went, well, how quick can we do end to end? Not just compromise to exfil, but before that some of that discovery stages like I said, and they were doing, able to do end to end in 25 minutes. So we’re talking 100 times faster. Granted that’s a lab, but it gives a view as to where things like GenAI can take threat actors. Right. So we’re already seeing it, like I said, we’re seeing voice cloning, we’re seeing face swapping, we’re seeing a range of different technologies being used.
Philippa Cogswell:
I don’t see it going away.
Paul Spain:
How commonplace is the voice cloning and face swapping type, you know, types of things? Because we’ve been aware of, you know, these things for, you know, for years. However, the technology has dramatically improved over the last couple of, couple of years and you know, continues to improve, you know, probably for the next little while. I’m sure it’s still a reasonable, a reasonable pace. Have you, you know, been seeing some real world examples on the video side or is it just on the audio side? Like, you know, how effective are these use cases?
Philippa Cogswell:
We have seen them through both cybercrime and nation state groups using them. So we spoke about Muddled Libra. They’ve used some of that voice cloning and sort of, you know, that sort of, I guess, high impact, high pervasiveness tactics when it comes to trying to, I guess ultimately extort their victims. Really high pressure tactics, not just focused on, you know, executives themselves, but also on family members and things like that as well. Which really changes the landscape if you’re a CEO of an organisation trying to decide whether to pay something or not and your wife’s getting phone calls, all these sorts of things. Right. So voice cloning, yes. Face swapping, where we’re seeing, you know, we talk a lot about North Korean IT workers and again that’s where some of the concerns are really cropping up.
Philippa Cogswell:
The IT workers are really sort of trying to embed remote IT workers into particularly high tech firms. Right. And we’ve seen sort of some of these, but where we’ve. You’re absolutely right. When you talk about, I guess ultimately the, the ease or the changes in the technology, the accessibility of these things. Right. I remember giving an example of the voice cloning about a year ago when I was over in New Zealand presenting and, and I, and I actually, it was a piece of research we called Deep Faking Our Boss.
Paul Spain:
Yes.
Philippa Cogswell:
And at the time it was Wendy Whitmore. She’s our chief security intelligence officer for Palo Alto Networks.
Paul Spain:
Yeah.
Philippa Cogswell:
She’s publicly recorded everywhere, right?
Paul Spain:
Yeah, yeah.
Philippa Cogswell:
So we were able to take samples of her voice and then use that to replicate and demonstrate what we were seeing in terms of some of those call center and help desk phishing attacks. Right. Or social engineering attacks. And so it was basically, you know, a voice recording of her phoning up and saying, hey, it’s Wendy Whitmore. You know, I’m, I can’t access this and I can’t access that. And it’s basically she was trying to put on pressure. She was trying to get help desk to do what they do best, respond, respond quickly, be helpful, take advantage of some of that human trust element. But ultimately to get the reset of those passwords despite multi factor.
Philippa Cogswell:
And again demonstrating how threat actors are doing that. When I was here earlier this week in Wellington presenting, I gave an example of some of the face swapping that we’ve seen as well. Right. So we released some research called False Faces around synthetic IDs that we’re seeing. And that was, you know, one of our researchers. In fact, he’s not actually a researcher, he’s one of our consultants. Right. Who does a lot of our consulting based in the US and he thought he’d dabble with it.
Philippa Cogswell:
It took him less than an hour actually, I think it was 70 minutes. Sorry. He’d never played with it before, he’d never played with software before, was able to do it on fairly standard hardware as well. And he was able to create face swapping. So I sort of showed that video which was him going from a real human into him going to a face swapped human. There’s some techniques to be able to determine and see some of those things now, but again, I expect they’ll also fade over time. So sort of moving hands in front of faces actually allows you to see the face behind and things like that. But, but in a world where we remotely recruit and remotely employ people like this is worrying.
Paul Spain:
Yeah, really, really concerning. And how’s the role of ransomware been evolving? This sort of extortion’s been around in varying forms, but these things don’t tend to sit still. There’s always changes going on.
Philippa Cogswell:
No, look, I think, you know, at a very high level. The basics, you know, if you rebound back 10 to 15 years ago, you know, ransomware, they were targeting individuals. They’re trying to get, you know, a couple hundred dollars a go. We’re now into major organisations and multi extortion tactics as well. Right. And major claims, $50 million or whatever it is. Right. For the, for the extortion that they’re trying to go after.
Philippa Cogswell:
But you know, it’s not just a case of. I think we sort of think about it. They were encrypting data. Okay, great, effective. What was good was industry got better at doing its backups. Right. So then they moved to data exfiltration in combination with, you know, encrypting data and so on and so forth into, you know, the third level, where we started to see organisations being DDoSed. The fourth level we started.
Philippa Cogswell:
So we continue to see these sort of iterative changes as to how they apply some of the sort of, I guess, pressure tactics, if you will. One of the interesting points for me too is we, I sort of mentioned it earlier on. We do sort of a lot of deep and dark web monitoring, monitoring the forums. We publish research fairly frequently on what are we seeing from the ransomware and extortion groups. I like that research because it’s not necessarily about who’s our customer base or where did we do our. But it’s kind of what a threat actor’s telling you about themselves. Right. From our reporting earlier this year, which again it’s published reporting.
Philippa Cogswell:
But a couple of key trends that we saw there were. It’s exaggerated claims, but I kind of think about that as threat actors lie. I mean no major surprise, right. But they’re sometimes using fake and old data in these forums. Right. And they’re claiming that they’ve broken into an organisation, but it’s not necessarily the case. So one of the good uses of our, I think our negotiation team is to also help validate some of that claim as well. Right. Validate.
Philippa Cogswell:
Did that come from that organisation? Did that come from that organisation now or did that come from that organisation two years ago? You know, knowing some of that sort of, you know, that piece, that’s.
Paul Spain:
That’s pretty key, isn’t it? If you actually haven’t. Haven’t been hit. But absolutely, you know, you’re trying to be extorted and yeah, it’s not, it’s not actually real. Then you want to get your head around that pretty swiftly.
Philippa Cogswell:
Absolutely. Like the, the pain ultimately that organisations go through when they have a cyber incident, you know, from everybody. The operational level. Right. Through executives, boards and partners and everybody else around that you want, you want to know pretty quickly whether it’s true or otherwise. But I think some of the other sort of key things we saw were, we’ve started to see a bit more blurring between some of the sort of APT and ransomware groups. We have seen what looks like some shared infrastructure between, you know, some of the North Korean nation state groups and also some of the sort of more ransomware or I guess revenue generating groups, shall we say. We’ve also seen a lot of talk on some of the sort of the forums from the affiliate groups about the use of things like EDR killers, which to me is a bit more of a concern because once they’re discussing how great these tools are and I think there’s been a heavy reliance on endpoint detection if you’re, if that’s where you’re sort of relying on things now there’s tools to sort of bypass quite easily that would be a concern.
Philippa Cogswell:
And you know, I think they’re probably some of the main things that really stood out for us when we’re looking at some of the trends and the changes in those groups.
Paul Spain:
Yep. And how big is the role of social engineering now? Sort of, I guess beyond the traditional being a phishing type of attacks and, you know, dodgy, dodgy emails of the, of the past.
Philippa Cogswell:
Yeah, look, it’s, it’s definitely changed, which is, you know, a number of months ago now we actually released a social engineering report as a sort of an addendum, if you will, to our IR report released earlier in the year. And, and look, you know, social engineering, as you said, phishing has usually been one of the number one attack vectors. But social engineering as a whole is kind of the number one attack vector. Right. I think it’s something like 36% of the cases that we investigated overall were initiated through social engineering. As we said, it’s not just phishing anymore, it is starting to move into more of that sort of, I guess, help desk manipulation. So employee, sorry, targeting of, you know, help desk call centres and trying to manipulate them into giving away multi factor access and those sorts of things. So it’s really around trying to get that access.
Philippa Cogswell:
But we also see things like social engineering around trying to get obviously search engine optimisations, a poisoning of those to increase I guess ultimately the results that people are receiving when they’re looking at things.
Paul Spain:
Right. So someone’s googling away, they think, well, I can trust Google to give me trustworthy links. I’d never question that if it’s up there on the first page of Google, then it’s likely trustworthy and most people probably wouldn’t give it a second thought. But we’re seeing the threat actors actually manage to insert results in there. And I guess if that happens, then a similar thing could happen with GenAI type systems as well. If they can get into Google results, they can get into GenAI results. And I’ve noticed that that sort of thing can happen very quickly. I was involved in something in the last few months where a new domain name was purchased, new content was put online and it got to ranking number one on Google within.
Paul Spain:
I mean it was ranking on the first page within a bit over a week and number one on Google on multiple searches within two to four weeks. Now this one was legitimate content, but the fact that that can happen gives a little bit of an understanding of what someone who can get some serious benefit out of ranking can do. Right. And then there’s the, I guess, the malvertising.
Philippa Cogswell:
Yes, absolutely.
Paul Spain:
Side where, you know, maybe they’re using stolen credit card details or they’ve hacked into accounts to run ads or maybe they’re legitimately paying for the ads, I don’t know. But we’re seeing that as part of the picture as well, aren’t we?
Philippa Cogswell:
Absolutely. You know, there’s a whole range of those sort of techniques. Right. You know, even compromising legitimate websites. Right. And serving up malicious content through that as well. And, you know, these sorts of things unfortunately just are not uncommon. And, and again, part of the reason we sort of released that report was because, you know, even if I look at, you know, we spoke a bit about ClickFix in the report, right.
Philippa Cogswell:
And ClickFix is sort of that, you know, fake user prompt. You know, click this because, you know, it like, it looks like a system update, it looks like something I need to do. And ultimately, you know, users very much have, we’ve, we’ve trained users to be like, keep your software up to date, keep yourself protected. So it’s not a surprise, but, but I remember seeing sort of probably around mid March, we really saw an uptick in that sort of tactic that we were seeing. And again, it’s a form of social engineering. It’s, it’s trying to bypass human or identity flaws in systems. It’s trying to take advantage of, you know, human trust ultimately. Right.
Paul Spain:
Now you mentioned around, you know, targeting a help desk. Is this something that is quite common now? And what would be the approach that an organisation needs to take if they’ve got, and I’m sure across our listeners, you know, there’ll be people with varying sort of relationships or roles in relation to say an internal or an external help desk. What’s the guidance that you can give in terms of making sure help desks aren’t opening the door to cyber attack?
Philippa Cogswell:
Look, I think it’s a number of things when we sort of do our investigations and look, it’s not just, you know, help desk, I’ve sort of said it a few times, call center, similar sorts of, you know, functions I guess, if you will, that have access to information or, you know, access to credentials and resets and these sorts of things. But really, like, what do they need to do? So it’s probably a range of different things. I think we’ve spoken about for extended periods of time around, you know, things like training and awareness. Often that tends to focus on phishing. Don’t click here. But actually we need to, you know, be more sort of targeted in some of that. I know a lot of organisations have been for the likes of help desk. But again it almost needs to be real world simulations of what are we seeing again, how are we seeing those threat actors evolve and are we testing and educating that group of users on those types of changes? So here’s what we’re now seeing, here’s how these things have evolved. So there’s that sort of general sort of awareness piece and that’s one aspect, but it really is a case of exploiting things like the gaps in almost like identity systems.
Philippa Cogswell:
Right. Or the human workflow itself. So again breaking down those things. What are the lessons learned that we’re getting in these cases and therefore what are those controls? And I fundamentally think that plugs in with how we’re looking at identities and how we’re looking at. You’re probably very familiar with the zero trust principles. How are we going to be validating users and devices and applications on an ongoing basis, or how do we sort of give just in time access? So only access for when it’s explicitly needed and not permanent access to things. So a range of different controls, I think, across. And that’s how we always need to look at security.
Philippa Cogswell:
Right. A range of different controls to give the outcome.
Paul Spain:
Yeah, and it’s a good reminder these things aren’t super simple. And what, what was relevant 12 months ago is gonna be different today and that will keep happening, won’t it?
Philippa Cogswell:
Yeah, definitely. I think we always still need to learn from what happened previously cause threat actors will pivot back to old techniques as well. But again what is happening now and what are we foreseeing to happen and how do we plan for some of those sorts of things?
Paul Spain:
And how do you see that the landscape has changed with the organisations that you work with? How quickly are organisations getting to the place, places where that, where they need to be? Are you seeing big leaps forward or have we still got quite significant challenges in terms of the maturity of organisations, in terms of how they’re going with reducing those internal risks from a cyber perspective? And of course there’s so many aspects into that. But, you know, what’s your sort of general feeling of how are we doing overall?
Philippa Cogswell:
I think, look, there’s no one size fits all in this answer, right? Different organisations are at different stages, different industries, some are more heavily regulated, so they’ve been working on security challenges much longer. So I think, you know, and some are less able to move so quickly because they’ve got environments that only get changed ever so frequently. It’s not like they can just roll out updates all of the time and these sorts of things. So like I said, there is that sort of change. But my view is we can’t keep doing what we used to do. That has to change. And, you know, that is, you know, one of the things that I probably most enjoy about working at Palo Alto Networks is that view of how do we need to keep doing things differently, how do we need to keep innovating? And that’s where the research pitch comes into it so much for me. What do we know? What do we know is starting to happen? Where do we know things are going to and therefore what do we need to change? And you know, we’re just, as I said earlier, we’re at our conference during the week and we had our president of Cortex over here, Shailesh, and he was speaking, I kind of, it’s the first time I’ve seen him present and I was super impressed.
Philippa Cogswell:
But he sort of, he said to the audience, I’m giving you the answer. You go away and work out how to question it and test it and this sort of stuff. And his view was, you know, here’s what is supposedly a modern SOC looks like. He said, we need to stop trying to operate in the way that we do for security operations. Like, we can’t keep being human centered. We’ve got too much information, we’ve got too much complexity, we’ve got too many things not talking to each other, we’ve got all these challenges and we need to get past that. And so I, I genuinely believe that is the thing. We can’t keep trying to run security operations with a new rule and a new rule and a new rule every time a threat evolves or there’s a new IOC or a new file hash or an IP. That just doesn’t work. So I think it’s any organisation out there, we need to start thinking about how do we test ourselves to be, particularly when we talk about AI threat.
Philippa Cogswell:
As I’ve said, the speed and scale has increased and it’s to a point where that’s almost no time to react. We can’t rely, unfortunately, on humans being our first line of defense, at least.
Paul Spain:
Yeah, that’s really wise. And I think there is so much that can be leveraged from an automation and an AI perspective especially. And, yeah, if you’re trying to manually set all those things up, you’re always going to be chasing your tail. So, yeah, we definitely need to be leaning in and leveraging these things. And yeah, I think probably everyone listening has hopefully come away with something that’s got them thinking about something that maybe they weren’t thinking about previously or that’s just giving them a little bit of a nudge of, oh, yes, we need to keep moving along and in one area or another, because I don’t think that there’s probably any organisation that can be relaxed about cyber security. We need to keep moving things forwards.
Philippa Cogswell:
Absolutely.
Paul Spain:
Well, that’s great. It’s been fantastic to chat with you. Anything else that you wanted to add that we’ve maybe missed, Philippa?
Philippa Cogswell:
I don’t think so. I could obviously talk security all day, but look, thank you, Paul, for having me. It’s been great to talk to you and also I hope it’s a value to your viewers like you said.
Paul Spain:
Yeah, super insightful and thanks for your time.
Philippa Cogswell:
Wonderful. Thank you very much.
Paul Spain:
Thanks everybody for listening in. We’ll look forward to catching you on the next episode. Of course, a big thank you also to our show partners, Workday, One NZ, 2degrees, Spark, HP and Gorilla Technology. Thanks, everyone. Catch you next time.
