Cyber Threats Escalate With AI Hacks and Record DDoS Attacks

Today, we’re joined by Rupert Marais, our in-house security specialist whose extensive experience in endpoint security and network management gives him a unique perspective on the evolving threat landscape. In our conversation, we will explore the forces behind the recent surge in massive DDoS attacks and how AI is being weaponized to accelerate cloud intrusions to frightening speeds. Rupert will also shed light on the specific vulnerabilities plaguing our critical operational technology sectors, the subtle art of detecting sophisticated insider threats, and the practical realities of prioritizing and managing vulnerabilities. Finally, we’ll discuss the nuanced strategies required to respond to different types of data breaches.

We’re seeing DDoS attacks reach unprecedented peaks, like the recent 31.4 Tbps incident. What technical capabilities are enabling these massive attacks, and what defensive strategies can organizations realistically implement to mitigate threats of this scale? Please share a few key steps in a mitigation plan.

It’s staggering to even visualize an attack of that magnitude. That 31.4 Tbps event, even though it only lasted 35 seconds, represents a fundamental shift in the scale of what’s possible. These hyper-volumetric attacks are enabled by massive botnets, often comprised of compromised IoT devices, cloud servers, and other internet-connected systems that can be orchestrated to send a tidal wave of traffic. We saw a 121% increase in DDoS attacks over the last year, with network-layer threats making up the vast majority—about 78% in the last quarter alone. To defend against this, you can’t just have a bigger firewall; you need a distributed, cloud-based scrubbing service that can absorb and filter this malicious traffic before it ever reaches your network. A solid mitigation plan starts with proactive threat intelligence to understand a potential attacker’s TTPs. Second, you need an automated detection and rerouting system; manual intervention is far too slow. Finally, you must have a clear, tested incident response plan that involves your ISP and DDoS mitigation provider so that communication and action are seamless when an attack begins.

An attacker recently used AI to achieve administrative access in an AWS environment in under 10 minutes. Could you walk us through how threat actors are leveraging LLMs for reconnaissance and privilege escalation, and what new defensive paradigms are needed to counter these high-speed intrusions?

That AWS intrusion is a chilling case study in the velocity of modern attacks. The entire attack chain, from initial access using stolen credentials to full administrative control, was completed in just eight minutes. What’s critical to understand is how AI acted as an accelerant. The threat actor used Large Language Models to rapidly perform reconnaissance, generate custom code for exploiting services, and even assist in decision-making for the next step of the attack. It’s like having an expert co-pilot guiding you through an unfamiliar environment. They abused Bedrock models, created backdoor accounts, and almost launched powerful GPU instances. The new defensive paradigm has to be built on speed and automation. We can no longer rely on human analysts to catch these things in time. We need AI-powered defense systems that can detect anomalous behavior in real-time—like unusual API calls or rapid privilege escalations—and automatically terminate sessions or isolate resources before a human can even review an alert.

With an 84% surge in attacks using OT protocols against critical sectors like manufacturing and energy, what makes these operational technology environments so uniquely vulnerable? Please outline the first three steps an organization in this sector should take to begin securing its OT systems.

The vulnerability of OT environments is a perfect storm of legacy technology and increased connectivity. Many of these systems were designed decades ago, long before the internet was a consideration, with a focus on reliability and uptime, not security. They often run on unpatched, outdated operating systems and use proprietary protocols that traditional IT security tools don’t understand. The 84% surge in attacks using these protocols shows that adversaries are actively learning how to speak this language to disrupt physical processes. The first step for any organization is to gain complete visibility; you simply cannot protect what you cannot see. This means deploying monitoring tools that can passively identify and inventory every device on the OT network. Second, you must segment the network, creating strict boundaries between your IT and OT environments to prevent an intrusion on the business side from spilling over and shutting down the plant floor. Third, establish a baseline of normal network behavior. By understanding what “normal” looks like, you can quickly detect and respond to anomalies that could indicate the beginning of an attack.

A former Google engineer was convicted of stealing AI trade secrets for a foreign government. Beyond standard access controls, what advanced behavioral analytics or monitoring techniques can companies use to detect and prevent such sophisticated insider threats, especially when valuable intellectual property is at stake?

This is a classic and devastating example of an insider threat. Standard access controls are necessary, but they’re not enough when a trusted employee decides to go rogue. The key is moving beyond static permissions and into dynamic behavioral analytics. You need systems that build a baseline of normal activity for every user. For a software engineer like the one at Google, this would mean understanding what projects they typically access, the volume of data they download, the hours they work, and the systems they connect to. An advanced system would then flag deviations from this pattern in real-time. Did they suddenly start accessing files related to a project they haven’t touched in years? Are they downloading an unusually large volume of data to a local machine or a USB drive? Are they logging in at 3 a.m. from an unusual location? These are the indicators that, when correlated, can paint a picture of malicious intent and trigger an alert for a security investigation long before the trade secrets walk out the door.

High-severity local privilege escalation flaws were recently patched in widely used enterprise products. How should security teams prioritize these types of vulnerabilities that require prior access, and can you describe a practical, step-by-step process for managing the patching and verification cycle?

It’s a common dilemma for security teams: how to prioritize a “high-severity” flaw that an attacker can’t exploit without first being on the system. While there was no evidence of the ESET flaws being used in the wild, you can’t ignore them. The priority depends on context. On a critical server or a domain controller, a local privilege escalation flaw is an emergency because if an attacker gains even a foothold, this is their ticket to full control. The first step is risk assessment: identify all affected systems and classify them based on their criticality to the business. Second, test the patch in a non-production environment to ensure it doesn’t break anything. This is a step people often skip in a rush, and it can be disastrous. Third, deploy the patch to the highest-risk systems first, often during a scheduled maintenance window. Finally, and this is crucial, you must verify the patch was successfully installed using a vulnerability scanner or configuration management tool. You have to close the loop and confirm the vulnerability is gone, not just assume the patch worked.

A recent data breach specifically impacted guest checkout data, exposing payment details. How does the response to this type of incident differ from a breach that exposes PII like names and emails but not financial data? Please elaborate on the different communication and remediation strategies.

The difference is night and day, and it centers on the immediacy and type of harm to the victim. When you have a breach like the one at Betterment, which exposed 1.4 million emails and names, the primary risk is long-term, such as phishing attacks. The communication is about advising users to be vigilant, perhaps change passwords as a precaution, and monitor their accounts for suspicious activity. The remediation is focused on securing the system and monitoring for future threats. But with the Canada Computers breach, you have payment card details exposed. The risk is immediate financial fraud. The response has to be far more urgent and direct. Communication must not only inform customers but also give them concrete steps to take right now, like contacting their bank, canceling their card, and monitoring their statements for fraudulent charges. Remediation involves not just your own systems but also coordination with payment processors and credit card companies to mitigate fraud. The legal and regulatory notification requirements are also far more stringent and time-sensitive when financial data is involved.

What is your forecast for the evolution of AI-driven cyberattacks over the next two years?

Over the next two years, I expect AI to become fully integrated into the cyberattack lifecycle, moving from a novel tool to a standard component of an attacker’s arsenal. We will see the rise of highly autonomous AI agents that can conduct entire campaigns with minimal human oversight. Imagine an AI that can independently discover a vulnerability, craft a custom exploit, breach a network, escalate privileges, and exfiltrate data, all while dynamically adapting its techniques to evade detection. Phishing emails and social engineering schemes will become hyper-personalized and virtually indistinguishable from legitimate communication, making them far more effective. On the defensive side, this means our only hope is to fight fire with fire. We will be forced to accelerate the adoption of AI-driven security platforms that can operate at machine speed to detect and respond to these autonomous threats, turning cybersecurity into a battle fought not between humans, but between competing AI systems.
