Happy Sunday!
Hope you're having a relaxing weekend! While you were busy wrapping up another week, the cybersecurity world has been buzzing with some fascinating developments that I think you'll want to hear about.
- Snyk stirred up controversy with suspicious NPM packages targeting Cursor AI (drama in the DevSec world!)
- A clever new ransomware technique is using AWS's own encryption against S3 buckets
- Google shared how they automated 97% of their threat detection (and yes, it's as cool as it sounds)
Plus plenty more stories about AI security, career trends, and new tools that caught my attention this week. Let's dive in!
Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.
INDUSTRY NEWS
Snyk Uploads Suspicious NPM Packages Targeting Cursor AI Code Editor
-
Security researcher discovered three malicious packages on NPM authored by Snyk employee, designed to collect system data and environmental variables including GitHub credentials and AWS keys when installed.
-
Packages named to target Cursor's bundled extensions (cursor-retrieval, cursor-always-local, cursor-shadow-workspace) were uploaded without prior coordination, though Snyk claims it was researching dependency confusion vulnerabilities.
-
Snyk's CTO confirmed the action was part of their Research Labs' testing of VS Code extensions, while Cursor's co-founder stated they had received an apology from Snyk but no detailed explanation of the intent.
New Ransomware Campaign Encrypts AWS S3 Buckets Using Native SSE-C Feature
-
Threat actor "Codefinger" leverages compromised AWS credentials to encrypt S3 bucket data using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C), making data unrecoverable without the attacker's decryption keys.
-
Two confirmed victims have been identified in recent weeks, with the attack requiring no AWS vulnerability exploitation - only valid AWS credentials with permissions to read and write S3 objects.
-
This novel technique represents a significant evolution in cloud-focused ransomware tactics, as data encrypted via SSE-C cannot be recovered without the original encryption keys, even with AWS support intervention.
Microsoft-Signed UEFI Application Vulnerability Enables Secure Boot Bypass (CVE-2024-7344)
-
Critical vulnerability discovered in a Microsoft-signed UEFI application allows attackers to bypass Secure Boot protection by loading unsigned code through a specially crafted "cloak.dat" file, affecting multiple vendor recovery software suites.
-
The flaw stems from the application using a custom PE loader instead of standard UEFI security functions, enabling potential deployment of bootkits like BlackLotus on systems with Secure Boot enabled, requiring only local administrator privileges.
-
Microsoft has issued revocations for the vulnerable binaries in January 2025 Patch Tuesday update, affecting products from seven vendors including Howyar Technologies, Greenware Technologies, and others. No evidence of real-world exploitation has been detected.
LEADERSHIP INSIGHTS
Google Reveals Internal Threat Detection Framework Built on Automation and Engineering
-
Google's threat detection system processes incidents across world's largest Linux fleet using automated hunts for 97% of events, reducing average threat dwell time from weeks to hours through cloud-based log analysis and triage.
-
Detection team employs a "you write it, you triage it" principle where engineers are responsible for both creating and responding to their alerts, while using generative AI to reduce executive summary writing time by 53%.
-
Success factors include maintaining comprehensive asset inventory, treating security as software engineering with coded detections, and ensuring close collaboration between detection teams and project stakeholders for accurate threat modeling.
2025 World Economic Forum Report Highlights Growing Cyber Complexity and Inequity
-
Cybercrime continues rising with 72% of organizations reporting increased risks in 2024, with ransomware and AI-enhanced attacks being primary concerns.
-
Growing cyber inequity gap between large and small organizations - 35% of small organizations report inadequate cyber resilience (up 7x since 2022), while large organizations show steady improvement.
-
Only 37% of organizations have processes to assess AI security before deployment, despite 66% believing AI will significantly impact cybersecurity in 2025.
CISO Role Evolution Shows Growing Strategic Influence and Career Opportunities in 2025
-
Strategic CISOs (28% of surveyed) have direct C-suite access and quarterly board engagement, earning average total compensation of $809K, with top performers reaching $1.7M.
-
CISO scope expanding beyond traditional infosec into business risk, enterprise governance, and IT oversight, with 15% of organizations now having dual CISO/CIO roles.
-
New career paths emerging for experienced CISOs including Chief Risk Officer, Chief Trust Officer, and board positions, particularly at large enterprises with revenues over $1B.
Discover my collection of industry reports, guides and cheat sheets in Cyber Strategy OS.
CAREER DEVELOPMENT
Current Cybersecurity Job Market Demands Higher Qualifications and Technical Skills
-
The industry has become oversaturated with entry-level certifications - Security+ and CySA+ alone are no longer sufficient differentiators. Employers increasingly require combinations of degrees, technical experience, and specialized skills.
-
Application Security represents an underserved specialty with high demand and less competition, making it a strategic entry point for cybersecurity careers compared to traditional paths like GRC roles.
-
Technical expertise is becoming mandatory across all domains - even GRC positions now require technical understanding. Most roles require a foundation built through SOC analyst work or similar technical positions before specialization.
Threat Hunting Role Varies by Organization Size and Security Maturity
-
Large enterprises and MSSPs typically maintain dedicated threat hunting teams, while mid-sized companies often incorporate hunting into existing SOC analyst duties based on resource availability.
-
Return on investment concerns make dedicated hunters less common in smaller organizations, with many companies prioritizing basic security fundamentals over specialized hunting capabilities.
-
Threat hunting is most prevalent in organizations with specific use cases like government contracts, defense work, or those offering it as a managed service, often performed by senior SOC analysts alongside other duties.
OSINT Skills Offer Growing Career Opportunities in Cybersecurity
-
Open Source Intelligence (OSINT) involves collecting and analyzing publicly available information from websites, social media, news articles, and public records, with applications across cybersecurity, law enforcement, and business intelligence.
-
Real-world impact demonstrated through Operation TRACE by Interpol, where OSINT techniques helped identify human trafficking networks and rescue victims by analyzing classified ads, geolocation data, and metadata.
-
Career entry points include learning specialized tools like Google Dorking and Maltego, pursuing certifications like GOSI or CEH, and participating in OSINT challenges, with increasing demand driven by AI integration in analysis capabilities.
AI & SECURITY
Microsoft AI Red Team Shares Key Lessons from Testing 100+ Generative AI Products
-
Based on red teaming over 100 generative AI products since 2021, Microsoft developed a threat model ontology and identified that simple attack techniques often work better than complex ones for discovering vulnerabilities.
-
The team found that responsible AI harms (like bias, hate speech, and unsafe content) are pervasive but difficult to measure compared to security vulnerabilities, requiring both automated tools and human judgment to evaluate.
-
As AI systems become more sophisticated, they both amplify existing security risks and introduce new ones, with the team emphasizing that security work will never be "complete" but rather requires ongoing assessment and mitigation.
Databricks Develops AI System for Automated Vulnerability Detection and Prioritization
-
New AI-powered system achieves 85% accuracy in identifying business-critical vulnerabilities by analyzing CVE data from multiple sources and automatically matching affected libraries to Databricks infrastructure.
-
System reduces security team's manual workload by 95%, allowing them to focus only on the most critical vulnerabilities rather than reviewing hundreds of daily alerts.
-
Utilizes ensemble scoring methodology combining severity, component, and topic scores, along with LLM technology for library matching and automated instruction optimization for improved accuracy.
Deep Instinct Launches AI-Powered Malware Analysis Tool Using Amazon Bedrock
-
Deep Instinct introduces DIANNA, a generative AI tool that provides real-time malware analysis by translating binary code into natural language and leveraging collective cybersecurity expertise through LLMs to identify both known and zero-day threats.
-
The solution addresses key SecOps challenges including alert fatigue and complex malware analysis by providing rapid threat assessment in under 20 milliseconds - 750 times faster than typical ransomware encryption speeds.
-
Integration with Amazon Bedrock enables enterprise-grade security features, seamless scaling, and fine-tuning capabilities while maintaining compliance with regulations like GDPR, allowing organizations to strengthen their security posture and reduce mean time to triage.
MARKET UPDATES
Cisco Launches AI Defense Tool to Secure Enterprise AI Systems
-
Cisco unveiled AI Defense, a new security tool that provides visibility into authorized and unauthorized AI applications across organizations, addressing a critical gap where only 29% of organizations feel equipped to prevent unauthorized AI system access.
-
The solution offers continuous validation capabilities powered by Cisco Talos threat intelligence, automatically adapting security guardrails as AI models change and integrating with existing security tools like Splunk for enhanced monitoring.
-
Set to launch in March, the platform works in conjunction with Cisco's security portfolio (Secure Access, Hypershield, Multi-Cloud Defense) to provide comprehensive protection throughout the AI application lifecycle, from development to deployment.
Orca Security Launches Agentless eBPF-Based Sensor for Cloud-Native Security
-
Introduces eBPF-based Orca Sensor that provides real-time runtime visibility and protection for cloud environments, integrating with their existing Cloud Security Platform without requiring traditional agents.
-
The solution extends Orca's SideScanning™ technology to enhance Cloud Detection and Response (CDR) capabilities across multiple cloud providers including AWS, Azure, Google Cloud, and supports Kubernetes environments.
-
New sensor offers automated deployment with minimal maintenance overhead, providing comprehensive runtime detections covering DNS, files, networks, and processes while enabling customizable security policies.
Czech Startup Wultra Raises €3M to Develop Post-Quantum Authentication for Banks
-
Wultra secured funding to protect financial institutions against future quantum threats, with their CEO predicting "Q-day" - when current authentication systems become vulnerable - within the next 5 years.
-
The company's solutions include mobile authentication software and Talisman hardware authenticators, currently serving major European banks like Raiffeisen Bank International and Erste Digital, with all production maintained within the EU for security.
-
Funding will support expansion into Western Europe and Southeast Asia, with plans to open a Singapore office in 2025 to meet growing demand for PSD3-compliant authentication methods and post-quantum security infrastructure.
TOOLS
FutureFeed
A tool for achieving and proving compliance with NIST 800-171 and CMMC cybersecurity requirements.
Darktrace
Darktrace is a cyber security solution that uses AI to detect and prevent cyber attacks in real-time.
InfinityAI
Infinity Platform / Infinity AI is an AI-powered threat intelligence and generative AI service that combines AI-powered threat intelligence with generative AI capabilities for comprehensive threat prevention, automated threat response, and efficient security administration.
Before you go
If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!
For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz
