
Botnets, Edge Devices, and AI: Inside Forescout’s Threat Findings with Daniel dos Santos

Season 3 Episode 7

Show Notes

A new wave of cyberattacks is being routed through everyday devices—and defenders can’t rely on old assumptions about geography or “known bad” infrastructure. Daniel dos Santos, VP at Vedere Labs (Forescout), walks through findings from their 2025 Threat Roundup, drawn from a global network of hundreds of honeypots and decoy systems. The conversation focuses on why web-facing systems and edge devices have become prime targets, how attackers hide inside cloud and ISP-managed networks, and what defenders can do earlier in the kill chain. Dos Santos also explains why many exploited vulnerabilities never appear on CISA’s KEV list—and how security teams should think about patching and risk anyway.

Main Topics

  • How honeypots reveal attacker intent across IT, IoT, and OT environments.
  • Why attacks increasingly come from ISP-managed networks and consumer devices.
  • Cloud and “benign” services used to blend in and evade traditional filters.
  • Why distributed botnets weaken country-based blocking for defenders.
  • The rise of web-facing exploitation and the shift away from stolen passwords.
  • Edge devices, OT exposure, and why “discovery” dominates post-breach activity.

Key Quotes

“We have hundreds [of honeypots] throughout the world. Some of them are simulations… Some of them are real devices… we expose them with the intention of seeing them attacked.” — Daniel dos Santos

“Home routers, but also home IP cameras or doorbells or solar inverters or…whatever it is that you have in your house that might be exposed to the internet and might be vulnerable can be these days recruited into a botnet.” — Daniel dos Santos

“Attackers…have figured out that when you find a zero-day in a popular router or a popular firewall or a popular VPN appliance, you can really go against thousands and thousands of organizations.” — Daniel dos Santos

“With one zero-day or one critical exploit, you can compromise thousands of organizations today.” — Daniel dos Santos

“But what we do see in the signals that we see there and what we present in the report is that there is a whole world of vulnerabilities being exploited.” — Daniel dos Santos

Relevant Links and Resources

https://www.forescout.com/research-labs/2025-threat-roundup/

https://www.forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics/

About the Guest:

Daniel dos Santos is the VP of Research at Forescout Research — Vedere Labs, where he leads a team of researchers that identifies new vulnerabilities and monitors active threats. He holds a PhD in computer science, has published over 35 peer-reviewed papers, has found or disclosed hundreds of CVEs — and is a frequent speaker at security conferences.

Transcript

Daniel dos Santos [00:00:00]: Chinese, for instance, are building botnets off of consumer devices to proxy their attacks. And it’s something that really evolved from sort of a practical joke, let’s say, what can we do with these devices, to something that’s valuable for criminals, to very valuable, very important for state-sponsored actors.

Frank Cilluffo [00:00:23]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with Daniel dos Santos. Daniel is a vice president at Vedere Labs, part of Forescout, and they came out with their latest report, the 2025 Threat Roundup. Last year we had a colleague come in as well, simply because I think it’s important to be able to unpack some empirically based evidence to better focus our cyber discussions around DC and globally. Daniel, thank you so much for joining us today and really appreciate it.

Daniel dos Santos [00:01:04]: Yeah, thank you so much, Frank, for having me. It’s a pleasure really to discuss the research that we do.

Frank Cilluffo [00:01:09]: You know, Daniel, I thought we’d start at the top and how you actually see some of this activity in the first place. And I think one of the interesting takeaways is, a lot of the data comes from decoy systems. And in very simple terms, why is this beneficial for our users? And what sort of data could that provide that isn’t necessarily going to be gleaned through simple logs of customers and the like? So let’s start at the top, the evidence.

Daniel dos Santos [00:01:42]: Yeah. So it’s a great question because actually we try to focus not only on the traditional threat landscape, as we call it, of IT devices such as workstations and servers and so on, but all the things that are running on critical infrastructure, right? So the PLCs and the embedded devices and the routers and all that. And that’s kind of a difficult environment to have to monitor directly if you’re not simulating some stuff, right? Especially for a cybersecurity company, you don’t always have visibility into all the different environments that we would like to get data about. So there are things that we get data from, you know, from our customers. There are things that we get signals on the internet, but there are a lot of things that we simulate to try to understand, like, are attackers actually interested in this kind of device? Are attackers looking at that specific protocol? Are attackers, you know, searching for something more than, you know, what would they do if they found that on a specific network? So I think that the value there really is the diversity of the types of devices that we can simulate or, or have real devices exposed in a decoy form.

Frank Cilluffo [00:02:48]: And in simple terms, a honeypot allows you to sort of get a better sense of intentions, what their interest is. And how many honeypots do you have out there?

Daniel dos Santos [00:02:59]: We have hundreds, really. We have hundreds throughout the world. Some of them are simulations, totally like software-based virtual machines running on the cloud in different parts of the world. Some of them are real devices, right? Like I mentioned the PLCs and the routers and some of those things before. Some of those are actual devices that are used in critical infrastructure, but we expose them with the intention of seeing them attacked. And yeah, as you said, it’s a decoy system. It’s something that the attackers can kind of explore and do the damage they want to do without us having to worry that it’s an actual device doing something actually meaningful, right? So it’s, the more effort, let’s say, you put into creating a realistic network, the more effort you put into luring the attackers to your network, the better results you get. And we’ve had in the past few years examples with ransomware, examples with botnets, examples with manual attacks where they were, you know, kind of looking around and trying to see what devices were running there, examples with hacktivist attacks and so many more things that we could definitely cite here.

Frank Cilluffo [00:04:08]: Excellent. And it allows us to make the big mistakes on the practice field, not Main Streets around the world. You know, your report shows that nearly 60% of attacks are now coming from ISP-managed networks. Firstly, is that new? Secondly, does that mean there’s more activity in terms of co-opting home routers, PCs instead of shadow networks and traditional criminal networks?

Daniel dos Santos [00:04:35]: Yeah. So first, it’s not entirely new, but it’s a growing trend, right? We have seen in the past already that ISP-based devices were more numerous on our sensors than the ones coming from cloud services or from specific business networks and things like that. And the reason is exactly what you mentioned, is that home routers, but also home IP cameras or doorbells or solar inverters or whatever it is, home batteries, whatever it is that you have in your house that might be exposed to the internet and might be vulnerable can be these days recruited into a botnet, right? And we have seen more and more. This is a phenomenon that started actually a decade ago. 2016 was when Mirai first came out, first botnet targeting IoT devices. And it started as kind of a joke in a way, and then it became something very valuable for cybercriminals. But now it’s actually used by a lot of state actors as well, right? We have lots of reports of the Chinese, for instance, building botnets off of consumer devices to proxy their attacks. And last year, the Russians took part of the Moobot network as well to proxy some of their attacks.

Daniel dos Santos [00:05:58]: So it’s something that really evolved from, as I said in the beginning, sort of a practical joke, let’s say, what can we do with these devices, to something that’s valuable for criminals, to very valuable, very important infrastructure for state-sponsored actors these days.

Frank Cilluffo [00:06:17]: Well said. And it further obfuscates and complicates and confounds the investigators, right? So it has multiple reasons why behind all of that. But one of the other findings that I took note of in your latest report is that attacks coming from cloud and hosting providers more than doubled. And is this more about convenience or are they living off the land and just better at hiding and not triggering alarms or both?

Daniel dos Santos [00:06:52]: Yeah, it’s a bit of both, but also the fact that it looks benign on a network when it comes from Amazon, Google, Microsoft, you know, and any of the big cloud providers out there. It’s much more difficult for investigators, as you said, to then filter out what is actually malicious if you cannot pinpoint a specific IP address or domain or ASN that is, you know, known to be malicious. And we do see a lot of abuse of actual benign services these days for messaging and things like that, like, you know, Discord, Telegram, and so many others, Teams as well, being used for things like command and control, being used to coordinate attacks and to have, sometimes to download malicious attachments and things like that, right? So it’s a mixture of, you know, leasing that cloud infrastructure for specific attacks and then kind of blending in your traffic with the benign out there or abusing benign services as well, especially the messaging services are quite popular.

Frank Cilluffo [00:08:03]: And all of this starts to break some of the old assumptions we have. And I was also taken aback notably about assumptions around geography. We’ve always known that cyber is a way to hit a target without ever stepping foot into a particular region. But I think one of the interesting takeaways was a sharp drop in terms of the concentration of attacks coming from the top 10 countries. So anything you’d like to add on that? And why is blocking by country becoming less useful for defenders?

Daniel dos Santos [00:08:42]: Yeah, so the reality is, as I mentioned before, that the botnets are getting built, the infrastructure is getting leased throughout the world, and it’s easier to hide your attacks when things are much more distributed, right? We see that in the data, as you said, like in the past, the top 10 countries used to account for, you know, the really the vast majority of what we saw coming into our honeypots and the attacks that we look at. Nowadays, it’s much, much less because, you know, if you compromise a home router in, let’s say, Nepal or Thailand or Vietnam or Indonesia or whatever, you can use that to attack anywhere, any organization anywhere in the world, right? And this is really what we are seeing. When attackers used to lease infrastructure from dedicated servers or even in the cloud world, it typically is focused on places where the big data centers are located, right, in the US, in Western Europe, and so on. Nowadays, things are really getting way more distributed because you can compromise devices anywhere in the world and use that infrastructure to then attack anyone anywhere else in the world.

Frank Cilluffo [00:09:57]: And one of the challenges we’ve always had is sort of finding the signal from the noise. And in your report, you argue that autonomous system context is better signal than pretty much anything else. Can you walk us through how security teams should evaluate suspicious IP using AS data or the like today?

Daniel dos Santos [00:10:21]: Yeah, absolutely. So for those that maybe are a little less technical, an autonomous system is basically a block of IP addresses that are managed by a specific organization. Most major organizations have one or more autonomous systems under their control. And why is this a better signal is because it’s a block of correlated IPs and it’s managed by a specific organization, right? So you’re not saying that this specific IP address is in, as I mentioned before, India or Thailand or Indonesia or Russia or whatever that might be. You’re actually looking at one organization that’s managing a block and saying, okay, this IP address is managed by that specific organization that is based somewhere else and so on. So basically what we have seen in the past few years is that a lot of the ASNs that have attacked our honeypots are actually related to what is still known as bulletproof hosting providers, right? Those providers that tend to not really respond to takedown notices or tend not to cooperate with law enforcement and not to really respond to any sort of abuse requests and things like that. So they, whatever is running on their systems, on their services, they’re kind of okay with it. And obviously they are very much used by cyber criminals and state-sponsored actors alike.

Frank Cilluffo [00:11:46]: So all of this sort of points to also how you not only get to where you’re interested in going, but how you actually get into networks. And one of the other interesting findings that you have empirically based evidence around is sort of how web-facing systems now account for over 60% of attacks. And why have they become the prime battlefield so quickly?

Daniel dos Santos [00:12:14]: Yeah, the reality is that web is one of the easiest services that you can exploit. The typical exploits on web applications are easy to exploit things like command injections, authentication bypasses, path traversals, and so on. Those are things that are easy to automate for botnets. They are easy for people to share proofs of concept. They’re easy to change from those proofs of concept that are exchanged online and so on. So we see a lot of web applications being exploited, and it’s a growing number of web applications. It’s not, again, something that is the first time we see, but it’s one of those trends that, you know, kind of continue to grow, right? And definitely, I would say that the main reason is the ease of exploitation, but the fact that web applications are extremely popular as well, right? They are popular as standalone, like, information systems. You know, it’s something that’s running on your organization to share data or your website is a web application or something like that, but also embedded devices, routers, whatever they might be, run those web applications for management and things like that.

Daniel dos Santos [00:13:31]: So definitely ports 80 and 443, the ones that are related to HTTP or secure HTTPS, they are among the top activity that we see often with exploits that are shared online.

Frank Cilluffo [00:13:47]: Thank you, Daniel. And your data also shows attackers favoring software exploits over stolen passwords. And I think this, too, is a trend we’ve seen. But from a policy and an accountability perspective, does this shift some of the onus and responsibility from the user to the vendor?

Daniel dos Santos [00:14:06]: It does. That’s a great question. It does for sure. It still means that the user needs to apply the patches, right, which is something that a lot of users struggle with, especially when we’re talking about the unmanaged device world out there. So the things that are not the traditional, you know, Windows machines or Mac endpoints or Linux servers, but things like the IP cameras and the routers and so on. So definitely, you know, it’s still on the user to apply those patches, but it’s on the vendors to create those patches, right? To make sure that their devices are free of vulnerabilities or when a vulnerability is found that they create a fix for that, that the device will not have those issues being exploited anymore. So it’s, I always say, and it continues to be, right, security continues to be a team sport, but definitely some of the responsibilities are becoming more on the user, sorry, on the vendor side than on the user side due to what attackers are exploiting.

Daniel dos Santos [00:15:11]: And one of the reasons why attackers are looking at exploits more than passwords these days is the fact that, you know, with one zero-day or one critical exploit, you can compromise thousands of organizations today, right? We’ve seen in the past vulnerabilities that we found on routers being used by attackers to actually go after literally thousands of organizations throughout the world because they were using that same model, the same device, and so on. Whereas passwords, if the user is changing them, they are somewhat unique or at least hard to guess.

Frank Cilluffo [00:15:48]: And that begs a question and underscores the importance of a theme we’ve hit on here quite a bit, and that’s secure by design and cyber-informed engineering. It’s basically making sure that cybersecurity is not an afterthought in terms of the very design of our systems and our systems of systems and everything that fits upon that. So I think that’s an important set of issues. Sort of, let’s go to the edge. And you’ve mentioned that a few different ways, but you’ve seen big jumps in terms of exploitation of firewalls, routers, VPNs, and the like. I think it’s self-explanatory, but not necessarily. Why are edge devices such high-value targets?

Daniel dos Santos [00:16:37]: Yeah. Yeah, it’s something that this was a really clear shift something like 2 or 3 years ago when attackers, it’s not that they discovered those edge devices. Edge devices have been exploited for a while, but they really started focusing very, very heavily on those. Part of it had to do with COVID and the explosion of remote work and VPNs becoming so popular. Every organization has a VPN. Maybe not every organization knows how to configure it well. Then they started attacking VPNs that moved to firewalls, routers, and so on, right? Those devices are obviously interesting for attackers because they are at what we still call the perimeter of networks, right? Although some people in security like to say that the perimeter is dead and don’t focus on protecting the perimeter of your network and so on. But there is always something that connects your internal network to the external world, right? And that typically is a router and there is a firewall on top of that router and so on.

Daniel dos Santos [00:17:40]: So every organization needs to have that. And attackers, because of the scalability we mentioned before, have figured out that when you find a zero-day in a popular router or a popular firewall or a popular VPN appliance, you can really, really go against thousands and thousands of organizations, right? So they’re very high-value targets. And the fact is that this is something we’ve seen in past vulnerability research when we find new vulnerabilities in devices. Once you find a place where things are done, you know, in a way that leads to vulnerabilities, you tend to find that repeatedly on the same model of the same vendor, but also across different vendors, different models. Just the way that engineers work somehow tend to make the same mistakes over and over again in the same places. So things like we were discussing before, the web interfaces of some of those devices have lots of vulnerabilities, right? All the path traversals and the authentication bypasses and command injections and so on. And many of those continue to be found so attackers continue to attack those. I don’t expect this to decrease anytime soon.

Daniel dos Santos [00:18:49]: Like I told you, there was a big shift, you know, 3, 4 years ago, and it’s just continuing and just increasing. Last year was the biggest year in zero days for those types of devices that we’ve seen.

Frank Cilluffo [00:19:00]: Wow. Wow. And an AI development platform showed up on your top exploited vulnerability list for the first time. Anything we should read into that?

Daniel dos Santos [00:19:10]: Yeah, it’s also a sign of the times, right? As it’s the first time, it’s something that we’ll definitely be monitoring more often. You know, the AI threat landscape as a whole has changed tremendously last year. Last year, we actually looked into how we could use AI to, you know, find and exploit vulnerabilities. And at the time, things were not super ready yet. Like, it didn’t give us the results we wanted. But now we see announcements from some companies out there releasing models and finding hundreds of vulnerabilities automatically in open-source code. We also see, like you mentioned in the report, the tools being used for building AI systems being exploited by attackers, right? Because people are deploying those. The really latest trend, which we didn’t capture in the report because it’s as late as, you know, a couple of weeks ago that the data wasn’t there, is people deploying their own AI agents, right, with things like MoltBot or lately OpenClaw, and deploying those on their own infrastructure, their own servers, their own houses, companies, and so on. That is creating a very large attack surface for individuals and for organizations that is not yet kind of accounted for, right? It’s not yet in the right level of threat modeling as some of those other devices have gone through.

Frank Cilluffo [00:20:27]: One more question before jumping into a couple questions around critical infrastructure. One of the things that leapt out at me is that more than 70% of the exploited vulnerabilities weren’t in the CISA so-called KEV list. And that’s a little disconcerting since that is sort of the gold standard. What, how should CISOs prioritize patching and the like if the gold standard is missing a big chunk of the activity we’re seeing?

Daniel dos Santos [00:21:02]: Yeah, that’s interesting. So CISA has their own criteria for including vulnerabilities into the KEV list, right? They only look at vulnerabilities with CVE IDs. They mostly look at vulnerabilities that have patches available because they want to have a call to action, which is patch the issue. There are, I think, a few cases where the call to action is basically replace the device or consider that end of life and move on. But most of the vulnerabilities they include there have patches available. And, you know, they have their own criteria for what they consider an exploit, right? There are things that sometimes are just scanned, things that are actually being exploited on honeypots, on networks, and so on and so on. So I can’t necessarily comment on all their criteria because it’s not entirely transparent.

Daniel dos Santos [00:21:49]: But what we do see in the signals that we see there and what we present in the report is that there is a whole world of vulnerabilities being exploited. And some of those in IoT devices in operational technology that are not included in the catalog, right? And it’s important for people to have a visibility into the full landscape out there. I understand that CISA or other organizations might want to prioritize some of the things based on their own criteria, but we like to give more information and then people can kind of make their own decisions depending on the other contextual information they might have, right? The criticality of a device, whether or not the network that the device is sitting on is well segmented from the rest of kind of the corporate network. Do you have any, if it’s critical infrastructure, any downstream controls that apply to reduce the impact that a vulnerability exploitation could have on that device? And so on and so on, right? So we don’t need to focus only on reporting what needs to be patched now, which is kind of, you know, originally CISA’s intention is to build a list so that federal agencies need to patch things in a certain time frame. We like to say this is the activity that we see, which is more than, you know, those things that you need to patch right now. You can use that information together with your own risk assessment, together with the other cybersecurity tools you have at your disposal to then figure out if you need to patch now, if you need to patch whenever you can, or if you don’t need to patch it because it’s a less critical system in your network. And kind of just to finalize, it’s not only our list of exploited vulnerabilities that is different and kind of complementary to CISA’s list. There are other organizations out there that have similar data on vulnerabilities being exploited, right? This is not like us kind of pointing the finger at CISA.

Daniel dos Santos [00:23:52]: It’s really saying there are two views of this exploited vulnerability kind of catalog story, right? There’s the view of being a bit more conservative and the view of showing the data, kind of the raw data as we see it.

Frank Cilluffo [00:24:07]: Daniel, the tyranny of time requires I be a bit of a tyrant. So I’m going to have two questions, if we can try to get to them quickly, ’cause I could go on and on and on and on. But when I think of Forescout, I think you’ve been focused on OT before it was cool and before people recognized just how significant it is in part of our critical infrastructure sets of issues. You saw OT protocol attacks grow exponentially with Modbus leading the way. And if I’m not mistaken, it was an 85% spike in activity. Are attackers, you think, focused specifically on these systems, or are these assets just dangerously exposed?

Daniel dos Santos [00:24:53]: Yeah, it’s a combination of both. The assets are exposed and have been exposed for quite some time, unfortunately. And we do see in some countries decreasing numbers, in other countries increasing numbers. But overall, the situation is that there is still a lot of exposed operational technology out there. But the attacker interest has been growing and growing and growing and will continue to grow, right? When we talked about botnets, we talked about something that started with cybercriminals and then moved on to, or sorry, or started as a joke, moved on to cybercriminals and then moved on to state-sponsored actors.

Daniel dos Santos [00:25:32]: The interest in critical infrastructure operational technology kind of took a different way, right? It started with state-sponsored actors that were the ones who knew how to cause some damage, and it was specialized knowledge. But that trickled down into these hacktivist groups we see these days that can find anything exposed online and quickly exploit it and share that on Telegram and tell people how they did it and invite people to do that as well in other systems and so on. So the numbers that we see there, that 84% spike that you mentioned, is a reflection of this kind of activity, right? It’s not necessarily the state-sponsored actors having a look or the very sophisticated actors having a look at what’s out there. It’s all the rest of the actors getting up to speed with the fact that critical infrastructure is so vulnerable, so exposed, and can so easily be targeted.

Frank Cilluffo [00:26:26]: And, you know, I recommend our viewers and listeners to follow up on another report you did, and that’s a hacktivist group going after water systems emanating out of Russia. I think there was some really interesting findings there and sheds light on probably one of our most vital lifeline sectors, but arguably not as far along as some of the other sectors from a security standpoint. But I want to make sure that I also highlight, because I found this very interesting, and that you found that over 90% of post-breach activity is discovery. Basically curiosity and attackers looking around. And I would argue this is a hugely missed opportunity for defenders, right? And anything you’d like to add on that?

Daniel dos Santos [00:27:19]: No, it’s definitely, as you said, a missed opportunity. But the reason why attackers are spending more and more time on discovery is because there are more interesting things that they can do on networks, right? What started, let’s talk for instance about cybercriminals and ransomware and all that. What started as a lot of smash and grab operations where ransomware gangs would get in, encrypt everything, get out, and then demand a ransom, moved to operations where they would exfiltrate the data before and then encrypt things, and then moved to what they call big game hunting. And they go after the really major organizations. They really spend some time understanding what’s there, what’s valuable for the organization. You go and you extract the data that matters, you encrypt the systems that matter, and then you demand a ransom. And that’s a similar situation for other types of attackers as well, right? Everybody is becoming smarter in a way, or everybody is becoming better at going after the things that really matter, right? It’s not just an attack where you get in, you do some damage, and you get out.

Daniel dos Santos [00:28:31]: It’s really important for those attackers to spend some time to figure out what are the systems they can get some value from, what they can do with the data, right? Can they resell it? Can they threaten the organization? Can they cause some operational impact on a manufacturer, for instance, and stop production lines? And that will be a bigger impact than exfiltrating data. Those kinds of things take some time, right? And take some kind of getting used to the environment and understanding where you are, where you can pivot, and so on.

Frank Cilluffo [00:29:03]: Daniel, my last question is looking ahead. And I often say since the end of the Cold War, threat forecasting has made astrology look respectable. So I’m not asking you to look in that crystal ball. But looking ahead, with the rise of modular malware like XWorm, what should we be thinking about here? What’s the one big takeaway you would like our CISOs that are watching and listening or their executives in terms of CEOs in a boardroom? What are the two big takeaways firstly for the defender and then for those that employ the defenders? What do we need to be thinking?

Daniel dos Santos [00:29:44]: Yeah, I think I’ll start with one that I think is relevant actually for both of them. It’s to stop looking at systems in isolation or networks in isolation and think about my IT network, my OT network, or my clinical network in hospitals and so on. And this is their gap and that is this and so on. Really, the fact is that attackers are getting smarter about all the different types of devices out there and leveraging those devices at the same time for attacks, right? Some work that we did back in 2022 showed how ransomware could start from IoT, move to IT, move to OT, and so on. And that was at the time something we were discussing might happen, could happen, and so on. Guess what? 2025, we saw the Akira ransomware gang encrypt Windows machines starting from an IP camera. And that’s not really the first time that this kind of thing happened. We were discussing before the edge devices.

Daniel dos Santos [00:30:44]: So a lot of attacks are coming in from the edge devices and then moving to the IT network. So don’t think about things in isolation. Think about your whole network, your whole threat landscape, all the assets that you have, and so on. So that I think is valid for both. If you are more on the technical side, on the actual defender and so on, think about the visibility you have on those devices, right? I don’t think there’s much sense nowadays into investing all your budget into a modern EDR and having all your Windows workstations very well protected, but you have no logs, no visibility into your firewall or your router, your VPN appliance, and so on. And you don’t have a system that puts those signals together so you can understand where things are going. Because then you will be catching attacks when they are already inside your network, already at the point where the discovery was done and they’re about to encrypt your systems, right? You have to shift left a little bit and look at the entry point of these attacks, which very often is not the IT workstation, the IT server anymore.

Frank Cilluffo [00:31:48]: Daniel, thank you so much. Thank you for joining us today. Thank you so much for the work you do every day. And research is really important. It used to be follow the money. We’ve also got to start following the research to be able to get to the point where we can be more safe, more secure, more resilient as a country, as a company, as individuals. And thank you for fighting that good fight.

Frank Cilluffo [00:32:18]: I really appreciate it.

Daniel dos Santos [00:32:19]: Thank you so much, Frank. It’s been a pleasure to discuss it and looking forward to discussing more and more research with you in the future.

Frank Cilluffo [00:32:26]: 2026, we’ll have you all back. So thank you. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.
