Hello, and welcome again to the SafeBreach studios. We’ve reached the final episode of our series on the Iranian Cyber Nexus. I’m Tova Dvorin, and this is the Cyber Resilience Brief, a SafeBreach podcast. And I’m Adrian Culley. We’ve traveled from the big bang of Stuxnet, all that way back in the mists of time, to the shadow war of 2025, which is itself fading into the mists of time. But now we’re going to look forward. That’s right. At the time of this recording, we’re in early 2026, and the landscape has shifted again. There is clear evidence Iranian APTs are no longer just learning from the best. They’re matching the best in some instances. They’ve graduated, Tova. They’re using the most advanced technologies, artificial intelligence, offensively, supply chain manipulation, and autonomous malware to bypass the billion-dollar security stacks we’ve spent years building. And Adrian, right now, the biggest trend that we’re seeing is the shift towards upstream targeting. Could you explain a little bit what that means and why that matters? Exactly. The Iranian hacking groups have realized that the front door of a major defense contractor is too well guarded. It’s tradecraft. It’s very simple, logical, and rational. So what they’re doing is, from the supply chain level, they’re targeting the managed service providers, the MSPs, and the software vendors. So it’s essentially a skeleton key strategy. Exactly right. If you compromise one IT provider that manages five hundred different companies, you now have access to all five hundred. We saw this with the Agonizing Serpens group, a subset of APT34. In late 2025, they targeted specialized IT firms in the Middle East and Europe. They weren’t looking for the IT firm’s data. They were looking for remote access credentials to their clients. This makes the traditional concept of a perimeter completely obsolete.
What’s very interesting, and I’ve experienced this in the past as well, is, for example, law firms around the world perceiving, “Who would want to hack us?” In fact, they’re one of the highest-profile targets of hostile foreign nation-state hacking groups. They deal with sensitive and secret information. So again, law firms, make sure you’re safe, because you absolutely have a target on your back. Interesting. It’s good to know. Well, so the perimeter’s gone. You know, your perimeter is now as weak as your most vulnerable third-party vendor, whether that’s a law firm or an IT outsourcing firm. And this is where exposure management, and the conversation about exposure management, has to move from “my company” to “my ecosystem.” And we’ll be right back. Let’s shift to talk a little bit about the elephant in the room, which is of course AI. In episode four, we talked about AI-powered phishing. But as we move deeper into 2026, it’s getting far more sophisticated than that. Tova, we’re moving into the era of agentic AI. This isn’t just a bot writing an email. This is malware that can think for itself once it’s inside your network. Could you be a little more specific? So imagine a piece of malware that doesn’t need to call home to a command and control server to get instructions. That’s the first evolution. No longer completely dependent on command and control communication. Therefore, if we’re looking at behavioral activity, we can’t be dependent on looking for that C2 activity either. What’s happening is there’s a localized small large language model, if you haven’t heard of that already. I know it sounds like a paradox. It can scan your network, identify your most valuable files, and decide how to exfiltrate them without triggering the heartbeat detection that historically has caught Iranian actors.
And when it comes to infiltrating with these small-scale LLMs, we’re looking at what has been called the triad of disruption, because Iran is now sharing these AI techniques with both Russia and North Korea. It’s effectively a hive intelligence, Tova, a collective intelligence. They’re pooling their adversarial data. They’re testing their AI models against Western security tools to find the exact blind spots where AI can slip through. Remember, we’re moving from living off the land to simultaneously living in the blind spots. It’s an arms race where the adversary is moving at the speed of silicon. And we’ll be right back. Yikes. I mean, if the threat is automated and AI-driven, how can a human-led security team possibly keep up? Simply, you don’t. You fight fire with fire, and this is where we use continuous automated red teaming. Yes. Our favorite red team in a pocket. At SafeBreach specifically, how are we evolving the platform to meet these threats in 2026? So we’re focusing on dynamic exposure validation. We’ve integrated our own AI into the Hacker’s Playbook. When a new Iranian tactic, technique, or procedure is discovered, our platform doesn’t just have a static signature. It generates thousands of variations of that attack. So what you’re saying is that we’re testing against the unknown unknowns. That’s absolutely what we’re doing, Tova. We’re testing if your security stack can catch an attack that hasn’t even been written yet, but follows the logic of an Iranian AI agent. And with adversarial exposure validation, we give you a resilience score. A resilience score. Okay. It’s a good concept. But what does that score tell a CISO in practice? So it tells a CISO: if an Iranian APT hits you tomorrow with the latest AI-enhanced toolkit, this is exactly where your defenses will break. It moves from “I hope we’re safe” to “I know where we’re exposed, and I’ve prioritized the fix.”
The cyber order of SafeBreach customers have access to the most extensive scenario covering all of our knowledge of Iranian threat groups. This scenario brings together all Iranian-linked threat groups, including IRGC and MOIS, that SafeBreach covers into a single comprehensive simulation. It includes notable adversaries such as APT33, also known as Elfin or Magnallium; APT35, also known as Charming Kitten, Imperial Kitten, Tortoiseshell, or Magic Hound; APT42 and APT43; the CopyKittens; Fox Kitten, which is also known as Parisite, Pioneer Kitten, or UNC757; Leafminer, known as Raspite; Moses Staff; MuddyWater, known as Seedworm, Static Kitten, or TEMP.Zagros; and OilRig, APT34, which also goes by Helix Kitten and Chrysene. I sound like I’m on the Jeopardy! quiz show, I know, but it’s important to run through how deep our knowledge is of the attack techniques and code of these Iranian groups. Running this scenario, Tova, enables you to validate your security controls against the widest range of Iranian-based threat tactics, techniques, and procedures, ensuring your defenses are prepared for real-world attack behaviors. And we’ll be right back. You know, Adrian, we’ve indeed covered a lot of ground, especially about Iran this year. So what is one takeaway you want our listeners to have as they head into the rest of 2026? So fundamentally, stop trusting the identity. In a world of deepfakes and AI-compromised accounts, you have to assume that every user, every device, and every vendor is a potential threat actor. And by that, I mean potentially compromised by a threat actor. Right. Zero trust isn’t just a buzzword anymore. It’s a survival strategy, and you have to deploy it correctly in order to use it effectively. Absolutely, Tova. But zero trust only works if you validate it. Don’t just set up a zero trust architecture and walk away. Test it every day. Run the simulations.
Use CART to try and break your own rules. Because I guarantee you the IRGC and the MOIS are trained to break them right now, and they don’t desist. You should have zero trust in your zero trust. Continuously test and validate it. If you trust your zero trust, well, by definition, it’s no longer zero trust, is it? Absolutely not. And it’s a good reminder as well to our SafeBreach customers, letting you know that we do have Guardicore and Zscaler, two zero trust vendors, in our system, and you can validate them with us. So if you aren’t doing it already, just ask your customer service representative. Excellent advice, Tova. Thank you. Now that’s the time we have, and that brings us to the end of our series. We hope this deep dive into the Iranian threat landscape has given you the insights and the urgency to strengthen your own resilience. And remember, the breach is coming. The only question is, will you find it before they do? So for me, from Adrian, and from the entire team at SafeBreach, thank you for listening to the Cyber Resilience Brief. Stay safe, stay safe with SafeBreach, and stay proactive. The Cyber Resilience Brief is a SafeBreach podcast. Executive produced by Adrian Culley and Tova Dvorin. Music produced by Sar Dressner. Hosted, edited, and compiled on Riverside. For more about SafeBreach and how you can validate your security controls across your entire IT infrastructure, visit us at www.safebreach.com. That’s w-w-w dot s-a-f-e-b-r-e-a-c-h dot com.