CyberWire Daily - Cyber and its "Hive" Mind
Episode Date: January 2, 2026
While our team is out on winter break, please enjoy this episode of Cyber Things from our partners at Armis. Welcome to Episode 2 of Cyber Things, a special edition podcast produced in partnership by Armis and N2K CyberWire in an homage to Stranger Things. Host Rebecca Cradick, VP of Global Communications at Armis, is joined by Curtis Simpson, CISO at Armis, to dive deep into the rise of the “Hive Mind”: the collective, connected threat ecosystem where attackers share tools, data, and tactics across the dark web, evolving faster than ever through AI-powered reconnaissance and automation. This is essential listening for anyone seeking to better understand how today’s adversaries no longer operate alone, but as a distributed learning network that observes, adapts, and strikes with speed and precision. Tune in now to learn how organizations can think upside down, harness AI, and build defenses that move at the speed of today’s threats - before the shadows reach your network.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
As we take a short break for the holidays, we want to thank you for being part of our community
and for tuning in throughout the year.
Today we're bringing you a special encore episode.
One we hope you enjoy revisiting or hearing for the first time.
However you're spending the season, we wish you happy holidays, a safe and restful break,
and as always, thank you for listening.
Welcome back to Armis's Cyber Things.
We're back for episode two. This is our short series in homage to Stranger Things.
but obviously always join us for our bad actors podcast at Armis.
And spoiler, of course, we have watched Volume 1 of the final season.
So if you do not want to know what's happened so far,
come back next week once you've watched.
If you are up to date, carry on listening to us
because we're going to talk a lot about the hive mind.
And of course, in Stranger Things,
the mind flayer didn't just attack,
it observed, adapted and learned.
It isn't just one monster, it's many,
connected through a single invisible network.
And like cybersecurity, there is no single villain
that we are trying to defend our country
or organisations against.
There's no one all-powerful adversary.
The greatest danger, while most of that activity,
happens in the shadows,
long before an attack is even launched.
So today we're going to dive into
how organisations can defend against the unknown.
Joining me as someone who understands this world
better than anyone,
he is one of my favourite people at Armis.
He is our CISO and
Customer Advocacy Officer, Curtis Simpson. Curtis, welcome to Cyber Things. Thanks so much for
Adam. So you are a massive Stranger Things fan like I am and we are excited to dive into this
hive mind conversation. But I think first we need to really talk about what we mean by that.
This distributed, adaptive, learning from every encounter, especially powered by AI now. That is what
a lot of threat actors are benefiting from. And of course, the dark web ecosystem.
How close an analogy do you think that is into what we are trying to help organizations
face today? It's a really good question and I think it's incredibly close. Gone are the days
where threat actors are isolated individuals operating from a basement or on the complete opposite
to that scale nation state organizations being funded only and entirely by more malicious
governments targeting other governments. That's not the reality we're facing today.
It's one massive network.
When you look at the dark web specifically,
you've got tooling and services that attackers can subscribe to.
You obviously have geopolitical tensions and such around the world
that are driving folks that may be struggling today
with trying to find a source of income
with potentially considering moving in this direction
and then having rapid, easy access to tools.
You've got forums where attackers are communicating,
with one another in terms of tactics that work, tactics that don't work, et cetera.
When you look at the dark web in general and what's always been relevant on the dark web
is selling information that one attacker has potentially compromised from an environment
to benefit others that may want to buy it and use it in support of some of their strengths,
tooling capabilities, etc.
And then just like a legitimate organization, I think that one thing that's important to remember,
folks that used to work in more malicious and criminalistic nation state organizations,
start their own criminal organizations on the dark web,
attackers or in the threat network in general,
attackers that succeed in those realms go off and start their own malicious organization
and start targeting organizations, individuals, etc.
The reality is the definition of threat actor now is very broad.
The information available to threat actors is literally at their fingertips
and their ability to just be effective is immediate now because of AI-based tooling
that's literally been built to make it easy for them to give someone money
to fundamentally become a rapid expert at executing attacks.
Yeah. And it's interesting. We're going to dive into this a lot
because that collective adversary learning behaviour from each other,
sort of supporting each other in many respects,
so that they can find the quickest route to an attack,
whether that is, as you say, ransomware or geopolitically sponsored
on critical infrastructure.
I guess we take a step back and work out how organisations can defend against that.
Because to your point, if you have so many different methods and attack vectors,
whether it's exploit developers, botnets, the dark web,
learned behavior, how does that change the strategies that organizations need to use to defend
themselves in the world that we're operating in today? Yeah, it's another great question. One of the
things that I think is most relevant today is best practices have helped and enabled us for a long
period of time, but they're no longer that flag we can plant on the hill and continue to
build our entire programs around. The reality is threat actors
know what our best practices are. They build their tooling around them. They build their tooling
to target where we don't have time and don't get to exposures we know exist in our environment.
So as an example, we've long since defined very consistent timeframes around how quickly
we remediate vulnerabilities based upon their publicly known severity. Well, attackers know this.
What that also means, by definition, is most organizations rarely ever remediate traditionally
designated medium risk vulnerabilities.
What does that mean as an attacker?
I'm going to target as many medium risk vulnerabilities as I can.
I'm going to string them together to build an attack that allows me as the threat actor to deliver
the outcome I'm looking for.
Compromising systems, stealing data, executing ransoms, etc.
That's the reality of today.
So what does that mean from a defense
perspective? It means that we need to actually build our prioritization efforts, both in terms of
what we prioritize proactively and reactively based on where our business is most likely to be
attacked and impacted. What that means is we truly need to operationalize intelligence
and information around what attackers are going after in our industry, what attackers are
going after in relation to the technologies we consume and then be able to, when I say operationalize,
that information needs to be consumed in the platforms where we prioritize the vulnerabilities
that we're remediating, where we prioritize the detections that we're applying. And a lot of this
is easier than it's been before because of the adoption of AI and the enablement of AI from a
workflow perspective and otherwise. But again, the key is that we have to think this way. We
can no longer think that I'm just going to build based on best practices and I'll be good.
It is about truly understanding that intersection of what matters to my business, what's
likely, what's most likely to be attacked and exploited based on what threat actors are doing
today or thinking about doing tomorrow. And then how do I operationalize that information to
truly prioritize my reactive and proactive efforts? And it's interesting what you've described there
because I think there are many forward-thinking organisations
that have that level of threat intelligence.
I mean, many, many, many of our customers
obviously received that from Armis.
But what we're talking about here
is such a vast network of threat actors,
you know, attacking different organisations
and different parts that they choose.
I wonder what the defensive equivalent
of that hive mind would be.
Do you feel that individual organisations like us
and some of our peers need to
come together as a unit better to help organizations defend themselves, because individually we're
providing individual information pertinent to organizations. But is there enough being done
more publicly to defend against this hive mind mentality that's happening in the dark web?
Yeah, I think in many cases we are operating in that capacity more than we realize. And it is,
again, actually because of AI. So when you look at what a lot of tooling and solutions and
services are built around today, when built using AI, is they're pulling all information around
research that's been done and published, period, full stop. They're taking all of the research,
or they're using, and just like with our solutions and many others, we're using AI to analyze
all research that's recently been done and previously been done. We're using AI to analyze
conversations in dark web forums and otherwise. We're using AI to just read all publications
in general around new tactics, evolving tactics, and all of these details at a pace at which
we wouldn't necessarily be able to operate in terms of sharing with one another as third parties,
let alone consuming as the defenders. AI is doing that for us now. And if we're using the
right tooling that's actually doing that analysis, that consolidation, that correlation,
we are actually building that hive mind that's learning from all of the good work that
all of us are doing. The key is that we're thinking that way, consuming solutions that are
thinking that way, and in cases where we can, and it makes sense for us to build AI-oriented
workflows that operate that way, applying that same logic. How do I do this analysis to not just
have a bunch of data about threats, but rather to build data around what threat actors are
actually going after, that I can then intersect with how I look for vulnerabilities,
how I build detections, and actually starting to really bring those things together
operationally, whether it's doing it ourselves, leaning in on third parties to do it through
their tooling, leaning in on our partners. The key is that we start thinking that way and
then looking at what can we already do with what we have, what should we be building
or what should we be looking to others to build
under that mindset and under that concept.
And just taking a sort of step further for a second,
do you think that collective knowledge
and the industry has got a lot better
at sharing information more publicly?
We've done a really good job
with the last three years of really talking
about open vulnerability disclosure
and the process is quite established now
across all the manufacturers
and all the cybersecurity vendors that take part.
So it's definitely a step forward.
But we know that obviously
the modern environments are so interconnected, it only takes one single blind spot to become the
gateway in. Do you think from your perspective, organisations have sort of built some sort of
resilience, they have so much data available to them, but that complexity in itself has become
a risk because this deluge of information and so much more awareness of risk, it creates
a little bit of where do we go, what do we do first?
Oh, 1,000%. It's, we used to build much of our programs around the more data I have the better.
Then we overwhelmed ourselves with data, including threat information.
This is why I really look at it and say it the way that I do.
And the challenge we have as the defenders, as the third parties that are operating in that realm that you spoke to in terms of responsible disclosure, etc., is if we as researchers
identify something bad in terms of a way
that an attacker can compromise technology,
we go through a process of making sure
everyone who owns the remediation of that
and is impacted by that is aware.
We then work through a process of determining
how long it's going to take
to build patches for those types of things,
publish them, publish all of the details.
That could be 90 days,
could be longer, depending on the scenario.
The attackers don't have any of those obligations.
They're not operating on a moral or professional responsibility plan.
They are just looking for opportunities to compromise technology and then exploit that technology.
But this is where being able to hone either the intelligence we already have or to get new
intelligence and start leaving some of the noise behind is important because what we need to be
able to look at is we need to assume there will be zero-day vulnerabilities that nothing
tells us about through the traditional means in terms of, hey, this is, these are new vulnerabilities
you should care about. Because when we say these are new vulnerabilities with CVEs that we should
care about, the problem is they've already gone through that process. They've taken time to
be exploited. And it's still good to have that information to be able to prioritize based on it.
But we can't rely entirely on it. What we have to have is information that's built around
what threat actors are talking about in the dark web forums. What threat
actors are actually testing in real world scenarios that are being observed by Armis and others
through honeypots that were built to look like every single industry on the planet and then to
monitor what those attackers are testing today and then making you as the defenders aware
of what those attackers are going after that actually don't have a CVE today and how they relate
back to your environment and then whether it's through inherently through the technology or
consuming or should be consuming or through AI that's bolted on top of that, either self-built
or acquired through partners and solution providers, you have to be able to pull all that together.
You have to be able to say, well, there is this new CVE or there is this new vulnerability that's
being exploited. There is no identified CVE. So there may not be a patch. But I can apply
these specific control points within my environment to prevent the exploitation that is being
seen and all of that was actually made aware to me through these tools, through the information
that was built by this overall capability that's identifying that attackers are doing this,
how they're able to get away with it, what control points can be applied. This is the information
that is gold to us now because otherwise if we don't have that information, don't prepare
with those insights, the chance that that zero day is going to affect our business in spite
of everything else that we've done is just far too high.
And it's funny, because we talk a lot about, you know, awareness is power,
but it's actually the control that really matters.
And, you know, shameless plug, we focus, we are focusing a lot on early warning intelligence,
like you say, like trying to get ahead of the threat,
trying to provide information of potential risk.
But monitoring that and transforming that into real actionable defensive advantage is very
challenging, right, because of all the things you've just said. Do you think as we roll forward
into 2026 and beyond that actually to get ahead of it, you know, in the Stranger Things concept
of this two world upside down state, we do need to really double down onto that early warning
indicators of where the next threat might come from. Even if it never transpires, it's better
to have been prepared for something that may not happen rather than actually have to respond to
something that did? Oh, 100%. We have to assume that this is the new reality that we're
facing that threat actors are going to constantly be using AI to be assessing technologies and
their exposures to then test exploits against those exposures and be able to go from end to end
in terms of discovery and exploitation validation in a matter of hours to days. We have to make
that assumption, which also means we need to build and optimize our programs around that mindset.
And in many cases, that does mean that we either need to build new information, build those new
capabilities, build those new workflows, because whatever it takes to operate in that capacity
needs to be the priority.
And if you think in that Stranger Things mindset, it is turning everything upside down.
It's moving away from those best practices.
It's not worrying about all of the constraints of yesterday.
It's about thinking about what is possible in this realm.
And I stress it that way because often in security, we look at, well, we have too much information.
There's too much noise, too many false positives.
How do you make this true?
How do you make it true that you have the right data to surgically identify the priorities that you should be considering from a control plane perspective?
Because that is critical.
It's just as critical as saying, what are the things I need to patch, not just based upon I committed to criticals
in 30 days, highs within 60, mediums within 90. No, no, no, what do you need to patch that
actually will defend your business against the next attack? And one of the other things that's
important to really turn upside down on its head is just because this is how we're audited
today as an example doesn't mean that we can't change the controls and the language around
how we're audited. I've done this many times over the years when it comes to corporate audits.
If you show auditors, internal or external, that this is a better way to prioritize what matters to my business
and here's how I'm doing it effectively, they will change the way they assess the control, period, full stop.
Interesting.
So if you had to describe an organization that is like getting it right, not perfect because it's always an immovable situation,
but someone that's really defending against the unknown and sort of thinking about the habits and strategies they've deployed,
what advice would you give to others in trying to sort of put that together?
In many cases today, and this is where one of the questions we talk about to this industry all
the time is where should I be dipping my toes in AI, where should I be bringing AI into
my portfolio to actually have it make sense. I think there's something really compelling
in the AI landscape right now. There are workflow tools that have been built to make it
very easy for you to take a workflow that you've already conceptualized and you've
generally thought through and rapidly build it and then test it and then actually apply it.
And I say all of that because if you already have very interesting data sources around threat
intelligence, but you haven't yet operationalized them, well, with these tools, you can point
the workflow solutions to where the data lies, have it do the analysis, do the deduplication,
do the correlation, take that information, feed it into the platforms that you're using for
prioritization, have it do, again, the same thing, the correlation, the analysis,
establish the priorities, cut through some of the noise.
We have reached the point where we are beyond these orchestration challenges we've had
in the past.
And those that I see doing this well are, again, leaving behind what's always been
a problem and looking at AI as an actual new way of solving this and addressing the issues
we've had in the past and bridging the gaps between data, the tools that need to
handle the data but can't necessarily analyze it well, AI can do the analysis for you.
AI can think or can not necessarily think, but can analyze on your behalf and accelerate the
output that would take you too long and do the analysis that the downstream tools can't do
on their own. This is where we can build the workflows, have the appropriate AI platforms,
do the analysis, take the output of the analysis, feed it into the platform that needs to act on
it, we can build all of this today and test it in a way that gives us the confidence to actually
start implementing these capabilities in an increasing scale. If you're going to really excite
your teams by playing with AI, by dipping your toe into it, by showing value, this is where your
teams should be spending their time. And this is, the companies that are doing this well are really
pushing their teams in this direction. Because otherwise, playing with AI can be that. It can be a
that ends up consuming a lot of time, but doesn't deliver a lot of value.
Everything I'm talking about here is valuable and allows you to start moving in the direction
of being able to operate in a similar capacity to the threat actors, but actually do it in a way
that enables you to defend at a similar speed to which they're going to be attacking you.
Yeah, I totally agree.
And I think this is funny how this year is shaped up, because if we look back to conversations,
you and I had at the beginning of the year of, you know, the concern
people had about AI, and especially in cyber security, we knew that it was being weaponised,
but equally that the defenders needed to use it and leverage it to sort of get control and
get ahead. And then we've come to the end of 2025, and it seems to be people really starting
to talk about the proactive need for AI tools to everything you've just said for workflow
management, for really siphoning out the information that is needed to defend the organisation.
So it feels like a real full circle moment.
Final question for you
and going back full circle to Stranger Things
and the luxury that is that program
where you can physically see the monsters
that lurk in the shadows,
cyber security is very difficult
because you don't know where they're coming from,
you don't know who sits behind that keyboard,
you don't know what their intention is.
There's lots of myths around
what organisations still believe about cyber threats
and where their priorities need to be.
If you could summarize, I know it's, what,
it's hard, but if you could summarize into one thing that you still think needs a lot of attention
and a lot of discussion around, what do you think that might be?
Yeah, I think there's two points there.
One we talked about already, which is surgically prioritize everything you're actually defending
against based upon what's likely to be attacked.
The other thing that we really need to continue to be focused on,
because it's what keeps CISOs up at night, is how resilient am I
when, if and when, the horrible thing happens.
Like if business capabilities are compromised at scale,
if data is compromised at scale,
will the data be lost?
Can the data be recovered?
How rapidly can the systems and capabilities be recovered?
Even before you can get to that point,
do I know what the most important systems are?
Do I know what their downstream and upstream dependencies are?
Do I understand what the ecosystem looks like
in terms of how that information is being backed up and otherwise?
Are those backups protected?
One of the things we commonly see is those backups themselves can be compromised and impacted
through ransomware.
We have to think about this from the two sides.
It's how do I defend and prevent the majority of these attacks?
And then the other side of that is how do I ensure that if it happens, I can contain and
minimize its impact?
And as I think about impact, how do I recover the business and minimize the impact to
the business in terms of long-term impact, like data loss, actual loss of capabilities for
days to weeks, and those types of outcomes that can actually cripple the brand of the organization
for a very long period of time. It's really those two sides of the coin we need to think about,
not one or the other. It makes perfect sense. And I think if we're going towards 2026, I hope
that a lot of work and conversations that have been had in the community helps guide some of
those strategies and sort of starts prioritising that business conversation to your point about
the impact but also the resilience that is needed to tackle the attack surface that
the organisations are facing now. Curtis, thank you so much for joining me for the second
episode and we are obviously a few weeks away from the next download of Stranger Things
which is happening on Christmas Day. So for those that are listening or watching,
we wish you happy holidays.
Enjoy the next download of Stranger Things.
And we'll join you in January for the final wrap.
And hopefully the answer to what we're all waiting to hear is how this series ends.
So thank you so much for joining me.
Thanks so much for having me.
