CyberWire Daily - The cloud that spies back.

Episode Date: December 17, 2025

Researchers detail a years-long Russian state-sponsored cyber espionage campaign. Israel’s cyber chief warns against complacency. Vulnerabilities affect products from Fortinet and Hitachi Energy. Studies show AI models are rapidly improving at offensive cyber tasks. MITRE expands its D3FEND cybersecurity ontology to cover operational technology. Texas sues smart TV manufacturers, alleging illegal surveillance. A fraudulent gift card locks an Apple user out of their digital life. Our guest is Doron Davidson from CyberProof Israel discussing agentic SOCs and agentic transformation of an MDR. Fat racks crack the stacks.

CyberWire Guest: On our Industry Voices segment, we are joined by Doron Davidson, GM at CyberProof Israel, MD Security Operations, discussing agentic SOC and agentic transformation of an MDR.
Selected Reading

Amazon Exposes Years-Long GRU Cyber Campaign Targeting Energy and Cloud Infrastructure (Live Threat Intelligence)
IDF warns future cyberattacks may dwarf past threats (The Jerusalem Post)
CISA reports active exploitation of critical Fortinet authentication bypass flaw (Beyond Machines)
Hitachi Energy reports BlastRADIUS flaw in AFS, AFR and AFF Series product families (Beyond Machines)
AI models are perfecting their hacking skills (Axios)
AI Hackers Are Coming Dangerously Close to Beating Humans (WSJ)
MITRE Extends D3FEND Ontology to Operational Technology Cybersecurity (MITRE)
Texas sues biggest TV makers, alleging smart TVs spy on users without consent (Ars Technica)
Locked out: How a gift card purchase destroyed an Apple account (Apple Insider)
Racks of AI chips are too damn heavy (The Verge)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack, zero-trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result, fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN,
Starting point is 00:00:46 every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo at meter.com slash cyberwire. That's M-E-T-E-R dot com slash cyberwire.
Starting point is 00:01:29 Researchers detail a years-long Russian state-sponsored cyber espionage campaign. Israel's cyber chief warns against complacency. Vulnerabilities affect products from Fortinet and Hitachi Energy. Studies show AI models are rapidly improving at offensive cyber tasks. MITRE expands its D3FEND cybersecurity ontology to cover operational technology. Texas sues smart TV manufacturers alleging illegal surveillance. A fraudulent gift card locks an Apple user out of their digital life.
Starting point is 00:02:09 Our guest is Doron Davidson from CyberProof Israel discussing agentic SOCs and agentic transformation of an MDR. And fat racks crack the stacks. It's Wednesday, December 17th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us. Amazon's threat intelligence team has detailed a years-long Russian state-sponsored cyber espionage campaign targeting Western critical infrastructure from 2021 through 2025. Attributed with high confidence to Russia's GRU,
Starting point is 00:03:16 the activity focused on energy companies, telecom operators, cloud, and network infrastructure providers across North America, Europe, and parts of the Middle East. The attackers primarily gained access by exploiting vulnerabilities and misconfigurations in cloud-hosted network edge devices, including routers, VPNs, and management appliances running on AWS. Over time, the campaign shifted from exploiting known software flaws to abusing misconfigurations, allowing quieter and more persistent access. Compromised devices were used to capture network traffic, steal credentials, and move laterally into victim environments. Amazon says it has disrupted activity and notified affected customers, highlighting the ongoing
Starting point is 00:04:07 risk to critical infrastructure from cloud and supply chain compromises. Israel and the United States face cyber threats far more severe than those publicly reported, according to Major General Aviad Dagan, head of the Israel Defense Forces Cyber Defense Directorate. Dagan warned that while data breaches often dominate headlines, dozens of cyber attacks have had the potential to damage real-world critical infrastructure. He said Israel must assume future cyber attacks will be significantly more destructive than those seen so far and cautioned against complacency, despite Israel's strong cyber defenses. Emphasizing national security obligations, Dagan highlighted close cooperation with the United
Starting point is 00:04:55 States, including long-running joint cyber warfare exercises with U.S. Cyber Command. He cited Iran's 2020 cyber attack on Israel's water system as a near-disaster example, noting ongoing hostile activity from Iran, China, and others, alongside reported Israeli cyber responses targeting Iranian infrastructure. CISA has warned of active exploitation of two critical Fortinet authentication bypass vulnerabilities, affecting multiple products. Both flaws allow unauthenticated attackers to bypass FortiCloud single sign-on using crafted SAML messages, potentially gaining full administrative control.
Starting point is 00:05:41 Exploitation began just days after patches were released. CISA and Fortinet urge organizations to act immediately by isolating management interfaces, disabling FortiCloud SSO and upgrading to the latest secure versions. Hitachi Energy has disclosed a critical BlastRADIUS vulnerability affecting legacy AFS, AFR, and AFF series products. The flaw stems from weaknesses in the RADIUS protocol that can allow response forgery attacks. Devices are only vulnerable if RADIUS is enabled and the message authenticator option is disabled. There is no patch. Hitachi Energy urges organizations to restore default RADIUS settings, verify message authenticator is enabled, and ensure affected systems are isolated from the
Starting point is 00:06:35 internet. Researchers and industry leaders warn that fully autonomous AI-driven cyber attacks are moving from a distant possibility to an eventual certainty. Recent studies show AI models are rapidly improving at offensive cyber tasks, even as today's systems still require human guidance. Executives from Anthropic and Google are set to testify before Congress on how AI is reshaping the cyber threat landscape, with Anthropic warning that AI could enable cyber attacks at unprecedented scale and sophistication. OpenAI has also cautioned that future frontier models may significantly lower the skill and time needed to launch attacks. Academic research, including a Stanford study where an AI agent outperformed most human bug hunters, underscores this trend.
Starting point is 00:07:29 While safeguards remain, experts stress urgency in strengthening AI-powered defenses and limiting adversarial access to advanced AI technology. MITRE has expanded its D3FEND cybersecurity ontology to cover operational technology, creating a structured framework for defending cyber-physical systems used in critical infrastructure, industrial environments, and defense operations. Operational technology, which includes controllers, sensors, and actuators, directly manages physical processes and poses unique risks as systems become increasingly connected to networks and the cloud. The D3FEND for OT extension provides a shared knowledge model
Starting point is 00:08:14 to help organizations understand adversary behaviors, identify essential observations and controls, and protect systems not designed for Internet exposure. Funded by the U.S. Department of Defense and the National Security Agency, the framework adds OT-specific artifacts, countermeasures, and mappings to related resources. MITRE says the open, extensible ontology will support cybersecurity operations, strategic decision-making, and collaboration across the global security community. Texas Attorney General Ken Paxton has sued five major smart TV manufacturers,
Starting point is 00:08:55 Samsung, LG, Sony, Hisense, and TCL, alleging they illegally spy on consumers through automated content recognition or ACR technology. The lawsuits claim the TVs secretly capture screen data in near real-time, track viewing habits across apps and connected devices, and transmit that data for targeted advertising without meaningful user consent. Texas argues the practice violates the state's Deceptive Trade Practices Act and seeks significant civil penalties and court orders halting ACR data collection during litigation. Paxton also raised national security concerns about Chinese-based manufacturers,
Starting point is 00:09:40 Hisense and TCL, citing China's data laws. The complaints say consent mechanisms are misleading, opt-out processes are intentionally difficult, and consumers are unaware their televisions function as surveillance tools. A long-time Apple user has described losing access to their entire Apple digital life
Starting point is 00:10:03 after attempting to redeem a $500 Apple gift card, highlighting risks tied to gift card fraud and automated account protections. After the first code was rejected and reissued by a major retailer, Apple locked the account. The affected Apple ID, in use for roughly 25 years, held family photos, messages, purchases, and device sync data, effectively disabling multiple devices and a linked developer account. Despite providing receipts, the user says Apple support offered no explanation and refused escalation, suggesting actions that could violate Apple's own policies. While Apple Insider suggests additional factors may be involved, the case underscores
Starting point is 00:10:50 the fragility of digital ecosystems, the impact of false fraud flags, and the importance of backups and cautious gift card purchases. Coming up after the break, Doron Davidson from CyberProof Israel discusses agentic SOCs and agentic transformation of an MDR. And fat racks crack the stacks. Stick around. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure?
Starting point is 00:11:42 Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale.
Starting point is 00:12:07 And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally, get back to sleep. Get started at Vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber. Doron Davidson is general manager and managing director of security operations at CyberProof Israel. On today's sponsored industry voices segment, we discuss agentic SOCs and agentic transformation of an MDR. Security operations centers for years have had the very similar, may I even say same pain points over years, starting from slow detections in response to analyst burnout, repetitive tasks in the alert fatigue.
Starting point is 00:13:13 At some point of time, we kind of came up with this idea, our notion of security, orchestration, automation, and response systems that came out five, six, ten years ago. And we started automating all of those predefined processes and tasks. And we thought, and so did I, that that is going to solve all of my pain points, my difficulty in scaling security operations,
Starting point is 00:13:45 SecOps operations, and so on. Also would solve a lot of the inconsistencies in executions across teams and across personnel, both on the L1 and L2 and L3 positions. And alas, it did not. It did not because there were still complexities. It was still hard. Regardless of how much we were able to automate, even end-to-end automation, we still ended up having a lot of these alerts that needed manual investigation by analysts to make a decision.
Starting point is 00:14:25 And this is where agentic kind of came out and helped us solve a lot of those issues. So about a year ago, we started investing a lot in building those agents. And when I say we, it's not we, as in CyberProof, we see that across the board. All security operations centers, all MDR vendors, and mainly the hyperscalers, the Microsofts of the world, the Google, Palo Alto, et cetera,
Starting point is 00:14:53 they started providing the infrastructure that allowed us to really make this change towards an agentic SOC. Well, for folks who aren't familiar with the whole notion of an agentic SOC, how do you describe it? So, agentic SOC, if I look towards 2027, that would be a fully autonomous security operation center that will take care, end-to-end, the security life cycle of an alert
Starting point is 00:15:21 driven by AI, it will have an agent-to-agent autonomy that will seamlessly detect, investigate, triage, respond, and as new attacks would be coming out, it will automatically be able to detect when there are gaps and start closing the loop of those gaps in the MITRE framework, for example, automatically by just having a human verifying the actual new rule that is going to be implemented and that fully autonomous SOC will be able to provide services. But that's in the future. Today, I think most organizations are around the semi-autonomous SOCs. But in high-level, this is how I would envision it working.
Starting point is 00:16:15 And what kinds of agentic behaviors do you think are going to be the most impactful? The Holy Grail is to get to that fully autonomous, which means that we need to build the agents for our MDR, that would replace our SOC L1, L2, maybe even to some extent L3, although I do believe that we always would need those experts being part of our security operations center, and therefore I don't really believe that we'll ever be able to remove the full manual SOC. There will always be a human in the loop. But to your question about which of the functions would benefit most from becoming agentic,
Starting point is 00:17:04 it's definitely the repetitive tasks of L1s and L2s, as well as around threat intelligence, everything to do with gathering threat intelligence, mapping those threat intelligence to specific TTPs, then understanding how those TTPs are being mapped to MITRE, to understand, is my organization really protected? Those are the things that would be impactful the most first and would provide the highest value once they are fully agentized. How do you suppose this is going to change the role of the analyst? Do you imagine that they'll trust the agentic outputs right away,
Starting point is 00:17:51 or might there be a learning curve to develop that confidence? We already see the effect of agents being deployed in production and how analysts interact with those agents. The short answer, I believe that our analysts will become much more consultants to our customers rather than having to do a lot of the analytics work that they do today and instead of doing that, they will become the trusted advisor that will help customers understand
Starting point is 00:18:26 the output of the agentic analysis. So that's one area. Another area, they will be the ones that will be developing new agents. They are the SMEs. They are the subject matter experts on threat intelligence. They are the subject matter experts on detection engineering,
Starting point is 00:18:47 subject matter experts on vulnerability management and therefore they are the ones that can turn their knowledge into agents that can then help our customers. They will eventually become the developers of these new agents
Starting point is 00:19:03 and then managing those agents or orchestrating those agents will become part of what the security operation center is responsible of being the L3s or L2s. That's still to be seen.
Starting point is 00:19:20 What sort of safeguards are essential to prevent these agentic systems from overstepping their bounds or making unsafe assumptions, things like that? I would divide it into two of these areas, one around the unsafe assumptions and the second the boundaries around what data they're allowed to see, use, utilize in order to make their decisions. So on the first one, if we, this is kind of what, these are kind of the best practices that we have put in place today. Any agent that we are deploying has or inherits the least privileged access of either the analyst that is executing it or the environment that it is executed on or the specific applications that it is allowed to use.
Starting point is 00:20:18 This way, we're making sure that we do not or we never basically confuse or misuse data from different customers or even different analysts or even different subject matter experts from different teams within the same agent or within the same execution of an agent. Each of them is kind of working separately and processing the data separately. We also have human in the loop that is verifying the output of those agents, depending on how critical it is and how real time it is, we kind of made the decision of whether this human in the loop will be in between passing the information between agents, so during the runtime or the execution time, or some of it is just oversight after the agent had completed its work, and we are verifying in hindsight whether there are any issues. What's your advice for organizations who are just getting started here?
Starting point is 00:21:25 They're considering their own agentic transformation journey. How should they begin? I would start with making sure that you recruit the right team that knows how to architect, develop, and secure the work of the agents that you're planning. And I'm not talking only about security agents or agents that are supposed to be part of your security operations or IT management, but also for your own business operations.
Starting point is 00:21:56 Some of the things that we had to build, basically, for sake of our customers that wanted our help in building these kind of agents is an environment that would allow us to test different models for different business applications and for different needs. And this is kind of the second recommendation. Make sure that you're able to, that you build a complex environment that would allow you the flexibility of testing different models. One, it will save a lot of money down the road because different models have different costing schemas.
Starting point is 00:22:40 And secondly, because they really provide different results and for different tasks, we see that we need different types of AI models, so that really helps us. Another option is just find someone that have already built these kind of agents and consult. When we started, we actually consulted quite a lot with organizations that have already built complex systems because we wanted to try and succeed already on the first run.
Starting point is 00:23:12 By the way, we didn't. It took time until we built agents that can have the right agent-to-agent communication, and that's before building MCP. That's before having our own databases that our agents can use and so on. So it was a very complex, lengthy process. So, get a team that have already done that before. Can you give us some examples of the types of agents that you're seeing success with, the things that are functioning within the SOC?
Starting point is 00:23:46 Yes, of course. So we need to understand that within the Security Operations Center, we have both agents that are dedicated only to the SOC operations, as well as agents that were built as part of our MDR, MSSP, across different functions that are then being taken advantage of by our orchestrator or our MDR agent, whether it's the threat profiler that is part of our CTI threat intelligence family of agent that builds threat profiles using threat intelligence data sources, prioritizes relevant campaigns, actors and techniques, and that itself can then be used by the gap guard, who is mapping basically to MITRE all of these TTPs,
Starting point is 00:24:39 trying to understand whether there are any gaps in detection. It can also be used by the threat hunting that can aggregate all of this data and build automatically or even gather from open source different rules that can be then deployed back into the SIEM, the use case management, or detection engineering that can automatically find gaps within MITRE and already suggest new rules and so on. All of these agents that were built separately, but with clear vision of how an agentic SOC should be working down the line,
Starting point is 00:25:18 are being orchestrated by an MDR agent. And from what I see in the market, this is kind of the approach that many in the market believe in that MDRs or agentic SOCs down the line would allow different customers to deploy different use cases and start controlling their budget based on the specific use cases that are relevant for their security controls
Starting point is 00:25:45 for their crown jewels rather than always having the same MDR service kind of fits all. And it's not a cookie cutter. Every business needs their own type of MDR. In the past, we had to build cookie cutters because that was the only way to sell. Today, we can offer customers, and customers are expecting to have a much more flexible,
Starting point is 00:26:08 agentic service. That's Doron Davidson from CyberProof Israel. And finally, for a hopeful moment, it seemed possible that the AI boom might be solved with a wrench, some fresh paint, and a reassuring pat on the server rack. After all, data centers have been around for decades. Surely they could just be upgraded. Experts, unfortunately, have met this optimism with laughter of the professional, deeply tired variety. The issue is not software. It's gravity. AI racks now tip the scales at up to 5,000 pounds, roughly equivalent to parking a compact car where a filing cabinet used to be. Floors crack, elevators groan, and doorways revolt. These racks are crammed with GPUs, memory, liquid cooling systems, and power delivery hardware that legacy data centers were never designed to tolerate.
Starting point is 00:27:24 As AI gulps down compute, big tech keeps building bigger facilities, while older data centers quietly carry on storing ordinary non-AI data. The future is shiny and heavy. The past still needs a place to sit. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
Starting point is 00:28:14 If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to CyberWire at N2K.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:28:41 We'll see you back here tomorrow.
