Threat Talks - Your Gateway to Cybersecurity Insights
Threat Talks
103 episodes
6 days ago
Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats. We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to every day internet users by providing in-depth and first-hand experiences from leading cybersecurity professionals. Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed, and stay secure!
Tech News
News
Episodes (20/103)
Threat Talks - Your Gateway to Cybersecurity Insights
Looking Back at 2025: Cybersecurity at a Turning Point

2025 was the year detection stopped being enough.
Because attacks stopped behaving the way detection was built to handle.

OT systems were hit with real-world consequences. AI stopped being just a productivity tool and became an attacker. And SOCs discovered - often painfully - that speed alone still means reacting too late.
In this special end-of-year Threat Talks episode, Lieuwe Jan Koning is joined by Luca Cipriano, Yuri Wit, and Rob Maas, all in ugly Christmas sweaters, to unpack why the cybersecurity trends of 2025 represent a structural break, not a gradual evolution.
They trace how attackers scaled faster than defenders, why SOC automation became unavoidable, and how preemptive security and Zero Trust execution are emerging as the only way to regain control.
This isn’t a recap for curiosity.
It’s a map of how we got here - and what must change in 2026 to stay ahead.

  • (00:00) - Introduction: why 2025 felt fundamentally different
  • (01:31 - 05:12) - The threat landscape shifts: OT security and real-world impact
  • (05:12 - 07:27) - A new normal: how AI changed daily security work
  • (07:27 - 09:31) - The most surprising attacks of 2025
  • (09:31 - 20:00) - Inside the SOC: scale, speed, and analyst fatigue
  • (20:00 - 22:15) - “There are protections against AI… right?”
  • (22:15 - 30:23) - Zero Trust redefined: can it handle AI-driven attacks?
  • (30:23 - 32:04) - Why prevention matters more than ever
  • (32:04 - 41:06) - Looking ahead: predictions for cybersecurity in 2026

Key Topics Covered
• How AI-powered attacks and autonomous malware altered attacker economics
• Why OT security and critical infrastructure moved to the front line
• Where SOC automation helps - and where it creates false confidence
• Why preemptive security and Zero Trust shift defense from reaction to control

Related ON2IT Content & Referenced Resources
I-Soon episode
https://www.youtube.com/watch?v=Rkp4OWOcCeU&t=1s

Salesloft supply chain attack episode
https://www.youtube.com/watch?v=_asJ2AN7cbA

PromptLock malware episode
https://www.youtube.com/watch?v=lKcUwLPBC8k

MCP security episode
https://www.youtube.com/watch?v=IkV6jkuYz5g

Zero Trust episodes playlist
https://www.youtube.com/playlist?list=PLF5mXtEG4t5wigSRB3fpyFfMYp3l1Ux2g

Zero Trust infographic (PDF)
https://on2it.s3.us-east-1.amazonaws.com/250429_Infographic_ZT.pdf

Threat Talks is built for CISOs and security leaders navigating real trade-offs—not vendor promises.
Subscribe for grounded insight on Zero Trust execution, AI-driven threats, SOC automation, and preemptive security from practitioners in the field.


🔔 Follow and Support our channel! 🔔
=== 
► YOUTUBE: https://youtube.com/@ThreatTalks
► SPOTIFY: https://open.spotify.com/show/1SXUyUEndOeKYREvlAeD7E
► APPLE: https://podcasts.apple.com/us/podcast/threat-talks-your-gateway-to-cybersecurity-insights/id1725776520

👕 Receive your Threat Talks T-shirt
https://threat-talks.com/

🗺️ Explore the Hack's Route in Detail 🗺️
https://threat-talks.com

🕵️ Threat Talks is a collaboration between @ON2IT and @AMS-IX

1 week ago
41 minutes

BGP Vortex: Internet Kill Switch?

Could a single BGP trick really break the internet?

A new “BGP Vortex” claim says yes - by abusing route oscillation and BGP communities to trigger endless update loops and exhaust router CPU. So we check what actually holds up in the real world.
In this Threat Talks Deep Dive, Rob Maas, Field CTO at ON2IT, sits down with Eric Nghia Nguyen Duy, Network Engineer at AMS-IX, to understand what BGP (short for Border Gateway Protocol) actually does, how the proposed Vortex mechanism works (route oscillation + community behavior), and why real-world internet operators are far more resilient than the headline suggests.
Yes, it’s an attention-grabbing claim.

No, it’s not a “break the whole internet tomorrow” button.

  • (00:00 - 02:29) - Introduction: The BGP Vortex Claim
  • (02:29 - 06:35) - What is BGP?
  • (06:35 - 13:13) - BGP Vortex: How it works
  • (13:13 - 15:02) - What an Attacker Would Actually Need
  • (15:02 - 19:08) - What can we do to prevent this
  • (19:08 - 19:56) - What role AMS-IX plays
  • (19:56 - 22:01) - Conclusion

Key topics covered
• What BGP is and why the internet depends on it
• How route oscillation and update amplification can overload routers
• Why the attack relies on upstream policy choices (communities aren’t “magic”)
• Why the “break the internet” claim is mostly theoretical
• Practical mitigations: filtering/inspecting communities, monitoring, session shutdown

Resources
• BGP Vortex research paper: https://www.usenix.org/system/files/usenixsecurity25-stoeger.pdf 
• BGP Vortex presentation video: https://www.youtube.com/watch?v=dd6L1mdQLmk
• Threat Talks: https://threat-talks.com/
• ON2IT (Zero Trust as a Service): https://on2it.net/
• AMS-IX: https://www.ams-ix.net/ams

Subscribe to Threat Talks and turn on notifications for deep dives into the world’s most active cyber threats and hands-on exploitation techniques.



2 weeks ago
22 minutes

WSUS RCE: Update Weaponized

Attackers are abusing a WSUS flaw - Microsoft’s Windows Server Update Services - to detonate PowerCat, spawn reverse shells, and plant ShadowPad. All from the update server your entire Windows estate trusts by default.

One weak crypto key and a broken deserialization function let attackers hit your WSUS server with unauthenticated SYSTEM-level code execution. Chinese APT groups are already exploiting it to drop malware in memory, blend into legitimate WSUS traffic, and pivot deeper into the network.

Yes, a WSUS patch exists, but even if you patch it today, the real problem remains:
Your WSUS server is a high-value target with high-trust pathways - and most environments expose it far more than they think.

Watch host Lieuwe Jan Koning - with Blue Team expert Rob Maas and Red Team lead Luca Cipriano - break down how the exploit works, how attackers chain it into real-world intrusions, and the Zero Trust fixes that actually matter.

  • (00:00) - Intro
  • (01:03) - What is a WSUS server?
  • (02:48) - The WSUS vulnerability
  • (05:49) - What is deserialization?
  • (08:17) - What to do about this vulnerability
  • (10:52) - How attackers are exploiting it
  • (18:42) - Real-world harm
  • (19:16) - Final advice & defense strategy

Key Topics Covered
• How one WSUS flaw enables unauthenticated RCE as SYSTEM
• The attack chain: crafted payload → deserialization → PowerCat → ShadowPad
• Why update servers are high-value pivot points for APT groups
• How Chinese APTs weaponized this vulnerability in real-world intrusions
• Zero Trust protections: segmentation, egress control, EDR/XDR detection
• How to secure Microsoft Windows Server Update Services (WSUS patching best practices)

Episodes Mentioned
• China Nexus Barracuda Hack: https://www.youtube.com/watch?v=4X9AmBhOmSA
• APT Sand Eagle: https://youtu.be/U5qdERmvEwg?si=kdsCJDNkGjs6Lklz
• APT 44 / Seashell Blizzard: https://youtu.be/JqA0Irspxrc?si=nnJpz7VnLtz38LN4
• APT Handala: https://youtu.be/XYf-SMhQdDc?si=WpIE0h9Q-pokz0MD

Guest & Host Links
Rob Maas (Field CTO, ON2IT): https://threat-talks.com/the-hosts/
Luca Cipriano (CTI & Red Team Lead, ON2IT): https://threat-talks.com/the-hosts/

Additional Resources
Threat Talks: https://threat-talks.com/
ON2IT (Zero Trust as a Service): https://on2it.net/
AMS-IX: https://www.ams-ix.net/ams

Subscribe to Threat Talks and turn on notifications for deep dives into the world’s most active cyber threats and hands-on exploitation techniques.



3 weeks ago
22 minutes

Bad Successor: The Service Account Flaw to Watch

It was built to secure service accounts.
Instead, it became the cleanest privilege-escalation vector of 2025.

They called it Bad Successor (A.K.A. CVE-2025-53779).

A new “secure by design” feature in Windows Server 2025 - DMSA - was supposed to fix service account hygiene. Instead, it introduced a loophole where attackers could claim successor status, skip password requirements, and silently inherit elevated rights from any target account.

Including domain admin.

Even after Microsoft patched the issue, the deeper risk remains:
Service accounts are over-privileged, under-monitored, and dangerously trusted - and adversaries know it.

This isn’t a niche AD misconfiguration.

It’s a privilege-escalation design flaw hiding inside a security feature, and a warning shot for every environment leaning on default trust in the identity layer.

Watch host Rob Maas, Field CTO at ON2IT, and Luca Cipriano, CTI & Red Team Lead at ON2IT, break down how Bad Successor works, how attackers exploited it, and what a Zero Trust AD strategy actually looks like in 2025.

  • (00:00) - Intro & why service accounts still matter
  • (00:46) - What are service accounts really for?
  • (01:31) - DMSA explained: Microsoft’s new managed service account
  • (02:56) - How DMSA migration works (the phone-migration analogy)
  • (04:40) - What is Bad Successor & why it matters
  • (08:00) - How widespread is this vulnerability?
  • (11:42) - Microsoft’s patch & post-patch stealth paths: is the patch working?
  • (14:03) - Defending AD: patching, OU permissions & logging
  • (15:23) - Is Bad Successor the biggest Active Directory attack in your toolbox?

Key Topics Covered
• How a security upgrade became a privilege-escalation vector.
• Why service account security failures create invisible attack paths.
• The real DMSA abuse chain: child objects → successor claim → domain admin.
• Zero Trust defenses for AD: permissions, logging, rotation, least privilege.

Got your attention?
Subscribe to Threat Talks and turn on notifications for deep dives into the world’s leading cyber threats and trends.

Guest and Host Links:
Rob Maas (Field CTO, ON2IT): https://threat-talks.com/the-hosts/
Luca Cipriano (CTI & Red Team Lead, ON2IT): https://threat-talks.com/the-hosts/

Additional Resources
Threat Talks: https://threat-talks.com/
ON2IT (Zero Trust as a Service): https://on2it.net/
AMS-IX: https://www.ams-ix.net/ams



4 weeks ago
17 minutes

From Hacker to Hero

What if your next great cyber defender is a teenager gaming in their bedroom right now?

In this Threat Talks episode, Lieuwe Jan Koning and former FBI Supervisory Special Agent William McKean (founder of The Redirect Project) explore how young digital natives go From Hacker to Hero.

They chart the journey from gaming and online communities to real-world intrusions.
Then they show how to redirect that curiosity into ethical hacking, cyber defense, and a Zero Trust mindset at home and at work.

You’ll get practical questions to ask kids, simple “safe word” tactics, and concrete steps security leaders can use to grow defenders instead of future attackers.

Key Topics Covered
From gamer to attacker: How curiosity, gaming communities and digital “mentors” funnel kids into cybercrime, and how to redirect that path toward ethical hacking.

Psychology of recruitment: Why belonging, status and rewards override an undeveloped moral compass, and how grooming patterns mirror terrorism and gang recruitment.

Parent & educator playbook: Practical ways to talk about online life, spot early warning signs, use “safe words,” and apply a Zero Trust mindset at home.

Diversion, not destruction: How programs like The re_direct Project, HackShield, re_B00TCMP, Hack_Right, and The Hacking Games turn justice-involved kids into defenders instead of life-long offenders.

  • (00:00) - Introduction
  • (01:25) - What does the FBI’s cyber division do?
  • (05:40) - Children as hackers
  • (08:14) - From hacker to helper
  • (10:31) - It all starts with curiosity
  • (17:56) - What about AI development?
  • (21:27) - Other mechanisms to worry about
  • (22:32 - 27:17) - What can we do to help?
  • (27:17) - The re_direct Project
  • (33:45) - What should the consequences be for child hackers?
  • (37:09) - Recommendations for parents
  • (42:02) - What can organizations do?

Additional Resources
ON2IT & Threat Talks
• ON2IT – Zero Trust Innovators: https://on2it.net/
• Zero Trust as a Service: https://on2it.net/zero-trust/
• Threat Talks podcast hub: https://threat-talks.com/ 

Episode Guest & Projects Mentioned
• The re_direct Project (youth cyber diversion & mentorship): https://www.redirectproject.org/ 
• HackShield (elementary school cyber game): https://www.hackshieldgame.com/ 
• Dutch Police re_B00TCMP “Reboot Camp”: https://www.politie.nl/informatie/re_b00tcmp.html 
• Hack_Right juvenile cyber program: https://www.om.nl/onderwerpen/cybercrime/hack_right 
• The Hacking Games (ethical hacker esports): https://www.thehackinggames.com/ 

If this episode helped you rethink your From Hacker to Hero strategy for your family or your workforce, don’t forget to hit Like and subscribe to Threat Talks.



1 month ago
45 minutes

The Npm Worm Outbreak

The world’s biggest open-source ecosystem - npm - faced its first self-spreading worm.

They called it Shai Hulud.

It didn’t just infect one package. It infected developers themselves.

When a maintainer got phished, the worm harvested credentials, hijacked tokens, and created new CI/CD workflows to keep spreading - automatically.

No command-and-control. No manual uploads. Just a chain reaction across the npm registry.

And while the world was busy shouting about “2.6 billion downloads affected,” this real threat was quietly exfiltrating GitHub, cloud, and npm secrets - right under everyone’s nose.

This isn’t just another npm story.

It’s the first-ever self-replicating supply chain worm - and a wake-up call for every developer and security team building in the open.

Watch host Rob Maas (Field CTO, ON2IT) and Yuri Wit (SOC Analyst, ON2IT) break down how it started, how it spread, and how to make sure your pipeline isn’t the next one to go viral.


  • (00:00) - Intro, welcome & what npm is
  • (00:01) - Crypto drainer: how it worked, maintainer phish & real impact
  • (00:05) - “Shai Hulud” worm: credential harvesting & package spread
  • (00:07) - Hype vs reality: the “2.6 billion downloads” myth & media reaction
  • (00:10) - Defenses: dependency strategy & CI/CD workflow alerts
  • (00:14) - Secrets hygiene, OS targeting (Windows exit), end-user/EDR tips & takeaways

Key Topics Covered
  • How a maintainer phish and TOTP capture led to a crypto drainer in npm.
  • Why Shai Hulud’s credential harvesting + CI/CD persistence makes it high-impact.
  • Practical defenses: pin/review dependencies, CI/CD change alerts, secret rotation, egress monitoring.
  • What developers vs. end users can (and can’t) do in supply-chain attacks.

Got your attention?
Subscribe to Threat Talks and turn on notifications for more content on the world’s leading cyber threats and trends.

Guest and Host Links:
Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/
Yuri Wit (SOC Analyst, ON2IT): https://www.linkedin.com/in/yuriwit/

Additional Resources
Threat Talks: https://threat-talks.com/
ON2IT (Zero Trust as a Service): https://on2it.net/
AMS-IX: https://www.ams-ix.net/ams
npm: https://www.npmjs.com/
Node.js: https://nodejs.org/
GitHub Docs: Actions & Workflows: https://docs.github.com/actions
MetaMask: https://metamask.io/
OWASP Dependency Management: https://owasp.org/www-project-dependency-check/
SLSA Supply-chain Levels for Software Artifacts: https://slsa.dev/


1 month ago
18 minutes

Inside the SalesLoft Breach

You were promised safe SaaS - but got silent data loss.
In Inside the Salesloft Breach, Rob Maas and Luca Cipriano expose how trusted integrations became the attack vector.

They trace how vishing calls, trojanized Salesforce tools, and GitHub-to-AWS pivots gave attackers OAuth access and drained CRMs without a single alert. You’ll hear how Drift integrations and bulk SOQL queries quietly moved data out of sight, while audit trails and API metadata disappeared.
If you need provable control over data exfiltration and a narrative your board will understand, this is your playbook.

Turn Zero Trust from slogan to stop - with IP allowlists, app inventories, token telemetry, and shared responsibility that actually blocks abuse at the source.

  • (00:00) - Cloud first did not mean data safe.
  • (00:45) - What Salesforce is and why attackers target it.
  • (02:00) - Campaign one. Vishing and a trojanized data loader to OAuth access.
  • (04:15) - Campaign two. Salesloft and Drift path from GitHub to AWS to Salesforce tokens.
  • (07:00) - Impact and cover up. 700 plus orgs hit and API job metadata removed.
  • (09:10) - Who was involved. ShinyHunters, Scattered Spider, Lapsus, and legal fallout.
  • (11:00) - Zero Trust actions. IP allowlisting, app inventory, token monitoring, staff education, shared responsibility.

Key Topics Covered:
• How one sign-in token became a master key for your CRM.
• The attacker’s route: from code repo → cloud → Salesforce → data exfiltration.
• What shared responsibility means in SaaS — and what’s actually on you.
• What truly stops it: trusted apps only, IP allowlists, short-lived tokens, and continuous monitoring.

Found value and want outcome-focused guidance every week?
Subscribe to Threat Talks, turn on notifications and add your questions for the next deep dive.

Guest and Host Links: 
Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/ 
Luca Cipriano (Cyber Threat Intelligence Program Lead, ON2IT): https://www.linkedin.com/in/luca-c-914973124/

Additional resources:
Threat Talks: https://threat-talks.com/
ON2IT: https://on2it.net/
AMS-IX: https://www.ams-ix.net/ams
Salesforce: https://www.salesforce.com/
Salesloft: https://www.salesloft.com/
Drift: https://www.drift.com/
Okta: https://www.okta.com/
Have I Been Pwned: https://haveibeenpwned.com/


1 month ago
21 minutes

The App Store Nightmare: Why AI MCP Stores Are a Trap

The new AI app store is here - and it’s already making choices for your company.
This episode shows you how to spot it, stop it, and stay safe.

Host Lieuwe Jan Koning and Rob Maas (Field CTO, ON2IT) explain the app store nightmare in plain language. A new system (MCP) lets AI tools like ChatGPT, Claude, and Gemini do tasks for you - sometimes too much. When a bad tool or a sneaky document gets in, it can read, send, or delete things without you noticing.


Real cases, real damage:

  • Postmark MCP backdoor - secretly BCC’d emails (email copies)
  • Shadow Escape - “zero-click” data theft from a hidden prompt
  • kubectl chaos - a command mistake that can wipe servers


Your quick fix: keep a list of every AI tool and give each only the access it needs. Example: let your document bot read just the “Policies” folder—not your whole drive. For more fixes, watch the full episode.

Key topics covered:
• The app store nightmare: a new AI app store you don’t control
• How a tricked document can make your AI act against you
• A simple Zero Trust plan anyone can start today
• How to cut tool sprawl, cost, and risk—without slowing the team

If you use ChatGPT, Claude, or Gemini at work, this is your survival brief.
Subscribe for more Threat Talks and ON2IT’s Zero Trust guidance.

Guest and Host Links:
Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/
Lieuwe Jan Koning (Founding Partner, ON2IT): https://www.linkedin.com/in/lieuwejan/

Additional Resources:
Threat Talks: https://threat-talks.com/
ON2IT (Zero Trust as a Service): https://on2it.net/
AMS-IX: https://www.ams-ix.net/ams
Anthropic MCP announcement: https://www.anthropic.com/news/model-context-protocol
OpenAI Tools/Connectors/MCP: https://platform.openai.com/docs/guides/tools-connectors-mcp
Kubernetes (kubectl): https://kubernetes.io/docs/reference/kubectl/
Reported Postmark MCP backdoor: https://thehackernews.com/2025/09/first-malicious-mcp-server-found.html
Shadow Escape zero-click research: https://www.globenewswire.com/news-release/2025/10/22/3171164/0/en/Operant-AI-Discovers-Shadow-Escape-The-First-Zero-Click-Agentic-Attack-via-MCP.html

If this saved you a breach, subscribe to Threat Talks and follow ON2IT for weekly Zero Trust moves. New episode next week.

1 month ago
35 minutes

The Secret Diplomats Fighting Cyber Wars

Cyber defense doesn’t just happen in code. It’s shaped in conversation. Behind every cyber norm or sanction, there’s a diplomat working to stop digital wars before they start.

 

In this episode of Threat Talks, Lieuwe Jan Koning (CTO & co-founder of ON2IT) sits down with Ernst Noorman, Ambassador at Large for Cyber Affairs for the Kingdom of the Netherlands. They reveal how backchannel talks, sanctions, and shared rules define what countries can and can’t do in cyberspace, and what CISOs can learn from a diplomat’s playbook. This isn’t patch management. It’s peacekeeping in real time.


What You’ll Learn (From Real-Life Example Discussions)

  • What a cyber ambassador actually does – and why every nation needs one.
  • How diplomacy helps prevent cyber conflicts between world powers.
  • Why UN-backed cyber norms matter even when nations ignore them.
  • How global collaboration builds cyber resilience, from Ukraine to Asia.
  • What businesses can learn from diplomats about cooperation and intelligence sharing.

  • (00:00 - 02:29) - Intro
  • (02:29 - 03:46) - What is the role of a cyber ambassador?
  • (03:46 - 09:13) - What diplomacy achieves
  • (09:13 - 10:07) - The US and cyber diplomacy
  • (10:07 - 11:51) - Asian countries and their approach to cyber crime
  • (11:51 - 15:47) - The five ‘don’ts’ and eight ‘do’s’ at UN level
  • (15:47 - 19:52) - What happens if someone violates a rule?
  • (19:52 - 21:09) - Helping Ukraine with cyber resilience + the Tallinn mechanism
  • (21:09 - 23:01) - Efforts against disinformation
  • (23:01 - 26:22) - How to ensure information integrity
  • (26:22 - 29:12) - What is the Brussels Effect?
  • (29:12 - 30:13) - Common ground on worldwide subjects
  • (30:13 - 30:35) - Treasure hunt
  • (30:35 - 34:51) - Diplomacy and skepticism
  • (34:51 - 37:59) - A European Splinternet - how realistic is this?
  • (37:59 - 39:07) - The Cyber Resilience Act and China
  • (39:07 - 47:23) - Initiatives to look forward to
  • (47:23 - 48:53) - Outro

Related ON2IT Content & Referenced Resources
  • ON2IT: https://on2it.net/
  • Threat Talks: https://threat-talks.com/
  • AMS-IX: https://www.ams-ix.net/ams
  • Lieuwe Jan Koning: https://www.linkedin.com/in/lieuwejan/ 
  • Ernst Noorman: https://www.linkedin.com/in/ernst-noorman-b630ab6/ 


If this episode gave you a new view on global cybersecurity, subscribe to Threat Talks. Share it with your team – because in a connected world, every company plays a role in cyber peace.


2 months ago
49 minutes

Patch Smarter, Not Harder

Patch smarter, not harder.
Lieuwe Jan Koning and ON2IT Field CTO Rob Maas break down why “patch everything now” isn’t a strategy, but a risk multiplier. In this session, they teach a practical patching strategy: know your assets, patch edge first, stage updates, and use Zero Trust segmentation to choke off exposure so you only patch what truly matters: fast, safely, and without outages.

  • (00:00 - 01:11) - Intro
  • (01:11 - 02:28) - Reality check #1: Not everything can be patched
  • (02:28 - 05:02) - Reality check #2: Patches are scary
  • (05:02 - 08:45) - The solution: Patch in phases
  • (08:45 - 10:36) - How Zero Trust enables patch management
  • (10:36 - 11:23) - Prioritization matters
  • (11:23 - 14:50) - Patching tips and tricks
  • (14:50 - 16:21) - Guidelines for patching triage
  • (16:21 - 17:37) - Practical advice
  • (17:37 - END) - Outro

Key Topics Covered
• Why “patch everything immediately” fails; availability vs. security
• Staged deployments and rollback safety for crown-jewel services
• Zero Trust segmentation to reduce urgency and shrink attack surface
• Priority signals that matter: asset criticality, exposure, KEV, CVSS

Related ON2IT content & explicitly referenced resources
ON2IT Zero Trust: https://on2it.net/zero-trust/
Threat Talks (site): https://threat-talks.com/
CVSS (FIRST): https://www.first.org/cvss/
CISA guidance – Citrix/NetScaler (Citrix Bleed example): https://www.cisa.gov/guidance-addressing-citrix-netscaler-adc-and-gateway-vulnerability-cve-2023-4966-citrix-bleed
Crowdstrike episode: https://youtu.be/IRvWVg1lSuo?si=f8Sj6WYG0KNxlkJD 


2 months ago
18 minutes

Public Key Infrastructure: The Foundation of Digital Trust

How solid is your digital trust—or are you just hoping your PKI is secure?
Let’s be honest: too many companies run on borrowed trust and forgotten certificates. In this episode of Threat Talks, ON2IT’s Lieuwe Jan Koning and Rob Maas pull back the curtain on what really holds your digital world together—and what can tear it down overnight.
They break down PKI in plain language: the root of trust that must stay locked away, the intermediates that keep your systems running, and the automation that stops your team from clicking “ignore” on yet another warning.
You’ll see why rolling your own keys beats trusting anyone else, how to keep your devices speaking the same language of trust, and why short-lived certificates might just save you from the next big breach.
This isn’t theory—it’s how Zero Trust really starts: by proving that your organization can trust itself.

Additional Resources
• Threat Talks episode on SSL Decryption: https://youtu.be/Xv_jVHVsD9w
• ON2IT Zero Trust: https://on2it.net/zero-trust/
• ACME protocol (RFC 8555): https://datatracker.ietf.org/doc/rfc8555/
• Let’s Encrypt / ACME protocol: https://letsencrypt.org
• DigiNotar case study background: https://en.wikipedia.org/wiki/DigiNotar
• Mozilla CA Program (trusted root store): https://wiki.mozilla.org/CA
• Encryption infographic (PDF): https://on2it.s3.us-east-1.amazonaws.com/20250304_Infographic_Encryption.pdf

Guest & Host Links:
Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/ 
Lieuwe Jan Koning (Founding Partner, ON2IT): https://www.linkedin.com/in/lieuwejan/


Key Topics Covered
•  Why root certificates must never be online—and how intermediates provide a safe fallback.
•  Real-world PKI failure: DigiNotar compromise and lessons for CISOs.
•  How ON2IT built a secure, low-cost PKI with offline key bearers and ACME automation.
•  The hidden risks of training employees to ignore certificate warnings—and how Zero Trust demands the opposite.



Show more...
2 months ago
34 minutes

Threat Talks - Your Gateway to Cybersecurity Insights
Why Your Cyber Hygiene Matters?

One unlocked phone can unravel the defenses of a billion-dollar enterprise—because in cybersecurity, small mistakes don’t stay small for long. Attackers can read notes, steal IDs, or impersonate you on WhatsApp. A reused password can launch a remote tool that looks completely legitimate.

Rob Maas (Field CTO, ON2IT) and Luca Cipriano (Cyber Threat Intelligence Program Lead, ON2IT) reveal how poor cyber hygiene erodes trust, endangers partners, and weakens enterprise defenses.
CISOs, CIOs and IT managers, remember: in a Zero Trust world, your weakest link might not even be inside your organization.

  • (00:00) - Why your cyber hygiene affects others
  • (00:28) - Meet the speakers (Rob Maas, Luca Cipriano)
  • (00:47) - Cyber hygiene defined for CISOs
  • (03:00) - Unlocked phone → passwords in notes, WhatsApp fraud, ID photos
  • (05:53) - SOC case: contractor email compromise → remote tool drop (ConnectWise)
  • (09:40) - OSINT: 19 breaches + iterative password reuse
  • (17:01) - What to fix now: MFA, vaults, device lock, breach monitoring
  • (20:24) - Final takeaways & resources

What You’ll Learn (From Real-Life Example Discussions)
• How a stolen phone quickly turns into identity theft, impersonation, and scams targeting your contacts.
• A real SOC case: a contractor’s reused password allowed attackers to hide a remote access tool inside normal IT activity.
• How OSINT and dark web data reveal how password reuse spreads risk across accounts.
• Why shared tools like Google Docs can quietly multiply breaches when one user slips up.
• Simple upgrades—MFA, password vaults, breach alerts, and secure devices—that cut your organization’s exposure fast.


Related ON2IT Content & Referenced Resources
• ON2IT: https://on2it.net/
• Threat Talks: https://threat-talks.com/
• AMS-IX: https://www.ams-ix.net/ams
• WatchYourHack: https://watchyourhack.com
• Have I Been Pwned: https://haveibeenpwned.com

Guest and Host Links: 
Rob Maas, Field CTO, ON2IT: https://www.linkedin.com/in/robmaas83/ 
Luca Cipriano, Cyber Threat Intelligence Program Lead, ON2IT: https://www.linkedin.com/in/luca-c-914973124/

If this helped, subscribe to Threat Talks. Share this episode with your partners and contractors—stronger cyber hygiene across your ecosystem protects everyone. 

2 months ago
21 minutes

Resilience Over Fragmentation: The Risk You Can’t Ignore

The internet promised freedom. Now it monetizes you. The trade-off? Convenience for control.
In this episode, Lieuwe Jan Koning and Prof. Jacobs reveal how scattered tools like Meta and X create security gaps—and how one policy, fewer interfaces, and less data shared cut exposure and keep operations running.

Real examples you’ll hear:
• The neighborhood chat stuck on WhatsApp—and how switching to Signal breaks dependency.
• How your address book upload leaks other people’s data to platforms.
• Why secure doesn’t mean private on platforms that profit from your data.
• Age checks done right: passport chip + selective disclosure instead of oversharing.
• Patient groups and municipalities using PubHubs for private, verified rooms (no ads).
• Continuity risk in the real world: federated login outages, US-dependent authenticators, transatlantic cable cuts, and a court moving email to ProtonMail to stay operational.

  • (00:00) - Free vs. monetized internet
  • (02:22) - Facebook: secure ≠ private
  • (05:31) - WhatsApp vs. Signal trade-offs
  • (07:05) - Metadata & social graph risk
  • (11:58) - Attribute-based auth (Yivi)
  • (19:55) - Decentralized login; split keys
  • (28:11) - PubHubs: private, verified rooms
  • (49:54) - Continuity: vendor/cable risk
  • (56:01) - Close & takeaways

Related ON2IT Content & Referenced Resources
• ON2IT: https://on2it.net/
• Threat Talks: https://threat-talks.com/
• AMS-IX: https://www.ams-ix.net/ams
• Yivi (privacy-preserving authentication): https://yivi.app/
• PubHubs (privacy-first social platform): https://pubhubs.net/
• European alternatives (mentioned): http://european-alternative.eu/
• Privacy tools (mentioned): https://privacytools.io/

Guest and Host Links: 
Lieuwe Jan Koning (ON2IT Co-Founder): https://www.linkedin.com/in/lieuwejan/ 
Bart Jacobs: http://www.cs.ru.nl/~bart/

If this helped you strengthen your Zero Trust policy, subscribe, like, and share. New episodes weekly. Follow Threat Talks on YouTube, Spotify, and Apple Podcasts.

3 months ago
56 minutes

Zero Trust Step 5B: Maintain Controls

Boards don’t buy dashboards—they buy assurance. Breaches are late-stage symptoms of drift: rules pile up, logs lose signal, cloud/Kubernetes outpace governance. Lieuwe Jan Koning (ON2IT Co-Founder) and Rob Maas (Field CTO) show how Zero Trust Step 5B (Maintain) proves your controls still work—today.

  • (00:00) - Welcome & Zero Trust Step 5B
  • (00:57) - Five steps: fast recap
  • (03:12) - Maintain = policy validation
  • (05:31) - Vendor updates, hidden features
  • (08:46) - Traffic flows vs. reality
  • (10:19) - Behavior analytics, baselines
  • (11:56) - Cloud/K8s/service-mesh shifts
  • (16:32) - Wrap-up & next actions

Related ON2IT Content & Referenced Resources
• Threat Talks homepage: https://threat-talks.com/
• ON2IT Zero Trust: https://on2it.net/zero-trust/ 

Zero Trust Series
Step 1: https://youtu.be/mC66i-tEEFs
Step 2: https://youtu.be/wp0q9aZHuXc
Step 3: https://youtu.be/eGsw2JCnrac
Step 4A: https://youtu.be/qT_nqbBEkVw
Step 4B: https://youtu.be/fnKyMITZes8
Step 5A: https://youtu.be/N7pWXLxI6kY

Guest and Host Links:
Lieuwe Jan Koning (ON2IT Co-Founder): https://www.linkedin.com/in/lieuwejan/ 
Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/ 

If this helped you strengthen your Zero Trust policy, subscribe, like, and share. New episodes weekly. Follow Threat Talks on YouTube, Spotify, and Apple Podcasts.

3 months ago
17 minutes

Defend Against Hacktivist Groups like APT Handala | The Cyber Security Podcast

Hacktivists don’t need zero-days to hurt you—they weaponize people. Host Lieuwe Jan Koning sits down with Yuri Wit (SOC analyst) and Rob Maas (Field CTO) to dissect APT Handala: how they hunt targets, deliver wipers, and brag about leaks. We map their moves to the Lockheed Martin Kill Chain and turn it into a Zero Trust defense playbook you can actually use—today.

  • (00:00–01:40) - Introduction
  • (01:40–02:27) - What is APT Handala?
  • (02:27–05:27) - Kill Chain Step 1: Reconnaissance
  • (05:27–06:43) - Kill Chain Step 2: Weaponization
  • (06:43–10:39) - Kill Chain Step 3: Delivery
  • (10:39–14:37) - Kill Chain Step 4: Exploitation
  • (14:37–17:34) - Kill Chain Step 5: Installation
  • (17:34–23:39) - Kill Chain Step 6: Command and control
  • (23:39–26:40) - Kill Chain Step 7: Act on objectives
  • (26:40–29:35) - How to respond to being hacked
  • (29:25–30:22) - Closing notes

Key Topics Covered
•  Handala’s playbook: people-centric recon, phishing kits, wipers, boast-and-leak ops.
•  Zero Trust counters: deny-by-default egress, newly-registered-domain blocks, hard EDR, passkeys.
•  SOC tells: DNS DGA spikes, encrypted C2 on common apps, “human error” as the biggest CVE.
•  Comms reality: when openness helps—and when strategic silence limits amplification.

Additional Resources
• ON2IT Zero Trust: https://on2it.net/zero-trust/
• Lockheed Martin Cyber Kill Chain: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
• Tor Project (onion services): https://www.torproject.org/
• Threat Talks hub: https://threat-talks.com/

3 months ago
30 minutes

Promptlock – The First AI-Powered Malware | The Cyber Security Podcast

First documented case: AI inside the breach.
Promptlock marks the first time malware has used AI during execution, not just in preparation. In this Threat Talks deep dive, Rob Maas (Field CTO, ON2IT) sits down with Yuri Wit (SOC Analyst, ON2IT) to break down how it works: a Go loader calling an attacker’s LLM in real time, generating fresh payloads that adapt on the fly.

This episode strips away sci-fi hype. You’ll see the psychology of an adversary that thinks mid-attack—and the Zero Trust defenses that box it in. When AI runs inside the kill chain, malware doesn’t just evolve. It crosses into super-malware.

  • (00:00) - Cold open: “What if malware could think?”
  • (00:18) - Welcome: Rob Maas & Yuri Wit
  • (00:41) - First reaction to PromptLock
  • (01:02) - How attackers already use AI (phishing, coding, negotiations)
  • (03:02) - Why PromptLock is different: AI during execution
  • (03:35) - How it works: Go → Ollama → LLM → Lua
  • (06:36) - Proof-of-concept tells (the Satoshi wallet)
  • (07:55) - Defense shift: hashes die, behavior wins
  • (10:40) - Detecting LLM calls: SSL inspection realities
  • (11:26) - Quick wins: block interpreters (Lua/Python/PowerShell)
  • (12:23) - Zero Trust moves: default-deny egress & segmentation
  • (12:41) - What’s next: dynamic exploits & on-demand EDR bypass
  • (16:21) - Timelines & hardware: why adoption could accelerate
  • (18:21) - Wrap-up & CTA

Key Topics Covered
• The first documented case of AI inside the breach — why Promptlock changes the game
• Promptlock’s core loop: calling an LLM mid-attack to generate fresh payloads.
• Why hash-based detection breaks against AI-powered malware and its ever-changing scripts.
• Behavioral defense over signatures: EDR/XDR, sandboxing, and SSL inspection.
• Zero Trust in practice: block script interpreters, restrict egress, and shrink blast radius.

Additional Resources
• ON2IT Zero Trust: https://on2it.net/zero-trust/
• Threat Talks hub: https://threat-talks.com/
• Ollama (referenced in episode): https://ollama.com/
• The Rising Threat of Deepfakes: https://youtu.be/gmtZ_aYmQdQ

Guest & Host Links:
Rob Maas, Field CTO, ON2IT: https://www.linkedin.com/in/robmaas83/ 
Yuri Wit, SOC Specialist, ON2IT: https://www.linkedin.com/in/yuriwit/

3 months ago
19 minutes

Data Bouncing: How HTTP Headers Leak Data | The Cyber Security Podcast

Your tools say “secure.” Your headers say “leaking.”
In this Threat Talks Deep Dive, ON2IT’s Luca Cipriano (CTI & Red Team Lead) exposes Data Bouncing—a stealthy exfiltration trick that hides inside HTTP headers and abuses DNS lookups through trusted third parties. We show the demo, decode the psychology of the attack, and translate it into Zero Trust moves you can deploy today.

  • (00:00) - Why your defenses aren’t enough
  • (00:11) - What is Data Bouncing?
  • (01:22) - How attackers exfiltrate data via DNS & headers
  • (05:20) - Live demo: DNS lookups & Burp Suite interception
  • (10:48) - Reassembling stolen files undetected
  • (15:24) - Can you defend against Data Bouncing?
  • (19:20) - Testing it in your own environment
  • (21:00) - Key takeaways & call to action

Key Topics Covered
•  How Data Bouncing enables covert data exfiltration
•  Abuse of headers like X-Forwarded-For to bypass firewalls
•  Live demo: attacker vs. victim scenario
•  Defensive measures: decryption, inspection, Zero Trust, and SOC awareness

Additional Resources
• ON2IT Threat Talks Podcast: https://www.on2it.net/threat-talks
• Zero Trust Resources: https://www.on2it.net/zero-trust/

Guest & Host Links:
• Luca Cipriano, Cyber Threat Intelligence Program Lead, ON2IT: https://www.linkedin.com/in/luca-c-914973124/
• Rob Maas, Field CTO, ON2IT: https://www.linkedin.com/in/robmaas83/ 

3 months ago
21 minutes

AI, Play It Safe: Why CISOs Are Wrong to Ban AI

Playing it safe with AI sounds smart, but is banning it really how you prevent data leaks?

In this episode of Threat Talks, ON2IT’s Lieuwe Jan Koning (ON2IT Co-Founder) sits down with Rob Maas, Field CTO at ON2IT, to tackle the hard question: How can CISOs and security leaders embrace AI safely—without exposing their organization to destructive data leaks?

From Samsung’s ChatGPT ban to real-world AI hallucinations, we unpack why “AI, play it safe” doesn’t mean blocking innovation—it means controlling it.

  • (00:00) - AI, play it safe introduction
  • (00:41) - Customer fears: Ban AI or embrace it?
  • (01:13) - Real case: $1 Chevrolet Tahoe & AI chatbots gone wrong
  • (02:46) - Samsung’s ChatGPT ban: lessons for CISOs
  • (06:50) - How AI transforms work & productivity (coding, translation, ops)
  • (17:00) - Data exposure & AI governance: the #1 risk
  • (30:21) - LLM on prem
  • (33:10) - AI hallucinations & unsafe outputs (dangerous examples)
  • (40:50) - The CISO dilemma: Fall behind or take control

Key Topics Covered
• Why “banning AI” is a bigger risk than using it with the right safeguards.
• Real-world AI risks: hallucinations, unsafe outputs, and data exposure.
• Zero Trust approach to AI adoption: categorize sanctioned, tolerated, unsanctioned tools.
• How CISOs can transform AI fear into competitive advantage with the right strategy.

Additional Resources
• ON2IT Threat Talks Podcast: https://www.on2it.net/threat-talks
• Zero Trust Resources: https://www.on2it.net/zero-trust/

Guest & Host Links:
Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/ 
Lieuwe Jan Koning (Founding Partner, ON2IT): https://www.linkedin.com/in/lieuwejan/

If you’re a CISO, CIO, or security leader navigating the AI storm, this episode is a must-watch.

4 months ago
44 minutes

Zero Trust step 5A: Stop Breaches—Inspect Every Event Now | The Cybersecurity Podcast

Zero Trust step 5A is where monitoring turns raw logs into decisive action.
Hosts Lieuwe Jan Koning and Rob Maas (Field CTO, ON2IT) expose why MDR alone isn’t protection—and how context closes the gap. Learn to inspect every event, use Indicators of Good/Compromise, and set Rules of Engagement that stop lateral movement and alert fatigue.

  • (00:00) - Welcome & Step 5A (Monitor) setup
  • (00:37) - Steps 1–4 recap: protect surfaces, flows, architecture, policy
  • (04:12) - MDR vs protection: why “collect all logs” fails
  • (07:28) - Events vs logs: inspect every event & retention reality
  • (10:22) - Context from protect surfaces: mapping IPs to business systems
  • (13:41) - IoG vs IoC vs Unknown: triage model & beating alert fatigue
  • (17:59) - Rules of Engagement: automation, kill switch & blast radius (prevention first)

Key Topics Covered
• MDR ≠ protection: why Step 5A only works after Steps 1–4 are in place.
• Events vs logs: what to keep, what to act on, and how to avoid SIEM sprawl.
• Context from protect surfaces: mapping IPs to business systems to triage fast.
• Automation with Rules of Engagement: IoG/IoC/Unknown, kill switches, and reducing blast radius.

If this helped sharpen your Zero Trust monitoring strategy, subscribe to Threat Talks and turn on notifications—don’t miss Step 5B (Maintain).

Additional Resources
• https://on2it.net/zero-trust/
• https://on2it.net/managed-security/protect-surface-management/
• https://on2it.net/wp-content/uploads/2023/02/Zero-Trust-Dictionary-EN.pdf
• https://on2it.net/context-is-key-the-data-challenge-of-cybersecurity/
• https://threat-talks.com/
• https://www.ams-ix.net/

Guest & Host Links:
Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/
Lieuwe Jan Koning (Founding Partner, ON2IT): https://www.linkedin.com/in/lieuwejan/

4 months ago
25 minutes

From Stealth to Wipers: Inside Russia’s APT 44 AKA Seashell Blizzard | The Cybersecurity Podcast

Russia’s most notorious cyber unit—Seashell Blizzard (also known as Sandworm, APT 44 and Iron Viking)—has taken down shipping giants, Olympic systems, and Ukraine’s power grid.

In this Threat Talks deep dive, Lieuwe Jan Koning, Yuri Wit (Red Team), and Rob Maas (Blue Team) reveal exactly how these attacks unfold, why they’re so hard to stop, and how Zero Trust can tip the balance back to defenders.

  • (00:00) - Cyber warfare in the Ukraine conflict: setting the stage
  • (01:10) - Who is Seashell Blizzard? Names, aliases, and Russian GRU ties
  • (04:00) - NotPetya, Olympic Games, and high-profile disruption campaigns
  • (07:31) - Initial access: stealth exploits on edge devices
  • (11:40) - Privilege escalation via Living-off-the-Land (LOLBin) tactics
  • (15:23) - Weaponizing Group Policy Objects with “Tank Trap” for mass wipers
  • (19:13) - Objectives: disruption, damage, and public bragging rights
  • (23:40) - Zero Trust defenses, segmentation, and last-resort recovery

Key Topics Covered
• Seashell Blizzard’s attack chain: from stealth reconnaissance to mass destruction.
• NotPetya & global fallout: when a Ukraine-targeted attack crippled global shipping.
• Defense strategies: hardening edge devices, segmentation, and EDR behavior detection.
• Zero Trust in action: protecting critical assets before the breach happens.

Related ON2IT Content & Referenced Resources
• ON2IT Threat Talks Playlist: https://www.youtube.com/@ThreatTalks/playlists
• ON2IT Zero Trust Resources: https://on2it.net/zero-trust
• MITRE ATT&CK – Sandworm Team (APT 44): https://attack.mitre.org/groups/G0034/

4 months ago
25 minutes