Attribution in the Age of AI: Cloud Threats, Real Attacks, and Zero-Knowledge Adversaries
Attribution Is Harder Than Ever—But Still Essential
“Attribution is one of cybersecurity’s most contested topics. It’s messy, political, and when done wrong, dangerous.” – Kali Fencl
As threat actors increasingly reuse tools, spoof identities, and operate in the cloud, traditional attribution methods are under pressure. Tal Darsan and Etay Maor of Cato Networks emphasized the challenge of assigning blame in an era where attackers “live off the land” using legitimate tools and public infrastructure.
The rise of ransomware groups like Medusa and Hunters International shows how easily attackers can blur lines using shared TTPs, resulting in attribution that is murky at best.
Shadow AI and Zero-Knowledge Threat Actors Are Redefining the Game
“We dubbed them the Zero Knowledge Threat Actor.” – Etay Maor
Attackers no longer need deep technical expertise. Etay and Tal shared how AI tools can now be used to generate malware, create EDR killers, and evade AI-based detection systems themselves. These zero-knowledge actors leverage platforms like ChatGPT to generate sophisticated attacks with minimal background knowledge.
Etay outlined four lenses for evaluating AI’s impact in security:
- How defenders use AI
- How attackers use AI
- How attackers evade AI
- Shadow AI—unauthorized tools brought into the org by employees
This creates an opaque “black box” environment where visibility is critical but often lacking.
AWS Identity Leaks and GCP Privilege Escalation: Real-World Cloud Incidents
“We investigated a case where data was being exfiltrated for nearly a year.” – Yonaten Khen
From the Hunters research team, Yonaten Khen shared insights from a live incident investigation in AWS and GCP environments. His team found:
- Attackers using leaked access keys and the GetCallerIdentity API to quickly identify and exploit cloud accounts.
- Abuse of the domain-wide delegation feature in Google Workspace, allowing full access to user emails and documents.
- A privilege escalation path from GCP into Google Workspace, which was still unpatched at the time of recording.
He emphasized that many organizations are still unaware of these threats and that some vulnerabilities stem not from bugs, but from design choices in cloud platforms.
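The leaked-key pattern described above has a recognizable shape in CloudTrail: a key's first activity from an unfamiliar source IP is sts:GetCallerIdentity, followed within minutes by List*/Describe* enumeration calls. The detection sketch below is an added example, not code from the panel or from Hunters. The CloudTrail-style records, access key IDs, account number, ARNs and IP addresses are all constructed placeholders, and the per-key "known IP" baseline is assumed to come from historical logs.

```python
"""Flag access keys whose GetCallerIdentity call comes from an IP never seen for
that key before and is followed by a burst of enumeration calls.

Added example with constructed data; nothing here comes from a real account."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

KEY_LEGIT = "AKIAEXAMPLEKEY000001"   # constructed placeholder key id
KEY_LEAKED = "AKIAEXAMPLEKEY000002"  # constructed placeholder key id

def _rec(ts, source, name, ip, key, user):
    """Build one minimal CloudTrail-like record (constructed)."""
    return {"eventTime": ts, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key,
                             "arn": f"arn:aws:iam::111122223333:user/{user}"}}

# Constructed sample log: one legitimate CI key and one key used from an unknown IP.
SAMPLE_EVENTS = json.dumps([
    _rec("2024-01-01T09:55:00Z", "s3.amazonaws.com", "PutObject",
         "203.0.113.10", KEY_LEGIT, "ci-deploy"),
    _rec("2024-01-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity",
         "198.51.100.77", KEY_LEAKED, "backup-svc"),
    _rec("2024-01-01T10:00:04Z", "s3.amazonaws.com", "ListBuckets",
         "198.51.100.77", KEY_LEAKED, "backup-svc"),
    _rec("2024-01-01T10:00:09Z", "iam.amazonaws.com", "ListUsers",
         "198.51.100.77", KEY_LEAKED, "backup-svc"),
    _rec("2024-01-01T10:00:31Z", "ec2.amazonaws.com", "DescribeInstances",
         "198.51.100.77", KEY_LEAKED, "backup-svc"),
    # A CI job confirming its own identity from a known IP: not suspicious.
    _rec("2024-01-01T10:05:00Z", "sts.amazonaws.com", "GetCallerIdentity",
         "203.0.113.10", KEY_LEGIT, "ci-deploy"),
])

# Source IPs previously observed per key. Assumed to be derived from historical
# logs; constructed here.
KNOWN_IPS = {KEY_LEGIT: {"203.0.113.10"}, KEY_LEAKED: {"203.0.113.22"}}

ENUM_PREFIXES = ("List", "Describe", "Get")

def parse_events(raw_json):
    """Parse CloudTrail-style JSON records and sort them by event time."""
    events = json.loads(raw_json)
    for e in events:
        e["_ts"] = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["_ts"])

def find_suspicious_keys(events, known_ips, window=timedelta(minutes=10),
                         min_followups=2):
    """Return {accessKeyId: finding} for keys matching the recon pattern.

    Pattern: GetCallerIdentity from an IP not in the key's baseline, followed
    by at least `min_followups` enumeration calls from that same IP inside
    `window`."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"]["accessKeyId"]].append(e)

    findings = {}
    for key, evs in by_key.items():
        for i, e in enumerate(evs):
            if e["eventName"] != "GetCallerIdentity":
                continue
            ip = e["sourceIPAddress"]
            if ip in known_ips.get(key, set()):
                continue  # identity check from a familiar location
            deadline = e["_ts"] + window
            followups = [f["eventName"] for f in evs[i + 1:]
                         if f["sourceIPAddress"] == ip
                         and f["_ts"] <= deadline
                         and f["eventName"] != "GetCallerIdentity"
                         and f["eventName"].startswith(ENUM_PREFIXES)]
            if len(followups) >= min_followups:
                findings[key] = {"source_ip": ip, "first_seen": e["eventTime"],
                                 "arn": e["userIdentity"]["arn"],
                                 "followups": followups}
                break
    return findings

if __name__ == "__main__":
    hits = find_suspicious_keys(parse_events(SAMPLE_EVENTS), KNOWN_IPS)
    print(json.dumps(hits, indent=2))
```

Running it flags only the second key, together with the source IP and the enumeration calls that followed; the legitimate key's own GetCallerIdentity call is ignored because it came from a baseline IP. In a real deployment the baseline would be built from several weeks of CloudTrail history, and the finding would feed an alert to rotate the key and review what the identity touched.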
Visibility Is the First Line of Defense
“Everything starts from visibility.” – Etay Maor
Whether it’s TLS decryption, misconfigured detection tools, or cloud logging gaps, both teams stressed the need for visibility across infrastructure. Without it, attacks that leverage legitimate pathways (like service accounts or unmanaged devices) can operate for months undetected.
Tal emphasized that some attacks could have been prevented if organizations had simply enabled core security features or reviewed default settings.
Prevention Starts with Understanding
Attribution may never be perfect, but improving detection and response capabilities, especially in cloud environments, is possible and essential.
- Identity and access missteps are among the most exploited vectors in AWS and GCP
- AI is both an attack enabler and a detection disruptor
- Shadow AI and misconfigurations open the door to sustained breaches
- Attribution matters less than actionability. Focus on patterns, signals, and intent