Investor Lawsuit Over CrowdStrike Outage Dismissed
A judge has ruled that the plaintiffs failed to demonstrate intent to defraud investors.Β
The post Investor Lawsuit Over CrowdStrike Outage Dismissed appeared first on SecurityWeek.
A judge has ruled that the plaintiffs failed to demonstrate intent to defraud investors.Β
The post Investor Lawsuit Over CrowdStrike Outage Dismissed appeared first on SecurityWeek.
![]()
What happens when you ditch the tiered ticket queues and replace them withΒ collaboration, agility, and real-time response? In this interview, Hayden Covington takes us behind the scenes of the BHIS Security Operations Center, which isΒ where analystsΒ donβtΒ escalateΒ tickets,Β they solve them.
The post Inside the BHIS SOC: A Conversation with Hayden CovingtonΒ appeared first on Black Hills Information Security, Inc..
For a while now, the security community has been aware that threat actors are using AI. Weβve seen evidence of it for everything from generating phishing content to optimizing malware. The recent report from Anthropic on an βAI-orchestrated cyber espionage campaignβ, however, marks a significant milestone.
This is the first time we have a public, detailed report of a campaign where AI was used at this scale and with this level of sophistication, moving the threat from a collection of AI-assisted tasks to a largely autonomous, orchestrated operation.
This report is a significant new benchmark for our industry. Itβs not a reason to panic β itβs a reason to prepare. It provides the first detailed case study of a state-sponsored attack with three critical distinctions:
Together, these distinctions show why this case matters. A high-level, autonomous, and successful AI-driven attack is no longer a future theory. It is a documented, current-day reality.
For those who havenβt read the full report (or the summary blog post), here are the key facts.
The attack (designated GTG-1002) was a βhighly sophisticated cyber espionage operationβ detected in mid-September 2025.

Source: https://www.anthropic.com/news/disrupting-AI-espionage
To have a credible discussion, we must also look at what wasnβt new. This attack wasnβt about secret, magical weapons.
The report is clear that the attackβs sophistication came from orchestration, not novelty.
This matters because defenders often look for new exploit types or malware indicators. But the shift here is operational, not technical. The attackers didnβt invent a new weapon, they built a far more effective way to use the ones we already know.
So, if the tools arenβt new, what is? The execution model. And we must assume this new model is here to stay.
This new attack method is a natural evolution of technology. We should not expect it to be βstoppedβ at the source for two main reasons:
The attack surface is not necessarily growing, but the attackerβs execution engine is accelerating.
While the techniques were familiar, their execution creates a different kind of detection challenge. An AI-driven attack doesnβt generate one βsmoking gunβ alert, like a unique malware hash or a known-bad IP. Instead, it generates a storm of low-fidelity signals. The key is to hunt for the patterns within this noise:
The detection patterns listed above create the central challenge of defending against AI-orchestrated attacks. The problem isnβt just alert volume, itβs that these attacks generate a massive volume of low-fidelity alerts.
This new execution model creates critical blind spots:
When the attack is autonomous, the defense must also have autonomous capabilities.
We cannot hire our way out of this speed and scale problem. The security operations model must shift. The goal of autonomous triage is not just to add context, but to handle the entire investigation process for every single alert, especially the thousands of low-severity signals that AI-driven attacks create.
An autonomous system can automatically investigate these signals at machine speed, determine which ones are irrelevant noise, and suppress them.
This is the true value: the system escalates only the high-confidence, confirmed incidents that actually matter. This frees your human analysts from chasing noise and allows them to focus on real, complex threats.
This is exactly the type of challenge autonomous triage systems like the one weβve built at Intezer were designed to solve. As Anthropicβs own report concludes, βSecurity teams should experiment with applying AI for defense in areas like SOC automation, threat detectionβ¦ and incident responseβ.
To defend against this threat, we must be able to test our defenses against it. All offensive security activities, internal red teams, external penetration tests, and attack simulations, must evolve.
It is no longer enough for offensive security teams to manually simulate attacks. To truly test your defenses, your red teams or external pentesters must adopt agentic AI frameworks themselves.
The new mandate is to simulate the speed, scale, and orchestration of an AI-driven attack, similar to the one detailed in the Anthropic report. Only then can you validate whether your defensive systems and automated processes can withstand this new class of automated onslaught. Naturally, all such simulations must be done safely and ethically to prevent any real-world risk.
The Anthropic report doesnβt introduce a new magic exploit. It introduces a new execution model that we now need to design our defenses around.
Letβs summarize the key, practical takeaways:
This report is a clear signal. The threat model has officially changed. Your security architecture, processes, and playbooks must change with it. The same applies if you rely on an MSSP, verify theyβre evolving their detection and triage capabilities for this new model. This shift isnβt hype, itβs a practical change in execution speed. With the right adjustments and automation, defenders can meet this challenge.
To learn more, you can read the Anthropic blog post here and the full technical report here.
The post What the Anthropic report on AI espionage means for security leaders appeared first on Intezer.

![]()
But what if we need to wrangle Windows Event Logs for more than one system? In part 2, weβll wrangle EVTX logs at scale by incorporating Hayabusa and SOF-ELK into my rapid endpoint investigation workflow (βREIWβ)!Β
The post Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2) appeared first on Black Hills Information Security, Inc..

![]()
In part 1 of this post, weβll discuss how Hayabusa and βSecurity Operations and Forensics ELKβ (SOF-ELK) can help us wrangle EVTX files (Windows Event Log files) for maximum effect during a Windows endpoint investigation!
The post Wrangling Windows Event Logs with Hayabusa & SOF-ELKΒ (Part 1) appeared first on Black Hills Information Security, Inc..
![]()
Remember the good βol days of Zip drives, Winamp, the advent of βOffice 365,β and copy machines that didnβt understand email authentication? Okay, maybe they werenβt so good! For a [β¦]
The post Stop Spoofing Yourself! Disabling M365 Direct Send appeared first on Black Hills Information Security, Inc..
![]()
In this video, John Strand discusses the complexities and challenges of penetration testing, emphasizing that it goes beyond just finding and exploiting vulnerabilities.
The post 5 Things We Are Going to Continue to Ignore in 2025 appeared first on Black Hills Information Security, Inc..
![]()
Changes to the msds-KeyCredentialLink attribute are not audited/logged with standard audit configurations. This required serious investigations and a partner firm in infosec provided us the answer: TrustedSec.Β So, credit where [β¦]
The post Enable Auditing of Changes to msDS-KeyCredentialLinkΒ appeared first on Black Hills Information Security, Inc..
![]()
Recently in the SOC, we were notified by a partner that they had a potential business email compromise, or BEC. We commonly catch these by identifying suspicious email forwarding rules, [β¦]
The post Monitoring High Risk Azure LoginsΒ appeared first on Black Hills Information Security, Inc..
![]()
While social engineering attacks such as phishing are a great way to gain a foothold in a target environment, direct attacks against externally exploitable services are continuing to make headlines. [β¦]
The post In Through the Front Door β Protecting Your PerimeterΒ Β appeared first on Black Hills Information Security, Inc..
![]()
Be sure to read PART 1! Metadata and a New-Fashioned Bank Robbery Letβs face it, some cases are just more interesting than others and, when you do incident response for [β¦]
The post OSINT for Incident Response (Part 2) appeared first on Black Hills Information Security, Inc..
![]()
Being a digital forensics and incident response consultant is largely about unanswered questions. When we engage with a client, they know something bad happened or is happening, but they are [β¦]
The post OSINT for Incident Response (Part 1) appeared first on Black Hills Information Security, Inc..

![]()
Patterson Cake // PART 1 PART 2 In part one of βWrangling the M365 UAL,β we talked about acquiring, parsing, and querying UAL data using PowerShell and SOF-ELK. In part [β¦]
The post Wrangling the M365 UAL with SOF-ELK and CSV Data (Part 3 of 3) appeared first on Black Hills Information Security, Inc..
Patterson Cake // When it comes to M365 audit and investigation, the βUnified Audit Logβ (UAL) is your friend. It can be surly, obstinate, and wholly inadequate, but your friend [β¦]
The post Wrangling the M365 UAL with PowerShell and SOF-ELK (Part 1 of 3) appeared first on Black Hills Information Security, Inc..

![]()
Troy Wojewoda // In honor of Shark Week1, I decided to write this blog to demonstrate various techniques Iβve found useful when analyzing network traffic with Wireshark, as well as [β¦]
The post Welcome to Shark Week: A Guide for Getting Started with Wireshark and TShark appeared first on Black Hills Information Security, Inc..
![]()
Tom Smith // At Black Hills Information Security (BHIS), we deal with all manner of clients, public and private. Until a month or two ago, though, weβd never dealt with [β¦]
The post Why Do Car Dealers Need Cybersecurity Services?Β appeared first on Black Hills Information Security, Inc..
![]()
rvrsh3ll //Β IntroductionΒ This blog post is intended to give a light overview of device codes, access tokens, and refresh tokens. Here, I focus on the technical how-to for standing [β¦]
The post Dynamic Device Code PhishingΒ appeared first on Black Hills Information Security, Inc..

![]()
Derek Banks // Living Off the Land Binaries, Scripts, and Libraries, known as LOLBins or LOLBAS, are legitimate components of an operating system that threat actors can use to achieve [β¦]
The post Sshβ¦ Donβt Tell Them I Am Not HTTPS: How Attackers Use SSH.exe as a Backdoor Into Your Network appeared first on Black Hills Information Security, Inc..
![]()
Hal Denton // Have you ever been given an encrypted hard drive to perform forensic analysis on? What could go wrong? Probably the first thought rolling through your mind is [β¦]
The post Whoβs Bootinβ? Dissecting the Master Boot Record appeared first on Black Hills Information Security, Inc..
![]()
Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_AttackTactics7LogsYouAreLookingFor.pdf So we went through an attack in the BHIS Webcast, βAttack Tactics 5! Zero to Hero Attack.β Then we went through [β¦]
The post Webcast: Attack Tactics 7 β The Logs You Are Looking For appeared first on Black Hills Information Security, Inc..