At InfoSec World 2025, TrustNet’s CISO Trevor Horwitz and CTO Mike Kerem took the stage to deliver a thought-provoking session that pulled no punches.
“Cybersecurity has entered a new era.” “We’re no longer just defending borders — we’re hunting ghosts inside our own walls.”
TrustNet’s “Behind Enemy Lines: How Hackers Weaponize Your Security Vulnerabilities,” explored the uncomfortable truth most defenders already suspect: the biggest threats don’t come from sophisticated zero-days, but from the everyday abuse of trust, misconfigurations, and blind spots.
Through real-world examples and attacker playbooks, Trevor and Mike walked the audience through how adversaries exploit the very systems and identities organizations rely on.
For those who couldn’t attend, here’s a field report from behind enemy lines.
From RSA to InfoSec World
Earlier this year at RSA Conference 2025, Trevor and Mike led “The Dark Side of SOC 2,” a technical session on third-party risk and hidden gaps in vendor assurances. InfoSec World built on that foundation, shifting the focus from compliance blind spots to how attackers actively weaponize those weaknesses in real environments.
For more on their RSA session, revisit our recap:
TrustNet Returns to RSA Conference 2025 to Unmask ‘The Dark Side of SOC 2’.
Understanding the Attacker
Building effective defenses starts with understanding the adversary. Attackers today are neither reckless nor random. They operate with patience, discipline, and a clear process that mirrors professional analysis more than traditional hacking.
They exploit trust, timing, and visibility gaps rather than software flaws. Whether through stolen credentials, misconfigured roles, or neglected service accounts, they find the weakest link and build from there.
The goal isn’t to break in; it’s to blend in.
The classic cyber kill chain still applies: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Exfiltration. Each phase provides a potential point of detection or disruption before the attacker achieves their objective.
As highlighted during the session, a breach doesn’t happen all at once. It’s a series of moves and pivots. When teams understand how attackers scan, test, and exploit, they can put visibility and controls exactly where they’re needed most.
Motivation ultimately shapes the attack. Some groups are financially driven, others state-sponsored, and many are persistent operators seeking long-term, undetected access.
What unites them is method: a deliberate, data-informed approach that turns visibility gaps and misplaced trust into entry points.
Social Engineering & Trust Exploitation
Once attackers understand their targets, the next step is to influence them. Social engineering is still the attacker’s favorite weapon because it doesn’t exploit code; it exploits trust.
Phishing and spear phishing remain major entry points. These attacks are far more convincing than the crude spam of the past. Messages now mimic vendors, executives, and internal tools so closely that they bypass both filters and human intuition.
Pretexting and baiting add another layer. Attackers impersonate IT or HR with a sense of urgency to trick employees into resetting passwords or sharing MFA codes. Others offer something in return, such as a fake update or a “confidential” USB drive left in a parking lot.
AI has made these tactics even more dangerous.
Deepfake voices, videos, and live chats can now replicate the voices of company leaders or partners with unsettling accuracy.
In one notable case, fraudsters impersonating executives convinced Ubiquiti Networks to wire $46 million. Attackers also run multi-channel campaigns that combine email, text, social media, and phone calls to build layers of credibility.
As highlighted during the session, once attackers gain a foothold, they move deeper, harvesting credentials, escalating privileges, and spreading laterally through trusted accounts or vendors. The SolarWinds breach showed how that trust can become the delivery mechanism itself.
In summary, social engineering succeeds because it manipulates identity, urgency, and assumed trust.
Identity Abuse: Core Attack Surface
Identity has quietly replaced the perimeter. Compromised credentials and weak or misconfigured MFA are now the easiest way in. When an attacker uses a valid login, most defenses never trigger.
This shift has made identity the most valuable target in the kill chain. Adversaries begin by stealing usernames and passwords through phishing, then replay them across multiple systems. Misconfigured cloud roles, over-permissioned accounts, and orphaned service identities make their job easier.
Shadow IT adds even more risk, expanding access beyond what security can see.
Also, attackers don’t stop at theft, they scale it. Initial access brokers now trade stolen VPN and remote-desktop credentials in bulk, selling ready-made entry points to ransomware groups and data extortion crews.
What used to be a manual effort is now an economy of access.
Once inside, attackers use techniques like pass-the-hash, pass-the-ticket, and golden or silver ticket attacks to stay hidden indefinitely. These footholds fuel ransomware operations, crypto mining, and espionage across cloud and hybrid environments.
Real-world breaches continue to prove the point. In 23andMe’s 2024 credential-stuffing incident, reused passwords exposed millions of user profiles. The attackers didn’t need an exploit; they simply logged in. It was a reminder that modern intrusions often hinge on identity, not infrastructure.
As Mike put it during the session, identity abuse is now a business model — persistent, monetized, and scalable.
Shadow IT: Unmonitored Infrastructure
Even with strong identity controls, attackers look for new footholds. The next opportunity often comes from systems that exist outside formal security oversight.
Shadow IT is the hidden attack surface inside every organization. It isn’t malicious by design; it’s dangerous because it’s invisible.
These are the applications, cloud services, and systems that employees use without IT approval, such as free SaaS tools, personal storage accounts, or private email. Each one creates a potential backdoor. Without patching, monitoring, or governance, attackers can slip through completely undetected.
The scale of the problem is growing. As cited by Trevor, about 11% of all cyber incidents now involve shadow IT assets, roughly one in ten breaches. In each case, the weakness wasn’t sophisticated malware but simple invisibility: defenders didn’t even know the systems existed.
Once discovered, attackers start with reconnaissance, scanning for unmonitored applications or leaked credentials that expose forgotten entry points. From there, they move to exploitation, targeting misconfigured cloud apps, outdated third-party tools, or rogue APIs with weak authentication.
Persistence comes next. Attackers quietly embed themselves in systems that have no endpoint protection or patch oversight, creating safe havens for long-term access. The final step is exfiltration, siphoning data through unsanctioned storage or SaaS channels that the SOC cannot see.
In many cases, compromised shadow accounts are used to escalate privileges and pivot into core systems while blending in with legitimate traffic. Shadow IT becomes a low-friction entry point, an invisible way through otherwise strong defenses.
As Trevor noted during the session, shadow IT isn’t just invisible infrastructure; it’s a massive risk hiding in plain sight.
AI-Enhanced Attacks
As attackers look for new ways to exploit complexity and speed, artificial intelligence has become their next advantage.
Machine learning automates reconnaissance, scraping OSINT, and leaked data at scale to map targets faster than human teams ever could.
Generative models accelerate exploit development and craft highly personalized lures. AI-driven phishing adapts the message tone, timing, and content in real-time, so each interaction feels uniquely convincing. Deepfake audio and video further erode the gap between impersonation and reality.
AI also changes how attacks evade detection. Adversarial machine-learning techniques teach malware what defenders look for, helping it bypass filters and endpoint controls. Autonomous malware can mutate inside an environment, adapt its payloads, and escalate privileges without direct human guidance.
On the orchestration side, ML-driven command-and-control systems coordinate operations at machine speed, and AI can hide exfiltration by mimicking legitimate user behavior or embedding data within normal traffic so well that it vanishes in plain sight.
Put simply, offense now scales with automation. Complex, multi-stage campaigns that once required large teams can be launched and tuned by attackers with far less effort.
Defensive Playbook
With the offensive landscape mapped, the session turned to defensive playbooks.
Social Engineering
Defenses start with people. Multi-channel phishing simulations and continuous awareness programs train users to pause and verify before acting.
Technical measures add another layer: enforcing MFA for all external access, using sandboxed email gateways, and monitoring for anomalies such as impossible logins or unfamiliar device profiles.
Above all, a zero-trust mindset should guide every interaction. Vigilance and verification — not assumption — keep organizations safe.
Identity Abuse
Applying least privilege and just-in-time access reduces the opportunity for credential misuse. Phishing-resistant MFA and conditional access policies further strengthen authentication.
Identity Threat Detection and Response (ITDR) helps expose token or SSO abuse, while continuous monitoring of privileged accounts limits lateral movement.
Shadow IT
Cloud Access Security Broker (CASB) and SaaS Security Posture Management (SSPM) tools uncover unsanctioned SaaS and rogue cloud workloads. From there, a centralized asset inventory across SaaS, cloud, and endpoints creates a foundation for control.
Allow-listing and API governance ensure only trusted applications connect. Integrating shadow assets into risk and vulnerability programs brings them under the same controls as approved systems. Simplifying access to sanctioned tools helps teams stay secure without slowing down their work.
AI-Enabled Threats
AI-driven anomaly detection surfaces subtle behavioral changes that humans might miss. Model validation prevents poisoning or prompt injection, and AI red-teaming helps test resilience against emerging threats.
The most effective SOCs combine automation with analyst expertise, cutting false positives by up to 70% through AI-assisted triage. That efficiency lets teams focus on what matters most — the real threats.
Operationalization
The insightful session closed with a focus on turning defense into practice. Controls are only effective when they are operationalized, measured, owned, and continuously refined.
Centralizing logs, telemetry, and identity events establishes the visibility needed to connect signals across systems. When network, endpoint, and cloud data converge, signs of lateral movement and abnormal flows become easier to spot.
Ownership matters as much as visibility. Each attack path should have clear accountability and mapped defensive controls, so teams know not only what to protect but also who is responsible when alerts trigger.
Response playbooks must also reflect how real adversaries operate. Maintain and test them regularly, aligning steps with actual attacker behavior rather than generic scenarios.
Operational discipline is what turns strategy into resilience.
Final Takeaways
Every control can fail, and every tool can be bypassed.
Resilience stems from a team’s ability to detect, adapt, and recover quickly. Security is not a checklist; it is a dynamic system that learns, anticipates, and responds in real-time.
At TrustNet, we believe resilience is built through visibility, discipline, and speed. Patch fast, monitor continuously, and balance automation with human expertise.
Cybersecurity is no longer about stopping every breach. It is about building organizations that can endure, adapt, and lead through them.
Discover additional insights, frameworks, and resources on our website, or book a consultation with our experts and explore how TrustNet can help you operationalize resilience.
