David DellaPelle: Thank you so much everyone for being here. My name is David DellaPelle. I am the CEO of Dune Security. We are so excited about this webinar today. The title is Inside Access: APTs, Insider Threats, and the New Multi-Channel Attack Surface. I am thrilled to be joined today by Alicia Lynch, who has a storied career and is currently the global CISO of TD SYNNEX. I am also joined by Keith Schlosser, who has an equally storied career and most recently served as the global CIO for Axis Capital. I will pass first to Alicia for an introduction.
Alicia Lynch: Thanks for having me here. I am super excited to spend time with Dune Security — this is a great opportunity. My background is defense. I spent over 25 years in the US Army as an intelligence and cyber officer. From there, I moved into the defense industrial base and worked for a number of companies supporting that space, including BAE Systems and SAIC on the defense and federal side, and then moved into large global-scale companies like Cognizant, where I was the Chief Security Officer and CISO. I am currently the CISO at TD SYNNEX, which is a Fortune 100 company and the largest distributor of IT products and services in the world.
Keith Schlosser: Hi, I am Keith. I have been in the highly regulated insurance industry for over 36 years, recently somewhat retired, and am now advising various firms and doing consulting work, specifically around agentic AI and cybersecurity.
David DellaPelle: Amazing. Thank you so much for being here with your busy schedules. Keith, I believe you are calling in from Jackson Hole, Wyoming — appreciate you taking the time.
So, to introduce the topic: enterprises today are facing a new wave of threats. We talk a lot about the quality and quantity of social engineering. Insider threats and business email compromise are changing. The attack surface is changing with AI. Attackers are using all the latest technologies we use, but without guardrails — they can use models that do not carry the constraints that many of the common AI tools we use might have. Over 90% of breaches are still originating in what we call the user layer — some form of user behavior — but attackers are now using AI to scale impersonation, deepfake voices, deepfake videos, and contextual phishing with deep precision. Every user can receive a phishing message that is completely specific to them — not just their company or function, but their individual profile.
What we have found is that the market needs something different. Large multinational corporations have been addressing this with generic awareness training, standardized security training delivered to every employee in the company. We have found this to be quite counterproductive: high-risk employees are not held accountable, low-risk employees have their time wasted, and it can create an adversarial relationship between security teams and end users.
In this new threat landscape, we want to explore how advanced persistent threat groups like Scattered Spider are weaponizing insiders; how AI-personalized phishing is driving three times the engagement of traditional lures; and how this risk landscape is spreading faster than teams can keep up, largely because of the technologies attackers now have access to.
Goals for today: we will discuss how insider threats are evolving in the AI era and why manipulated employees can be even more dangerous than malicious ones. We will talk about how threat groups use AI to impersonate at scale, mimic workflows, exploit authority and urgency, and drive multi-channel attacks. And we will talk about how CISOs are fighting back — moving beyond static training toward real-time visibility, targeted simulation, and adaptive remediation to reduce user layer risk.
Thank you so much, Alicia and Keith. My first question is for Keith. We have seen that insider threats are no longer just about malicious employees. We are seeing compromised or manipulated users who become the entry point. Why is this shift so dangerous, and what have you seen in the industry?
Keith Schlosser: Well, it is a growing area for cyber actors, and what I believe they have realized is that corporations across the globe have focused their insider threat programs almost entirely on the malicious employee. I would say we are wholly unprepared for this next wave of attack.
What makes it so important to get ahead of is that they are able to use very targeted, individual-specific attacks that incorporate social media feeds, LinkedIn profiles, and an understanding of someone's persona within the organization. They are so good at this that employees are often being deceived with no awareness that it is happening. The traditional corporate insider threat program was built around the employee stealing files for personal use — someone planning to leave the company who downloads a client list. That is still the program deployed at many corporations. That has changed. They are now aggressively targeting specific personas and employees within organizations, and once they have engaged that person, that person is working on their behalf without realizing it. That is why I believe it is so dangerous.
Alicia Lynch: I can add to that as well. I think this is becoming increasingly dangerous for companies, not just in terms of a direct breach, but also through managed service relationships. If you are contracted to run a help desk for another company, you have specific protocols and processes you are supposed to follow. Help desk personnel are often incredibly resilient — they handle a high volume and variety of requests every day. What I see break down most frequently is the failure to consistently follow the verification process every single time.
There was a very recent situation where one company was providing managed services to a Fortune 200 global company, and a help desk employee was contacted by a threat actor who had the name of a real employee and possibly even their employee ID number. What the help desk person did not do was go through the proper authentication process — verifying the caller two, three, or four times before resetting a password. It is documented in court filings that the managed services provider did not follow the required process, the password was reset for the threat actor, and the threat actor walked right in. The filing does not specify the extent of the damage to the customer company, but there is now a lawsuit exceeding $350 million against the company that failed to enforce proper process and allowed a threat actor into their customer's environment. That is alarming, especially in managed service environments where we have strict contractual obligations to our customers.
David DellaPelle: We have also seen threat actors compromising employees by purchasing their credentials, often from a third-party breach. Alicia, let me pass to you for a broader question: who are these APT groups, why are they so focused on social engineering and using AI to create more insider threats, and what is the next evolution in their methods?
Alicia Lynch: There are some fun facts I like to share in conversations like this around what a nation-state advanced persistent threat actor actually is. Having spent so many years in the military, this is probably one of my most passionate areas. What I find when I talk to people around the world is that everyone is focused on the techniques being used and the damage being done, but fewer people really think about why these things are happening.
Nation-state threat actors are, quite literally, nations. China, Russia, North Korea, Iran, Syria — they have formidable state-sponsored forces conducting these activities. For nation-state actors, it is typically not about financial gain. They are conducting operations to gather intelligence: what are the war plans for a country they are monitoring? What contingency plans are being discussed? What sanctions might be coming? That is why they are trying to get in — and they are not getting in to cause immediate damage. The persistent part of "advanced persistent threat" is exactly that: they get in, they lay low, they watch, they monitor, and they collect as much information as they can.
China, for example, has spent an enormous amount of time penetrating our defense space, primarily through the defense contracting base. I have studied this for over 10 to 15 years, and in that time there have been probably more than 50 military weapon systems compromised. The reason is straightforward: it reduces their R&D timeline and cost significantly.
A notable recent development was an entire campaign against US critical infrastructure called Volt Typhoon. This was a significant turning point in understanding what these persistent threat actors are doing. Volt Typhoon got into our telecommunications infrastructure — AT&T, Verizon, T-Mobile — as well as transportation, including rail and aviation, water systems, and power. They got in and they simply laid there. They were eventually discovered and disclosed by CISA, and Director Jen Easterly spoke publicly about it. They were getting in through various methods — phishing, exploiting external-facing vulnerabilities — and positioning themselves for a future moment when they might need to act. The Chinese are not thinking two years out the way we often do. They are thinking 20 or 100 years out. These are strategic pre-positioning activities on the battlefield of the future.
There is also APT42, the Iranian advanced persistent threat group also known as Charming Kitten. They focus on cyber espionage and surveillance and conduct sophisticated spear phishing campaigns targeting individuals and organizations of strategic interest — particularly those involved in US and Israeli policy and sanctions. They have developed complex, custom exploits using AI, and they focus specifically on the human attack path. They impersonate journalists, event organizers, and anyone who would be a familiar and credible contact to their target. They do it with highly realistic deepfake audio and video, and it is very personalized. People are naturally reluctant to believe they are being deceived, and that instinct is what these actors exploit to steal credentials and bypass security measures.
Over the last couple of years, we have also seen nation states attempt to embed their own people inside organizations by compromising the hiring manager and the HR process. Once that occurs, they are effectively handed the keys to the kingdom. In IT and cybersecurity, we talk a lot about espionage and stealing company secrets, and they accomplish this through what are known as laptop farms. Once someone is hired remotely, a laptop farm spins up, ships the device, and everything appears to function normally — and the organization is now unknowingly providing a nation-state actor with inside access. It is inexpensive, and it is incredibly effective.
Keith Schlosser: Alicia, have you seen that at companies you have been at?
Alicia Lynch: Yes, I have dealt with it at a couple of companies. I think COVID opened the door for that type of activity to accelerate. We also did not have proper vetting processes in place at the time. Video was previously not an exploitable medium, but now it is. There are vetting processes you have to implement when hiring someone in another country — better identity verification, more rigorous screening. Most companies in the United States, and others I have encountered, have struggled to weed this out. There are some emerging products that can provide insight into anomalous employee behavior, but when it first started happening, it largely relied on coworkers noticing something peculiar and raising a flag. It is still an ongoing problem.
David DellaPelle: There are both digital and analog approaches to this. On the technology side, we just established a partnership with Reality Defender — probably the deepest technical capability in deepfake detection at scale, which is very complementary to what we do at Dune Security. On the analog side, we require in-person interviews when hiring. Almost going back to how things were done before Zoom, Skype, or WebEx existed — we require a physical in-person interview for candidates. We have an in-person culture, but even just for the interview process alone, it is a meaningful safeguard.
Keith Schlosser: I have heard so many colleagues now requiring that, driven by the security team.
David DellaPelle: It makes sense, and there are cultural benefits beyond just the security ones. To summarize that section: the methods are always evolving, no two threat actors are the same, and the motivations are varied — political, ideological, financial. It is an endless cat-and-mouse game, and for a global CISO at a large company it can feel almost impossible to stay on top of.
Alicia, let us talk about multi-channel attacks. Email remains a prevalent vector, but we are seeing attacks via SMS, voice, deepfake video, and encrypted messaging applications. How has that changed the threat landscape compared to five or ten years ago?
Alicia Lynch: Even though email can feel like an old topic, it is still, as you said at the outset, where the majority of breaches originate. If I had to prioritize from high to lower risk, email is still at the top. Threat actors are using evasion tactics to get past our security protocols, and billions of dollars are lost because of it every year.
But let us talk about collaboration tools — that is a rapidly growing risk. Slack, Teams, Zoom — employees treat those platforms like internal safe zones. They trust them. And what we do not have right now are mature monitoring and alerting tools for those types of applications. What happens is that when employees receive something on what they consider an internal system, they are far less skeptical. Someone sends you a link in Teams and you assume it is safe — you do not stop to think that a link in a Teams message could take you to a credential harvesting page that looks like a meeting sign-in. People will enter their credentials into almost anything their corporate environment prompts them for. Those collaboration tools simply do not have the mature detection and alerting that secure email gateways have. When attacks happen in those environments, they spread faster and they are harder to spot.
Keith Schlosser: I have seen, over the last couple of years, situations where an insider will invite a threat actor into a video meeting, and from there the actor is able to gather all sorts of information. What we tried to teach employees was: if you are hosting a meeting, you need to know everyone on that call. If you sent ten invitations and there are eleven participants, close the meeting and start over. Those kinds of social intrusions are less sophisticated, but they can certainly lead to serious consequences.
Alicia Lynch: The voice and video impersonation piece is an emerging capability. It is very high impact when it works successfully, but the frequency is lower — it requires a significant amount of effort on the attacker's side to scrape enough source material from websites and YouTube to convincingly replicate someone's voice or likeness. I would categorize it as high impact, low frequency. But that is the leading edge of AI being used as a direct attack method against us.
David DellaPelle: And in a company like TD SYNNEX or a major insurance company with tens or hundreds of thousands of employees — doing vishing testing at scale, for instance, the compute required for AI voice models alone makes it incredibly difficult. There are some capabilities, like callback vishing testing, but it is by nature a very targeted, relatively manual approach. How do you defend against something that is so specific and targeted?
Alicia Lynch: The callback vishing approach is time-consuming, but it is probably highly effective, because people are kind-hearted — they think: someone called me, so this must be real, and they hand over whatever is asked of them.
David DellaPelle: What about encrypted channels? Before we move on — you mentioned informal channels and collaboration tools. What if a threat actor gained access to Slack and posed as a Slack Connect user from a different organization? Keith, can you share what you have seen or heard regarding encrypted channels like WhatsApp, Signal, and Telegram? We ran a survey and found that 0% of CISOs reported having any visibility into what their employees are doing on these off-channel encrypted applications.
Keith Schlosser: What I have seen — and this actually happened to me personally — was receiving a WhatsApp message that appeared to be from the CEO, saying: "Hey, I need you to help me facilitate a payment to a vendor. We made a mistake and the CFO is out sick, so I am reaching out to you as a member of the executive council to help get this done." Of course I immediately started making phone calls to verify whether it was real.
The challenge with WhatsApp, Signal, and other applications is that as CIO or CISO you simply have no visibility into them. Most of our employees have access to one or more of those apps. We would constantly try to train people: if you get a message on WhatsApp or Signal from someone claiming to be a member of the company, investigate before you do anything, because we do not conduct company business over those channels. That message should not exist. But it is a real problem, and it is especially dangerous when the target is someone in a position to authorize or facilitate a funds transfer. That is when we started creating very specific training for those particular job types.
Some of this training feels meaningless to employees who go through it — it is not applicable to their role — but for others it is very directly applicable. Training going forward should cover all the ways someone can be contacted, not just the traditional internal communication methods.
Alicia Lynch: It is routine now, unfortunately. I remember the first time it happened to me at a prior company — it shook us to our core. Now it is so frequent that when I stepped into my current company, the CEO had already been targeted. People were calling me saying it was happening. We had to immediately establish a process: as soon as we see it, we take screenshots, communicate out to the company that this is not real, and flag it broadly. It used to be that I handled every incident directly, but there are now so many that my team owns the process. That is a measure of how much it is happening. Unfortunately, most companies have experienced one or two of these before they build out a real response process.
David DellaPelle: Let us change gears and talk about psychological factors. Attackers use different tactics, and we have data showing that urgency — "your account will be locked if you do not act now" — produces much higher engagement and failure rates than reward-based lures like a gift card offer. Keith, can you walk through some of the psychological methods adversaries use to manipulate people inside companies?
Keith Schlosser: I will go back to the help desk example, because that is often where the manipulation begins. Those employees are frequently third-party contractors under immense pressure to deliver value to the customer. When a senior-sounding person calls in with urgency — "I need my password reset, I do not have time for this process, I am late for a meeting" — several psychological levers are being pulled simultaneously. There is urgency. There is authority. There is commercial pressure on a third-party service provider to satisfy a demanding caller.
These threat actors often do their research. They will have a list of the executive committee, know who someone's boss is, and use that: "If you do not certify this step in the process, you are going to be in trouble." They have known about these psychological levers for years. What has changed is the precision. Two or three years ago it was a more generic approach — "I need you to reset my password." Now they can say "I need you to reset my password for this specific system" and name it correctly. They add just enough specific detail to make it feel real, and they will mention key employees within the organization to add credibility.
Alicia Lynch: There is really not much to add to that. It is highly personalized now, which makes a person genuinely want to comply with what they are being asked to do. And they are using the multi-channel approach we talked about — coming at the target from multiple directions simultaneously, so that the redundancy of contact starts to feel like validation. The hybrid, multi-channel attack makes it feel more real.
David DellaPelle: Let us talk about third-party risk. Alicia, you are the global CISO of TD SYNNEX, a Fortune 100 company and the largest distributor of technology in the world. How has AI changed the risk calculus when the threat is not just a direct employee but potentially a third-party employee being socially engineered?
Alicia Lynch: Third-party risk is intensely magnified when you work in companies with long supply chains. Some companies I have worked at have 10,000 vendors in their supply chain. Something can happen to one of those vendors and blow back into your own environment depending on your connectivity with them.
From a CISO perspective, there have to be formalized processes in place. You have to assess those companies, and not just assess them — you have to prioritize the risk they carry that transfers to you. That means paying attention to their cyber hygiene: their external-facing scores from platforms like Bitsight or SecurityScorecard, so you can understand what they look like. You have to use enterprise risk management processes to evaluate them: how critical are they? Some may be the only provider in the world for a very specific component. In that case you have to protect them as you would protect your own company.
There is a growing amalgamation happening between companies where you have to share this type of information. Some of our largest customers grill us on our cybersecurity practices on a quarterly basis, requiring adherence not just to the NIST Cybersecurity Framework but to additional guardrails they send us — custom documentation covering additional controls and evidence they want to see. It creates an enormous amount of work, and with that volume of complexity, there are inevitably situations where threat actors are getting through — simply because of the scale of the job required to maintain visibility across it all.
David DellaPelle: It is a hard one. Let us transition — for Keith, let us talk about APT groups. Scattered Spider is in the news most frequently. ShinyHunters is another. Using them as archetypes: their tactics are getting more sophisticated. How can enterprises realistically keep up? What technologies can they put in place?
Keith Schlosser: It is a good question and it is changing very fast — I have not seen anything like the current pace of evolution. I really believe a couple of things, and one is directly tied to what Dune Security offers: training that is specific to the person's role within the organization, because that is exactly what these threat actors are targeting. They are looking at LinkedIn profiles and social media posts and crafting very targeted, specific attacks against that individual.
What Dune does is meaningful in that it equips employees through knowledge and education, attacking the attacker through the informed behavior of the workforce. I do believe it starts with educating people on what these threat actors are doing, how they are doing it, and how their specific role makes them vulnerable. The goal is to get the employee to stop and ask that extra question — to question things they would not normally question. That is the key.
Alicia Lynch: The only thing I would add is that a lot of these threat actors, Scattered Spider in particular, started by exploiting external vulnerabilities. The first way they get in is phishing, and the second is exploiting external-facing vulnerabilities through basic cyber hygiene gaps. It is unglamorous, but it is critically important: vulnerability management, scanning, knowing what your vulnerabilities are, and getting them remediated before they can be exploited. That is my operational reality every day, and it does bring down your attack surface. Scattered Spider is still very scary to me because they have a couple of superpowers: the ability to get in through almost any external opening, and the use of AI to get to the person and gain the foothold they need. It is hard to defeat both of those simultaneously.
David DellaPelle: We talked about some of the technical tools that can act as filters. I think about Abnormal Security as a strong email security product. I think about Reality Defender, whose partnership we just announced, for deepfake detection at scale. But no matter how high the castle walls are, attackers are always going to find a way around, and there is a danger to having a false sense of security. The best AI-integrated cloud email security system in the world is still going to let something through. If it is not email, it will be a different channel. They are even bypassing multi-factor authentication now — if you do not have the right strength of MFA, one-time passwords can be compromised. You need really robust multi-factor authentication at this point, and they are starting to work around just about everything we are putting in place.
There needs to be a bolder approach here to user risk — comprehensively quantifying it based on all available data and then individually reducing or remediating risk based on those individual risk profiles. What about culture? What additional steps can enterprises take to build a genuine security culture?
Keith Schlosser: It starts with the CEO and the board of directors. Everywhere I have worked, I have encouraged the CEO to make cyber risk a standing agenda item. First line of defense is the employee, on every call, in every communication. The board needs visibility into the cyber program — which is now required by law if you are an SEC registrant or operating in Europe — but beyond visibility, they need to actively promote a culture of cyber hygiene and cyber awareness. Everything starts at the top. If you want to build a culture, it has to start with the CEO and senior leadership.
Alicia Lynch: I completely agree. But the reality is that in global companies where revenue, speed, and market agility are the focus, security is often the last thing they are thinking about. What I do at every company is bring metrics that matter to the board — not 200 metrics they will never use. I have walked into board briefings where the prior CISO was presenting 200 different metrics, and I thought: what are any of these for?
One metric I use is CrowdStrike's 1-10-60 model: one minute to detect an incident, ten minutes to scope and understand it, sixty minutes to contain it. That is the benchmark. When I come into a new company, the first thing I do is measure that against actual data — and it is typically in days, not minutes, even at companies with significant cybersecurity investment. Showing that number, making them see that we are not where we need to be, that there is real risk here and we need to keep improving — that is what moves the needle.
The other thing I find is that the business will eventually drive how much attention gets paid to cybersecurity, but usually after an incident. When companies get hit at the business level, they turn to the CISO team saying "Help us." We help them put out the fire and restore operations, and then they become evangelists for us. They come back, they do what we recommend, and it starts to spread organically. It is a slow process, but it is heartwarming to watch. Culture does not change because a CEO says so in a briefing — it changes because different parts of the business have been impacted and have become believers. They start coming to you ahead of time to ask for help, and that is when you know the culture is taking hold.
David DellaPelle: Thank you so much for these insights — this has been a fantastic conversation. A few key takeaways: the nature of attacks is changing. Insider threats are no longer just malicious insiders — people outside the company are manipulating, soliciting, and socially engineering people inside. Attackers are using every available channel with great specificity and the most advanced technologies, AI chief among them. Around 90% of breaches are still originating in the human layer, and AI is accelerating that, not decelerating it. Multi-channel attacks across SMS, voice, collaboration tools, and encrypted apps are increasing. Supply chain and third-party risk grows alongside all of this — already a nearly impossible problem to solve. At Dune Security, we believe enterprises need real-time visibility into user risk, full adversary emulation, role-based analysis, adaptive training and testing, and adaptive workflows to stop risk as it emerges. Thank you so much, Alicia and Keith — I really appreciate your time. Any parting words for our viewers?
Alicia Lynch: I just read about a new attack technique, and it was referenced in an Anthropic threat intelligence report — which is notable given that Anthropic is the builder of Claude. They found a sophisticated criminal operation they designated something like GTG-2002 that pulled off what is considered an alarming AI-powered cyber attack. What this group did was use a large language model, interact with it through natural language prompts, and direct it to autonomously execute nearly every stage of a cyberattack campaign. The report identified 17 organizations targeted through this method. They are calling it vibe hacking — derived from vibe coding, a practice where developers use natural language to tell AI what to build. This is the first publicly documented case where a leading AI system automated nearly every stage of a cybercrime campaign end to end. It is showing major progression in how AI platforms are being weaponized.
Keith Schlosser: The only thing I would say, David, is that what you all do is really changing the way people engage with training. As CIO, I cannot tell you the number of complaints I received from executives and leaders — this training is meaningless, why do we have to do it so many times a year? What Dune is doing is not only protecting the firm, but genuinely serving the employees by engaging them with training that is relevant and germane to what they do day to day. That is super important. I encourage everyone to keep at it, and I think people should take a look at the product because it will get real results.
David DellaPelle: Thank you so much, Keith and Alicia. Thank you for your time today — it has been an amazing conversation, and we will put together a great summary for everyone who joined.
Attackers no longer break in – they get invited in. Insider threat has evolved well beyond the malicious employee: today's most damaging breaches often trace back to compromised, bribed, or manipulated users who had no idea they were working on the attacker's behalf. Nation-state APT groups and organized cybercriminal syndicates have made the User Layer their primary entry point.
To address this, Alicia Lynch (CISO, TD SYNNEX) and Keith Schlosser (former CIO, Axis Capital, Chubb, Travelers & AIG) join Dune Security's CEO David DellaPelle to walk through how nation-state APTs and organized criminal groups are evolving their tradecraft, how out-of-band attacks across Slack, Teams, WhatsApp, Signal, SMS, and voice are evading traditional controls, the psychological levers adversaries rely on, and the strategies security leaders are using to build resilience through individualized defenses and real-time user risk visibility.
Key Takeaways
- Insider threat is now the manipulated insider. Programs built for the malicious employee miss the employee who has been deceived. APT-grade targeting using LinkedIn, social media, and persona research means employees can be working on the attacker's behalf without knowing it.
- Help desk and managed service processes are the new front door. Failing to enforce caller verification, even once, can reset a real user's password into an attacker's hands. The 350 million dollar lawsuit against an MSP after a process failure is the new contractual reality for outsourced support.
- Multi-channel attacks evade traditional controls. Email is still the top vector, but Slack, Teams, Zoom, WhatsApp, Signal, and Telegram are growing fast. Internal collaboration tools lack mature detection, and zero percent of surveyed CISOs report visibility into off-channel encrypted apps.
- Nation-state actors are embedding inside companies. Compromised hiring and remote onboarding processes, combined with laptop farms, are giving foreign operators direct inside access. In-person interviews, stronger identity verification, and deepfake detection are first-line defenses.
- Move from generic training to individualized user risk reduction. Generic awareness training fails high-risk users and wastes time for low-risk ones. The path forward is real-time visibility into user risk, full adversary emulation across channels, and dynamic remediation.