Cybersecurity Reading List - Week of 2025-10-27

It’s almost November, and I’m behind on my reading. 

Which isn’t anything new – I’ve been behind on my reading since about sixth grade. But the uptick in infosec-related news and activity definitely feels substantial, a crescendo building towards the end of the year, or next year’s spring offensives, or whatever’s looming over the Taiwan Strait. 

De-escalation feels like a quaint notion. The cosmic microwave background of China-nexus actor persistence and ever-present staccato of Russian organized crime and nation-state operations vie for different forms of our attention, but never our rest. 

F5 network dwell time has been reported as nearly two years; nearly two years from initial compromise to detection, making coffee every day, going through life events, picking the kids up from soccer practice, two sets of holiday parties. 

One of the things I’m stuck thinking about as the days get longer in multiple ways is time. F5 is not the only one that’s had a dwell time like that, and it’s certainly a difference from short-duration actors with more traditional criminal motives. But we’re also seeing the landscape change as Large Language Model-assisted cyber operations begin surfacing. Most uses there are in their infancy, similar to the defender usage of LLMs – still in the “horseless carriage” phase of technology, to steal a concept from Douglas Rushkoff. But they’re maturing – slow, fast, and otherwise. 

Looking back to some earlier artificial intelligence work, Google’s AlphaGo took several years to gain mastery level in the game Go, across thirty million games. AlphaZero reached mastery in 4.9 million games, and learned how to beat AlphaGo in 3 days when pitted against it adversarially. OpenAI’s DOTA2 bot amassed 45,000 years of experience in ten months’ time. This was all years ago.

I am left wondering, if AI-based cyber threat offense reaches a more mature level, what happens when you take a system that can learn centuries’ worth of lessons in days, and connect it with strategic actors whose focus is sometimes across decades. 

What does that do to time? 

And in the interests of time, let’s move on to the news and chatter. 

Several of us from DomainTools Investigations will be at CYBERWARCON in Arlington, VA on November 19th. If you’re there as well, don’t hesitate to say hello. Or tell us your secrets. 

We’re good at secrets. 

Podcasts

Three Buddy Problem – JAGS LABScon 2025 keynote: Steps to an ecology of cyber – Like last month, also from LABScon; in this case, Juan Andres Guerrero-Saade’s keynote presentation on the state of cybersecurity, how to navigate it, and what to look for next. Thirty minutes of some of the best cross-disciplinary exploration I’ve heard. 

China Talk – PLA Purges and How Xi Rules with Jon Czin –  Background and practical implementation of thinking and planning that informs the Chinese government’s operational stances. 

Lawfare – CYBERCOM Legal Conference: The Role of the Private Sector in Conflict – Reposted episode from April but a good panel on public/private work in cyber, specifically in the context of conflict.

Articles

Bloomberg – Hackers Had Been Lurking in Cyber Firm F5 Systems Since 2023 – This has been a bit of a sleeper story so far, but most of the watershed compromises haven’t been declared yet. Spent a night or three tracking possible DNS threads that roughly indicated the same time fence, but you never know until it’s out in print.

GTIG – Pro-Russia Information Operations Leverage Russian Drone Incursions into Polish Airspace – Rare (I think?) and very well-done Google Threat Intelligence piece on opportunistic hybridity in a real-world information campaign. All the notional borders we build fade into the background once feedback loops between cyber, info, and kinetic blend natively like the rest of the world. 

Infoblox – Vault Viper: High Stakes, Hidden Threats – The ubiquity of gambling alongside fraud in cyber threat intelligence is no surprise to analysts, but the interconnections and scale often astound. Infoblox doing one of those things they do so well: sketch the outline of the badness, isolate and connect clusters, and lay it all out at micro- and macro-levels. 

RecordedFuture – Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals – “Cybercrime in this environment cannot be understood solely as a commercial enterprise; it is also a tool of influence, a means of information acquisition, and a liability when it threatens domestic stability or undermines Russian interests.” – Fascinating deep-dive that paints a much more complex and ambiguous picture of Russian state interaction with cybercrime groups than we’re used to.

Trail of Bits – Prompt injection to RCE in AI agents – Great writeup centering around mapping and exploiting commands marked as “safe” in AI agents and thus allowed to circumvent human review. 

Ars Technica – New image-generating AIs are being used for fake expense reports – Well that’s creative. Admittedly, as a teen I pulled a dot matrix printer and Tandy out of the attic to forge my report cards (which worked great in the short term, not so much in the long term, but that’s a story for another time). 

Research Papers and Reports

arXiv – Living Off the LLM: How LLMs Will Change Adversary Tactics – Speculative paper on translating LLM proficiencies into living-off-the-land techniques for adversaries. Read, and start planning. 

Dartmouth ISTS – From Chaos To Capability: Building the US Market for Offensive Cyber – Novel research specifically around private-sector circumstances supporting government cyber operations, including current state of play, gaps, and opportunities in this largely gray area. Feels substantially different from the separate hybrid models we’re used to reading about in China and Russia, among other places.