Cybersecurity Reading List - Week of 2025-11-24

Infosec, know thyself.
It’s no surprise that I’m an advocate for deeply introspective paths. My autism positions me for rumination (and much overthinking), but also self-examination and self-evaluation in order to identify strengths to capitalize on and inefficiencies to drum out. In talks I give on autism in cybersecurity with my good friend and work partner from the TechOps side, we emphasize engaging in substantive evaluation of your own thinking, reactions, and sensitivities in relation to your work and environment.
At the right dose, self-reflection can be a superpower all its own, as well as enable more superpowers in its wake.
When cybersecurity professionals become vulnerable enough to engage in metacognitive and other reflection in public, it makes us all better defenders. One good example can often be found amidst Tricia Howard’s work over at Akamai – whether she’s writing on resilience, on toxicity and mental health, or on other topics.
The recent example I want to really amplify here, though, is a great piece from the folks at SpyCloud published on Halloween: It All Counts: From Small Wins to Global Takedowns, How Being Mission-Driven and Curious Influences Cybersecurity Investigations for Good.
You had me at “mission-driven”; after all, the RAND study quote on neurodivergents being essential for national security due to “missions that are too important and too difficult to be left to those who use their brains only in typical ways” is deeply resonant with me. You also had me at “curious” – every investigation I approach, I do so with a natural sense of curiosity that makes it all the richer. But SpyCloud’s piece revolving around their investigators sitting down to talk brains and wins provides even more insight.
From connecting threat actor motivation to behavior and likely evolution, to being able to influence threat actor decision-making in impactful ways, and motivating the team itself by empowering curiosity and impacting justice in the wider world, the conversation speaks deeply to me about critical lessons for our profession, and our industry.
To quote the piece, “iron sharpens iron, and together we get better.”
Let’s work together to form and maintain the sharpening blocks we need to make 2026 the worst year for threat actors on record.
Let’s go.
Articles
GreyNoise Intelligence – When Bulletproof Hosting Proves Bulletproof: The Stark Industries Shell Game – Excellent, brief article from GreyNoise’s boB Rudis with clear technical observations for evaluating the sanctions on Stark. We need more of this, and we need to prioritize review of our current enforcement methods. More on this to come…
KrebsOnSecurity – Aisuru Botnet Shifts from DDoS to Residential Proxies – Aisuru’s power boggles the mind, as seen in this recent BleepingComputer article, but its evolution is even more interesting. Some of its roots appear to spring from Minecraft disputes, others from efforts to embarrass the Chinese Communist Party. And the move to offer residential proxy access is not a welcome development.
BBC – A Chinese firm bought an insurer for CIA agents – part of Beijing’s trillion dollar spending spree – This should perhaps precipitate a much wider review of PRC-owned assets with deep data insights on critical American sectors. Data is now national security-critical infrastructure.
DomainTools Investigations – APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets – From us last week, another natsec deep dive. I’m always fascinated by structural differences between threat actor groups, especially nation-state ones. In this case, it’s the regimented and almost rigid structure, contrasted with more flexible APT schemas.
CISA – Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers – Overdue, but a good starting reference on BPH. Necessary to highlight CISA’s advice here on ASN blocking, an absolutely critical feature that many commercial products lack. Looking at you here, Palo.
NYT – Cryptographers Held an Election. They Can’t Decrypt the Results. – Turns out someone lost the key. Ironic but relatable – there but for the grace of Shamir go I.
TechCrunch – CrowdStrike fires ‘suspicious insider’ who passed information to hackers – Going to be interesting to see if charges are filed – opening CrowdStrike up to discovery there. If I were a betting man…
Mandiant – Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem – Iran-nexus actor with a pretty complicated portfolio compared to some of their pals.
Politico – Cybersecurity breach at Congressional Budget Office remains a live threat – At least it’s not the State Department this time? Smells faintly like Chinese trade espionage, but that’s entirely speculation.
SpyCloud – October Cybercrime Update: LummaC2’s Decline, Data Theft Extortion & Hacktivist Leaks – Good roundup on a few fronts, but especially the LummaC2 update. Someone’s got Lumma in their sights, or perhaps multiple someones.
Research Papers and Reports
Anthropic – Disrupting the first reported AI-orchestrated cyber espionage campaign – There is some ongoing controversy about this report, and understandably so. Anthropic’s reports tend to be higher-quality than those of the other AI firms out there, and in a narrative sense they explain their analysis well – operational tempo, request volumes, and activity patterns seem the right way to do it. But we need IOCs, TTPs, and other technical indicators, as narratives are not enough. It’s worth noting that it took a while to convince any industry to share those, so here’s hoping Anthropic blazes the trail with this as well.
arXiv – Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models – This may be my favorite paper ever on LLMs. There’s something incredibly funny in the Humanities coming back to haunt a technology industry and educational system that systematically defunded and deprioritized them.
