You Can't Trust Your Zoom Call Anymore — Deepfakes, DPRK & the New Attack Surface
Show notes:
Deepfakes have moved well past the uncanny valley and into active threat operations, and Tom Cross, Head of Threat Research at GetReal, has the client-side case studies to back it up. Tom explains how North Korean IT worker infiltration campaigns have transformed HR and video conferencing from administrative functions into active attack surface, albeit one that most security teams aren't monitoring, logging, or ingesting into their SIEM.
Drawing on a long-running collaboration with a former West Point professor and intelligence officer, Tom also applies the military framework of tactical, operational, and strategic intelligence to cybersecurity, arguing that most CTI programs are really just lists of burned indicators. The actual value of IOCs, he contends, is retrospective: discovering you were communicating with a known-bad actor means you may still be compromised. He makes the case for connecting adversary intent models, red team findings, and vulnerability data into a unified predictive picture.
Topics discussed:
- How North Korean IT worker infiltration has converted HR processes and video conferencing into an active, unmonitored attack surface
- Voice-cloned peer impersonation via messaging apps, followed by deepfaked video calls and malware delivery
- Why deepfake audio attacks on IT help desk credential reset processes are among the most likely near-term vectors
- Biometric indicators of compromise and the significant false-positive risks that distinguish them from traditional IP or domain IOCs
- How the military intelligence framework of tactical, operational, and strategic analysis applies to CTI programs
- The strategic importance of retrospective IOC analysis versus forward-looking ingestion
- Why DPRK's financial motivation model expands their target set far beyond what traditional nation-state threat modeling would predict
Key takeaways:
- Ingest video conferencing logs into your SIEM.
- Audit your remote credential reset process for social engineering resistance.
- Map red team findings and vulnerability data to specific adversary profiles rather than treating them as a generic remediation backlog.
- Implement retrospective IOC analysis alongside forward-looking blocking.
- Treat DPRK's financial motivation as an equalizer when assessing APT exposure.
- Build threat intelligence at the strategic layer by modeling adversary intent and objectives, not just cataloging observed TTPs.
- Apply extra care to biometric IOC sharing.
- Monitor employee working-hour patterns against claimed time zones as a behavioral indicator of potential employment fraud.
- Extend IOC taxonomy to include multimedia and biometric formats.
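Two of the takeaways above, retrospective IOC analysis and monitoring working-hour patterns against a claimed time zone, are concrete enough to show as detection logic. The following is an added example written for these notes; it is not code from the episode, from Tom Cross or from GetReal. It runs over a constructed video-conferencing join log (the line format, the user names, the RFC 5737 test-range IPs and the claimed UTC offsets are all assumptions made for the example), matches an IOC list received after the fact against the historical events, and computes how often each account joins meetings outside business hours in the zone it claims to work from.

```python
# Added example (not from the episode or from GetReal): two of the checks
# listed above, run over constructed video-conferencing join logs.
#   1. Retrospective IOC analysis: match an IOC list received today against
#      historical join events, because a past match means a possible
#      existing compromise, not just something to block going forward.
#   2. Working-hour profiling: convert each account's join times into the
#      time zone it claims to work from and compare against a business-hours window.
# Log format, IPs (RFC 5737 test ranges), user names and claimed offsets are
# all constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed join events, one per line: UTC timestamp, meeting id, user, source IP.
MEETING_JOIN_LOG = """\
2024-03-04T15:02:11Z meeting=m-101 user=alice join_ip=203.0.113.10
2024-03-05T16:30:00Z meeting=m-102 user=alice join_ip=203.0.113.10
2024-03-06T20:15:00Z meeting=m-103 user=alice join_ip=203.0.113.10
2024-03-04T10:05:00Z meeting=m-101 user=bob join_ip=198.51.100.77
2024-03-05T11:40:00Z meeting=m-102 user=bob join_ip=198.51.100.77
2024-03-06T09:55:00Z meeting=m-104 user=bob join_ip=198.51.100.77
2024-03-07T18:00:00Z meeting=m-105 user=bob join_ip=198.51.100.77
"""

# Claimed working location as a fixed UTC offset in hours (assumption: in a real
# deployment this comes from HR records, normally as an IANA zone name).
CLAIMED_UTC_OFFSET_HOURS = {"alice": -6, "bob": -8}

# Business-hours window in claimed local time: inclusive start hour, exclusive end hour.
WORK_HOURS = (7, 19)


def parse_join_log(text):
    """Parse the constructed join-log format into event dicts with aware UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
        for field in fields:
            key, value = field.split("=", 1)
            event[key] = value
        events.append(event)
    return events


def retrospective_ioc_matches(events, ioc_ips):
    """Return historical join events whose source IP appears in a newly received IOC set."""
    return [
        {"user": e["user"], "meeting": e["meeting"], "ip": e["join_ip"], "ts": e["ts"].isoformat()}
        for e in events
        if e["join_ip"] in ioc_ips
    ]


def off_hours_fraction(events, offsets, work_hours=WORK_HOURS):
    """Fraction of each user's joins that fall outside work_hours in their claimed zone."""
    totals = defaultdict(int)
    off_hours = defaultdict(int)
    for e in events:
        user = e["user"]
        if user not in offsets:
            continue  # no claimed location on file, so the check cannot be applied
        local = e["ts"].astimezone(timezone(timedelta(hours=offsets[user])))
        totals[user] += 1
        if not (work_hours[0] <= local.hour < work_hours[1]):
            off_hours[user] += 1
    return {u: off_hours[u] / totals[u] for u in totals}


def flag_schedule_mismatch(events, offsets, threshold=0.5):
    """Users whose off-hours join fraction reaches the threshold: a lead for review, not proof."""
    fractions = off_hours_fraction(events, offsets)
    return sorted(u for u, f in fractions.items() if f >= threshold)


if __name__ == "__main__":
    events = parse_join_log(MEETING_JOIN_LOG)
    # Constructed IOC list "received" after the events above were logged.
    new_iocs = {"198.51.100.77"}
    for m in retrospective_ioc_matches(events, new_iocs):
        print("historical IOC match:", m)
    print("off-hours fractions:", off_hours_fraction(events, CLAIMED_UTC_OFFSET_HOURS))
    print("schedule mismatch candidates:", flag_schedule_mismatch(events, CLAIMED_UTC_OFFSET_HOURS))
```

The retrospective query is the point the episode makes about IOC value: the interesting output is not the block rule for tomorrow but the four historical joins from the listed IP, which mean that account and those meetings need investigation now. The working-hour check is deliberately a ratio with a threshold rather than a single-event alert, because one late-night meeting is normal and only a sustained pattern in the claimed zone is a fraud indicator worth handing to HR.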