This blog post digs into why cyber conflict starts with mouse clicks, not missiles – and why waiting for policy to save you is a losing strategy. We’ll unpack lessons from recent state-backed breaches and show you how to level up your team’s real-world defense skills with threat-informed training, before the next advanced persistent threat shows up uninvited to your network.
In 2025, the cybersecurity landscape isn’t just evolving – it’s accelerating. State-backed cyberattacks, geopolitical tensions, and a fragmented regulatory environment have placed cyber resilience squarely at the top of boardroom agendas. But while the threats are growing, clear directives and unified mandates are not.
Cybersecurity leaders are left asking: If federal policy won’t dictate readiness, how can we validate that we’re prepared?
The policy gap: Why the One Big Beautiful Bill won’t save us
Despite its sweeping scope, the recently passed One Big Beautiful Bill Act (H.R.1, P.L. 119-21) is notably silent on cybersecurity policy. It includes:
- Investments of $150M to the Department of Defense for business system modernization, including AI-aided financial auditing
- $200M for AI-enabled audit systems
- $20M to DARPA cybersecurity research efforts
- $250M for Cyber Command’s AI “lines of effort”
- $685M toward military cryptographic modernization, including quantum benchmarking
While these appropriations equip government agencies to modernize and strengthen cyber and crypto capabilities, they stop short of mandating new cross-industry controls, standards, or compliance obligations for private sector entities.
Organizations can’t depend on Washington to drive cyber resilience strategy, given how dynamic the landscape is today.
Instead, leaders must build proactive, measurable programs rooted in industry frameworks like NIST CSF, ISO 27001, and MITRE ATT&CK. At the same time, they need to monitor shifting government risk priorities, evolving state-level regulations, and sector-specific requirements like the Digital Operational Resilience Act for financial services.
In short, cyber resilience remains an internal obligation, not an external mandate.
The stakes are rising: Salt Typhoon breach proves it’s about people
In June 2025, a DHS memo confirmed that Salt Typhoon, a Chinese state-linked hacking group, gained extensive, months-long access to a U.S. Army National Guard network. This breach wasn’t just a military problem – it highlighted systemic risks across civilian infrastructure, state governments, and critical services.
The attackers stole administrative credentials, internal diagrams, network configurations, and PII of service members, creating opportunities for lateral movement and follow-on attacks against civilian sectors.
As Ellis, a cybersecurity advisor quoted in the memo, pointed out:
"An intrusion on a National Guard isn't a 'military only' operation. States regularly engage their Guard to assist with cyber defense of civilian infrastructure."
This breach underscores the harsh reality that cyber adversaries aren’t bound by the Law of Armed Conflict – and they’re fully prepared to target civilian infrastructure as part of their strategy.
Cyberwar is official: NATO’s Article 5 sets a new precedent
NATO now explicitly recognizes cyberattacks as potential triggers for Article 5 collective defense measures.
This isn’t about responding to routine ransomware or phishing scams – it’s about preparing for strategic-level attacks that can disrupt economies, paralyze infrastructure, or compromise national defense.
To meet this challenge, NATO is expanding joint cyber exercises like Locked Shields and Cyber Coalition, simulating real-world adversaries and integrating civilian infrastructure into their scenarios.
Our key lesson? Modern conflict starts in cyberspace – and organizations need to train for it before the first packet hits.
Train like the threat is already inside
1. State-sponsored threat actor playbooks
Train your team to recognize and respond to APT tactics in the wild. From credential harvesting to stealthy exfiltration, hands-on simulations build muscle memory against real adversary behaviors – not textbook theory.
- Get hands-on with Threat Actors: Salt Typhoon and explore a recent SNAPPYBEE Campaign Analysis to see how the group uses backdoors to conduct espionage operations.
- Our complete Threat Actors collection covers a wide range of threat groups and their TTPs, providing practical simulations that build muscle memory against real adversary behaviors.
- We’ve talked about APT29 before 🙅♀️🐻 and they remain an active threat. Refresh with APT29: Threat Hunting with Splunk and dig into practical nation-state threat intelligence and IOC analysis.
2. Salt Typhoon TTP training
Defend against the tactics actually used in the Salt Typhoon breach:
- Lateral movement: Our MITRE ATT&CK collection covers lateral movement tactics, providing comprehensive training on how attackers move within a network and how to defend against such actions.
- Credential compromise: The Credential Access collection offers practical experience in understanding and mitigating credential access vulnerabilities, which is crucial for defending against credential compromise.
- Network reconnaissance: Our Reconnaissance collection focuses on various techniques and tools used for gathering information, which can help in understanding and defending against network reconnaissance.
- Data exfiltration: Another hit for the Incident Response collection! These labs are specifically designed to teach incident responders how to detect data exfiltration.
Put your team in the hot seat and test their response before the next real-world incident hits.
3. AI-readiness for cyber defenders
AI is transforming both red and blue team tactics. Prepare with practical training to drive understanding of AI model risks (e.g. prompt injection, data leakage) and build skills defending AI-enabled environments before attackers exploit them.
- The AI Fundamentals collection offers a broader understanding of AI's role in cybersecurity, covering topics like data ethics, TensorFlow for machine learning, and emerging threats.
- The AI Challenges collection focuses on identifying vulnerabilities in AI systems, such as AI plugin injection and prompt injection attacks, providing hands-on experience in mitigating AI security risks.
Together, these collections provide comprehensive training on both understanding and defending AI-enabled environments against potential threats.
4. Incident response: No-doze drills
Run full-cycle incident response simulations, from detection to containment to recovery. Focus on the messy middle: ambiguous alerts, cross-team coordination, and real-time decision-making under pressure.
- Train with our Introduction to Incident Response and Incident Response collections. These collections cover the entire incident response process, including detection, containment, and recovery, with an emphasis on cross-team coordination and real-time decision-making.
- Then, test your skills with our new Cyber Range Exercise inspired by Salt Typhoon with simulated malware, or our Crisis Simulations focused on nation-state attacks.
5. Critical infrastructure and IT/OT defense modules
Your OT environment isn’t off-limits to adversaries. Practice defending blended IT/OT networks, identify cascading risks, and rehearse failover processes when the grid comes under cyber-fire.
Explore the following collections that are part of our new Operational Technology offering:
These labs are valuable for practicing defense strategies in blended IT/OT networks and understanding cascading risks in critical infrastructure.
You can also experience actual incidents like the Norwegian Dam Compromise: Campaign Analysis!
Conclusion: Build cyber resilience before the next state-backed attack
The One Big Beautiful Bill won’t mandate cyber resilience. NATO knows cyberwar is already here. And Salt Typhoon’s breach shows that the human element is still the biggest vulnerability facing businesses, entities, and nation states alike.
That’s why continuous skills development, validated readiness, and real-world scenario training aren’t optional. Adhere to tested frameworks and operational rigor for your people, processes, and technology.
Share your thoughts
If you’re not sleeping on state-backed threats, set the alarm and kickstart your team’s readiness. Have you prioritized specific procedures or skills in response to the latest nation-state activity from groups like Salt Typhoon? Share your tips (or your favorite preparedness quote) in the comments below!
Train like it’s game day – because for state-backed threats, it already is. Stay sharp and threat-ready by following the Human Connection blog for more updates like this.