operational technology
No Sleep on State-Backed Threats: Train for Cyber Conflict Before It Starts
In 2025, the cybersecurity landscape isn’t just evolving – it’s accelerating. State-backed cyberattacks, geopolitical tensions, and a fragmented regulatory environment have placed cyber resilience squarely at the top of boardroom agendas. But while the threats are growing, clear directives and unified mandates are not. Cybersecurity leaders are left asking: if federal policy won’t dictate readiness, how can we validate that we’re prepared?

The policy gap: Why the One Big Beautiful Bill won’t save us

Despite its sweeping scope, the recently passed One Big Beautiful Bill Act (H.R.1, P.L. 119-21) funds cyber programs but sets no cybersecurity policy. It includes:

$150M to the Department of Defense for business system modernization, including AI-aided financial auditing
$200M for AI-enabled audit systems
$20M for DARPA cybersecurity research efforts
$250M for Cyber Command’s AI “lines of effort”
$685M toward military cryptographic modernization, including quantum benchmarking

These appropriations equip government agencies to modernize and strengthen cyber and crypto capabilities, but they stop short of mandating new cross-industry controls, standards, or compliance obligations for private sector entities. Organizations can’t depend on Washington to drive cyber resilience strategy, given how dynamic the landscape is today. Instead, leaders must build proactive, measurable programs rooted in industry frameworks like NIST CSF, ISO 27001, and MITRE ATT&CK. At the same time, they need to monitor shifting government priorities and the risks they signal, evolving state-level regulations, and sector-specific requirements like the EU’s Digital Operational Resilience Act (DORA) for financial services. In short, cyber resilience remains an internal obligation, not an external mandate.

The stakes are rising: Salt Typhoon breach proves it’s about people

In June 2025, a DHS memo confirmed that Salt Typhoon, a Chinese state-linked hacking group, had gained extensive, months-long access to a U.S. Army National Guard network. This breach wasn’t just a military problem – it highlighted systemic risks across civilian infrastructure, state governments, and critical services. The attackers stole administrative credentials, internal diagrams, network configurations, and PII of service members, creating opportunities for lateral movement and follow-on attacks against civilian sectors: a network diagram plus working admin credentials tells an attacker which neighbouring networks trust this one and how to reach them. As Ellis, a cybersecurity advisor quoted in the memo, pointed out: "An intrusion on a National Guard isn't a 'military only' operation. States regularly engage their Guard to assist with cyber defense of civilian infrastructure." This breach underscores the harsh reality that cyber adversaries aren’t bound by the Law of Armed Conflict – and they’re fully prepared to target civilian infrastructure as part of their strategy.

Cyberwar is official: NATO’s Article 5 applies in cyberspace

NATO has held since the 2014 Wales Summit that a cyberattack can trigger Article 5 collective defense measures, and the Alliance has reaffirmed that position repeatedly since. This isn’t about responding to routine ransomware or phishing scams – it’s about preparing for strategic-level attacks that can disrupt economies, paralyze infrastructure, or compromise national defense. To meet this challenge, NATO runs large joint cyber exercises like Locked Shields and Cyber Coalition, simulating real-world adversaries and integrating civilian infrastructure into their scenarios. Our key lesson? Modern conflict starts in cyberspace – and organizations need to train for it before the first packet hits.

Train like the threat is already inside

1. State-sponsored threat actor playbooks

Train your team to recognize and respond to APT tactics in the wild. From credential harvesting to stealthy exfiltration, hands-on simulations build muscle memory against real adversary behaviors – not textbook theory. Get hands-on with Threat Actors: Salt Typhoon and explore a recent SNAPPYBEE Campaign Analysis to see how the group uses backdoors to conduct espionage operations.
Our complete Threat Actors collection covers a wide range of threat groups and their TTPs, providing practical simulations that build muscle memory against real adversary behaviors. We’ve talked about APT29 before 🙅♀️🐻 and they remain an active threat. Refresh with APT29: Threat Hunting with Splunk and dig into practical nation-state threat intelligence and IOC analysis.

2. Salt Typhoon TTP training

Defend against the tactics actually used in the Salt Typhoon breach:

Lateral movement: Our MITRE ATT&CK collection covers lateral movement tactics, providing comprehensive training on how attackers move within a network and how to defend against such actions.
Credential compromise: The Credential Access collection offers practical experience in understanding and mitigating credential access vulnerabilities, which is crucial for defending against credential compromise.
Network reconnaissance: Our Reconnaissance collection focuses on various techniques and tools used for gathering information, which can help in understanding and defending against network reconnaissance.
Data exfiltration: Another hit for the Incident Response collection! These labs are specifically designed to teach incident responders how to detect data exfiltration.

Put your team in the hot seat and test their response before the next real-world incident hits.

3. AI-readiness for cyber defenders

AI is transforming both red and blue team tactics. Prepare with practical training to drive understanding of AI model risks (e.g. prompt injection, data leakage) and build skills defending AI-enabled environments before attackers exploit them. The AI Fundamentals collection offers a broader understanding of AI's role in cybersecurity, covering topics like data ethics, TensorFlow for machine learning, and emerging threats. The AI Challenges collection focuses on identifying vulnerabilities in AI systems, such as AI plugin injection and prompt injection attacks, providing hands-on experience in mitigating AI security risks. Together, these collections provide comprehensive training on both understanding and defending AI-enabled environments against potential threats.

4. Incident response: No-doze drills

Run full-cycle incident response simulations, from detection to containment to recovery. Focus on the messy middle: ambiguous alerts, cross-team coordination, and real-time decision-making under pressure. Train with our Introduction to Incident Response and Incident Response collections. These collections cover the entire incident response process, including detection, containment, and recovery, with an emphasis on cross-team coordination and real-time decision-making. Then, test your skills with our new Cyber Range Exercise inspired by Salt Typhoon with simulated malware, or our Crisis Simulations focused on nation-state attacks.

5. Critical infrastructure and IT/OT defense modules

Your OT environment isn’t off-limits to adversaries. Practice defending blended IT/OT networks, identify cascading risks, and rehearse failover processes when the grid comes under cyber-fire. Explore the following collections that are part of our new Operational Technology offering:

OT: Fundamentals
OT: Threats and Vulnerabilities
OT: Devices and Protocols

These labs are valuable for practicing defense strategies in blended IT/OT networks and understanding cascading risks in critical infrastructure. You can also experience actual incidents like the Norwegian Dam Compromise: Campaign Analysis!

Conclusion: Build cyber resilience before the next state-backed attack

The One Big Beautiful Bill won’t mandate cyber resilience. NATO knows cyberwar is already here. And Salt Typhoon’s breach shows that the human element is still the biggest vulnerability facing businesses, entities, and nation states alike.
That’s why continuous skills development, validated readiness, and real-world scenario training aren’t optional. Adhere to tested frameworks and operational rigor for your people, processes, and technology.

Share your thoughts

If you’re not sleeping on state-backed threats, set the alarm and kickstart your team’s readiness. Have you prioritized specific procedures or skills in response to the latest nation-state activity from groups like Salt Typhoon? Share your tips (or your favorite preparedness quote) in the comments below! Train like it’s game day – because for state-backed threats, it already is. Stay sharp and threat-ready by following the Human Connection blog for more updates like this.

People, Not Just Firewalls: Why OT Cybersecurity Starts with Training
The wake-up call no one wanted

Just after midnight on September 22, 2024, a suspected ransomware attack forced operators at the Arkansas City, Kansas, water-treatment plant to switch to manual controls, anxiously safeguarding drinking water for the town’s residents.

Downtime hurts more than you think

According to the ITIC 2024 Hourly Cost of Downtime Survey, over 90% of mid-size and large organisations now put the price of a single hour of outage above $300,000, with 41% saying the bill tops $1 million. For OT industries such as energy, costs can reach $2.48 million per hour. When a cyber incident can drain six figures before a morning coffee break, prevention clearly beats recovery.

Why training, not just tech, keeps the plant running

Early threat spotting – Staff who know what a normal human-machine interface (HMI) screen looks like, and therefore what an abnormal one looks like, can isolate a rogue process long before malware reaches the production line.
Fewer human-error openings – Phishing remains attackers’ favourite on-ramp into OT, usually by way of the IT network; rehearsed teams click fewer bad links.
Regulatory head-start – Standards such as IEC 62443 expect demonstrable cyber competence, and the regulators that build on them can levy fines for non-compliance that dwarf the cost of training.

Three quick wins

Role-based micro-modules
What it looks like: Deliver bite-sized, job-specific training, e.g. Modbus for SOC analysts, cyber awareness for OT engineers.
The win: Builds practical, role-relevant cyber instincts.

Table-top drills
What it looks like: Simulate a cyber incident alert and map “who calls whom, who shuts what”.
The win: Prepares teams for real-world response.

Visible leadership
What it looks like: Get managers in the room with frontline staff during training.
The win: Makes security a shared responsibility.

Bottom line

Tools catch packets; people catch trouble. Invest in your workforce’s OT-security skills today, and the next midnight alarm could become just another drill instead of headline news.
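The “Modbus for SOC analysts” micro-module above is a good place to see why the people side matters. Modbus/TCP carries no authentication, so nothing in the protocol distinguishes an engineer’s legitimate write from an attacker’s; the analyst has to judge from context (which host sent it, which function code, which register). The Python script below is an added example and not part of this post or of any lab: it parses constructed Modbus/TCP frames (not a real capture), flags state-changing requests from hosts outside an assumed allowlist, and also flags the Diagnostics sub-functions that can take a device off the network. The IP addresses and the allowlist are hypothetical.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Modbus/TCP function codes that change controller state
# (Modbus Application Protocol Specification V1.1b3).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
DIAGNOSTICS = 8
# Diagnostics sub-functions that restart a device or silence it entirely.
DISRUPTIVE_SUBFUNCTIONS = {1: "Restart Communications Option", 4: "Force Listen Only Mode"}

# Assumed allowlist of hosts permitted to write to controllers
# (hypothetical engineering-workstation address, not from the post).
ALLOWED_WRITERS = {"10.10.0.5"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the PDU that follows it.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    """
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match {len(payload) - 6} bytes present")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def assess(src_ip: str, payload: bytes, allowed_writers=ALLOWED_WRITERS) -> Tuple[str, str]:
    """Classify one request as OK / INFO / ALERT / MALFORMED with a short reason.

    Modbus has no authentication, so the only signals available are who sent
    the request and what it asks the controller to do.
    """
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return ("MALFORMED", f"{src_ip}: {exc}")

    who = f"{src_ip} -> unit {req.unit_id}"
    if req.function in WRITE_FUNCTIONS:
        name = WRITE_FUNCTIONS[req.function]
        if req.function in (5, 6) and len(req.data) >= 4:
            addr, value = struct.unpack(">HH", req.data[:4])
            detail = f"{name} addr={addr} value=0x{value:04X}"
        elif req.function in (15, 16) and len(req.data) >= 4:
            start, count = struct.unpack(">HH", req.data[:4])
            detail = f"{name} start={start} count={count}"
        else:
            detail = name
        if src_ip not in allowed_writers:
            return ("ALERT", f"{who}: {detail} from non-allowlisted host")
        return ("INFO", f"{who}: {detail}")

    if req.function == DIAGNOSTICS and len(req.data) >= 2:
        sub = struct.unpack(">H", req.data[:2])[0]
        if sub in DISRUPTIVE_SUBFUNCTIONS:
            return ("ALERT", f"{who}: Diagnostics sub-function {sub} ({DISRUPTIVE_SUBFUNCTIONS[sub]})")

    return ("OK", f"{who}: function {req.function}")


def scan(records: List[Tuple[str, bytes]], allowed_writers=ALLOWED_WRITERS) -> List[Tuple[str, str]]:
    """Run assess() over (source ip, raw TCP payload) pairs in order."""
    return [assess(src, payload, allowed_writers) for src, payload in records]


# Constructed sample traffic (not a real capture): an HMI polling registers,
# a legitimate engineering write, two requests from an unexpected host,
# and a frame whose length field lies about its size.
SAMPLE_TRAFFIC = [
    ("10.10.0.20", bytes.fromhex("00010000000601030000000A")),  # Read Holding Registers 0..9
    ("10.10.0.5",  bytes.fromhex("00020000000601050013FF00")),  # Write Single Coil 19 = ON
    ("10.10.0.77", bytes.fromhex("000300000006010600010064")),  # Write Single Register 1 = 100
    ("10.10.0.77", bytes.fromhex("000400000006010800040000")),  # Diagnostics: Force Listen Only
    ("10.10.0.20", bytes.fromhex("00050000000901030000000A")),  # length says 9, only 6 follow
]

if __name__ == "__main__":
    for severity, message in scan(SAMPLE_TRAFFIC):
        print(f"[{severity:9}] {message}")
```

Run as-is it prints one verdict per frame; in practice the payloads would come from a SPAN port or pcap on TCP/502. The allowlist is a network control, not a protocol one, and it does nothing against a compromised engineering workstation, which is why the analyst still needs to know which coils and registers matter on their plant. That is the instinct the role-based module is meant to build.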
Learn more at my Labs Live OT Special

Sign up for my Labs Live OT Special on July 15 as I tackle a brand new OT lab collaboratively, with you on a webinar. Register your attendance here!

Share your thoughts

Thoughts or questions? Drop them in the comments. Let’s keep the conversation (and the plant) running.

Operational Technology: What It Is, Why It Matters, and Why Cybersecurity Can’t Wait
What is OT?

Operational technology refers to the hardware and software systems that monitor and control physical devices, processes, and infrastructure. This includes everything from the systems that manage electricity generation and water treatment to manufacturing lines, railway signals, and building automation. Think programmable logic controllers (PLCs), SCADA systems, and human-machine interfaces (HMIs). Unlike IT, which focuses on data, OT is about controlling the physical world: keeping lights on, water flowing, trains running, and factories producing.

Why is OT important?

OT is the backbone of our critical infrastructure. A malfunction or compromise in these systems doesn’t just result in data loss; it can cause physical damage, safety incidents, environmental harm, or massive economic disruption. In other words, OT is where digital risk becomes real-world impact.

Why is OT cybersecurity becoming critical?

Historically, OT networks were isolated; the so-called “air gap” kept them separate from the internet and IT systems. But that gap has been shrinking fast:

IT/OT convergence means OT systems are increasingly connected to enterprise networks for efficiency, monitoring, and remote access.
Legacy systems not designed with cybersecurity in mind are being exposed to new threats. Many field protocols, Modbus among them, carry no authentication at all, so anyone who can reach a controller over the network can command it.
Ransomware and other attacks are now hitting OT environments, either indirectly, as collateral damage from IT infections, or directly, as intentional targets. The Colonial Pipeline incident is the indirect case: the ransomware hit the company’s IT systems, and pipeline operations were shut down as a precaution.

The result? OT systems are now in the crosshairs of threat actors, but they often lack the same level of visibility, patching, and protection that IT environments enjoy.

Share your thoughts

Have you encountered OT in your role? What challenges have you faced? Drop a comment and let’s build some shared knowledge.

Ready to double down on OT? Sign up for my Labs Live OT Special on July 15 as I tackle a brand new OT lab collaboratively, with you on a webinar.
Register your attendance here!