May 8, 2025

From RSAC to Reality: What Every Security Leader Needs to Know

The RSA Conference (RSAC) 2025 convened over 44,000 cybersecurity professionals in San Francisco to explore the most urgent challenges and innovations shaping our field. Among the many conversations, three themes emerged with clarity and urgency:

  • North Korea’s IT worker infiltration is no longer hypothetical – most enterprises have already been exposed.
  • Netflix’s “Zero Day” scenario isn’t fiction; it mirrors today’s cyber risk environment in unsettling ways.
  • Artificial Intelligence, while transformative, is already being exploited by adversaries – and demands far more scrutiny than hype.

This blog recaps the most important insights from RSAC 2025, especially for CISOs and security leaders focused on insider risk, threat intelligence, and responsible AI deployment.

The Insider Threat from North Korea

At RSAC, nearly every threat intelligence professional had a North Korean IT worker story. These contractors—often unknowingly hired by Fortune 500 companies—initially seek to earn hard currency for the DPRK regime. But as their access grows, some transition into enablers of classic espionage tactics: malware deployment, credential theft, and IP exfiltration.

Mandiant’s John Hultquist put it plainly: “DPRK is weird.” His colleague Charles Carmakal added that most major enterprises have likely employed at least one DPRK worker without realizing it.

As DTEX Systems co-founder Mohan Koo told CyberScoop, these workers aren’t just freelance IT support—they’re often hired as engineers and specialists, and some have gained privileged access to sensitive systems. “They have the keys to the kingdom,” Koo said. While financial motives dominate at first, once inside a company’s infrastructure, Pyongyang’s offensive units often step in to exploit the foothold.

Law enforcement crackdowns followed a wave of public IOCs released by the Republic of Korea in 2022, but the threat hasn’t abated. In fact, Mandiant reported a spike in extortion attempts by terminated DPRK contractors in late 2024. Under pressure to deliver revenue, these individuals began exfiltrating sensitive data—internal documents, customer records, proprietary IP—and using it as blackmail.

DTEX Principal i³ Insider Risk Investigator Michael Barnhart told The Record he’s uncovered evidence that DPRK operatives are expanding beyond corporate targets. In one case, a North Korean agent—using a fabricated identity—was hired by a U.S. political campaign in Oregon to build its website. That position gave them access to the campaign’s content management system, a clear sign the scheme is no longer confined to IT roles.

There’s no question the DPRK campaign is broad, persistent, and evolving. As Mandiant’s Iain Mulholland noted: “If you aren’t seeing DPRK IT workers in your environment, you just aren’t detecting them.”

Zero Day Is Closer Than You Think

Netflix’s Zero Day mini-series returned to the spotlight in a keynote session moderated by former CISA director Chris Krebs. He was joined by co-creator Michael Schmidt, former NSA cybersecurity director Rob Joyce, and former CISA director Jen Easterly for one of RSAC’s most compelling panels: “Hollywood’s Take on Cyber Conflict.”

The session underscored the thin line between fiction and today’s threat landscape. Easterly issued a clear challenge to the security community: “We need to get our act together – the ‘Zero Day’ scenario is not improbable.” Rob Joyce added bluntly, “We can’t patch the crap we have today.”

Joyce and Easterly both called out China’s broad, coordinated cyber strategy aimed at destabilizing U.S. infrastructure and sowing panic. “Everything, everywhere, all at once,” said Easterly, referencing the cascading effect of simultaneous attacks. She left the audience with a moral imperative: “We are the good guys. Speak truth to power. Courage over cowardice. Don’t be complicit.”

The panel closed on Zero Day’s central theme: the fragility of truth. As Schmidt emphasized, “We must figure out how to make the truth as important as it should be.”

The Double-Edged Sword of AI

Artificial intelligence was ubiquitous at RSAC – featured in booths, keynotes, and panel discussions. But one of the more sobering insights came from OpenAI’s February 2025 report on how its tools are being misused by adversaries, including the DPRK.

The case study is especially relevant to insider risk teams: North Korean actors used AI to reverse-engineer recruitment processes, generate fraudulent LinkedIn profiles, fabricate supporting documents, and even create tailored responses to technical interview questions. AI wasn’t just assisting attackers—it was enabling deception at scale.

OpenAI later paused the rollout of GPT-4o in April after it exhibited overly flattering, disingenuous behavior. While seemingly benign, this “sycophantic” bias posed real risk to the decision-making integrity of millions of users and organizations. The episode was a reminder: AI implementation demands precision, oversight, and humility.

Final Takeaways for Security Leaders

RSAC 2025 made one thing clear: the convergence of insider threats, AI misuse, and geopolitical cyber campaigns isn’t a future scenario—it’s already here.

For CISOs and security leaders, the call to action is this:

  • Audit your contractor and developer ecosystems now. DPRK infiltration is not theoretical.
  • Challenge your assumptions around insider risk. Departing employees are not benign.
  • Don’t just deploy AI – govern it. Biases, misuse, and unintended consequences must be accounted for.
  • Stay vocal. Stay courageous. As Easterly said, “Courage over cowardice.”

The theme of this year’s conference – “Many Voices. One Community.” – felt fitting. In cybersecurity, as in national defense, a rising tide of awareness, vigilance, and collaboration lifts all ships.

Request a Threat Briefing for Behavioral Indicators for DPRK

DTEX has identified new behavioral indicators tied to the DPRK RevGen campaign, extending beyond traditional threat detection. To help organizations mitigate this risk, DTEX is offering exclusive 1:1 threat briefings. New findings reveal additional detection insights beyond national security awareness. Secure your briefing to stay ahead of emerging threats.