Evolving Threats: Cequence CISO Randolph Barr on API Abuse, Identity Attacks, and the Future of Cyber Defense
- Cyber Jack

- Jul 9
As cyberattacks grow more sophisticated, defenders must evolve just as rapidly. In this Q&A, Randolph Barr, CISO at Cequence Security, breaks down the latest threat actor methodologies — from API abuse to identity-based attacks — and shares how security teams can stay ahead. His insights shed light on the shift from malware to manipulation, and why proactive threat hunting is no longer optional.

How have threat actor methodologies evolved in the past 12-18 months, particularly in terms of initial access and lateral movement techniques? Can you share specific examples or campaigns?
Over the past 12–18 months, we’ve seen a growing shift from traditional malware-based approaches to more subtle, authentication-focused attacks. Initial access is increasingly achieved through methods like credential stuffing, brute force and phishing kits that capture session cookies and bypass MFA protections. Attackers are leveraging known-good credentials from past breaches and pairing them with automation to validate and compromise accounts at scale.
One notable trend is the targeting of login and mobile APIs, an attack surface often overlooked by traditional security controls. The TracFone breaches are a prime example, where attackers exploited the mobile provider's misconfigured APIs to access customer data without needing to bypass typical authentication checks. On top of that, APIs lack support for CAPTCHA-based defenses and are optimized for speed and automation—making them ideal vectors for credential abuse. These attacks often go unnoticed until damage is done, especially in organizations that haven’t integrated behavioral analytics into their authentication flows.
For lateral movement, adversaries are exploiting federated identity systems and misconfigured single sign-on (SSO) environments. Campaigns like Volt Typhoon and the Scattered Spider breaches illustrate how attackers weaponize valid credentials and legitimate tools, such as RMM platforms or PowerShell, to stay undetected while pivoting through networks.
Are you seeing a shift in the use of commodity malware versus custom-developed tools among APTs and financially motivated actors? What does that imply for defenders?
Yes, and it’s a nuanced shift. While advanced persistent threats (APTs) still develop bespoke tooling for highly targeted operations, both APTs and financially motivated actors are increasingly relying on publicly available and commercial tools to achieve their goals. Commodity malware, open-source remote access trojans (RATs) and legitimate IT tools like AnyDesk, TeamViewer or PsExec are favored for their availability and ability to blend into normal traffic.
From a defender’s perspective, this blurs the line between nation-state and criminal activity, making attribution more difficult. It also raises the bar for detection. Rather than relying on malware signatures or known IOC lists, defenders must focus on how tools are used, in what context, and with what intent. This makes techniques like behavioral analytics, threat hunting informed by MITRE ATT&CK and contextual anomaly detection far more valuable than traditional perimeter controls.
Can you walk us through a recent incident where an attacker’s methodology stood out, either in creativity, stealth, or persistence? What should defenders learn from that case?
While not as recent, one of the most striking examples that has stood out to me was the wave of fake “CrowdStrike fixes” that circulated in the aftermath of the well-publicized Falcon Agent update outage. Threat actors quickly spun up domains like “crowdstrike.a.com,” which, at a glance, looked legitimate but were used to distribute data wipers and malware.
What made this campaign effective was not novel tooling but social engineering and timing. Attackers capitalized on a moment of industry-wide confusion and urgency, knowing that admins were under pressure to restore services. It was a textbook case of exploiting trust in familiar brands and the human impulse to act quickly during a crisis.
However, security isn’t just about technology. It’s about people. Creating a culture of security awareness means training employees to pause, verify URLs, and think critically before clicking. Simulated phishing exercises and continuous education help build this muscle memory. Still, even seasoned professionals can slip up. That’s why it’s crucial to pair awareness with robust, adaptive security tools. Human vigilance is essential, but it’s not infallible.
From a defender’s standpoint, how can threat actor methodology inform better threat hunting practices? Can you share a concrete example of this in action?
Threat actor methodology, specifically their tactics, techniques and procedures (TTPs), is a roadmap for proactive defense. Instead of waiting for alerts to fire, defenders can use known TTPs to build hypotheses and hunt for signs of compromise.
Consider this: if you know your organization is a likely target for credential abuse, especially through mobile APIs, your security team can build hypotheses around how those attacks would manifest. Threat actors often validate stolen credentials using login endpoints, leveraging automation to rapidly cycle through attempts. By applying that knowledge, your team can proactively hunt for indicators like high-velocity login attempts from diverse IP addresses, the reuse of common passwords across multiple accounts, or spikes in failed authentications during off-hours.
The goal isn’t to chase every anomaly. It’s to operationalize threat intelligence in a way that aligns with real business risk. When threat hunting is guided by adversary methodology, it becomes a force multiplier for your existing controls and helps surface issues before they become incidents.
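As an added illustration of the three hunt hypotheses described in this answer (not code from the interview, from Cequence, or from any product), the following Python runs them over constructed login-API events. The event shape, the `pw_fp` field (assumed to be a salted fingerprint of the submitted password, never the password itself) and the thresholds are all assumptions; call `hunt(EVENTS)` to see the findings.

```python
"""Credential-stuffing hunt hypotheses run over constructed login-API events."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2025, 7, 1, 2, 14, 0)  # 02:14 local time: off-hours
# Constructed events: (timestamp, source IP, account, result, pw_fp).
# pw_fp is an assumed salted fingerprint of the submitted password, never the password.
EVENTS = [
    (BASE + timedelta(seconds=2 * i), f"203.0.113.{i % 12}", f"user{i:02d}", "fail", "fp-common")
    for i in range(24)  # 24 failures in 46 s from 12 IPs, all trying one password
] + [
    (BASE.replace(hour=10), "198.51.100.7", "alice", "success", "fp-alice"),
    (BASE.replace(hour=10, minute=16), "198.51.100.7", "alice", "fail", "fp-alice-typo"),
]

def velocity_findings(events, window=timedelta(seconds=60), min_attempts=20, min_ips=10):
    """Sliding window: many attempts from many distinct IPs in a short span."""
    evs = sorted(events)
    hits, start = [], 0
    for end in range(len(evs)):
        while evs[end][0] - evs[start][0] > window:
            start += 1  # slide the window forward until it fits
        chunk = evs[start:end + 1]
        ips = {e[1] for e in chunk}
        if len(chunk) >= min_attempts and len(ips) >= min_ips:
            hits.append((evs[start][0], len(chunk), len(ips)))
    return hits

def password_reuse_findings(events, min_accounts=5):
    """One password fingerprint tried against many different accounts."""
    accounts = defaultdict(set)
    for _, _, user, _, fp in events:
        accounts[fp].add(user)
    return {fp: len(users) for fp, users in accounts.items() if len(users) >= min_accounts}

def offhours_failure_count(events, start_hour=0, end_hour=6):
    """Failed authentications landing inside the off-hours window."""
    return sum(1 for ts, _, _, result, _ in events
               if result == "fail" and start_hour <= ts.hour < end_hour)

def hunt(events):
    """Run all three hypotheses and return the findings for triage."""
    return {
        "velocity": velocity_findings(events),
        "password_reuse": password_reuse_findings(events),
        "offhours_failures": offhours_failure_count(events),
    }
```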
For organizations without mature threat intelligence teams, what are some realistic first steps to integrating threat actor methodology into their security operations?
Start small but strategic. The first step is to map your existing detection capabilities to a threat framework like MITRE ATT&CK. This exercise helps uncover blind spots and informs where you can improve visibility or enrich logs with better telemetry.
Next, prioritize a few high-impact use cases, like defending against credential stuffing or lateral movement via remote admin tools, and build detections or hunts around known TTPs associated with those threats. You can source these from open intelligence feeds, trusted research blogs or even your SIEM’s built-in threat libraries.
Also, integrate threat modeling into incident response planning. Instead of generic “malware outbreak” scenarios, simulate how real-world attackers might gain access to your systems and what they’d target first. This sharpens both your detection rules and your team’s muscle memory.
Lastly, educate your broader IT and DevOps teams. Security doesn’t exist in a vacuum. When developers understand why APIs are targeted in brute force campaigns or why certain IAM misconfigurations lead to privilege escalation, they become partners in defense, not just bystanders.