
How hackers and art forgers perfected the art of deception

March 26, 2026

Unmasking fraudsters is a challenge the art world has faced for decades, and Elmyr de Hory’s work offers valuable lessons that can be applied to defensive cybersecurity. In the 1960s, de Hory gained notoriety as a leading forger, passing forged masterpieces attributed to Picasso, Matisse, and Renoir to unsuspecting collectors and prestigious museums. Over the ensuing decades, more than 1,000 of his works slipped through the hands of experts who relied on trusted signatures, well-known patterns, and reliable provenance.

This is similar to the challenges SOCs currently face. We are truly entering the age of imitation. AI-powered cyber attackers have learned to imitate familiar users, masquerade as trusted users, and hide their activities within legitimate processes and normal network traffic. History shows that identifying scammers is often easy if you know what to look for.

Key points for defenders:

  • Imitation is the new normal: 81% of attacks do not contain malware
  • Agentic AI allows attackers to hide more effectively within innocuous network traffic and behavior
  • Defense in depth requires more layers to extend protection across software supply chains and federated identities
  • NDR increases visibility to detect and neutralize “fakes”

The rise of imitation in modern attacks

Just as de Hory repurposed old canvases and pigments to make his paintings appear more authentic, attackers employ similar techniques in the digital realm, leveraging trusted tools and credentials to inject malicious activity. And while imitation-based techniques have long been a staple of attacker strategies, they have become more sophisticated over the past few years. Living-off-the-Land (LotL) attacks and AI-enhanced attack tools are raising the bar for counterfeiting. According to CrowdStrike’s 2026 Global Threat Report, 81% of attacks currently do not involve malware and instead rely on legitimate tools and techniques, which is a hallmark of LotL tactics. Identifying these fakes right away is not just an option. It is one of your best chances to stop an attack before it causes any real harm.

Field guide to network impersonation:

Agentic AI-supported actors

These are autonomous or semi-autonomous agents that generate fake identities and code and mimic behavior at scale.

De Hory had a complex support network for selling his paintings, involving art dealers and other representatives from many countries and cities. When some potential buyers became suspicious, he began selling his work under various pseudonyms. This is similar to what is currently happening with the use of cheap AI agents. Not only are they used to forge trusted identities to commit fraud, they are now being used to create exploit code to leak secrets and scripts to infect endpoints, forming the basis of large-scale attacks. Sophisticated self-learning agents observe network behavior, continuously adjust their own traffic, and mirror their patterns to fool anomaly detection. They convert C2 traffic into bursts that match legitimate spikes and manipulate the signal just enough to avoid standing out. Legitimate agents are then used as orchestrators of other exploit tools to automate and scale attacks.

Supply chain and cloud fraudsters

Counterfeit or compromised components masquerading as trusted software, updates, or cloud services.

Attackers use malicious AI agents to create layers of complexity in the software supply chain. The agent swaps in malicious software and disguises this code as just another benign update, making it difficult to uncover the origin and root cause of the exploit. These types of exploits mean that attackers don’t have to directly fool network defenders or software developers. This is what Microsoft researchers discovered in the Shai Hulud v2 worm. Attackers modified hundreds of software packages to provide a coordinated ecosystem for harvesting developer credentials and API secrets, then increased their effectiveness by masquerading as legitimate software updates and propagating through trusted internal network shares. Supply chain attacks have been around for years (think SolarWinds), but AI agents have sped up the production and distribution of attacks.

Cloud-based deception is also accelerating. For years, attackers have used fake login pages and spoofed cloud repositories that mimic the design and branding of legitimate services to trick users into handing over their credentials. AI-powered tools have the potential to enhance the creation of these convincing fakes, allowing attackers to generate fraudulent sites faster and at scale.

Covert tunnels

Techniques for hiding malicious traffic within authorized protocols or encrypted channels.

De Hory expanded his network by using galleries and other agents to hide his transactions and sell counterfeit goods. Today’s attackers are doing similar things, using IP tunnels to hide network conversations and hide malicious activity within legitimate-looking traffic. Another cloaking mechanism uses intentionally mismatched requests and responses, such as requests for sensitive web data from unknown destinations, to avoid detection. Attackers use these methods to disable security protections and hide within corporate networks for months, waiting for the right moment to attack. In addition to these techniques, mobile app stores have long been plagued by fake apps containing malware, including recent examples of visual search tools hiding remote execution exploits.

Rogue infrastructure

An attacker-controlled server, domain, or service designed to mimic legitimate infrastructure.

De Hory evaded detection by traveling frequently from city to city around the world. Cyber attackers employ similar strategies, launching lookalike servers, domains, and services under their control that impersonate trusted infrastructure. Recent research from Microsoft shows that attackers lured users with fake Teams meeting messages and directed them to credential harvesting sites disguised as legitimate login pages. These fake connections can be the precursor to a series of attempts to take control of network resources and data. The fake server could then be used to compromise and extract sensitive data, which could later be used to launch a ransomware campaign.

Finally, phishing

Deception is at the heart of any phishing campaign. Today’s campaigns use all sorts of forgery, including fake email addresses that appear to be part of a legitimate domain, which is the basis of a homograph or homoglyph attack. These attacks impersonate legitimate domains by substituting similar-looking characters, and can redirect conversations to a channel under the hacker’s control or be used as part of subsequent phishing campaigns. De Hory would surely be delighted, as he took great pains to imitate the masters’ brushstrokes, color choices, and style.
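The homograph check described above, sketched as an added example that is not part of the original article or any vendor's product: it decodes punycode labels in DNS query records, flags labels that mix writing systems, and compares a character-folded form against a trusted list. The trusted domains, the lookalike map and the log records are all constructed assumptions.

```python
import unicodedata

# Assumption: the organisation's own list of domains users are expected to reach.
TRUSTED = ["example.com", "login.example.com", "teams.example.net"]
# Hand-picked lookalike map (assumption; production checks use the full Unicode
# confusables data): Cyrillic a, e, o, p, c, i and two digit-for-letter swaps.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0456": "i", "0": "o", "1": "l"}

def to_unicode(domain):
    """Decode xn-- (punycode) labels so the form a user sees is inspected."""
    labels = domain.lower().rstrip(".").split(".")
    for i, label in enumerate(labels):
        if label.startswith("xn--"):
            try:
                labels[i] = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep an undecodable label unchanged
    return ".".join(labels)

def scripts(label):  # writing systems used by the letters of one label
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def skeleton(domain):  # fold lookalike characters onto their ASCII twin
    return "".join(CONFUSABLES.get(c, c) for c in domain)

def classify(domain):
    """Return the reasons a domain looks forged, or None if it does not."""
    shown = to_unicode(domain)
    if shown in TRUSTED:
        return None
    mixed = any(len(scripts(label)) > 1 for label in shown.split("."))
    reasons = ["mixed-script label"] if mixed else []
    reasons += [f"lookalike of {t}" for t in TRUSTED if skeleton(shown) == skeleton(t)]
    return reasons or None

# Constructed DNS query records (timestamp, client, query); not real traffic.
SAMPLE_LOG = "\n".join([
    "1774500000\t10.0.0.5\tlogin.example.com",
    "1774500007\t10.0.0.9\txn--" + "ex\u0430mple".encode("punycode").decode() + ".com",
    "1774500011\t10.0.0.9\tteams.examp1e.net",
    "1774500020\t10.0.0.7\twww.example.org",
])

def scan(log_text):
    rows = (line.split("\t") for line in log_text.splitlines())
    return [(client, to_unicode(q), classify(q)) for _ts, client, q in rows if classify(q)]
```

Calling `scan(SAMPLE_LOG)` returns one tuple per suspicious query, with the client address, the decoded domain and the reasons it was flagged.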

How NDR exposes fakes

The similarities between de Hory’s forgeries and modern cyberattacks are striking. Both rely on imitation, movement, and the exploitation of trusted systems. De Hory was eventually exposed when experts compared multiple works and found stylistic traces that he was unable to hide. Network detection and response (NDR) can catch attackers in the same way, by monitoring for behavioral patterns and anomalies that betray what’s actually happening on your network.

Here are some ways NDR can help expose malicious activity hiding in plain sight.

  • Detecting behavioral anomalies: Even when credentials appear to be legitimate, identify deviations from established network baselines, such as unusual login times, unusual data transfers, or unexpected lateral movements that may indicate imposter behavior.
  • Uncovering protocol and metadata mismatches: Discover mismatches that attackers cannot easily hide, such as strange protocol combinations, traffic to newly registered or homograph domains, or encrypted sessions with suspicious certificate details.
  • Providing context: Enriching raw traffic with metadata that describes the big picture, such as where a connection is coming from, how it behaves over time, and whether it fits a normal pattern, allows analysts to quickly separate real threats from noise.

This example shows how a SOC analyst can test different hypotheses to identify attacks.

As attackers become more sophisticated and leverage AI to extend their deception, defenders will need tools that can see through the noise. NDR works with other security products to provide SOCs with visibility to detect these threats early, before they cause any real damage.

Corelight’s Open NDR platform enables SOCs to detect emerging threats, including those powered by AI techniques. Its multi-layered detection approach includes behavioral and anomaly detection that can identify a range of unique and anomalous network activities. As adversaries develop new attack methods, security teams deploying NDR can strengthen their enterprise defense strategies. For more information, visit corelight.com/elitedefense.

This article is a contribution from one of our valued partners.