Luke McNamara of Google Threat Intelligence on AI, identity-driven attacks, and global collaboration to outpace advanced cyber adversaries.
In today’s cyber battleground, attackers are evolving faster than ever—and defenders can’t afford to play catch-up. Luke McNamara, Deputy Chief Analyst at Google Threat Intelligence Group, has spent over a decade at the forefront of uncovering and countering some of the world’s most sophisticated threat actors. From state-sponsored espionage campaigns to financially motivated cybercriminal operations, McNamara has seen how tactics, techniques, and procedures (TTPs) have shifted—where phishing gives way to credential abuse, and identity has become the new front line.
In this conversation, McNamara explores the changing nature of cyber threats, the balancing act between AI-driven speed and human tradecraft, and the strategic collaborations needed between governments, enterprises, and global intelligence communities to counter advanced persistent threats. He also shares his perspective on what it takes to turn overwhelming volumes of threat data into actionable insights—and the skills the next generation of cyber professionals must master to stay ahead.
Full interview:
How have the TTPs of nation-state and financially motivated cyber threat actors evolved over the past decade, and what key shifts will shape the threat landscape in the next five years?
There is diversity in the landscape today regarding the TTPs of advanced threat actors. Exploits against edge infrastructure continue to make up roughly a third of the incidents we investigate. Phishing, while still prevalent, has declined as a percentage of initial intrusion vectors over the last three years. Identity has become much more important than ever, and brute force attacks or leveraging stolen credentials have become more prevalent. Ultimately, while many of the motivational drivers of state-sponsored or criminal actors remain the same today, these threats more often manifest in a way that seeks to exploit the visibility gaps of defenders.
How does Google Threat Intelligence cut through vast cyber threat data to deliver actionable insights for enterprises and governments?
With a global customer base across many different industries and sectors, it can be a challenge to prioritize the right threats. Ultimately, when we are doing our job best, we are scoping down the right threats our customers need to focus on. There can be a lot of noise in an ever-changing environment, but threat intelligence should help enterprises zero in on the threats that, from a prolificacy, impact, or emerging nature, matter the most.
How do you balance using AI for threat detection without overreliance, which could hide evolving threats or add new risks?
Speed in detection and response is paramount in dealing with today’s threats. For example, the global median dwell time (the time between initial intrusion and detection) for ransomware last year was only 6 days. We must find new ways to leverage artificial intelligence to close the gap and neutralize threats before data exfiltration or an impactful incident occurs.
Speeding up the triaging of alerts, reducing false positives and negatives in malware analysis, and discovering new vulnerabilities are just some of the ways that AI is shaping how we respond to threats. Every region and sector faces a workforce shortage and skills gap in cyber. Hence, the more we can upskill faster and help enable human defenders to do more in countering the adversary, the better.
What strategies can strengthen global collaboration between the private sector, governments, and allies to counter advanced cyber threats?
Threat intel sharing and training (especially around specific use cases, such as threat hunting for a particular actor) are two areas where there is always room for more collaboration. While threats can manifest globally, sometimes different countries or industries see more of a given threat, and sharing those insights can make us all safer. Increasing our partners’ capability to find more threats increases our collective understanding of the threat landscape.
In high-pressure cyber incidents, what core leadership principles guide your team and drive decisive action?
Threat intelligence can often face the problem of information silos, where data is not as widely shared as it needs to be. Having processes in place to marshal resources when there is an incident or large-scale event, and especially to ensure that information is shared with as broad an audience of defenders as possible, has been found to be critical. After-action reviews following such events are also essential to assess room for improvement.
How does Google Threat Intelligence balance speed with depth and accuracy in responding to emerging threats?
Getting attribution right has always been a core value of our organization’s goals. Stealthy threat actors who take care in obfuscating their behavior do not always lend themselves to speedy analysis, but we must get those calls right. Going back to the importance of processes, balancing the ability to provide assessments on emerging threats with methodical tradecraft rapidly is part of the fundamental work of any intelligence team.
What key skills and mindsets will be most valuable for future cyber threat intelligence professionals?
The adoption of AI will enable security professionals to spend more time on higher-level tasks. We know the threats we will face and the technology we use will continue to change from what they are today, but creative thinking and communication skills will continue to be paramount for anyone working in any organization tackling the next generation of security challenges.