Who has the upper hand in cyber, between the criminals and the security teams? asks Andy Swift, pictured, Cyber Security Assurance Technical Director at Six Degrees, a cloud managed service provider.
The battle between cybercriminals and security teams has defined and shaped much of the 21st century. Unfortunately, security teams often find themselves playing catch-up โ and, while cyber-attacks frequently grab the headlines, wins and victories over cybercriminals are rarely publicised (for obvious reasons). Security teams are always disadvantaged because they must defend all possible entry points. An attacker only needs to find and exploit one weakness or vulnerability. It reminds me of that chilling taunt from the IRA to Margaret Thatcher after the Brighton bombingโ โwe only have to be lucky once; you have to be lucky every dayโ.
AI in the hands of cybercriminals
The mainstream emergence of AI has provided a new weapon for cybercriminals and new defence capabilities for security teams โ but which side will ultimately benefit? At first glance, we might expect the bad actors to be quickest off the mark. Like it or not, they tend to be more agile and innovate at a faster pace than large organisations or governments. But is that actually the case? Could AI offer some hope of victory for security teams?
More cybercriminals, more frequent attacks
In the same way that AI could help you or me draft a dissertation in half an hour โ even with no real understanding of the topic, AI can help people with little or no cyber-attack experience to generate exploit code quickly. This is worrying, as it has the potential to create swathes of new cybercriminals. If that wasnโt bad enough, AI can also help advanced cybercriminals create more complex attacks and increase the pace at which they are launched.
Tricking AI chatbots to do your dirty work
AI makes it far easier to create malware and exploit vulnerabilities. Even the most popular chatbots such as ChatGPT can help with certain nefarious endeavours โ you just have to know the right questions and how to frame them to avoid suspicion. If you ask ChatGPT to build malicious code that would extract sensitive system files, or perform a well known pattern of exploitation – opening an executable file via a DLL file maybe – itโll say no. But, if you break down the task and ask about each action in isolation, you can eventually get a full answer with a bit of patience.
AI is good at impersonating humansโฆ and fooling them
AI is also helping bad actors create ever-more complex phishing templates by producing legitimate-looking content and conducting fast, in-depth analysis of potential victims to find and exploit their weaknesses. In addition, generative AI allows attackers to recreate emails in the style of the person they want to impersonate by mimicking personal details such as speech patterns, writing styles, and nicknames.
Fighting fire with fire: AI as cyber security defence
There is, however, reason to be optimistic. Not every AI-related development or implementation is exclusively helping cybercriminals. AIโs ability to conduct data analysis at speed and scale has handed a major advantage to security teams. Itโs just a matter of applying and focusing its power. Here are two examples to consider:
Turbo-charged log parsing
Almost every IT component (servers, laptops, smartphones, applications) generates a log that contains operational and performance-related information. IT teams have always used these logs to find the root of failures or performance drops. But security teams, seeing their value in tracing the origins of cyber-attacks, began investigating, too.
Without getting too technical, these logs while helpful are not always in a standard format and often need converting into a common format for analysis. Often, customised tools need to be written to automate reading and analysing data (known as log parsing). For a long time, both creating tooling and reviewing data was a manual task, sometimes backed with some programmatic logic to identify potential artefacts of interest. But as the speed, frequency, and sophistication of attacks grew, security teams were often left on the back footโsometimes only identifying attacks after theyโd entered the network and caused significant damage.
AI and machine learning has recently helped speed up and scale this process to the advantage of defensive teams. They can help spot known and sometimes new malicious attack patterns, create algorithms/tooling that can spot the early warning signs of a cyber-attack by uncovering subtle changes in a hostโs behaviour. These use cases can not only help speed up the investigation processes following a breach but also move security teams from a reactive to a proactive stance, transforming log analysis for the better.
Taking this one step further, combining AI with common SIEM and SOC tools can allow security teams to get one step ahead of cybercriminals, predict potential threats on their network before cybercriminals strike, and address any system weaknesses that could benefit bad actors.
Fuzz testing or fuzzing
Fuzz testing or fuzzing is a form of software testing. It was originally used by software developers to discover and rectify coding errors, defects, or vulnerabilities within an input to a given piece of software.
This also gained popularity among security teams in a bid to stay one step ahead of cybercriminals by identifying vulnerabilities/bug hunting. Fuzzing works by โinjectingโ random or unexpected inputs into various software inputs and then monitoring said software to see how it reacts. If it succumbs, produces an error, crashes, etc. the security team will look at how the program is handling input and identify ways to close down the vulnerability. In a similar way to log parsing, reviewing results of a fuzz test and subsequent actions to build a working exploit can be somewhat of a manual process.
At the start of this year, Google open-sourced its own AI-boosted fuzzing framework, and there are a growing number of AI-enhanced fuzzing solutions on the market. As with log parsing, AI speeds up and scales up the process. This enables security teams to bombard their software with significantly more inputsโhelping to spot a greater number of potential vulnerabilities at an even faster pace.
As theyโre AI-based and drawing on machine learning, this new generation of fuzzing solutions should be able to gather information and outputs from new cyber-attacks as they happen around the world, analyse them, and inject the necessary test inputs into an organisationโs IT infrastructure. In theory, this could help keep security teams one step ahead of the cybercriminals for quite some time.
Itโs true that AI is lowering the bar of entry for creating malware, exploits and vulnerabilitiesโand speeding up the rate at which attacks can be launched. But, as yet, it hasnโt created any new threats; itโs all the old familiar tactics that security teams have seen before. However, given the pace of change that AI can facilitate, it can only be a matter of time until we see a new breed of attacks that exploit different system vulnerabilities.
Itโs also correct that some AI-enhanced cyber defence tools and techniques, such as fuzzing, are also being appropriated by bad actors. However, itโs still quicker and easier for focused security teams to analyse and fix vulnerabilities in their own systems than for bad actors to identify them from scratch. So, on balance, I think security teams now have a major ally in AI, at least at this point in timeโand itโs one they should exploit sooner rather than later.
But I would sound a note of caution: having AI-enhanced cyber defence is all well and good, but itโs like having a gym membership. Simply owning it and paying the monthly subscription isnโt enough; you have to use it regularly to get the benefit and see the results. Used in conjunction with AI, automation and machine learning are invaluable tools, but security teams must stay on top of regular testing, monitoring, and checking for vulnerabilities. They also need to keep reminding staff across the organisation to always be vigilant and on their guard โ particularly as AI takes on even more human characteristics.
