SentinelOne CISO Identifies ‘Most Pressing Concern’ for Cyber Professionals

At the ISC2 Security Congress conference in Las Vegas in October 2024, innovative AI was a primary focus. To what extent will innovative AI alter the capabilities of attackers — and defenders?

Alex Stamos, Chief Information Security Officer at SentinelOne and lecturer in computer science at Stanford University, spoke with TechRepublic about today's crucial cybersecurity issues and how AI can support or impede attackers. He also discussed how to get the most out of Cybersecurity Awareness Month.

This interview has been condensed and edited for brevity and clarity.

When Small or Medium Enterprises Encounter Major Adversaries

TechRepublic: What is the primary concern for cybersecurity experts today?

Stamos: In my opinion, a large percentage of companies lack the resources to counter the level of adversaries they are up against. If you belong to a small or medium-sized enterprise, you are confronting a financially driven adversary who has gained expertise from targeting large corporations. These adversaries engage in daily practice of breaching organizations, evolving their skills constantly. Unfortunately, the security sector has struggled to create security solutions that can be effectively implemented by small regional institutions such as hospitals or architectural firms.

The disparity between the expertise you can recruit and cultivate versus the adversaries you are contending with is a common challenge faced across various levels within large companies. While you can build effective teams, assembling a team capable of defending against elite adversaries like the Russian SVR or Chinese PLA and MSS, which are the type of adversaries involved in geopolitical threats, is exceedingly difficult. Hence, at every tier, there exists a form of mismatch.

Defenders Lead in Utilizing Progressive AI

TechRepublic: Can advanced AI significantly empower adversaries?

Stamos: Presently, artificial intelligence has been beneficial for defenders as they have invested in research and development. A fundamental concept behind SentinelOne was to employ what was previously known as AI, machine learning, for detection instead of relying on signature-based detection methods. We use progressive AI to enhance operations within Security Operations Centers (SOCs). This allows users without advanced training to utilize our platform to pose simple queries such as “show all devices that installed new software within the past 24 hours” in natural language rather than complex queries. Hence, defenders are reaping the initial benefits.

Although attackers are beginning to integrate AI into their strategies, they have not yet fully capitalized on its advantages, which is a cause for concern. Currently, most of the outputs generated by GenAI are meant for human evaluation. The challenge with GenAI lies in the fact that for large language models or diffusion models related to images, the potential outputs for a legitimate English output are virtually infinite, contrasting the highly constrained output space for exploits executed by a CPU.

GenAI faces difficulty with structured outputs, a domain that is currently a significant area of research focus: enhancing the structured inputs and outputs of AI. There are numerous valid and positive applications for AI if more restrictions are imposed on outputs and if AI becomes more adept at handling structured inputs and outputs.

Currently, GenAI is predominantly used for creating phishing bait or facilitating communications in languages that ransomware operators are not familiar with… The real concern arises when AI becomes proficient in drafting exploit code effectively. If you can input a new flaw into an AI system and it generates operational exploit code that functions on fully updated Windows 11 24H2.

The expertise required to create such code is currently possessed by only a few hundred individuals. By incorporating this into a GenAI model and making it accessible to 10,000 or 50,000 offensive security engineers, it heralds a significant advancement in offensive capabilities.

TechRepublic: What are the risks associated with employing progressive AI in cybersecurity? How can these risks be controlled or lessened?

Stamos: The area where caution must be exercised is in hyper-automation and orchestration. Utilizing AI in situations where oversight by humans is retained carries limited risk. If I utilize AI to construct a query and then assess its results, that poses minimal threat. However, upon instructing AI to “identify all devices meeting these criteria and subsequently isolate them,” the situation grows alarming. This can result in situations where errors may occur. If it is vested with the authority to autonomously make decisions, the risks escalate significantly. Nonetheless, individuals are cognizant of this fact. Human SOC analysts are also prone to errors.

Strategies for Making Cybersecurity Awareness Enjoyable

TechRepublic: As Cybersecurity Awareness Month falls in October, do you have recommendations on establishing awareness initiatives that effectively alter employee conduct?

Stamos: Cybersecurity Awareness Month is the ideal time for conducting phishing drills. Consistently engaging in phishing activities throughout the year fosters a negative dynamic between the security team and employees. During Cybersecurity Awareness Month, I advocate for incorporating fun elements, gamification, and offering rewards as incentives.

At Facebook, we successfully implemented this approach; we branded it as Hacktober. The initiative featured prizes, games, and customized t-shirts. We organized two leaderboards: one for technical individuals, who were expected to search for vulnerabilities, and an inclusive one for non-technical participants.

Participation was open to everyone who intercepted phishing emails, took quizzes, and engaged in other activities, enabling them to earn rewards.

Therefore, by introducing gamification and fostering a sense of enjoyment, cybersecurity initiatives can deviate from punitive measures, which are often counterproductive for security teams.

Moreover, security teams need to maintain transparency about the evolving threats and reinforce a shared responsibility in tackling them.

Disclaimer: ISC2 sponsored my travel expenses, accommodations, and some meals for the ISC2 Security Congress event held on Oct. 13 – 16 in Las Vegas.
