It never gives up: why AI could be the perfect threat actor


The cybersecurity battlefield has rapidly reshaped to accommodate and integrate artificial intelligence (AI). Meanwhile, autonomous AI threat actors could completely change the game, a veteran cybersecurity insider told Cybernews.

Even though generative AI is still in its infancy, abuse of the technology has become a headache for many. According to a recent survey from cybersecurity firm Darktrace, which consulted 1,800 CISOs, security leaders, administrators, and practitioners, three out of four respondents have already noticed AI-powered cyber threats impacting businesses.

The consensus at the current stage of AI development is clear – so far, attackers benefit from the tools far more than defenders. Or, as the president of SANS Technology Institute, Faculty at IANS Research, and veteran cybersecurity professional Ed Skoudis puts it: “at least for now, AI has changed the landscape significantly in favor of the attackers.”


Living in the “assistant” stage

The most basic example of how generative AI, or genAI for short, has impacted the security game is phishing attacks. Most of them rely on well-crafted emails, websites, and other, often text-based mediums, to trick a victim into parting with their credentials, bank account details, or passwords.

“You could do OSINT, create fake personas, and create pictures at a level of quality that was unachievable before. And that's just on the social engineering component of spear phishing,” Skoudis told Cybernews.


Beyond that, however, attackers successfully leverage AI tools to develop malware, a process once reserved for the best and the brightest. Now, all it takes is an AI agent and a bit of creativity to get past all the guardrails that developers use to prevent malicious actors from developing, for example, ransomware. Not only that, but AI-based tools can even provide invaluable information on how to create exploits that allow breaching systems.

“It used to take a skilled researcher a lot of time and intellect to create that. It still does require some, but not as much, because AI is a fantastic assistant in creating exploits for given software vulnerabilities and then weaponizing them. AI is tilting things in favor of the attacker,” Skoudis said.

However, he added that attackers are often the pioneers of any new technology. It’s in their nature to look for the easiest way in. Meanwhile, defenders take time to adjust to new threats until they sweep in and “see what attackers do that's novel and kind of clean that up.”

“Cyber Terminator”


The scary thing about AI-based threats is not that they lower the entry point for attackers but that we could come to a point where human attackers are no longer needed. Skoudis recalled a time several decades ago when computer worms were the big thing and, most importantly, how they would propagate even after the person who initially released them was detained.

“That could happen with AI in the future. We're not there yet, but I can't think of very many examples where the technology becomes the actual threat, not a risk or a vulnerability,” Skoudis explained.

It’s not unreasonable to think that genAI’s capabilities will improve significantly in a few years’ time. We could reach a point where a persistent threat actor devises an AI-based threat with a singular task: penetrating organization Y. AI doesn’t need to sleep or care for its needs. It doesn’t get bored or frustrated. Just like James Cameron’s Terminator, the AI hacker works until it gets what it wants.

Ed Skoudis. Image by the SANS institute.

“And the AI keeps trying and trying and trying. It can use different methods, try out different tactics, and look for new ways to fulfill its task. And then maybe you arrest that person who created it. Maybe that person goes away. But the AI keeps on going, and it becomes this continuous threat again. While we're not there yet, I can easily envision a path to that,” Skoudis said.

While the technology is not there, it’s anyone’s guess how such tools could be leveraged. However, we could get an idea. At the moment, attackers employ AI agents to produce and post content on social media to get people to interact with it. While it’s still rudimentary and tech-savvy users can distinguish reality from AI-made fiction, some still fall for it.

Extrapolate that to a Cyber Terminator roaming through an organization, impersonating user after user. The only limit to what an attacker could do with such power is imagination.

“I've read memes that say we actually live in a dystopian future now, but we just don't realize it. Maybe we do live in this dystopia. But that said, I try to be an optimist and a joyful person,” Skoudis said.

No magic wand

However, until the dystopian future arrives, defenders still need to work against the AI-based threats that users and organizations face today. The boring part is that no matter how many security solutions have “AI” plastered over them, defense teams need to work to their strengths.


“Unfortunately, there's no magic wand. On the defense side, due to the offensive use of AI, we just have to double down on our defenses. There's not some new type of defense that has come up. I mean, yes, they're trying to put AI into various defensive products, and that helps. But you're dependent on your vendors for that,” Skoudis explained.

First and foremost, users and employees must be taught how to distinguish threats and act accordingly. Meanwhile, organizations need to be very wary of who has what permissions in their systems. Ransomware defenses need to be better than ever, and networks need to be segmented to prevent or at least complicate lateral movement for attackers.

“It's just revisiting the stuff we've known about at a deeper, more thorough level because of the new AI usage of attackers. That's not a very satisfying answer, but it's true,” Skoudis concluded.