
It feels like it’s been around forever, but it’s only been about two years since ChatGPT made its illustrious debut back in November 2022. Overnight, previously labor- and time-intensive knowledge work tasks became lightning fast – content writing, research, document summarization, you name it. The ability to elicit complex results using natural language like you were asking a fellow human to do it was revolutionary for almost anyone who picked it up. 

The issue, though, is that it didn’t just make our jobs easier.

AI has made it easy to scale the types of operational tasks that used to take dozens of people and hours of research, and handed the keys to anyone with a credit card. Cyberattackers were among the first to recognize this and start putting this powerful new tool to work. What had already been an arms race between threat actor groups and the security community has now entered a new phase, with AI supercharging the speed, sophistication, and time-to-market of attacks and tool development.

AI and Social Engineering

Take, for example, social engineering. Social engineering is an attack that aims to manipulate the human beings in a target organization, hoping to elicit information or induce a desired action – think clicking a malicious link or giving up useful further intelligence on the target. This was always fundamentally a research task at its heart, requiring the gathering, synthesizing, and summarization of large amounts of data to do the following:

  • Identify ideal targets, both corporate and individual.
  • Understand commonalities and potential weaknesses that pretexts can be tailored to.
  • Develop a realistic scenario from real-world information.
  • Write personalized messages or create other media assets to send to the target.

The technique itself might not have changed all that much, but researching and putting together a convincing pretext and personalized email used to be a time-intensive and iterative process. Now? It can be done with a few targeted prompts to any one of the popular consumer AI companies (OpenAI, Anthropic, etc.) until you have a dossier on your target and a first draft of a pretext and email in a matter of minutes.

Adversarial Machine Learning

That’s just looking at written communication, by the way. Attackers can now use adversarial machine learning to produce video, audio, or even real-time deepfakes of individuals – extremely realistic reproductions of a real person’s likeness and even voice. You’ve likely seen the famous video of Tom Cruise that went around a few years ago, developed by what became Metaphysic.ai Studios. 

It seemed like a novelty back then, but the technology and the technical firepower needed to develop a deepfake have both advanced dramatically in the meantime. What used to be cutting-edge has become drastically more democratized in the age of widespread AI, and it enables the less scrupulous among us to perform advanced target identification, persona building, and communications personalization at a scale previously impossible.

AI and Programming

Where AI has really changed the game, though, is in its ability to rapidly generate (mostly) working code in almost any language you can name. Transformer-based AI models (like ChatGPT, which many of us are familiar with) are trained on vast amounts of real-world data in order to produce code in line with the listed guidelines and support documentation that they were trained on before being released.

The major companies in the market have at least rudimentary defenses against creating materials for cybercrime, but what if you hosted your own open-source large language model like Meta’s LLaMA and trained it on a bunch of data breach information, malicious code, and data gathered from the dark web? Then you have something very similar to ChatGPT but with none of the protections in place, one that absolutely will generate malware on command for you and at a scale previously impossible without a large team.

Using AI to Combat New Threats

It’s a trite cliche to say “the landscape has changed” at this point, but it’s true. There’s a fundamental asymmetry now between attackers and defenders. Many Security Operations Centers are still operating on a technologically enhanced but still more or less human-centric model.

Analysts can do their jobs faster than ever before, but at the most basic level they are still performing a form of triage on machine-based alerts – alerts generated by understanding previous attack signatures and techniques.

As discussed above, AI-powered tools can generate and launch a dozen personalized social engineering emails in the time it takes a SOC analyst to open up Splunk. Malicious code can be generated and modified on the fly to evade signature-based detection systems, and by people without the advanced development skillset this work once required. 

To defend effectively in this new era, SecOps needs to evolve. But how? By fighting fire with fire, AI with AI. The rise of AI agents has changed things in favor of the defenders. 

AI agents are software programs that can use artificial intelligence to:

  • Actually interact with environments they’ve been deployed in, 
  • Gather information for you, and
  • Make decisions and act based on their training.

Because human SOC analysts perform a repeated set of actions and interactions with a set of software and network interfaces, these workflows can be automated. These automated workflows can then be handed to and performed by an AI agent. Suddenly, one SOC analyst can direct and manage a dozen AI agents and act on their results instead, performing at multiples of their previous speed and output.

AI-powered security orchestration can lead to agents performing monitoring tasks, then taking automated containment actions when a given anomalous condition is detected – faster than a human SOC analyst would likely have seen, reacted to, triaged, and acted on a standard alert. These agent-powered monitoring programs could work 24/7/365 and help lighten the workload of overstretched and burnt-out workforces.
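The monitor, detect, and contain workflow described above, sketched as an added example that is not from the original article or from TCM Security. A fixed rule (many failed logins followed by a success) stands in for the agent's decision step, and the event data, the `PROTECTED` account list, and the action names are all constructed for illustration; the point it adds is the split between containment that runs automatically and containment that waits for the analyst directing the agents.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # look-back window for failed logins
THRESHOLD = 5                   # failures before a success counts as anomalous
PROTECTED = {"svc-backup"}      # hypothetical accounts whose lockout needs sign-off

# Constructed sample events: (timestamp, source IP, account, outcome), in time order.
EVENTS = (
    [(f"2025-01-10T03:00:{s:02d}", "203.0.113.7", "alice", "fail") for s in range(5)]
    + [("2025-01-10T03:00:09", "203.0.113.7", "alice", "success")]
    + [(f"2025-01-10T03:02:{s:02d}", "198.51.100.4", "bob", "fail") for s in range(2)]
    + [("2025-01-10T03:02:30", "198.51.100.4", "bob", "success")]
    + [(f"2025-01-10T03:10:{s:02d}", "203.0.113.7", "svc-backup", "fail") for s in range(6)]
    + [("2025-01-10T03:10:20", "203.0.113.7", "svc-backup", "success")]
)

def detect(events):
    """Flag a success preceded by >= THRESHOLD failures from the same IP and account within WINDOW."""
    fails, findings = defaultdict(list), []
    for ts, ip, user, outcome in events:
        t = datetime.fromisoformat(ts)
        if outcome == "fail":
            fails[(ip, user)].append(t)
            continue
        # A success resets the counter; only failures inside the window count.
        recent = [f for f in fails.pop((ip, user), []) if t - f <= WINDOW]
        if len(recent) >= THRESHOLD:
            findings.append({"ip": ip, "user": user, "time": ts, "failures": len(recent)})
    return findings

def plan_containment(finding):
    """Blocking the source runs automatically; locking a protected account waits for an analyst."""
    lock_mode = "needs_approval" if finding["user"] in PROTECTED else "auto"
    return [
        {"action": "block_ip", "target": finding["ip"], "mode": "auto"},
        {"action": "disable_account", "target": finding["user"], "mode": lock_mode},
    ]

def run(events):
    """Monitor -> detect -> plan: returns each finding with its containment plan."""
    return [(f, plan_containment(f)) for f in detect(events)]

if __name__ == "__main__":
    for finding, plan in run(EVENTS):
        print(finding, plan)
```
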

Conclusion

In the end, AI is a tool: a powerful one with great potential to increase the volume and speed of security operations while simultaneously increasing the capability and scale of malicious actors. Growing your understanding of these tools and your ability to use them will increase your effectiveness and help defang the attacks of threat actors who are keeping pace with the latest breakthroughs.

As impactful as AI has already proven to be, there will be situations that require a trained mind in a warm body. If you are looking for such training, TCM offers the Security Operations (SOC) 101 course that will provide in-depth instruction for common SOC tools, as well as what is going on under the hood. For proof of these skills, the Practical SOC Analyst Associate certification simulates a real-world day in the life of a security analyst, testing your knowledge and providing practical experience.

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.

Pentest Services: https://tcm-sec.com/our-services/