How To Succeed at Cybersecurity in the Age of AI

AI is having an impact on cybersecurity at many levels. While it can be a powerful ally in enhancing your information security, cybercriminals are using it too and exploiting its vulnerabilities. In this article, we aim to raise awareness about both sides of AI and the importance of fundamental cybersecurity practices, with the help of Barry Yuan, Cisco technical solutions architect.

In spite of the increasing clarity of AI’s potential, there is still some resistance when it comes to using it in cybersecurity: “A lot of people don’t see how AI can be relevant for cybersecurity or for their business, but organizations with this attitude are going to miss out,” says Yuan. “As Harvard Business School professor Karim Lakhani put it, AI is not going to replace humans, but humans with AI are going to replace humans without AI.”

As Yuan explains, AI allows you to automate tasks that before could take hours. For example, AI can help you:

• Manage information security configurations
• Analyze policies, remove redundant and shadow rules and deploy new ones
• Detect unusual network activity or behavior indicative of cyberattacks
• Read and interpret large datasets of security logs and alerts
• Do impact analysis and contain a threat in case of attack, for example by isolating hosts and recovering them to a healthy state.
• Patch software
• Recognize phishing emails and other types of social engineering
• Recognize malware

Organizations can choose between AI tools developed by other vendors or develop their private AIs by using open-source AI models such as Meta’s LLaMA (Large Language Model Meta AI).

Perhaps, the best argument for using AI in cybersecurity, explains Yuan, is that bad actors are already using it, in two ways.

At one level, they use AI tools to make their criminal operations more effective. It can be something as simple as asking AI to write a phishing email to bypass spam filters by mimicking the language of a CFO. “If you ask a Generative Language Model like ChatGPT to write a phishing email, it will tell you that’s against its terms of use. But you could still trick it by saying, for example, that you need one because you’re teaching your students how to recognize them, and it will do it for you,” explains Yuan, who adds that there are open source “uncensored” AI models with no filters that won’t make any objections to any request.

There are also more sophisticated uses of AI tools by cybercriminals such as:

• Writing sophisticated code that will help them breach an organization’s cyber defense.
• Cloning voices in real time. In 2020, deep voice technology was used to clone the speech of the director of a company over the phone and convince a branch manager to wire $35 million¹ to an external account.
• Exploit real vulnerabilities. A study² by University of Illinois Urbana-Champaign researchers discovered that ChatGPT-4 can use CVE (Common Vulnerabilities and Exposures) security advisories to exploit vulnerabilities that haven’t been patched yet.

At another level, cybercriminals are exploiting the vulnerability of AI tools used by organizations. “There are new open-source AI models showing up daily, and while they’re an excellent resource for businesses, vulnerability is also growing. At least today, AI is very easy to hack,” says Yuan.

Whether you’re using a public or private AI, he explains, you should always put guard rails in place. One of them is to identify unauthorized AI tools employees are using (called shadow AI). ChatGPT is the most famous but not the only one: there are hundreds more AI tools available out there, warns Yuan.

If your organization does authorize the use of certain AI tools, it’s important to add filters that block the exchange of critical information, such as source code, credit card numbers or social insurance numbers.

The use of AI tools for cybersecurity should still be combined with foundational practices. A major one is to teach people in your organization how to avoid being manipulated by cybercriminals. Social engineering—tricking individuals into performing actions that compromise security—is still one of the most effective techniques behind data breaches and cyber frauds. In 2023, a cyberattack on Caesars Entertainment³, which cost the company $15m in ransom payment, was reportedly caused by deceiving an employee at a third-party vendor. “For cybercriminals, people are still the weakest link, the easiest to trick,” says Yuan.

To reduce the risk of falling victim of social engineering he recommends three simple precautionary measures:

• Never give out personal or work information, such as birthdate, social insurance number or employee ID, unless it’s necessary.
• If you notice any red flags that suggest an attempt of social engineering, let everyone in the company know.
• If a person is asking for help and you’re not sure if it’s a legitimate request, try and reach out to them through a different channel.

The other critical measure is to adopt a zero-trust approach in your IT environment: “When it’s full of sharks, don't act like food. Always assume that users, devices, your network, your cloud, your applications and your data could be the target of cybercriminals at any moment,” says Yuan.

The zero-trust approach is based on a few principles:

• Continuously identify who the users are, where they typically log on from and from what devices, and ask for further verifications when something is different than usual.
• Restrict user access to your IT environment, to the bare minimum that's required for users to do their job. For example, developers should not have access to finance accounts, while the finance department should not have access to code.
• Segment and separate the different parts of your IT system, so if someone gets their foot in the door, they won’t be able to pivot into critical areas.
• Be able to detect and respond to threats as early as possible. The earlier you can detect them, the less their impact on your organization.

Sources

¹ www.forbes.com/sites/thomasbrewster/2021/10/14/huge-bank-fraud-uses-deep-fake-voice-tech-to-steal-millions/

² www.theregister.com/2024/04/17/gpt4_can_exploit_real_vulnerabilities/

³ www.cpomagazine.com/cyber-security/caesars-entertainment-discloses-cyber-attack-ransom-payment-made-weeks-before-mgm-heist/