Leron Zinatullin Cybersecurity Risk Consultant
Cybersecurity suffers from a skills shortage in the market. As a result, the opportunities for artificial intelligence (AI) automation are vast. In many cases, AI is used to enhance and improve certain defensive aspects of cybersecurity. Prime examples are combating spam and detecting malware.
From the attacker point of view, there are many incentives to using AI when trying to penetrate others’ vulnerable systems. These incentives include the speed of attack and low costs of AI, combined with the likely situation that the system being attacked is understaffed in its cyber-protections (due to the skills shortage). These factors add up to create an attractive environment for bad actors.
Current research in the public domain is limited to white hat hackers employing machine learning to identify vulnerabilities and suggest fixes. At the speed AI is developing, however, it won’t be long before we see attackers using these capabilities on a mass scale, if they aren't already.
How do we know for sure? It is true that it is quite hard to attribute a botnet or a phishing campaign to AI rather than a human. Industry practitioners, however, believe that we will see an AI-powered cyber-attack within a year; 62% of surveyed Black Hat conference participantsseem to be convinced in such a possibility.
Many believe that AI is already being deployed for malicious purposes by highly motivated and sophisticated attackers. It’s not at all surprising – AI systems make an adversary’s job much easier.
Why? Resource efficiency aside, AI systems introduce psychological distance between attackers and their victim. Indeed, many offensive techniques traditionally involved engaging with others and being present, which, in turn, limited attackers’ anonymity. AI increases the anonymity and distance. Autonomous weapons are the case in point; attackers are no longer required to pull the trigger and observe the impact of their actions.
In addition, let’s take a look at others ways AI can be used in cybercrime.
Social engineering remains one of the most common attack vectors. How often is malware introduced in systems when someone just clicks on an innocent-looking link?
The fact is, to entice the victim to click on that link, quite a bit of effort is required. Historically, it’s been labor-intensive to craft a believable phishing email. Days and sometimes weeks of research, and the right opportunity, were required to successfully carry out such an attack. Things are changing with the advent of AI in cyber.
Analyzing large data sets helps attackers prioritize their victims based on online behavior and estimated wealth. Predictive models can go further and determine willingness to pay the ransom based on historical data, and even adjust the size of pay-out to maximize the chances and, therefore, revenue for cyber-criminals.
Imagine all the data available in the public domain, as well as previously leaked secrets, through various data breaches are now combined for the ultimate victim profiling in a matter of seconds with no human effort.
When the victim is selected, AI can be used to create and tailor emails and sites that would be most likely clicked on based on crunched data. Trust is built by engaging people in longer dialogues over extensive periods of time on social media, requiring no human effort. Chatbots are now capable of maintaining such interaction and even impersonating the real contacts by mimicking their writing style.
Machine learning used for victim identification and reconnaissance greatly reduces attackers’ resource investments. Indeed, there is even no need to speak the same language anymore. This inevitably leads to an increase in scale and frequency of highly targeted spear phishing attacks.
The sophistication of such attacks can also go up. Exceeding human capabilities of deception, AI can mimic voice thanks to the rapid development in speech synthesis. These systems can create realistic voice recordings based on existing data and elevate social engineering to the next level through impersonation. This, combined with other techniques discussed above, paints a rather grim picture.
So, what do we do? Let’s outline some potential defense strategies that we should be thinking about already.
First and rather obviously, increasing the use of AI for cyber-defense is not such a bad option. A combination of supervised and unsupervised learning approaches is already being employed to predict new threats and malware based on existing patterns.
Behavior analytics is another avenue to explore. Machine learning techniques can be used to monitor system and human activity to detect potential malicious deviations.
Importantly though, when using AI for defense, we should assume that attackers anticipate it. We must also keep track of AI development and its application in cyber to be able to credibly predict malicious applications.
To achieve this, a collaboration between industry practitioners, academic researchers and policymakers is essential. Legislators must account for potential use of AI and refresh some of the definitions of “hacking.” Researchers should carefully consider malicious application of their work. Patching and vulnerability management programs should be given due attention in the corporate world.
Finally, awareness should be raised among users on preventing social engineering attacks, discouraging password re-use and advocating for two-factor-authentication where possible.