Is the AI Hacker going to destroy my business?
- Zoë Rose
- 3 hours ago
TL;DR probably not.
Detail: Whilst I dislike talking #AI in most situations, because it's often presented as this magical box that ... does everything better than humans (it doesn't), and is it really AI or just automation, but I digress. AI or LLMs are not some magic box. Essentially, AI solutions are a black box: you don't know how it's learning or what exactly it's doing - especially if you're a consumer of someone else's AI solution. However, it can achieve certain things, and process things quicker than a human (but may be inaccurate). There need to be controls in place to measure accuracy, hallucinations, drift, the list goes on. Quality control is a must.
When it comes to being 'attacked' by AI, let's be honest: there is already automation that has been in place for threat actors, and there are already cyber criminal groups that pre-package solutions for threat actors to make use of. We're already in a situation where our blue team / responders need to be prepared to detect and protect against non-humans and quantity vs quality.
Can AI silently take over my network?
It is not a magic box. Theoretically, if it is targeting #shadowIT or infrastructure that has no monitoring in place, then yes, I suppose it could be silent... as there's nothing there to detect it. However, the solution still needs to know what's in the environment and what's vulnerable. That's not changing because it's a human vs automation that is detecting. The difference lies in the speed of processing.
How do organisations ensure resilience in this new world?
Yes, it's concerning that threat actors continue to increase their capabilities and make use of technology and innovation, often faster than organisations. However, we can respond by ensuring our cyber hygiene fits the bill for our threat map:
Threat map and inherent risk analysis: I wrote the below, but then came back to add: in order to protect yourself, within your means, you first need to know what you're protecting against. Please ensure you validate what you're funding, so you don't buy the sexiest-sounding software that is not solving the actual problem.
Patch management programme: still important. "Patch everything immediately" doesn't work, but an intelligent patch management programme that includes testing/validation, change management, making gaps visible and so on is key. 0-days are scary, but 200-days also put the organisation at risk.
Know what you have: again, 0-days scare people, but if we've learnt even just one thing from history, it's that knowing what you have, what you need, and your dependencies will start you off on the right foot. There is technology coming out to help with removing the vulnerable exploitable part until you can patch (Cisco Live Protect), tooling that can advise you quickly whether you use $thing and whether the way you use it is vulnerable (SBOM and VEX), and likely more solutions. Having the insight into your organisation and knowing the context is vital to success.
Zero trust and layered controls: the goal of zero trust is to validate; it's layering, it's continuous checking. If something is compromised, following a zero trust architecture ultimately means the impact of failure is reduced.
Visibility is key: I talk a lot about identity protection, and it is vital indeed, but that's not to say protections and visibility in other areas are not needed as well. Let's pretend some threat actor makes use of AI tooling that quickly exploits vulnerabilities to gain access to something. If there is no monitoring in place to alert on this activity, the attack is silent to Security Operations, because they can't see it. Ensuring the right team(s) know and have visibility into the entire landscape of the business will ensure a smoother, more effective protection and response. It will highlight gaps in controls, and provide reduced response times.
Skilled workers: I mentioned here briefly that the cost of retaining skilled workers is high, as it is a continuous effort: pay, training, and so on. For an organisation where security isn't a core competency, outsourcing certain parts makes sense. However, regardless of who's responsible for carrying out actions, the organisation is accountable for ensuring the required skills and resources exist for the relevant threats to the organisation.
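The "do you use $thing, and is the way you use it vulnerable" question from the "Know what you have" point, as an added example that is not part of the original post: it matches a CycloneDX-style SBOM against OpenVEX-style statements. The component names, purls and CVE placeholders are constructed, and exact purl matching is a simplifying assumption.

```python
import json

# Constructed CycloneDX-style SBOM fragment: what we have.
SBOM = json.loads("""{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "libexample", "version": "1.4.2", "purl": "pkg:pypi/libexample@1.4.2"},
    {"name": "webthing",   "version": "3.0.0", "purl": "pkg:npm/webthing@3.0.0"}
  ]
}""")

# Constructed OpenVEX-style document: is the way we use it vulnerable?
# CVE-0000-0001/0002 are placeholders, not real identifiers.
VEX = json.loads("""{
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:pypi/libexample@1.4.2"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:npm/webthing@3.0.0"}],
     "status": "affected"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:npm/otherthing@1.0.0"}], "status": "affected"}
  ]
}""")

# Statuses needing no action; anything else (including unknown) needs review.
SAFE = {"not_affected", "fixed"}

def triage(sbom, vex):
    """Return (needs_action, no_action) lists of (purl, vuln_id, status)."""
    inventory = {c["purl"] for c in sbom.get("components", []) if "purl" in c}
    needs_action, no_action = [], []
    for stmt in vex.get("statements", []):
        vuln = stmt["vulnerability"]["name"]
        status = stmt.get("status", "under_investigation")
        for product in stmt.get("products", []):
            purl = product.get("@id")
            if purl not in inventory:
                continue  # statement is about something we do not run
            bucket = no_action if status in SAFE else needs_action
            bucket.append((purl, vuln, status))
    return needs_action, no_action

if __name__ == "__main__":
    for label, rows in zip(("ACT", "OK "), triage(SBOM, VEX)):
        for purl, vuln, status in rows:
            print(label, vuln, purl, status)
```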
Ultimately, yes, it's concerning that threat actors continue to increase their capabilities and can make use of tools that carry out actions without hands on keyboards - but how do organisations respond? By ensuring their environment is known to them, having layered controls, and having the visibility to take action when needed.