The bots are now running cybersecurity

Back in 1988, a savvy Cornell University student unleashed the infamous Morris Worm, a devilish piece of self-propagating software that wriggled its way into vulnerabilities and then replicated itself across networks it infected. This malicious worm was no ordinary hack; it was a sleek, automated beast that slithered through machines faster than any human could. In less than 24 hours, it paralyzed over two thousand systems with its venomous bite. The Morris Worm was a harbinger of the future, a reminder that the game had changed, and a sign that cyber warfare had entered a new era.

"AI can be used to identify patterns in computer systems that reveal weaknesses in software or security programs, thus allowing hackers to exploit those newly discovered weaknesses... AI can also be used to design malware that is constantly changing, to avoid detection by automated defensive tools.”
Brian Finch, Co-Lead of Cybersecurity at Pillsbury Law

It is as good a definition of conundrum as any: The components of state of the art AI include advanced data analytics of big databases and streaming data, deep neural networks with machine learning, and self-monitoring and self-healing subroutines. These capabilities are brought to bear not only for the task at hand, but also for cybersecurity. At the same time, hackers use them to attack these security measures...

It’s here. Not later, not someday - it’s here right now. Artificial intelligence is now swallowing up all sorts of IT functions. So it’s not entirely surprising that it’s swallowing up cybersecurity as well.

Modern businesses face a myriad of ridiculously dangerous and hard to defend cybersecurity challenges. The latest, (and arguably most pressing), security issues today stem from an exponential increase in machine learning (ML) and artificial intelligence (AI) capabilities over the past few years, leading to an overwhelming surge in AI-enabled automated cyberattacks. That’s right. AI is attacking us, at the hands of nefarious and evil software developers, also known as hackers.

History will herald 2022 [or 2023] as the year that AI went mainstream. The technology finally took center stage with chatGPT’s release, after literally decades of grand promises from AI researchers and scientists that far outpaced the realities of their efforts. Today, what was recently cutting-edge AI technology is widely available and useful outside of research labs, as ordinary people now have free and easy access to perform incredible tasks using AI. What started as asking Alexa for weather report has now evolved into college kids and high-schoolers getting ChatGPT to write their essays for them.  

And it’s dynamic. There is not one singular approach to AI. What took the world by storm in 2022 was a deep learning (a subset of machine learning) technique that used so-called transformer models. In a nutshell, transformers are a type of neural network architecture that analyze correlations between elements in sequential data to learn context. One of the key innovations of transformer modules is the use of "self-attention mechanisms." These mechanisms allow the model to selectively focus on different parts of the input text when processing each token, allowing it to more effectively handle long-term dependencies and produce more accurate output. But besides transformers, there exists a plethora of alternative architectures, including GANs, RNNs, CNNs, and LSTMs, each with distinctive tradeoffs and advantages over the others.

OpenAI, a non-profit research org founded in 2015, is the apparent leader when it comes to public-facing transformer models. Their GPT-3 and GPT-4 large language models are credited as the flame that sparked the explosion of AI adoption and mania throughout 2022 and into 2023. GPT stands for Generative Pre-trained Transformer. GPT-3 is the foundation on which the organization's text-to-image generator DALL-E 2 and popular chatbot ChatGPT are built.  

ChatGPT is so popular that it shattered all previous records for the fastest-growing user base, reaching 100 million users in only two months. This sudden ballooning of AI adoption has caused many cybersecurity experts to raise alarms about the destructive potential this technology poses to modern enterprises as it continues to progress. No longer just fodder for science fiction authors, the invasion of cutting-edge ML and AI advancements into the cyber kill chain is now reality. And it is set to rebalance the scales for all businesses, be they local mom-and-pop shops or billion-dollar multinational conglomerates.  

While we are still very much in the opening innings, it is clear that the global threat landscape is set to undergo a radical step change due to the proliferation of these new, rapidly advancing tools. To take on the malicious actors who are quickly developing and deploying AI-driven automated exploits, organizations will have to deploy "good" AI as a countermeasure. This approach of fighting fire with fire will be the only defense to help ensure that modern business systems and networks stay secure and protected during this upcoming era of automated AI cyberattacks. One cannot help but wonder if there are not existential philosophical and fundamental physical insights that may be revealed in this upcoming meta-digital quantum skirmish.

Hidden Costs of Cyberattacks: A Look at Downtime

Almost half of all company downtime is caused by malicious attacks. That’s a lot. These cybersecurity intrusions can lead to widespread service outages and have lingering consequences that hamper efficiency, diminish productivity and cause significant loss in income. This is due to the fact that downtime has a negative effect on a company's reputation and erodes customer faith.

According to an extensive survey by TechRadar conducted in early 2020, numerous companies of all sizes were impacted by downtime. Ten percent of SMBs (small-medium sized businesses) for instance indicated their hourly downtime cost averaged at least $50,000. Earlier in the survey, at least 52 percent of survey respondents said intrusions, malware, and ransomware were the usual culprits of downtime.

Another IBM report also showed that the average annual cost of downtime as a whole equated between 1 to $2.5 billion.

It doesn’t take an economic expert to see these are harrowing numbers, and in most cases enough to entirely sink a company.

Automation and AI

Let’s clearly define automation

Because so many people are reworking and recharacterizing this space. When we say automation, we are specifically referring to programmatic software that reduces or eliminates the need for human involvement. We build highly complex automation software systems here at Product Perfect, and help our clients build them as well. Automation that is done correctly can enhance productivity, accuracy, and create more efficient workflows. But when mismanaged, it has the potential to create confusion, and disruption, and lead to costly oversights. With the fast evolution and implementation of technologies like IoT, smart devices, machine learning, and of course AI, it is clear that widespread automation is more an inevitability than a passing fad as some detractors might argue. We believe that automation, specifically as it relates to IT and cybersecurity will lead us to a digital world that looks completely different within the next decade.  In this new AI-driven world, automation will be essential for staying ahead of the competition, managing budgets, and mitigating the risks associated with next-generation cybersecurity threats. Automation is, essentially, where the next industrial revolution takes place. But it creates increasing complexity that invites novel cyberattacks and vulnerabilities. That is why automation and professional, proactive cybersecurity must grow together - arm in arm.

So we can broadly classify automation into two distinct categories. The first is basic automation, which in some form or another has been a part of computing since its inception and yet, has taken the form of Excel macros and shadow IT ops / batch scripts. The second is AI-enabled automation, which is rapidly becoming a more promising option in the modern era.

So what is basic automation?

Basic automation focuses on automating simple, straightforward and repetitive tasks. Here, automation tools are employed to digitize and consolidate processes, as opposed to having them fragmented across multiple sources. Business process management (BPM) and robotic process automation (RPA) are two primary forms of basic automation. BPM helps organizations to better monitor and manage processes, while RPA utilizes software robots or "bots" to automate tasks such as data entry, document processing, and information queries. The main vendors / products on the market today for this specific type of automation include (besides Excel macros): UiPath, Automation Anywhere, Kofax, Blue Prism, WorkFusion, Pega, Kryon, NICE, EdgeVerve, AntWorks, and OpenSpan.

And finally, what is AI-enabled automation?

AI-enabled automation, on the other hand, is able to take automation to a much higher level. This type of automation enables more sophisticated and powerful capabilities, such as making decisions and replacing human involvement altogether. It can be useful in extracting meaningful insights from data and generating recommendations or predictions based on said insights.

AI allows for far more sophisticated and adaptive automation capabilities, allowing for the automation of processes that would have previously been too complex or time-consuming to execute with traditional automation tools.

What is AI-enabled, ‘Secure’ Automation

Taking it up a level, and simply put, secure automation is automation that includes all of what we already described under basic, and ai-enabled automation... but now also adding security to that. Security includes authentication, authorization, updatability, and context of user engagement. By utilizing encryption, access controls, and regular software updates, businesses can ensure that their automation system remains secure from external attacks or internal breaches. Adopting a secure automation approach enables businesses to mitigate the risk of data breaches, protect sensitive information, and maintain the integrity of their systems and processes.

In the graph below, you can see how automated cybersecurity processes filter out severe and minor alerts, allowing experts to home-in on IT issues with a red-flag status.

The counter-argument to going all-in on automation

Not that it is a great counter-argument, but there has to be one. So if you’d want to see those notes, you are in the right place.

1. Automation can incur some reasonably significant upfront (licensing) costs

Enter the enterprise software sales dude. This is the good stuff, they say. Where licenses are bought without fully knowing exactly how many developers will need them or how much to spend. It’s a little wild. And, it is often a bit vague in terms of what specific levels of toolkits are needed. There are no one-size-fits-all solutions, meaning these tools can be anywhere from very cheap to very expensive to develop and deploy. The cost variance factors make it difficult for small businesses or orgs with limited budgets to take the dive into automation software.

2. Difficulty in adapting to changing conditions and environments

Automated systems may be efficient and productive during regular operating conditions but can quickly become inefficient or even ineffective due to changes in the environment or process. The bot use to grab a file from this one server location. Well, somehow that shared folder path no longer exists, (bob deleted it), so the entire process breaks. This can lead to additional costs and time expenditures as the automated system needs to be adapted or modified and tested again to accommodate the new folder path on a different server or in the cloud. This happens all the time. IT operations is going to step all over the little chess pieces that we carefully set in place. Thus, logging and instrumentation are so critical. Our analysis engagements are great for isolating these sorts of things and documenting them in these huge, wall-sized diagrams. We’ve dug deep into the innards of many clients and helped them uncover the mess, untangling literally decades of code and integration atrophy, and plot a course for an entirely new and well-orchestrated future.

3. Impact on employment, as some jobs become obsolete due to automation, yet new jobs may also be created

The impact on employment is another potential factor when organizations ponder their automation opportunities. As automated systems become more advanced, they will replace certain types of labor, leading to job obsolescence. Of course, this can have a negative impact on individuals and society as a whole, particularly in areas where quality jobs are hard to come by. Conversely, some research suggests that automation may actually create new jobs, as it opens up opportunities for workers to move away from mundane, repetitive labor towards more creative and meaningful roles. This is also true for software developers, as the creation and maintenance of the bots themselves becomes the new cost basis. Rather than 10 operators, you may have 1-2 developers. This may not seem like a great tradeoff, but it’s inevitable. We mustn’t bury our proverbial heads in the sand on this.

“The point of automation is to relieve people of repetitive tasks so that they can focus on higher-value work that requires creativity and empathy and passion.”
Andrew Ng, founder of Landing AI

“The automation of factories has already decimated jobs in traditional manufacturing, and the rise of artificial intelligence is likely to extend this job destruction deep into the middle classes, with only the most caring, creative or supervisory roles remaining.”
Stephen Hawking, physicist and author.

4. Possibility of exacerbating an already inefficient process by making it even more inefficient or more of a problem than it already is

Bill gates has been talking about this for decades. He said, “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” So it’s not guaranteed that the new stuff will be so much better and smarter than the old stuff. Garbage in, garbage out. A solid set of analysts, and a good solution architect is the usual remedy for this.

5. Possibility of security breaches due to unauthorized access

It always starts with a teams or slack message to the server guy, “Hey dude, can you poke a hole in the firewall for this one script we have to run?”

The security holes often required, (or so we think they are required), by shiny new automation tools will [usually] introduce risk and security exceptions. It’s not easily solved, necessitating a much needed increase in vigilance to secure these systems from malicious actors. This involves the implementation of appropriate security measures, such as - paradoxically - automated threat detection and response systems, to help manage and protect these tools.

Keep in mind that this list of disadvantages are seen through the perspective of automation as it is today. We forecast that as AI-enabled automation continues to progress, factors like high cost, difficulty adapting to change and security issues will be replaced by new concerns, (which may be worse than these, but alas, we shall see).

Detecting and responding to cyberattacks using automation

Ok now for the fun stuff. What if the bots could be our defenders. Bots attacking you? No problem, defend yourself with more bots.

Actually, automated security solutions have been used by organizations to thwart cyberattacks for some time, even before the advent of more advanced AI-driven automation. Traditionally, RPA (Robotic Process Automation) and SOAR (Security Orchestration, Automation, and Response) had been the main automation approaches. But today, it’s a bit more involved, and AI is on the scene in righteous robes of glory. The AI that is being peddled to the enterprises today is, (so they claim), an entirely new generation of AI, now used to create native automated security methods. Native, in that it’s not some snap-on / add-on tool. It’s the core. So that is different. Also, it is riding the ChatGPT and OpenAI wave of enthusiasm. So that also is something.

Let's touch on a few of the AI-infused automation defense techniques.

Robotic Process Automation Security

RPA in cybersecurity involves the utilization of robotic process automation bots to protect organizations from cyber threats and enhance security posture. Bots can be used for a wide range of tasks, from monitoring networks for suspicious activity to implementing automated responses in the event of a detected attack.

By making use of RPA-based security methods, personnel can free themselves to focus on cases that require their attention while 'security bots' automate mundane and repetitive steps in the investigation of cyber threats at scale.

And now for the main beef of this article. Here are legitimate examples of ideal tasks for automation/RPA based cybersecurity with artificial intelligence sprinkled in:

1. Investigating IP addresses
   AI-enabled automation software can be used to scan IP addresses and detect potential threats in real-time. For example, the tool IPinfo can provide information about an IP address, such as its geographic location, ISP, and type of connection, and then an AI machine learning model can scan and intercept that data to cross-check it with other anomalies on the history log to put together a statistical likelihood of what it might end up becoming.
2. Analyzing system log files
   AI-infused automation software and scripts can be used to analyze system log files to identify potential threats. For example, the tool LogRhythm can automatically analyze log files and pump that data into a machine learning model as well, providing instant alerts when it detects suspicious activity.
3. Regulate entry and updates of privileged data
   Automated tools can be used to regulate access to privileged data by providing role-based access controls. For example, the tool CyberArk can be used to manage privileged accounts and monitor access to sensitive data. When access breaks out of a statistical norm, the machine learning system can trigger an alert.
4. Establish a precise audit log of access to confidential data
   AI-infused automation software and scripts can be used to establish an audit log of access to confidential data, which can be used to track who has accessed the data and when. The tool IBM QRadar can be used to generate detailed audit logs of network activity and move that into various types of AI models for further reporting or alerting.
5. Search for, monitor, and report unusual network activity
   Automated tools with AI can be used to detect unusual network activity, such as spikes in traffic or unexpected connections. For example, the tool Darktrace can automatically detect and respond to cyber threats by using machine learning algorithms to analyze network traffic.
6. Look into peculiar registry or system file modifications
   Automated tools can be used to detect modifications to system files or registries that could indicate a security breach. For example, the tool Sysmon can be used to monitor changes to the Windows registry and file system.
7. Investigate abnormalities in database read volumes
   AI-infused automation software and scripts can be used to detect abnormal read volumes in databases, which could indicate a potential data breach. For example, the tool Imperva can be used to monitor database activity and detect suspicious behavior.
8. Automated penetration testing
   Automated software with AI can be used to simulate cyber attacks and identify vulnerabilities in a system. For example, the tool Metasploit can be used to automate penetration testing and identify vulnerabilities in a network. Then that data, again - are you seeing the pattern here? - feed that into the AI machine learning models to predict the outcomes in real time.
9. Activate specific security measures in response to alerts
   AI-infused automation software and scripts can be used to automatically respond to security alerts by activating specific security measures. For example, the tool Phantom can be used to automate incident response by orchestrating security tools and processes.
10. Search for and install the most current software patches
    Automated software tools can be used to scan for software vulnerabilities and install the most current software patches. For example, the tool Tenable can be used to automate vulnerability management by scanning for vulnerabilities and prioritizing patching based on risk.
11. Generate periodic threat reports for human security analysis
    AI-infused automation software and scripts can be used to generate periodic reports that summarize potential threats and vulnerabilities. For example, the tool Splunk can be used to generate reports that provide insights into network activity and potential threats.

You can see some examples of essential services automated cybersecurity suites provide in this graphic.

Security orchestration, automation, and response

SOAR is an approach to information security that interweaves automation, analytics, and communication systems to detect, investigate, and respond to cyber threats. SOAR is crucial in modern security automation because it enables organizations to streamline and standardize incident workflows by automating many of the tedious, labor-intensive tasks associated with such activities.

As is the case with RPA-based security automation, SOAR enables security personnel to shift human focus away from low-level activities toward higher priority initiatives such as active threat hunting and proactive defense against cyberattacks.

SOAR automation can be used for the following purposes:

• Handling zero-day threats
• Consolidating threat feeds
• Countering phishing attempts
• Examining and responding to malware
• Securing remote user access

A look into the AI-driven cybersecurity landscape

AI is enabling the development of more "intelligent" robotic process automation and SOAR security frameworks. This AI-driven trend is allowing these processes to have a greater effect on security overall. Now capable of autonomous ”thought”, problem-solving, and dealing with ambiguity with less manual guidance, these frameworks will undoubtedly still play a leading role in next-generation cyber defense strategies.

Here are the leaders in this AI-powered cybersecurity space:

1. Darktrace
   https://www.darktrace.com/
2. Cylance
   AI-driven endpoint security
   https://www.cylance.com/
3. Symantec
   AI-powered security solutions
   https://www.symantec.com/
4. Palo Alto Networks
   AI-based security platform
   https://www.paloaltonetworks.com/
5. McAfee
   https://www.mcafee.com/
6. Fortinet
   https://www.fortinet.com/
7. Cisco
   https://www.cisco.com/
8. IBM
   https://www.ibm.com/security
9. FireEye
   AI-powered threat intelligence solutions
   https://www.fireeye.com/
10. Check Point Software Technologies
    AI-based threat prevention solutions
    https://www.checkpoint.com/
11. Vectra
    AI-powered network detection and response
    https://www.vectra.ai/

What has changed is, AI-driven automation provides machines the ability to examine files, documents, emails, and images, comprehend the contents and understand the purpose and intentions behind them, a skill that was formerly exclusive to humans. Automation of this nature grants security teams more power to defend against threats, but it also introduces more advanced ways for those with malicious intent to gain access to networks.

Cybercriminals are taking advantage of AI-driven methods for their own gain, leveraging the capabilities of these technologies to circumvent defenses and execute malicious activities on victims' networks. One in-depth review that studied the emergence of AI-driven cyberattacks shows that security researchers are discovering cybercriminals are fast adopting AI techniques at every level of the cybersecurity kill chain. The report outlines that a vast majority of AI-driven attacks are focused on the access and penetration phase at about 56%. The next most prevalent uses for AI attacks were designed for exploitation and command and control at 12% each, whereas reconnaissance and delivery make up roughly 11% and 9% of AI-powered attacks according to the report.

The same study goes on to list several major classes of AI-based attacks for each stage of the infiltration lifecycle.

• In the access and penetration phase, leading categories include automated payload/phishing attacks, password guessing/cracking attacks, and intelligent captcha attacks.
• The researchers found that automated disinformation generation attacks, automated domain generation attacks, and self-learning malware are common classes of AI-based attacks during the exploitation and command and control phases.
• Intelligent concealment attacks and evasive malware are the leaders in the delivery phase, while outcome prediction and intelligent target profiling, and automated information collection attacks are most common during the reconnaissance phases.

The graphic below visualizes the various AI-driven attacks outlined in-detail throughout the report.

IT departments face multiple threats of complexity, growing attack surfaces, and reliance on remote work. There is no catch-all solution to cybersecurity, nor is there a gold standard of automation. Our team at Product Perfect has worked hard to help clients fend off these threats, and build secure apps to prevent them from existing in the first place.

Perhaps one of the brightest points is the reduction of human interaction with systems.  But reducing human saturation in a cybersecurity/IT environment is only one aspect of automated defenses. Automated cybersecurity operations can narrow the gap of expertise in modern digital ecosystems by operating 24/7 to increase threat discovery rates.

You can see how automated options prevent external intrusions by default, sometimes based on smart learning and other times based on a set criteria. Some quick examples of these intuitive defenses are:

• AI and machine learning where smart detectors use a formula and continue to advance based on that criteria
• Pattern detection, where smart functions learn to recognize malicious behavior and act appropriately without IT intervention
• Autonomous “agents” which act as security-based IT personnel and perform similar functions based on smart learning (such as the US military’s NetModX)
• Hybrid firewalls acting as both a firewall and integrate smart functions to filter connections inside and outside a business network

The kill chain process is something we hear a bit about lately. It’s a framework used in cybersecurity to describe the various stages of a cyber attack. The term “kill chain” was originally developed by the military, and was later adapted for use in cybersecurity. The kill chain process typically consists of the following stages:

1. Reconnaissance: The attacker quietly gathers information about the target system and identifies potential vulnerabilities. Sometimes this is from the inside of a network, other times it’s from the outside. To start with, it’s external, until the attacker gains access.
2. Weaponization: The attacker creates a weapon, such as a virus or malware, to exploit the identified vulnerabilities.
3. Delivery: The attacker delivers the weapon to the target system, usually through an email attachment, tricky / fake website link, text message link, or other means.
4. Exploitation: The weapon is executed on the target system, allowing the attacker to gain access and control of servers, computers, firewalls, or similar infrastructure.
5. Installation: The attacker installs additional tools or software to take further control over the target systems/servers.
6. Command and control: The attacker establishes a connection between the compromised system and a remote server, allowing them to remotely control the system and steal data or cause damage.
7. Actions on objectives: The attacker achieves their objectives, which could include stealing data, disrupting services, or causing other damage.

Below shows this in order.

Embracing AI-infused cybersecurity automation

This mental shift, (to talking about AI as if it is normal), is not that hard to start doing. It’s just one of those key issues of acceptance that the Chief Information Security Officer, (CISO), or the CEO, (if there’s no CISO), needs to drive and embrace. Once that takes place, the downstream repercussions are all quite healthy. There’s got to be a few key experts in machine learning and product awareness, etc., but that can be achieved with a few solid hires or a value-added vendor.

“In today’s world we are in uncharted territory and the cold reality is that the strongest will survive and thrive, but they must transform first.”
George Kurtz, CrowdStrike CEO

“Embracing AI in cybersecurity automation will become a critical success factor in effectively detecting and responding to threats. The machine speed of AI can help security teams keep pace with the speed and volume of threats, and free up time for more strategic thinking and action.”
Alissa Johnson, CISO of Xerox Corporation.

“AI in cybersecurity is like a force multiplier. It amplifies the effectiveness of security teams, enabling them to detect and respond to threats in real-time, and ultimately strengthening overall security posture.”
Dave DeWalt, founder of NightDragon Security.

It is clear the danger presented by AI-based threats and this growing complexity demands automated cybersecurity responses. The real question is which solutions are best. There is no exact answer because every enterprise is different. Some have a great deal of expendable capital, others are small teams of hopefuls.

What is emerging today is completely different and many orders of magnitude more sophisticated than previous automated attacks. Market forecasters predict that the demand for AI-driven cybersecurity technologies will increase exponentially over the coming years and grow to surpass $46 billion in value by 2027.

Takeaways

While AI is anticipated to become increasingly incorporated into modern security frameworks, by default, it still requires, (for now), a conscious effort toward truly native and meaningful adoption. Here are a few takeaways...

1. Strategy first.
   Develop a legitimate, respectable, and comprehensive cybersecurity strategy that includes risk assessment, threat detection, threat response, and incident management.
2. Team second.
   Build up your internal security team, (send them to conferences, buy them books, get them into the right rooms), so that they can lead the way.
3. Spend the money. (The ROI is there.)
   Purchase ai-enabled automation software licenses, and pay the vendor some professional services fees to get it put into motion fully and properly. These software tools will monitor networks, databases, firewalls, servers, code, and pretty much everything else, to detect anomalies, respond to threats in real-time, and even predict outcomes. This is a game-changing moment for security and you don’t want to miss out.
4. Do the regular security stuff well.
   Implement MFA, (multi-factor authentication), and strong password policies...Keep software and operating systems up to date with security patches and updates....Conduct regular security awareness training for employees to educate them on cybersecurity best practices and prevent human error.... Use encryption to protect sensitive data both in transit and at rest.... Implement network segmentation and access controls to limit the exposure of critical assets to potential attackers... Conduct regular penetration testing to identify vulnerabilities and test the effectiveness of security measures... etc.