
    Google: Don’t get distracted by AI, focus on real cyber threats


    Some chief information security officers (CISOs) may be grappling with the prospect of artificial intelligence (AI)-mediated cyber attacks, but a top threat analyst from Google believes they should focus more on the tactics, techniques and procedures (TTPs) that hackers are using today, not just the tools they might use tomorrow.

    Speaking to Computer Weekly on the sidelines of Singapore International Cyber Week last month, Luke McNamara, deputy chief analyst at Google’s threat intelligence group, urged organisations to right-size the problem of AI in cyber offence.

    “The role of AI in the attacks and campaigns we’re seeing today is overemphasised,” he said. “If you look at some of the long-standing campaigns and intrusions, AI is not even playing a role in some of the most impactful breaches.”

    While threat actors have started to experiment with AI, such as translating code between programming languages or automating parts of their workflow to improve efficiency, that’s not necessarily a massive uptick in cyber offence capability, he noted.

    The bigger question is whether AI will eventually enable rookie cyber criminals to operate with the sophistication of top-tier hacking groups. “We haven’t seen that future yet,” he said. “And while we have to prepare for what might be a more complex threat environment, we need to be grounded in what we’re seeing today.”

    One of the earliest fears was that AI could be used to craft flawless phishing emails free of grammar mistakes, making them harder to detect. Although AI can help non-native speakers improve their lures, McNamara pointed out that phishing and business email compromise scams were “incredibly effective” long before the current AI boom.

    In fact, he highlighted a counter-intuitive trend from Mandiant’s latest M-Trends report, which draws from Google’s breach response visibility.

    “In the past three years, we’ve seen the percentage of phishing as a method of breaching organisations continue to decline,” he said, adding that phishing prevention efforts and security awareness training conducted by organisations are starting to pay off.

    Instead of getting lost in the AI hype, McNamara advised CISOs to focus their resources on tackling the two biggest themes in security breaches this year: the targeting of edge infrastructure like virtual private networks, as well as credential theft.

    “We should be more concerned with the overall attack techniques that are having impact, not necessarily the tools that are being used to conduct the attacks,” he said.

    For defenders, AI can offer advantages. McNamara said one of the most notable uses of the technology is operationalising threat intelligence – taking vast amounts of data from different security suppliers and internal logs and then using AI to create customised security playbooks for a specific organisation.

    AI can also contribute to the discovery of new threats. He cited Google’s VirusTotal service, which uses AI to analyse a file’s behaviour to determine if it is malicious – even without a known signature.

    “There have been a number of different pieces of malware that we’ve discovered where there were no known antivirus detections,” McNamara said. “But we were able to determine that the binary is malicious because of what the code is trying to do. That’s a very powerful use case.”

    Beyond discovery, AI is also speeding up the work of digital detectives in cyber forensics. McNamara explained that a core component of their work is attribution – linking attacks to specific threat groups by looking for similarities across malware families.

    AI can help to compare the code bases of different malware, he said, allowing analysts to connect seemingly disparate campaigns, such as an attack on a US manufacturing firm and another on a European pharmaceutical company, to the same threat actor.
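    The comparison McNamara describes, linking separate campaigns by similarity of their code, can be illustrated with a simple similarity measure. The following is an added example written for this page; it is not code from the article, Google or Mandiant. The sample names and the opcode-like token streams are constructed for illustration, and byte/token n-gram Jaccard similarity is one of the simplest such measures, not the method Google uses.

```python
"""Toy malware-family linkage by code similarity (added example).

Each sample is reduced to a set of overlapping n-token "shingles"; the
Jaccard index of two shingle sets measures how much code they share, and
single-linkage clustering groups samples above a similarity threshold.
Real attribution pipelines use disassembly, function hashes, string and
configuration overlap, and infrastructure data; this is only the core idea.
"""
from itertools import combinations

# Constructed sample "code": hypothetical opcode-like token streams, not real
# malware. Two samples share most of their code; the third is unrelated.
SAMPLES = {
    "mfg_us_dropper":   "push ebp; mov ebp esp; sub esp 0x40; call decrypt_cfg; "
                        "call beacon_http; xor eax eax; ret",
    "pharma_eu_loader": "push ebp; mov ebp esp; sub esp 0x40; call decrypt_cfg; "
                        "call beacon_dns; xor eax eax; ret",
    "unrelated_tool":   "mov rdi rsi; lea rdx [rip+0x10]; call parse_args; "
                        "test eax eax; jz exit; ret",
}


def shingles(text, n=3):
    """Split a token stream into the set of its overlapping n-token shingles."""
    tokens = text.replace(";", " ").split()
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def jaccard(a, b):
    """Jaccard index: shared shingles over all shingles (1.0 for two empty sets)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def pairwise_similarity(samples, n=3):
    """Similarity score for every unordered pair of sample names."""
    feats = {name: shingles(code, n) for name, code in samples.items()}
    return {(x, y): jaccard(feats[x], feats[y])
            for x, y in combinations(sorted(samples), 2)}


def cluster(samples, threshold=0.5, n=3):
    """Single-linkage clustering: samples whose similarity >= threshold are
    placed in the same group. Returns a sorted list of sorted name lists."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for (x, y), score in pairwise_similarity(samples, n).items():
        if score >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for pair, score in pairwise_similarity(SAMPLES).items():
        print(f"{pair[0]:>18} vs {pair[1]:<18} {score:.3f}")
    print("clusters:", cluster(SAMPLES))
```

    With the constructed samples, the two campaign samples share 11 of their 17 distinct shingles (a score of about 0.65) and end up in one cluster, while the unrelated tool shares none. Code similarity on its own is weak evidence: shared packers, copied public code and common compiler output all raise scores between unrelated actors, so an analyst treats a cluster as a lead to be corroborated with infrastructure, timing and TTP overlap rather than as attribution.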

    Ultimately, the race is against the clock. With shorter dwell times and ransomware actors often exfiltrating a company’s data within 48 hours of initial access, speed is key. “It’s a very short window of time, so we have to find ways to be faster than the adversaries.”
