Staying Ahead of Adversarial AI with Incident Response Automation

5 min read·Just now

—

A Security Engineering Commentary from industry insider Rohan Bafna SecOps Engineer.

The security operations (SecOps) community constantly seeks advancements in incident response. Consolidating security telemetry data, upgrading your organization’s cybersecurity posture, and integrating with various artificial intelligence (AI) and machine learning (ML) engines are essential to combatting adversarial AI and ML models.

Hackers will continue to have the upper hand without innovation, including adopting proactive measures and natural language processing (NLP) in the SecOps space. Powered by WormGPT and FraudGPT, hackers and scammers will continue to drive the cost of business higher as organizations pay more for cyber insurance.

This blog discusses the need to phase out traditional security measures and the need to adopt various automation, adaptation control, and processes SecOps teams can use to combat adversarial AI.

Hackers, like organizations, invest in artificial intelligence (AI) and machine learning algorithms (ML) and capabilities. Organizations invest in AI to help transform their business operations and product development, optimize their financial systems, and provide greater automation within their customer success and marketing operations.

Hackers also invest in AI and ML with predictive analytics to help develop their cyberattack tools, increase their attack automation capabilities globally, and optimize their ability to collect ransom in Bitcoin and other cryptocurrencies faster and more securely.

As both entities continue to invest their capital, which one continues to show a return on their investment (ROI)? Surprisingly, the hackers see increased revenue from their illicit activities. Legitimate organizations continue to invest large amounts of capital with little hope of a return, even after adopting new robust security measures.

Hacker-enabled adversarial AI attacks take various forms. Some become enhanced because of AI, and others become new.

91% of all cyberattacks start with email phishing. Hackers continue to strengthen their email phishing by enabling AI to help better adjust their various attack vectors based on real-time analysis of the current campaign. The security telemetry they collect within the Large Language Models (LLM) becomes processed using AI algorithms to create data sets. These data sets provide the specifics for hackers to adjust their phishing attacks.

Generative AI tools like OpenAI, ChatGPT, FraudGPT, and WormGPT help create extraordinary content. The content is excellent and lifelike. The music and motion picture industry has already raised several issues about protecting their intellectual property.

Hackers, scammers, and cybercriminals use these tools to create deepfake content. This content could be an AI-generated picture of a presidential candidate looking intoxicated or an AI-created audio file used in rogue roll-a-dial political campaigns.

Hackers attack supply chains, which is a complicated yet rewarding activity. Supply chains consist of several organizations, including logistics, shipping, product, warehousing, legal, financial, and compliance entities. Any of these entities becomes susceptible to cyberattacks.

Adversarial AI extends many functionalities to hackers, including creating complex and yet effective kill chains against supply chains. These kill chains comprise several attack vectors. Prior to AI, hackers needed to determine which attack tool would deliver the most effectiveness during the execution of the kill chains. With AI, hackers can automatically adjust the sequence of the attacks based on the processed telemetry data in real-time.

Legacy security operations (SecOps) without AI will not stop adversarial AI attacks. Before adversarial AI attacks, most SecOps teams used basic behavior-based analytics, human intervention, and a combination of static and dynamic signature updates across their firewalls, IPS, and antivirus solutions.

Adversarial AI nullifies the ability of legacy cybersecurity protection capabilities to stop next-generation sophisticated attacks. AI tools empower hackers to alter their attack campaigns faster, making their victims’ ability to react even more challenging. Hackers using AI tools can change where the attacks will occur, who is being targeted, and how the velocity of the attack should be. These attack techniques become altered when they detect that the surface of their victims’ attack has changed.

Organizations recognizing the constantly growing threat of adversarial AI update their cybersecurity protection architectures with AI and ML defensive capabilities. Many security vendors, including Trustifi, Cisco, Palo Alto, and Microsoft, incorporated AI into their solutions to help combat adversarial attacks.

At the core of AI-powered cybersecurity solutions is applying automation across all facets of the architecture. Several security solutions, including email security from Trustifiextended detection and response (XDR) from Palo Alto, observability from Cisco/Splunk, and OpenAI within Microsoft 365, help organizations use AI to improve security response times, address the increase in suspicious activities, and reduce the potential damage from zero-day attacks.

Within SecOps, several functions benefit from AI.

• Automated Incident Response.
• A successful function of AI for cyber defense is leveraging a centralized collection of security telemetry information from the entire organization’s hosts, endpoints, network devices, and cloud instances.
• Automated threat intelligence access.
• Automated remediation of critical systems as part of the computerized incident response strategy.
• Enable automated notification and reporting.
• Enable automated playbooks for each attack vector.

Before AI automation, SecOps teams performed several manual functions, including incident response, case management, and threat research. The ability to interact on a per-incident basis is now a thing of the past. SecOps engineers continue to struggle with the stress from the sheer volume of attacks. AI-powered automation tools allow SecOps engineers to focus more on strategy and creating executable automated functions instead of responding to each attack.

Here are some other positive takeaways of enabling security automation powered by AI:

• AI automation can handle several security incidents simultaneously.
• AI becomes a continuous learning machine. As new threats emerge, your organization’s automated incident response becomes even more effective.
• The organization’s ability to lower their mean-time-between-detection (MTTD) and their mean-time-between-response (MTTR) is a successful byproduct of AI automation.

The cybersecurity industry powered by AI is happening now. This important innovation is a must for organizations to enable today, even if it is not perfect. Hackers continue to find innovative and profitable ways to exploit their victims using AI.

Businesses wanting to meet compliance mandates, lower their cyber insurance premiums, and reduce their security operations costs need to invest in AI for cyber defense. Using AI for risk reduction is another successful byproduct that organizations will bear witness to.

Moving your organization to a proactive approach toward its security model requires the adoption of AI and ML. As AI-enabled attacks become more common, your AI defensive strategy is ideally positioned to stay ahead of the hackers.

Rohan is a security operations engineer based in the New York City area. He holds a master’s in computer science from Rochester Institute of Technology and an undergraduate degree from Thadomal Shahani Engineering College in Mumbai, India.

Rohan’s experience in security operations automation extends well into the enablement of artificial intelligence machine learning and developing next-generation security orchestration automation and response (SOAR) functions. Along with mastering SecOps automation, Rohan mentors many first-year engineers interested in learning more about modern security engineering, including deploying Cisco/Splunk for observability and better-automated notifications.

Rohan can be reached at (email protected) and on LinkedIn at https://www.linkedin.com/in/rohan-bafna-0911807b/.

#SecOps #engineering #cybersecurity #AI #ML #compliance #adversarialAI #governance #SOAR #automation #CISO #CIO #CDO #CFO