“The focus of cybersecurity is too much on technology and too little on people” – AI helps, but is not enough on its own

AI has been shaking up the cybersecurity industry for years, but the human role remains crucial, says Harri Sylvander, who leads Google Cloud’s Mandiant incident management team in Europe.

There is no reason to downplay the importance of rapidly developing technology and its role in aiding defenders. The barrier to entry for cybercrime has been lowered, as even demanding operations can be carried out with the help of AI without in-depth technical expertise. For example, AI can be used to produce malware that can independently modify its code to make it more difficult to detect.

“AI is also being used to create more and better deep fake content. We have been involved in several cases where organisations have been close to losing large sums of money. In one case, attackers had modelled the CEO and CFO so well that the attacker was able to participate in an online meeting as their virtual avatars,” says Sylvander.

Effective cyber defence is a close collaboration between humans and technology

For cybersecurity professionals responsible for online safety, AI is at least as important a tool as it is for those who design attacks. AI speeds up the ability to react and improves the efficiency of incident management. It can be used to automate repetitive tasks so that the people analysing the incidents can have a greater impact, focusing their efforts on interpreting the findings and preventing problems.

Sylvander and his team constantly produce up-to-date situational information on the online threat landscape, organised groups and the forces behind them.

“Many online groups can be identified by their tools and operating models. Our job is to profile and monitor them so that we can anticipate potential threats. For example, monitoring the dark web and Telegram channels is essential, as they are where you can see what kind of information is being traded,” says Sylvander.

One example of the human role is the risk associated with international recruitment. Well-resourced state actors in particular seek to spy on organisations of interest through high-level experts who apply for jobs with them. When top experts serving state interests gain access to the target organisation's systems, the consequences can be very serious if operational anomalies are not detected in time.

The golden rule of up-to-date cybersecurity: don't assume

“The idea that cybersecurity is in good shape is dangerous from the outset. It is human and very common to assume that the online environment remains constant, even though in reality the situation may have already changed significantly. People think they know what is happening online, but far too often our investigations reveal something completely different,” says Sylvander.

For the experts in real-time SOC services, it is essential to understand what threats exist and what is happening online. AI is an important aid here and an essential part of a modern cybersecurity organisation's operations.

“Monitoring attackers' methods and motivations partly explains why the use of AI is necessary for effective protection. In the past, it was common to hide in a target network for a long time and steal data stealthily, and many state actors still operate this way. Now, more and more actors want money immediately by blackmailing the target organisation or offering data for sale,” says Sylvander.

Sylvander cites statistics according to which the median time from gaining access to a network to the intruder's detection has fallen from 416 days in 2011 to the current 11 days. The time from the disclosure of a new vulnerability to its first exploitation is less than one week.

The acceleration of the cycle pushes the limits of human detection and reaction capacity: effective reaction requires advanced technology. Thanks to AI, the processing of data and the analysis of the overall picture are radically accelerated.

Attackers' methods are changing – and the fault is often in basic security

Mandiant collects statistical data on how attackers have gained access to the target network. Of the incidents handled in the Europe, Middle East and Africa region, 39% exploited various vulnerabilities, 16% used stolen username-password combinations and 14% used phishing messages.

“The most important lesson from these statistics is that a remarkably large proportion of attacks could have been prevented by implementing basic security best practices and regular updates. The implementation of two-factor authentication alone could have prevented a quarter of all attacks. It is alarming that almost one in 10 attacks exploited a known problem that had not been fixed,” Sylvander emphasises.

Sylvander stresses that an essential part of cybersecurity is preparation: not so much a ready-made plan, but continuous planning and the validation of realities. Organisations that take cybersecurity seriously need ways to constantly monitor whether things are really as they are assumed to be. Only in this way can they effectively detect if something has changed, and AI is doing a great deal to change this process for defenders.