I’ve recently been interested in Artificial Intelligence technologies and how they could be used to improve the cybersecurity capabilities for both individuals and organizations. This prompted me to build PhishText.Ai, which I showcased in my previous blog post. I wanted to expand on this topic and write down some broader thoughts I’ve had, while brainstorming a few ideas for other tools I could build to further explore this new technology.
The Problem Space
The cybersecurity landscape is constantly changing and evolving, with new threats, tools, techniques and tactics being introduced on a near daily basis. Not only are the threats increasing in complexity and sophistication, but so too is the volume of threats an organization needs to contend with. This poses a real challenge to organizations and individuals globally who are tasked with staying one step ahead at all times, and relying solely on ‘traditional’ methods of ensuring security are proving to be inadequate. AI and automation have emerged as promising solutions that can improve efficiency and effectiveness of cybersecurity processes, transforming the way we protect our assets, our information, our customers and ourselves.
The Power of AI and Automation in Cybersecurity
While cybersecurity vendors have been pushing the ideas of AI, Machine Learning and Automation for a years now, it’s only recently that the wider public has started to actually see the practical appliations through the introduction of generative AI tools such as ChatGPT. Through the use of AI tools such as ChatGPT or Microsoft’s Security Copilot, it is now possible for AI to start being integrated into existing processes rather than being a ‘feature’ of an expensive vendor product.
AI and Large Language Model technologies provide ways for large volumes of data to be analyzed, identifying any patterns or abnormalities. Through this data analysis, it’s also able to make predictions or provide recommendations based on an understanding of historical data and emerging threat patterns. AI technology can therefore be used to process and analyze security related data, with the outcomes AI provides being another tool to augment already existing processes. Frameworks around how AI can be integrated into organizations are already being created, with the SPQA model by Daniel Miessler being an example.
Automation can be used to perform tasks that were traditionally handled manually, primarily through writing lines of code to perform these actions for you. This allows for greater speed and scale to be achieved than is possible for humans. Automation can used in cybersecurity to reduce response time or improve efficiency in a range of processes. When coupled with AI, it’s easy to see a world where the output and recommendations from AI could be automatically used in follow-up response procedures through automated actions that will ultimately allow for a faster, more sophisticated and hands-off security capability.
This doesn’t have to just be limited to response actions though, as there are many processes that exist outside of incident response that could benefit from integration with AI or automation. Below are a few examples of ideas where basic AI and automation could be used in processes that already exist for many organizations or individuals. Below are some ideas for how AI and automation could be implemented without the use of any extra expensive tooling.
Practical Examples and Ideas
Automated Phishing Analysis – PhishText.Ai is a proof-of-concept tool to to identify potential phishing attempts in SMS messages. It uses a combination of AI language evaluation and web security checks to evaluate the contents and URLs in a SMS message to determine if the SMS is a phishing attempt.
Automated News Summary Generator – An application could be built that scrapes news articles from a range of news sources, analyzes the content with AI and generates summaries or reports. This would provide a quick overview of top news stories with links for further reading to save on time and focus on specific areas of interest. The tool could be given directions based on industry, role, tech stack, etc. to tailor the news reporting into the most relevant pieces of news for each individual.
Automated Indicator of Compromise Standardization – Threat intelligence often includes numerous IOCs, typically gleaned from a variety of sources and presented in a range of formats. A tool could be built to automatically parse through diverse threat intelligence feeds, extracting and standardizing IOCs in a consistent and actionable format. This threat information could eventually be used directly in existing tooling and processes for enhanced threat hunting or preventative action.
SIEM Query Language Converter – Different SIEM platforms often use different query languages for data retrieval and analysis. An AI-powered SIEM query language converter could address this problem – building a converter tool that could interpret queries written in one language and translate them into another saving time and reducing errors that might occur from manual translation.
AI Patch and Vulnerability Management – AI could be used to identify, prioritise and report on vulnerabilities within an organizations infrastructure. Automation could be used to apply patch updates as soon as they are available or during periods of low system usage.
Challenges, Considerations and Risks
The most obvious concern around AI technology currently is around data privacy. AI systems require a significant amount of data to function, and it’s not entirely clear how the submitted data is used by the companies that produce this technology. This raises questions of how to ensure these AI systems respect user privacy and maintain compliance with data protection laws and regulations. AI systems are currently seen as ‘black box’ technology that lack transparency into how they operate and make decisions. This results in a lack of trust, which is a crucial element in sensitive industries such as cybersecurity.
It’s worth noting that the industry has already recongnised the need for standards and frameworks to be set for the adoption and use of AI. NIST recently released their AI Risk Management Framework to “improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems”. The New Zealand Government has also recently published their Interim Generative AI guidance for the public service as they work on formalizing their approach to this technology. As the industry develops their standards, and companies begin to adopt and introduce corporate offerings, this issue should start to become more clear.
Finally, both AI and automation are not infallible, and over-reliance on their effectiveness and accuracy could lead to complacency – resulting in missed threats or overreactions to false positives. I firmly believe that AI and automation should be treated as tools that enhance human capabilities and not as outright replacements.
Conclusion
The integration of AI and automation has a lot of potential to make a positive impact on cybersecurity capabilities, lowering the bar to entry for many individuals and organizations while simultaneously raising the collective level of capability. If integrated and used in a cautious, balanced approach, these tools could offer practical ways to identify and respond to threats with increased speed and accuracy, or to streamline and improve routine processes that currently exist. As these technologies continue to improve and develop, it’s crucial that they are approached in a way that leverages their strengths while still being mindful and aware of their limitations and risks.
KentoSec 