
Rob Vann, Cyberfort: Why are dangers driven by artificial intelligence causing a rethink of cloud security plans?

Chief solutions officer at Cyberfort Rob Vann shows how artificial intelligence is drastically altering the threat scene for cloud settings.

In what ways is artificial intelligence fundamentally altering the danger scene for cloud environments?

This is a fascinating issue as, naturally, artificial intelligence is a weapon available to both good and bad actors. Assume for now that we are mostly focused on the negative.

Mass attacks have always been less successful (and more costly) than targeted threats. AI helps to combine the magnitude and cost of a mass attack with success more in line with the planned strategy. Particularly in the realm of clouds, there are several methods whereby artificial intelligence might “add value, complexity, and finally a more successful outcome to an attack.”

These include simple techniques (such as AI used to populate brute force attacks, or Generative AI used to support targeted access requests) through adaptive malware, with AI asked to rewrite code to bypass any or other detections, the more direct use of AI to detect and leverage vulnerable systems, or identify and exploit organisation level misconfigurations through scanning, probing and researching at speed (though perhaps more concerningly it can also apply the same speed and techniques to shared cloud or multi use APIs for example, compromising large scale one to many systems).

AI can also be used to support more targeted approaches, its speed and ability to process data compressing attacks, and their outcomes, for example automating lateral movement, persistence and privilege escalation techniques, enabling attackers to quickly identify and acquire high value data in large cloud storage environments, or editing log files/manipulating other data to hide the breach and obstruct its investigation.

Given AI-powered threats, to what degree do you believe conventional cloud security solutions are becoming outdated?

Cybersecurity has always been a playing field skewed in the attacker’s favor, with the attacker only needing to succeed once and the defender needing to succeed every time. The past response goes some way in supporting this.

Many of the conventional methods of cloud security are not in line with the scale, speed of execution, and complexity of artificial intelligence led or backed attacks. Perhaps more importantly, “good enough” security mechanisms help to support most of the advantage that people experience from Cloud settings; point-of-time security follows deployments and a great reliance on human factors still remains.

Conventional methods can depend mostly on static defenses, like specified access restrictions, fixed rule sets, and perimeter-based edge protection. These methods presume a very consistent threat environment and are meant to prevent recognized attack routes. Coupled with reactive expert resources needing the timing of a human contact to react to the dangers, our AI colleagues’ eyes are beginning to “light up” at the opportunities for causing havoc.

Attacks that used to take days of meticulous planning and organization today happen in a few seconds. Legacy defenses “could” in principle handle this — if everything was patched and set up correctly all the time, and all resources behaved perfectly all the time, and nothing was dependent on a third party or supply chain ever, then there could be a chance for example. The actual universe of security is quite different from this nirvana.

“You don’t have to be the fastest to get away from the bear, you just have to not be the slowest,” advises a heritage piece of wisdom. Perhaps 1000 faster, stronger, more aggressive cockroach sized bears are following every consumer at once in an artificial intelligence attacker driven environment. You most likely won’t even see them until they bring you down.

How can businesses implement sensible plans to keep ahead of new cloud-based risks?

Like the bad guys, you can strengthen your defenses with AI capability as well.

Let’s start with the basics, then move what you can to automation (for example using infrastructure as code, pipelines with automated testing to remove human configuration errors or complexity, automating the execution, validation and segregation of backups, and constantly testing for exploitability of core systems). Then let’s turn to a focus on the surrounding elements (like identification) that are typically needed to infiltrate your systems and become more active in isolating and controlling suspected activities. Work under the “assume breach” concept, separating and closely monitoring and reacting to central systems to remove suspected access therefore allowing time for investigation and then, if benign, restoration. Plan and consider how you maintain important systems running during these times so that your services remain even if a key person or system access is momentarily turned off.

Given all the artificial intelligence rhetoric, it’s crucial not to entirely discount the human element in this process. Establishing thorough, ongoing education initiatives to provide your security staff the information and skills required to grasp and fight AI-powered threats should be a top priority. Organizations can guarantee that their teams remain ahead of the changing threat environment and are ready to fight sophisticated assaults that utilize artificial intelligence and machine learning technologies by encouraging a culture of continuous learning.

Let us then begin to incorporate some of those AI level defenses.

First, use artificial intelligence (please avoid using public systems; you would be training them on how to attack you) or find an evidenced safe partner who can train and align a private generative AI to support you and simply ask it how it would attack you, then plan your defences accordingly. Before distributing data, remember to evaluate the security of the partner's system and document the deletion of your data. In a digital twin situation, this will provide value in matching your defenses and verifying your controls.

Second, use constant cloud posture management to identify any mistakes or misconfigurations in almost real time and leverage artificial intelligence to drive your detections. A rich source of “things that could be bad but are definitely different” to sort through the noise of millions of occurrences to discover the 10 that are relevant is machine learning to generate anomaly information.

Thirdly, use AI to drive response actions; this is the final state and should be planned and approached carefully as active automated response can affect business and continuity; nevertheless, assuming breach, remove misconfigurations, contain (and release) assets to provide time to investigate, validate and release benign activities.

As always, security is a two-edged sword; the best approach to make things most secure is to turn off and decommission them, but this clearly results in no financial benefit from the asset. If done properly, these kinds of attack require a different approach of implementing zero trust and continuous CSPM with automated responses; if done incorrectly, it will give you the best of both worlds, response to AI driven attacks at AI scale and speed, but if done without thought, planning and expert, experienced support and knowledge will perhaps create significant business issues.

Could you perhaps provide any actual case studies of companies effectively adjusting?

I lately dealt with a customer who had experienced an issue. They asked us to review developing their defenses following the DFIR engagement; we guided them in securely implementing the following actions:

(1) Through a PAM solution, migrate identity controls for cloud platforms to their corporate IAM system. This meant that, across the company, the policies, monitoring, and (after planning and testing) automated responses were consistent.

(2) Include testing and remedial action into their build pipelines to reduce the possibility of using exploitable code.

(3) Except for some essential systems serving consumers, their production environment’s integration into the SOAR (security orchestration automation and response) and the creation of suitable playbooks to contain and release suspected assets and resources is underlined.

(4) Using later automated continuous CSPM (cloud security posture management), which eventually corrected >90% of problems automatically in real time

(5) Their EDR tooling’s spread throughout the manufacturing sector

(6) Additional training for their resources, including sessions especially targeted at developers, architects, and real world deep fake video examples for the whole company.

Photo on Unsplash taken by Growtika
