Cybersecurity's Cold War
The modern war game - at the iron curtain, AI-powered threat actors battle AI-bolstered cybersecurity defenses.
It’s 1983. Peak Cold War. Ronald Reagan is at the helm of the 1st world, escalating tensions with the “evil empire”. The US invades Grenada to stop a Marxist coup and the Soviets shoot down a Korean passenger plane. The on-the-nose Cold War drama WarGames, starring a young Matthew Broderick, hits theaters.
Without spoiling too many details, WarGames features a teenage hacker who inadvertently accesses a military supercomputer designed to run simulations of global thermonuclear war. As the system learns, it threatens to actually launch a strike. Matthew Broderick races to stop it.
Little did moviegoers know - they were watching the future of AI in cybersecurity accurately predicted on screen! Matthew Broderick discovers how AI would be applied to cybersecurity left of boom over 40 years later - how machine-generated simulations of potential threats could help identify & prioritize vulnerabilities and suggest ways to remediate them. As the system turns to real-world action, he also discovers one potential type of AI threat (a countdown to launch a preemptive nuclear strike and kick off WWIII) right of boom, and acts as the response team. More on this later…
Who knew pop culture was such a strong leading indicator of future cybersecurity trends? Maybe venture investors should pay more attention.
Jokes aside, the landscape of threats and how we handle them is changing rapidly. The ominous sci-fi predictions of yesteryear are coming true. In order to understand the ongoing shift, let’s map existing and potential new cybersecurity threats & tools to Sounil Yu’s cyber defense matrix.
Starting with the traditional cybersecurity tool stack:
Apologies in advance to the cybersecurity layman - the above is an alphabet soup of acronyms. Most importantly, Identify, Protect, Detect, Respond, and Recover are the five core functions to achieve cybersecurity goals. In more detail:
- Identify: Managing cybersecurity risks.
- Protect: Implementing safeguards to minimize the potential and impact of attack.
- Detect: Monitoring and discovering ongoing threats by malicious actors.
- Respond: Responding to detected threats in real time and remediating the incident.
- Recover: Restoring capabilities and functions after the incident.
Devices, Networks, Applications, Data, and Users are the asset types where each function is performed.
Anything in the Identify or Protect categories is left of boom - before a threat occurs. Anything in the Detect, Respond, or Recover categories is right of boom - after a threat occurs. Each box contains various cybersecurity tools (the acronyms) that perform the respective function on the respective asset.
Going back to our movie analogy - the AI simulations of thermonuclear war are left of boom and Matthew Broderick responding to said simulations as they go awry is right of boom.
AI has the potential to change how we think about some of these boxes. As WarGames taught us, AI will likely substantially expand the cybersecurity threat surface. Rather than a human adversary - like the Soviet General Secretary - triggering an attack, it could very well be an AI agent. Threat actors are blurring the lines between human and machine. Notably:
1. AI is a master mimic
   - AI will pretend to be human
      - Deepfake agents can masquerade as specific individuals to phish and social engineer. This poses a real challenge for auth.
      - Agents can emulate human behavior, thwarting UEBA and anti-bot tools while conducting malicious activities. AI can already solve 100% of captchas!
   - AI will pretend to be other machines
      - Agents will emulate network traffic, file structures, etc., evading detection and response.
2. AI is smarter than most
   - AI will lower the barrier to entry for attacks by automating work that used to be manual and required technical expertise. Just as GitHub Copilot is making everyone a software engineer, new illicit tools may make all criminals cybercriminals. “Script kiddies”, i.e. unsophisticated hackers, will exploit vulnerabilities without in-depth technical know-how.
   - Agents can analyze data from breached sources or social media to craft highly personalized attacks at scale.
3. AI likes to learn and doesn’t get tired
   - AI can help malware be polymorphic - changing code continuously - making it difficult for traditional signature-based detection systems to identify it.
   - Agents can find and take advantage of vulnerabilities in real time - much faster and more opportunistically than any human hacker.
4. Benevolent AI can be swayed to the dark side
   - AI tools used for things like network monitoring or predictive analytics could be hijacked and used to undermine an organization’s defenses or gather intelligence for more advanced attacks.
   - Techniques like prompt injection and jailbreaking may trick benevolent AI into acting in unintended ways and/or revealing confidential information.
Mapping the changes to the cyber threat surface due to AI to the cyber defense matrix’s asset types:
On the flip side, AI has the potential to substantially improve the sophistication and efficacy of cyber defenses. WarGames taught us this too - simulations of nuclear war helped teach how to defend against adversaries. Items 1 through 4 above can be re-mapped to the defensive side:
1. AI is a master mimic
   - Agents will simulate real-world threat actors - helping to identify vulnerabilities before they’re exploited.
      - Enterprises typically have a dedicated team or hire external consultants to simulate cybersecurity threats. Techniques include penetration (pen) testing, where various tools continuously scan for vulnerabilities and skilled analysts intervene to validate results, and red teaming, where sophisticated white hat hackers attempt to creatively exploit systems. This can be labor intensive and expensive. For instance, large enterprises typically spend upwards of $1m per year on their 1-2 red team engagements. Agents may be used to automate and scale penetration testing and red teaming.
   - AI can automate repetitive tasks performed by security analysts
      - Within the enterprise, the security operations center (SOC) is responsible for monitoring various cybersecurity tools and responding to threats and vulnerabilities in real time. The SOC receives tens of thousands of alerts per day, of which only 1-2% are critical and require immediate attention. Traditionally, sorting through all of these alerts is time and labor intensive. Agents are helping prioritize these alerts and eliminate false positives, making the SOC more efficient and improving response time.
      - AI may also automate other tasks for the SOC and IT - like patch management, vulnerability scanning, and system monitoring.
2. AI is smarter than most
   - Traditionally, malware is detected by comparing programs to a database of known malware signatures. More contemporary approaches combine this with behavioral analytics of how programs behave when executed and network traffic analysis of suspicious activity or malware communication. These detection methods often fail to recognize new or polymorphic malware. Agents can detect previously unknown malware by more effectively analyzing behavior, patterns, and structures. They can even spot emerging threats, including zero-day attacks.
3. AI likes to learn and doesn’t get tired
   - Agents can learn from attacks and adapt defense mechanisms in real time. Rather than wait for patches or new cybersecurity tools, soon defenses may evolve based on new attack patterns, vulnerabilities, or changes in the environment via a reinforcement learning mechanism. For example, agents may segment networks or change firewall rules automatically to minimize the damage from breaches.
4. Malicious AI can be swayed away from the dark side
   - Malicious AI that adapts to real-world data may be neutralized using honeypots and adversarial benevolent AI that trick it into behaving unexpectedly. For instance - fictitious files and network traffic may fool a ransomware agent into revealing its encryption keys.
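The contrast between signature matching and behavioral analysis described in the malware-detection item above, as an added example that is not part of the original post. The sample bytes, the event names and the `ENCRYPT_PATTERN` rule are constructed for illustration and do not come from any real product.

```python
import hashlib

# Constructed toy bytes standing in for a known-bad file; not real malware.
KNOWN_BAD = b"\x4d\x5a" + b"toy-sample-body"
# Signature database: SHA-256 digests of previously seen bad files.
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# Hypothetical behavioral rule: sandbox events that, in this order, suggest
# bulk file encryption. Event names are made up for this example.
ENCRYPT_PATTERN = ("enumerate_files", "read_file", "write_encrypted", "delete_original")


def signature_match(sample: bytes) -> bool:
    """Exact-match lookup: any change to the bytes changes the digest."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES


def behavior_match(trace, pattern=ENCRYPT_PATTERN) -> bool:
    """True if pattern occurs in trace as an ordered subsequence."""
    events = iter(trace)
    # 'step in events' consumes the iterator up to the first hit, so order is enforced.
    return all(step in events for step in pattern)


# Constructed samples: (file bytes, sandbox event trace).
SAMPLES = {
    "known_sample": (KNOWN_BAD, list(ENCRYPT_PATTERN)),
    # Same behavior, different bytes, extra unrelated events in the trace.
    "new_variant": (KNOWN_BAD + b"\x00pad", ["dns_lookup", "enumerate_files", "read_file",
                                             "sleep", "write_encrypted", "delete_original"]),
    "backup_tool": (b"toy-backup-tool", ["enumerate_files", "read_file", "write_archive"]),
    # Legitimate encrypt-in-place utility: trips the behavioral rule (false positive).
    "encrypt_utility": (b"toy-encrypt-utility", list(ENCRYPT_PATTERN)),
}


def classify(name: str) -> dict:
    """Run both detectors on one constructed sample."""
    data, trace = SAMPLES[name]
    return {"signature": signature_match(data), "behavior": behavior_match(trace)}


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:16} {classify(name)}")
```

The `encrypt_utility` row is the kind of false positive that ends up in the SOC alert queue discussed earlier, which is why behavioral rules are paired with triage rather than used alone.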
Mapping AI disruptions to the cybersecurity tool stack to the cyber defense matrix’s functions:
The race between the emerging AI threat surface and improved cybersecurity stack will be a continued war game. Increasingly powerful AI adversaries will lead to more sophisticated AI defenses.
Unlike 1983, 2024’s Cold War is between AI-driven threats and AI-bolstered defenses.
If you’re a startup building next generation cybersecurity defenses using AI, I’d love to chat. If you’re a cybercriminal leveraging AI, please steer clear.