Defending Against AI-Powered Cyber Threats with Effective Threat Intelligence

By Rohit Dhamankar, VP, Product Strategy, Fortra

AI is changing everything about the threat landscape. But how fast it upskills our threat intelligence is up to us.

Artificial intelligence is making exploits faster and smarter. It’s reducing dwell time. And it’s bringing script kiddies back with a vengeance. 

But mostly, it’s accelerating attackers’ ability to customize attacks. 

If we’re smart, we’ll take a page out of their books and fight back with highly customized threat intelligence of our own. Generic threat feeds are not going to cut it against sniper-like precision.

We’ll need AI to do that. 

AI-Powered Attacks: A New Era of Sophistication

AI is giving cybercriminals and casual hackers alike near-unlimited potential to customize their attacks. 

AI-Powered Voice Spoofing

Before the AI boom, many high-security workflows treated voice authentication as a final check. Your voice could authorize the transfer of funds or the execution of a remote command. 

Thanks to the sophistication of AI voice-cloning scams, a lot of professionals have removed this feature. Myself included.

Our voices are “out there” in webinars, TED talks, and recorded video conferencing calls, and AI crawlers regularly scrape the internet for exactly this kind of data. Voice alone can no longer be trusted as an authentication factor.

Biometric Hacking

Remember the old days, when stealing someone’s fingerprint meant lifting it with a piece of Scotch tape? Not anymore.

Hacking tools and trojans are already being used to bypass biometric locks on banking apps and to harvest facial recognition data. It won’t be long until AI’s ability to deepfake fingerprints moves out of the realm of theory and into the real world. 

We have to be increasingly wary of where and how we use biometrics, backing them up with cryptographic authentication methods where possible (for example, hardware-bound credentials such as FIDO2 authenticators, which cannot be cloned from a recording or a photograph).

Lightning-Fast Dwell Times

At the height of the “ransomware era” 3-5 years ago, attackers’ primary focus was on minimizing dwell time. If an attacker could infect the network, move laterally to maximize damage, and get out before getting caught, that was a win for threat actors.

LockBit is probably the prime example of this. Between 2022-2023, LockBit was one of the largest, most prolific RaaS groups in the field, known for its “business-like” efficiency and speed, having one of the fastest encryption times on the market. LockBit’s 2.0 and 3.0 iterations (“LockBit Black”) could encrypt 100,000 files in under 45 minutes, outpacing the speed of most incident response teams.

Speed still decides outcomes. AI is only going to make this process faster and more reliable. By automating reconnaissance, autonomously exploiting vulnerabilities, and building security tool evasion into their exploits ahead of time, AI-assisted attackers can achieve breakout times of under 30 minutes. 

Once, ransomware success depended on the speed and expertise of the human operator driving the attack. They may have been good, but defenders had a chance of chasing them down with the right skills and incident response systems in place.

Now, it can be the work of an autonomous AI agent. And only AI-powered defense will have the firepower to stop it. 

AI-Powered Remote Operators

Remote access attacks are another place where AI is having an impact. Until recently, it was solo attackers in the criminal underground sitting behind multiple dashboards and moving at human speed.

In the near future, I predict autonomous AI agents will be the ones manning the controls behind these attacks. 

The Rise of Script Kiddies

AI is rewarding a generation of low-level technical hackers, or “vibe coders.” Once referred to as script kiddies, this new generation may be even less skilled and even more dangerous.

AI makes complex, multi-stage attacks possible for novices and those with little to no technical background. This leads to the production and dissemination of AI malware at scale, and a record low barrier to entry for cybercrime.

The only way forward is to head off AI-driven threats before they become an issue. But generalized threat intelligence is not going to do that. 

The Imperative for Personalized Threat Intelligence

The industry has always given defenders very generic information. These are the vulnerabilities being exploited across the board. These are the IPs that are supposed to be dangerous to everyone.

But context is key. An IP flagged as malicious in a generic feed may sit on shared hosting, a CDN, or a SaaS provider that our own systems depend on; block it blindly and you break the business instead of protecting it.

This contributes to the firehose of information being shot at SOC analysts, drowning them in alerts and threat feeds that aren’t relevant to their sector. 

Industry-Relevant Is Not Enough

Organizations can turn to ISACs and ISAOs for slightly more relevant threat data, but even those don’t take into account the granular difference between each ecosystem.

Importantly, these are granularities attackers do not miss. 

This is why it is essential to realize that the threat intel you receive must be as tailored to your environment as the attacks that target it. 

Even Within Your Sector, Your Environment Is Unique

If you have two cloud-native startups both running AWS, they are going to do it differently. One is going to have its own set of SaaS apps. The other will have different requirements for how users can access its services. Even AWS can be used dozens of different ways within very similar architectures.

One company’s environment is not the same as anybody else’s. Which means that their threat intelligence cannot be either.

Defining Priority Intelligence Requirements (PIRs)

In Forrester’s recent report on the State of Threat Intelligence, analyst Jitin Shabadu highlighted the importance of establishing your Priority Intelligence Requirements (PIRs), or top-line questions designed to get to the heart of what really matters when collecting threat intel.

PIRs examine both the business and the security program, so defenders know which threat intel to take in and which to leave out. In other words: customization. The aspects under scrutiny are company-specific:

  • Threat actors
  • Malware campaigns
  • Industry trends 
  • Geopolitical risks
  • Stakeholder needs

The bottom line is that threat intelligence must be tailored to an organization’s unique threat landscape. This means its unique architecture, attack surface, policies, risk appetites, industry (highly regulated bank vs. SaaS startup), and business profile. 
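As an added illustration of what “tailored” means in practice (this is example code, not from the article, Fortra or Forrester): the script below encodes PIR answers as a small organization profile and uses it to score a constructed, sector-agnostic feed. Entries for products the organization does not run are dropped, entries tied to its sector, stack and priority actors are promoted, and, per the earlier point about “threatening” IPs, any address inside a range the business depends on is routed to a human for review rather than auto-blocked. The feed format, field names, actor labels and weights are all assumptions made for this example.

```python
"""Score a generic threat feed against one organization's PIR-derived profile.

Added example; the feed entries, profile and weights are constructed for
illustration and do not describe any real feed, vendor or actor.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed sample feed, the kind of generic data a commercial feed or ISAC
# might deliver. Addresses are from the RFC 5737 documentation ranges; actor
# and product labels are placeholders.
FEED = [
    {"id": "f-001", "type": "ipv4", "value": "203.0.113.7",
     "tags": ["c2", "ransomware"], "actor": "actor-a", "sectors": ["finance", "saas"]},
    {"id": "f-002", "type": "ipv4", "value": "198.51.100.23",
     "tags": ["scanner"], "actor": None, "sectors": ["any"]},
    {"id": "f-003", "type": "vuln", "value": "vmware-esxi",
     "tags": ["exploited"], "actor": None, "sectors": ["any"]},
    {"id": "f-004", "type": "vuln", "value": "okta",
     "tags": ["exploited"], "actor": "actor-b", "sectors": ["saas"]},
    {"id": "f-005", "type": "ipv4", "value": "198.51.100.200",
     "tags": ["c2"], "actor": "actor-b", "sectors": ["any"]},
    {"id": "f-006", "type": "domain", "value": "login-portal.example",
     "tags": ["phishing"], "actor": "actor-c", "sectors": ["healthcare"]},
]


@dataclass
class OrgProfile:
    """Answers to the PIR questions: what we run, who targets us, what we rely on."""
    sector: str
    tech_stack: Set[str]          # products/services actually deployed
    priority_actors: Set[str]     # actors known to target organizations like ours
    # Ranges belonging to providers or partners the business cannot work without.
    # An indicator in these ranges is never auto-blocked; it goes to a human.
    dependency_nets: List[IPv4Network]


# Constructed profile for a hypothetical cloud-native SaaS company.
PROFILE = OrgProfile(
    sector="saas",
    tech_stack={"aws", "okta", "github"},
    priority_actors={"actor-b"},
    dependency_nets=[ip_network("198.51.100.0/24")],  # e.g. a SaaS provider we integrate with
)

# Assumed weights; a real program would derive these from its own PIRs.
TAG_WEIGHTS = {"c2": 2, "ransomware": 2, "exploited": 2}


def relevance(entry: dict, profile: OrgProfile) -> int:
    """Return how relevant a feed entry is to this organization (0 = noise)."""
    if entry["type"] == "vuln":
        if entry["value"] not in profile.tech_stack:
            return 0              # we do not run it, whatever the feed says
        score = 3
    else:
        score = 0
    if profile.sector in entry["sectors"]:
        score += 2
    elif "any" in entry["sectors"]:
        score += 1
    if entry["actor"] in profile.priority_actors:
        score += 3
    score += sum(TAG_WEIGHTS.get(tag, 0) for tag in entry["tags"])
    return score


def triage(entry: dict, profile: OrgProfile) -> Optional[Tuple[int, str]]:
    """Return (score, action) for an entry, or None if it should be discarded."""
    score = relevance(entry, profile)
    if score == 0:
        return None
    if entry["type"] == "ipv4" and any(
        ip_address(entry["value"]) in net for net in profile.dependency_nets
    ):
        return score, "review"    # never auto-block infrastructure we depend on
    if score < 4:
        return score, "watch"
    return score, "patch" if entry["type"] == "vuln" else "block"


def curate(feed: List[dict], profile: OrgProfile) -> List[Tuple[str, int, str]]:
    """Reduce a generic feed to the entries this organization should act on."""
    kept = []
    for entry in feed:
        result = triage(entry, profile)
        if result is not None:
            kept.append((entry["id"], result[0], result[1]))
    return sorted(kept, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for item in curate(FEED, PROFILE):
        print(item)
```

Run against the constructed feed, two of the six entries are discarded outright (a vulnerability in a product the company does not run, and a phishing domain with no tie to its sector or actors), the exploited flaw in a product it does run rises to the top, and the C2 address that happens to sit inside a provider range the business depends on is handed to an analyst instead of being pushed straight to a blocklist.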

Reducing Workloads and Accelerating Response

A company operating only with highly curated threat intelligence wastes less time sifting through alerts and misses fewer real threats. It devotes less time to ingestion, sanitization, and validation. 

It has only what it needs, when it needs it, in time to make a difference. This is the future of threat intelligence, and why Forrester is trying to move the needle.

Bridging the Threat Intelligence Adoption Gap

Understanding you need customized threat intel and getting board-level buy-in are two different things. 

The Challenge of Proving ROI 

What the C-suite wants to see is ROI. But the challenge is that without undergoing an attack, there will be no immediate ROI to prove. 

All too often, key stakeholders only see the value of a $2M security investment after getting hit with a $23M ransomware attack. By then you’ve paid for the investment more than ten times over, when those costs could have been avoided with preventative care.

ISACs and the Skills Gap

As mentioned earlier, ISACs and ISAOs provide valuable threat data within their respective industries. Besides not being entirely curated to the organization, there is nothing wrong with the information itself. 

The only problem is that many organizations lack the security maturity to use it effectively. 

In smaller entities, fully developed cybersecurity programs are hard to come by. Sometimes, there may be no threat intelligence specialist at all. So, the information might be coming from the ISAC, but it may go unused due to the cyber skills gap.

This is a gap that AI has the power to bridge.

Using AI to Extract More Value from Threat Intelligence

This is where the story comes full circle. When applied to threat intelligence, AI will do what it does best: customize. 

AI-driven threat intelligence platforms will be able to sift through threat feeds at scale, discarding entries that have nothing to do with the particular shape of the company and elevating those that do.

They can bridge the talent gap by letting even junior-level analysts work with ISAC/ISAO feeds and other sources, using natural language to explain what each item means and what to do about it. 

AI can crawl your organization’s unique architecture and assess its unique risks. Then, over time, it can learn to tune what you ingest to exactly what you need. 

The results are lower dwell times, less analyst burden, greater ROI, and less business risk. In other words, fewer breaches because of better information.

Conclusion

What’s important to remember is that the AI-driven landscape is here. Attackers are finding success in using AI to personalize attacks. We can keep pace by using AI to personalize defense. And we can do that by customizing threat intelligence.

Security teams looking to level up their threat intelligence capabilities can align with the new industry consensus: 

It’s not about how many feeds you’re subscribed to. It’s about the quality of threat data you’re getting and how you can use that to defend. 
