By Min Pyo Hong, CEO, and Founder, SEWORKS
What just happened? Unfortunately, many organizations may find themselves asking that question as they review their network security after suffering a breach.
There’s no question that serious cybersecurity attacks are occurring more frequently, across sectors. Adding to an extensive list of hacking attacks that took place during 2019, the United States National Aeronautics and Space Administration (NASA) confirmed in a memo, first published by Spaceref.com, that the personal information of some of its current and former employees may have been compromised after at least one of the agency’s servers was hacked.
And while bad actors have uncovered vulnerabilities using tactics such as spray-and-pray and distributed denial of service (DDoS) attacks that flood a targeted system, these tactics won’t go away. In the coming year, expect to see new threat approaches using artificial intelligence. For example, the spray-and-pray approach is commonly employed in AI hacking.
What will be different? Automated smart attacks
Significant advancements are happening in the field of artificial intelligence, whether it’s to identify cancer in tissue slides, play Go better than humans, or create a portrait that recently sold for more than $400,000 at Christie’s. What’s the next thing that AI can do better than humans?
AI’s capabilities, along with the associated rich data, will shift AI products and services into the spotlight of cybercriminals – whether it’s to access the data or manipulate the AI system itself.
We believe the new trends in hacking will deploy methods that will be almost 99% automated, detailed and will target both known and unknown security vulnerabilities. Most likely we’ll see one-day or zero-day vulnerabilities that can be used to compromise a system’s authority by attacking different networks. The consequences could range from hijacking confidential information, bypassing existing security measures and taking control of the system to much more. What differs from traditional hacking is that AI hacking is more efficient in terms of time and resources.
Unfortunately, artificial intelligence is teaching bots to be more human-like and it’s becoming more difficult to distinguish between real human users and sophisticated systems powered by AI. We’re also becoming comfortable with the concept of AI in our everyday lives. After all, many of us think nothing of starting the day by asking our omniscient digital friend (who lives with us), “Alexa, what’s new?”
The advent of automated hacking carried out by artificial intelligence means the volume of attacks that can be conducted is much bigger than attacks carried out by humans.
The internet of things and a growing ecosystem of always-connected devices — that may or may not be secure and may or may not control critical infrastructure – also presents more hacking opportunities.
Cyber attacks using machine learning continuously and simultaneously probe wider areas for weaknesses, and insert malware almost instantaneously. The ability to quickly scale these attacks poses yet another threat.
The showdown: AI hacking vs. AI penetration testing
Security experts strongly recommend ongoing cybersecurity vigilance, such as regular penetration testing, to ward off these upcoming smart attacks. After all, AI cyberattacks and penetration testing using artificial intelligence are fundamentally similar. The main difference is intention.
When attackers utilize AI-powered attack tools more and more, it will be difficult to take appropriate action in terms of time and resources when employing first-generation security practices because AI tools can execute a larger scale of attacks, faster than human attackers. The consequence? Insufficient time and resources to respond to attacks when they happen.
The bottom line is that enterprises and InfoSec professionals must prepare for advanced and automated cyber-attack programs. We highly recommended conducting security tests on a regular basis to discover security vulnerabilities before AI tools compromise them.
About the Author
Min Pyo Hong, CEO, and founder of SEWORKS, advises corporations, NGOs, and governments on digital and cybersecurity issues. Min led a team of five-time finalists at the annual DEF CON conference in Las Vegas and is a Ph.D. candidate at Korea University in SANE-LAB Information Security. A serial entrepreneur, his previous company, SHIFTWORKS, was sold to InfraWare. Min also founded the WOWHACKER Collective, a non-profit security research group in Korea.