Wednesday, April 2, 2025

Why AI-powered threats are forcing a rethink of cloud security strategies


Rob Vann, chief solutions officer at Cyberfort, explains how AI is fundamentally changing the threat landscape for cloud environments.

How is AI fundamentally changing the threat landscape for cloud environments?

This is an interesting question as, of course, AI is a tool that is useful to both good and bad actors. For now, let’s assume we’re focussing on the bad.

Targeted threats have always been more successful (and more expensive) than mass attacks. AI contributes to combining the scale and cost of a mass attack with success more aligned to the targeted approach. Specifically in the cloud world, there are multiple techniques where AI can ‘add value’, complexity, and ultimately a more successful outcome to an attack.

These include simple techniques (such as AI used to populate brute force attacks, or Generative AI used to support targeted access requests) through adaptive malware, with AI asked to rewrite code to bypass any or other detections, the more direct use of AI to detect and leverage vulnerable systems, or identify and exploit organisation level misconfigurations through scanning, probing and researching at speed (though perhaps more concerningly it can also apply the same speed and techniques to shared cloud or multi-use APIs, for example, compromising large-scale one-to-many systems).

AI can also be used to support more targeted approaches, its speed and ability to process data compressing attacks, and their outcomes, for example automating lateral movement, persistence and privilege escalation techniques, enabling attackers to quickly identify and acquire high value data in large cloud storage environments, or editing log files/manipulating other data to hide the breach and hinder its investigation.     

To what extent do you think traditional cloud security approaches are becoming obsolete in the face of AI-powered attacks?

The previous answer goes some way to support this. Cyber Security has always been a playing field biased in the attacker’s favour, with the attacker only needing to succeed once, and the defender needing to succeed every time.

Many of the traditional cloud security approaches are not aligned to the scale, speed of execution, and complexity of AI driven or supported attacks. Perhaps more importantly, much of the benefit that people gain from Cloud environments is supported by “good enough” security measures, with point in time security coming after deployments – and a high dependence still maintained on human factors.

Traditional approaches often rely heavily on static defences, such as perimeter-based edge protection, fixed rule sets, and predefined access controls. These approaches are designed to guard against known attack vectors and assume a relatively predictable threat landscape. Coupled with reactive specialist resources that need the timeframe of a human interaction to respond to the threats, our AI compatriots’ eyes are starting to ‘light up’ at the possibilities for causing mayhem.

Attacks that previously took days of careful structure and planning are now executed in seconds. While legacy defences “could” in theory address this – if everything was patched and configured correctly all the time, and all resources acted perfectly all the time, and nothing was dependent on a third party or supply chain ever, then there might be a chance for example. The real world of security is very different to this nirvana.

To update a legacy piece of advice “you don’t have to be the fastest to get away from the bear, you just have to not be the slowest” in an AI attacker fuelled world, potentially there are 1000 faster, stronger, more aggressive cockroach sized bears chasing every customer at the same time. You probably won’t even see them before they take you down.

What practical strategies do companies need to adopt to stay ahead of emerging threats in the cloud?

Just like the bad guys, you can augment your defences with AI power as well.

But let’s start by doing the basics well, move what you can to automation (for example utilising infrastructure as code, and pipelines with automated testing to remove human configuration errors or complexities, automating the execution, validation and segregation of backups, and continuously testing for exploitability of core systems). Then let’s move to a focus on the surrounding factors (such as identity) that are often required to breach your systems and become more aggressive in containing and isolating suspect engagements. Work to the principle of “assume breach” segregate and aggressively monitor and respond to core systems, removing suspect access to enable time to investigate and then restoring it if benign. Plan and think of how you keep critical systems operating during these periods, so your services continue even if a key person or systems access is temporarily revoked.

With all this AI talk it’s important to not totally discard the human factor here. A key emphasis should be establishing comprehensive, continuous learning programs to equip your security teams with the knowledge and expertise needed to understand and combat AI-powered threats.  By fostering a culture of ongoing education, organisations can ensure their teams stay ahead of the evolving threat landscape and are prepared to counter sophisticated attacks that exploit AI and machine learning technologies.

Then let’s start to add in some of those AI level defences.

Firstly, use AI to build proactive defences, building a generative AI (please don’t use public systems, you’d be training them on how to attack you) or find an evidenced secure partner who can train and align a private generative AI to support you and simply ask it how it would attack you, and plan your defences accordingly. Remember to evidence the removal of your data and learning from the partner’s system and validate their security before sharing data. This will deliver value in aligning your defences and validating your controls in a digital twin environment.

Secondly, implement continuous cloud posture management to flag any errors or misconfigurations in near real time, and take advantage of AI to drive your detections. Machine learning to generate anomaly information provides a rich source of ‘things that could be bad but are definitely different’ to sort through the noise of millions of events to find the 10 that are useful.

Thirdly, use AI to drive response actions, this is the final state, and should be planned and approached with care, as active automated response can impact business and continuity, however assuming breach, removing misconfigurations, containing (and releasing) assets to provide time to investigate, validate and release benign activities.

As always security is a double-edged sword, the way to make things most secure is to switch them off and decommission them, however this obviously means you can’t realise any business value from the asset. These types of attack require a different approach of implementing zero trust and continuous CSPM with automated responses, if done properly, it will give you the best of both worlds, response to AI driven attacks at AI scale and speed, but if done without thought, planning and expert, experienced support and knowledge it will potentially create significant business issues.

Are there any real-world examples you could share of how organisations are successfully adapting?

Recently I worked with a customer who had undergone an incident. After the DFIR engagement, they asked us to look at maturing their defences, and we helped them to safely take the following actions:

(1) Migrate identity controls for cloud platforms to their corporate IAM system through the use of a PAM solution. This meant that the policies, monitoring and (after planning and testing) automated responses were consistent across the organisation and across all environments.

(2) Integrate testing and remediation into their build pipelines (mitigating the risk of deploying exploitable code).

(3) The integration of their production environment, with the exception of some critical systems that served customers, into the SOAR (security orchestration automation and response) and the building of appropriate playbooks to contain (and release) suspect assets and resources.

(4) The deployment of continuous CSPM (cloud security posture management) which was later automated to remediate >90% of issues automatically in real time.

(5) The extension of their EDR tooling into the production environment.

(6) Further training for their resources, including sessions specifically focussed on developers, architects and real life deep fake video examples for the entire business.

Photo by Growtika on Unsplash
