Is AI making cyber-hacking easier?

AI has changed the landscape of cyber-hacking forever. This tech can be weaponised with relative ease now, meaning people don’t need expert knowledge to attack a business. ThreatLocker CEO Danny Jenkins examines how we should be responding in a dangerous age where cyber-breaches are coming from more angles than ever before. 

 

To enjoy a prosperous career as a cyber-hacker, you have to be cunning, smart and daring. 

 

At least, that’s what we’ve always been told. 

 

These shadowy, hooded figures have been given famous faces in media - see Hugh Jackman in Swordfish, Rami Malek in Mr Robot, and Hugo Weaving in V for Vendetta - and hackers have always enjoyed a devilish, fascinating reputation for their ability to pickpocket a business and vanish without a trace, all by rattling a keyboard. 

 

But hackers won’t have this rep for much longer. The day of the mysterious cyber-criminal is over. And it’s all thanks to Artificial Intelligence (AI). 

 

Now, using AI technology, almost anyone can launch an attack - using existing software so that knowledge of coding, mainframes and systems is strictly optional. The evolution of AI has seen thousands of attacks carried out by amateur hackers with alarming ease and success - with the technology doing all the hard work and cloaking for them. 

 

The 2023 Global Chief Information Security Officer (CISO) Survey from Heidrick & Struggles has revealed AI as being the most frequently recognized ‘significant threat’ of the next five years and this is already emerging as an accurate prediction - with a UK government report showing that 84% of businesses and 83% of charities have experienced a phishing attack over a 12-month period. 

 

AI can be - and has been - weaponised easily for cyber-attacks. And not just by cyber-criminals - but by your average Joe. 

 

Hacking just got easier…

Even people with the most limited programming skills can gain access to companies’ software thanks to AI. It’s easy. And it’s also harder for victims to spot. 

 

The old hallmark of a cyber-scam was a bizarre demand typed with bad spelling. Many were obvious and could be spotted a mile away. You’re probably still getting some of these in your email inbox today - ransom demands so puzzlingly crafted that they are more amusing than dangerous. 

 

AI, however, can whip up a legitimate-looking spam email in seconds. It can tidy the grammar and remove any language barriers - producing clearer, cleaner phishing messages that may be misconstrued as authentic. And more people are falling victim as a result. 

 

The human-like qualities of AI and the accessibility of these tools to anyone with a smart device is enabling bad actors to write unique, malicious code that can successfully infiltrate business systems. AI has ethics built in to try and prevent malicious activity - but there are ways around it. 

 

At ThreatLocker, we conducted a test phase to compare a piece of malware found online against one created in ChatGPT - both pieces were functional and looked almost identical. When ran through the system, the code found online was instantly blocked, however, the code generated by ChatGPT infiltrated the system.

 

It’s a dangerous new world we’re living in. 

 

Fighting the dangers of AI

A Deloitte Insight survey found that 91% of business leaders had an enterprise-wide AI strategy in place in 2022. But much focus so far has been using this tech to generate insights, lower costs, improve collaboration and optimise processes. 

 

Whilst there has been a visible push from companies to drive awareness of AI and its capabilities as a tool - most of this has been dedicated towards its benefits rather than its drawbacks. 

 

More attention needs to be paid towards AI and security - educating employees about what an AI attack looks like. It is only by taking time to learn about this technology that anyone will stand a chance. 

 

AI is accessible and powerful enough now to be weaponised by anyone with access to the internet - creating a whole new generation of cyber-hackers who barely need to lift a finger to get their hands on valuable data. So, cautiousness doesn’t cut it now.

 

Companies need to step up and act on cyber-security to protect themselves. With AI, you never know what an attacker might look like anymore. 

 

Protecting against attacks involves least privilege  

Antivirus software and cyber-security toolkits have traditionally been implemented to detect and block threats that might threaten a business system - but in the current climate these solutions are proving much less effective against hidden threats. 

 

Even the most innocent-looking applications - such as PowerShell - can now be hijacked to perform malicious activities and go completely unnoticed. Hackers can use AI to create code that uses “safe” software to get into systems and conduct malicious activity. 

 

The most effective way in which to safeguard against the threats that AI poses is by adopting the method of least privilege - meaning every user has access only to the applications and software they require to do their job, and nothing more. 

 

Software that does not need to interact with folders/files/the internet should be ringfenced appropriately so it cannot do so. Adopting this Zero Trust approach - assuming a breach is already in the system - is a crucial footing on which to build a cyber-security system that is fit for purpose in 2024 and beyond. 

 

AI Is making cyber-defence a bigger, more unpredictable and more complex challenge than ever before - creating a whole new type of cyber-criminal that can access systems with bad code and enter systems via friendly and familiar applications. 

 

The implementation of least privilege and Zero Trust provides the greatest level of protection. Trust nothing and verify everything: And even the smartest AI will have a tough time working its way around that. 

 

---

 

Danny Jenkins is CEO and Co-Founder of ThreatLocker, a leader in endpoint protection technologies

 

Main image courtesy of iStockPhoto.com