
Andreas Kroier at Dynatrace describes how AI is rewriting the application security playbook and explains why security teams need to identify future threats
Last July, security researchers revealed BlackMamba, a proof-of-concept malware that calls a large language model at runtime to regenerate its malicious payload on every execution, so that no two samples share the same code. In the researchers' test, that polymorphism let it slip past a leading endpoint detection and response (EDR) product.
BlackMamba was an ominous sign of things to come in cyber-security, but it is only the most visible tip of a much deeper iceberg. In practice, AI is giving cyber-criminals the tools to attack at record speed, and at the same time it is potentially introducing more software vulnerabilities than ever before, as AI-generated code is shipped faster than it can be reviewed.
The sheer number of novel threats being ushered in by AI is forcing teams to rethink their approach to application security. They increasingly need to identify and counter vulnerabilities and exploits well before they’ve been defined.
As organisations move towards this ‘pre-zero-day’ mindset, it is no longer enough to monitor applications from the outside using traditional measures such as a web application firewall (WAF), or to run periodic vulnerability scans. Security needs to be continuous, and maintained from both inside and outside the application: the running application itself should be instrumented, so that teams can see which code paths, libraries and data flows are actually being exercised, not just which requests arrive at the perimeter.
Beyond exotic BlackMamba-style malware, AI is helping cyber-criminals to create new exploits faster. For example, generative AI can help attackers write low-level code for an attack in minutes rather than hours. As well as improving the productivity of cyber-criminals, AI is lowering the barrier to entry. Since generative AI models like GPT or Claude need only simple natural-language prompts, much of the knowledge barrier for attackers is removed.
Because new attack vectors can now appear so quickly, organisations increasingly need to respond in real time to threats that have not yet been identified. This is driving a shift towards “pre-zero-day” security, with an emphasis on detecting and stopping attacks before the threat itself has been catalogued.
Under this mindset, security teams don’t just anticipate and respond to documented vulnerabilities. Instead, they monitor their applications in real-time, and shut down suspicious activity before it does any damage.
As modern technology stacks are so complex, it can be difficult to achieve this pre-zero-day security capability. Today’s organisations have thousands of services and applications running across dozens of public and private infrastructure environments. This makes it difficult to baseline what ‘normal’ behaviour looks like and identify suspicious activity in real time.
To overcome this, organisations need to bring together their security and observability data in a single view, to allow them to contextualise their entire environment and understand the way that data and digital transactions flow within it.
By combining a unified source of observability and security data with AI-powered analytics, teams can assess anomalies to identify active threats faster, while reducing the false positives that would otherwise distract them from more urgent priorities. Organisations can also extend these capabilities to non-security specialists using generative AI-based solutions.
This can enable other teams in the business to use natural language queries to assess a potential threat, understand if it poses a true risk, and then escalate it to the security team to resolve if it proves to be significant.
These capabilities will be increasingly important to getting ahead in the new era of AI-generated threats by making security a shared responsibility, not just that of the IT department.
Organisations’ ultimate goal should be to remove the need for human intervention in as much of the security process as possible. As a first step, they need to move away from lengthy investigations and manual log analytics processes supported by traditional SIEM solutions.
Instead, they need to use AI that can instantly assess and understand anomalous behaviour to identify threats and put them into context based on their severity. This will enable security teams to prioritise their efforts to resolve vulnerabilities and respond to incidents faster to better protect the organisation.
Looking further ahead, organisations will integrate AI-driven auto-remediation workflows into security processes, so suspicious activity can be blocked in real time without waiting for a human. In practice, automatic responses should start with actions that are reversible and narrow in blast radius, such as blocking a client or revoking a session, with anything more disruptive still routed to a person for a decision.
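To make the baselining, anomaly scoring, severity ranking and automated response described above concrete, here is an added example (not Dynatrace code, and not the page's own). It assumes a simplified telemetry record of (minute, service, path, HTTP status, client IP), builds a per-endpoint baseline from a constructed history, scores a live one-minute window against it, and maps severity to a response. The thresholds, the severity weights and the sample traffic are all assumptions chosen for illustration:

```python
"""Baseline 'normal' per-endpoint traffic from observability data, score a live
window against it, rank anomalies by severity, and choose a response.
Added example, not Dynatrace's product logic; telemetry format and thresholds
are illustrative assumptions."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed history: (minute, service, path, status, client_ip). Real data would
# be request spans from the observability pipeline.
BASELINE_EVENTS = []
for minute in range(30):
    src = f"10.0.0.{1 + minute % 4}"
    BASELINE_EVENTS += [(minute, "shop", "/api/cart", 200, src)] * (18 + minute % 5)
    BASELINE_EVENTS += [(minute, "shop", "/api/login", 200, src)] * (4 + minute % 3)
    if minute % 2 == 0:  # an occasional failed login is normal
        BASELINE_EVENTS.append((minute, "shop", "/api/login", 401, "10.0.0.9"))

# Constructed live window (minute 30): normal cart traffic, a credential-stuffing
# burst against /api/login from one IP, and probes of a never-seen admin endpoint.
LIVE_EVENTS = (
    [(30, "shop", "/api/cart", 200, f"10.0.0.{i % 4 + 1}") for i in range(19)]
    + [(30, "shop", "/api/login", 401, "203.0.113.9")] * 110
    + [(30, "shop", "/api/login", 200, "10.0.0.2")] * 5
    + [(30, "shop", "/api/admin/export", 200, "203.0.113.9")] * 3
)


def build_baseline(events):
    """Per (service, path): mean and std of per-minute request count and error rate."""
    per_min = defaultdict(dict)  # key -> minute -> [total, errors]
    minutes = set()
    for minute, service, path, status, _ in events:
        minutes.add(minute)
        cell = per_min[(service, path)].setdefault(minute, [0, 0])
        cell[0] += 1
        cell[1] += status >= 400
    baseline = {}
    for key, by_minute in per_min.items():
        totals = [by_minute.get(m, (0, 0))[0] for m in sorted(minutes)]
        errors = [by_minute.get(m, (0, 0))[1] for m in sorted(minutes)]
        rates = [e / t if t else 0.0 for e, t in zip(errors, totals)]
        baseline[key] = {
            "count_mean": mean(totals),
            "count_std": max(pstdev(totals), 1.0),   # floor: flat traffic must not give z=inf
            "err_mean": mean(rates),
            "err_std": max(pstdev(rates), 0.05),
        }
    return baseline


def score_window(baseline, events, z_threshold=3.0):
    """Return anomalies in one window, highest severity first (severity 0-100)."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "clients": Counter()})
    for _, service, path, status, client in events:
        s = stats[(service, path)]
        s["total"] += 1
        s["errors"] += status >= 400
        s["clients"][client] += 1
    anomalies = []
    for key, s in stats.items():
        reasons, severity = [], 0
        top_client, top_n = s["clients"].most_common(1)[0]
        top_share = top_n / s["total"]
        if key not in baseline:
            reasons.append("never-seen endpoint")          # the unknown-unknown case
            severity += 40
        else:
            b = baseline[key]
            z_count = (s["total"] - b["count_mean"]) / b["count_std"]
            err_rate = s["errors"] / s["total"]
            z_err = (err_rate - b["err_mean"]) / b["err_std"]
            if z_count > z_threshold:
                reasons.append(f"request volume z={z_count:.1f}")
                severity += 30
            if z_err > z_threshold:
                reasons.append(f"error rate {err_rate:.0%} z={z_err:.1f}")
                severity += 30
        # Concentration on one client only counts once something else is off,
        # which keeps a single busy legitimate user from being flagged.
        if reasons and top_share > 0.8:
            reasons.append(f"{top_share:.0%} of traffic from {top_client}")
            severity += 30
        if reasons:
            anomalies.append({"endpoint": key, "severity": min(severity, 100),
                              "reasons": reasons, "top_client": top_client})
    return sorted(anomalies, key=lambda a: a["severity"], reverse=True)


def respond(anomaly, block_at=80, alert_at=50):
    """Map severity to an action: only high-confidence cases get the reversible
    automatic block; everything else goes to a person."""
    if anomaly["severity"] >= block_at:
        return ("block_client", anomaly["top_client"])
    if anomaly["severity"] >= alert_at:
        return ("alert_security_team", anomaly["endpoint"])
    return ("log_only", anomaly["endpoint"])


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for a in score_window(base, LIVE_EVENTS):
        print(a["severity"], a["endpoint"], a["reasons"], "->", respond(a))
```

With the constructed data, the login burst scores 90 (volume, error rate and a single dominant client) and is blocked automatically, the never-seen admin endpoint scores 70 and is escalated to the security team, and the ordinary cart traffic is not reported at all. The standard-deviation floors matter: without them, an endpoint whose history happens to be perfectly regular would produce infinite z-scores on the first small fluctuation, which is exactly the kind of false positive the text warns about.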
AI has shifted security into the land of the unknown-unknowns. For many organisations, security can no longer just be about keeping ahead of documented vulnerabilities and exploits. Instead, AI is ushering in a generation of personalised, exotic, and rapidly evolving threats.
Since cyber-criminals aren’t going to wait to let victims identify the attack vectors they’re adopting, the onus must be on security teams to respond quickly when anything that looks like an attack rears its head.
To enable this, security teams need to fight fire with fire. They need to be armed with AI capabilities to baseline what “normal” looks like for their environments, and enable them to respond quickly, decisively, and effectively in the face of a threat.
Andreas Kroier is Senior Principal and Solution Lead of Application Security at Dynatrace
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543