Recent reports about the appearance of a new generative AI tool point to the levels of maturity that hackers have attained as far as leveraging AI is concerned. In the latest edition of our IoT and OT threat landscape report, we had predicted this trend with supporting data. Our prediction on the use of AI covered these points:
Hackers had already built models for leveraging AI
These models were being used with basic tools to test these models
At least one variant of Lockbit 3 showed signs of AI tampering
If you wish to read more and understand how things got this far, I would encourage you to check out the AI section in this report available for free download. Now that that is out of the way, let’s focus on why we should look beyond just the tools to understand how hackers are preparing themselves for launching new waves of AI-powered cyberattacks. We will also look into ways to prepare our infrastructure to withstand these waves and continue operations without disruption.
Not merely a tool for script kiddies and lazy hackers
AI-based tools, while lowering the entry barriers for hackers, are also enabling them to reuse data that they used to sell or simply discard earlier. This data includes network access credentials, traffic baselines, packet composition, asset vulnerabilities, bandwidth usage patterns, and more. Such data can now be used to derive the best windows for a cyberattack or even figure out how to confuse security mechanisms by generating lots of false positives.
SOC operations and data on incident response frameworks can also be derived from the stolen data using AI. Generative AI can place these predictions in buckets and then craft a cyberattack tool armed with the relevant know-how to conduct another attack on the same victim in case they have not changed their processes and tools much (which is often the case).
Here are a few more ways in which hackers will leverage AI-based tools to further their disruptive agenda:
AI tools can also be used to run reconnaissance campaigns more effectively. A typical AI campaign could involve guised packets that could hide modular reconnaissance malware that could assemble itself within the network of the victim or on a device running on their network. The net result will be a clearer view of the victim’s network including weak points and unguarded threat surfaces. This also increases the level of situational awareness for the hacker or the group.
Supply chain manipulation
AI-based tools can also be used to carve a path for adding embedded malware at various points in the supply chain. Using such tactics, the hackers can open up multiple points for embedding malware or snooping payload in the supply chain and enable it to travel upstream or downstream.
New models and frameworks for hacking
With AI-based tools, hackers are also able to try out new breach tactics faster and eliminate tactics that do not work or work partially or may take much longer to succeed. Successful tactics can be further refined and fine-tuned.
Co-opting insiders through campaigns
Hackers can run large-scale campaigns to target susceptible insiders across channels, platforms, and apps. This could lead to more such campaigns turning successful and providing hackers with a new avenue for high-quality data exfiltration. AI can also be used to identify susceptible profiles that can be targeted through persistent campaigns.
AI-driven bot farms
AI can also be used to manage bot farms that can run large-scale targeting across geographies. AI can also be used to minimize the footprint and signatures of individual bot farms to obscure them. Such bot farms can also be turned on and off sequentially to minimize the load on individual bots. This can have significant implications for projects and businesses that use the Internet of Things (IoT) in their infrastructure.
Asset profiles, vulnerabilities, and Zero Days
AI can profile OEMs and their components to discover Zero Days through a systemic study of design principles and production processes to determine flaws and unpatched vulnerabilities. This can make a big difference to Operational Technology security measures implemented at a plant/unit level.
These are just a few use cases related to the use of AI by hackers. What we are seeing now is just a preview of how things will evolve in the days to come. With greater attention and resource involvement, hackers will be able to gain a clear upper hand when it comes to breaching targets with ease.
How to defend your IoT and OT infrastructure against AI-powered cyberattacks
The following steps can be taken to secure against AI-powered cyberattacks:
Strengthen the ability to detect anomalies of interest quicker. Restrict devices from indulging in behaviors that can cause anomalies to reduce false positives
Prevent system/plant/infrastructure profiling: a majority of the attacks can be prevented if hackers are prevented from scanning the networks and devices. Invest in building capabilities to detect and prevent reconnaissance by hackers
Never run devices using their default settings. Change settings often to change your device and infrastructure profile digitally
Use decoy and deception. Using a decoy and deception solution, you can deflect attacks and use AI to confuse hackers and their AI tools while studying their TTPs
Increase employee sensitization and train employees to detect and report the behavior of interest