Threatonomics

Artificial Intelligence for Cyber Resilience

by Tiffany Saade, Data & Risk
Published

AI tools are shifting the calculus for cyber defense by enhancing key areas such as vulnerability mapping, breach detection, incident response, and penetration testing. Integrating them could help an organization bolster its cyber resilience against an ever-evolving threat landscape. AI tools could automate the discovery and monitoring of vulnerabilities, providing real-time updates on an organization’s risk posture. They can quickly identify and predict potential risks, supporting timely and efficient management of security measures. By classifying vulnerabilities by severity, these tools can help an organization prioritize critical issues and allocate its resources accordingly. AI tools could improve the speed and accuracy of breach detection by identifying deviations from the baseline network environment and processing a high volume of threat data. In incident response, AI tools could facilitate information sharing within an organization by streamlining communication and documenting past incidents to improve future strategies; integrating them with the organization’s various security systems and stakeholders would likely make for a more efficient defense. Finally, AI tools are also transforming the operational readiness of organizations by automating penetration testing, among other strategies; models can support organizations in simulating real-world attack scenarios and iteratively adapting systems to emerging threats.

Innovating Cyber-Defense: Integrating AI as a Pillar of Cyber-Resilience

Using AI for vulnerability mapping
Organizations can use AI models to understand which types of vulnerabilities are present in their systems and how severe they are [1]. They can train these models on openly available repositories of high- and critical-severity vulnerabilities and of previously exploited vulnerabilities, and then scan the organization’s entire infrastructure for them. These models could potentially surface patterns of vulnerabilities that adversaries could exploit and that the organization was unaware of before. Below are a few use cases in which AI models could be beneficial for vulnerability scanning:

  • Automated discovery of an organization’s risk posture: AI models can automate the discovery of assets across an organization’s network (e.g. servers, endpoints, cloud instances, and connected devices). They can then catalog these assets and continuously monitor them for new vulnerabilities as they connect to the network [2]. Keeping this output current in real time is crucial for an organization’s awareness of its risk posture, since adversaries could otherwise identify entry points, such as network vulnerabilities, and develop targeted exploits for those weaknesses.
  • Vulnerability detection: AI models can accelerate the detection of vulnerabilities, including zero-days, and predict potential vulnerabilities based on similarities to previously identified ones [3]. AI models can also help an organization track end-of-life software before its support ends, allowing it to mitigate the risks of running unsupported hardware and software [4].
  • Classification of risk: Since vulnerabilities vary in severity and urgency, AI models can help classify the vulnerabilities discovered in an organization’s systems based on several factors, such as the severity level, the likelihood of exploitation given the organization’s risk posture, the sensitivity of the affected assets, and the potential impact if the vulnerability is exploited [5]. By aggregating threat intelligence data and historical data on the organization’s past intrusions (among other inputs), AI models can score and rank vulnerabilities so that security teams can focus on patching the most critical ones first [6].
  • Vulnerability contextual analysis: AI models can provide context for vulnerabilities by understanding the organization’s business and operational environment [7]. This includes analyzing how different vulnerabilities interact and assessing the cumulative risk they pose given the organization’s sector.
  • AI-supported patch management: Following the vulnerability identification stage, AI models can support organizations in the patch management process by automating the deployment of patches in stages, first to the most critical systems and then to less critical ones [8].
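The scoring-and-ranking step and the staged rollout described in the two bullets above can be made concrete with a small model. The following is an added example written for this page, not code from the post or from any of the products it cites: the weights, the wave thresholds, the hostnames and the `CVE-EXAMPLE-*` identifiers are all constructed assumptions, standing in for the CVSS scores, exploited-vulnerability catalog flags and asset-sensitivity ratings a real pipeline would pull from its scanner, threat intelligence feed and asset inventory.

```python
"""Score and rank discovered vulnerabilities, then stage the patch rollout.

Added illustration: weights, thresholds, sample findings and the
CVE-EXAMPLE-* identifiers are constructed assumptions, not a vendor's
scoring model or real advisories.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str                # placeholder identifier (constructed)
    asset: str              # hostname from the asset inventory (constructed)
    cvss: float             # base severity score, 0.0 to 10.0
    known_exploited: bool   # listed in a catalog of exploited vulnerabilities
    asset_sensitivity: int  # 1 (low) .. 3 (high), as rated by the asset owner
    internet_exposed: bool  # reachable from outside the network perimeter


def score(f: Finding) -> float:
    """Combine severity, exploitation likelihood and asset context into 0..100.

    Assumed weights: confirmed exploitation in the wild dominates likelihood,
    internet exposure raises it, and the CVSS base score is scaled by how
    sensitive the affected asset is.
    """
    likelihood = 1.0 if f.known_exploited else 0.4
    if f.internet_exposed:
        likelihood = min(1.0, likelihood + 0.3)
    impact = (f.cvss / 10.0) * (f.asset_sensitivity / 3.0)
    return round(100 * likelihood * impact, 1)


def rank(findings: List[Finding]) -> List[Tuple[Finding, float]]:
    """Highest-risk findings first; raw CVSS breaks ties so the order is stable."""
    scored = [(f, score(f)) for f in findings]
    return sorted(scored, key=lambda fs: (-fs[1], -fs[0].cvss))


def stage_rollout(ranked: List[Tuple[Finding, float]],
                  thresholds=(60.0, 25.0)) -> List[List[str]]:
    """Split ranked findings into deployment waves.

    Wave 0 holds scores at or above the first threshold (patch these first),
    the last wave holds everything below the final threshold.
    """
    waves: List[List[str]] = [[] for _ in range(len(thresholds) + 1)]
    for f, s in ranked:
        wave = sum(1 for t in thresholds if s < t)  # thresholds the score misses
        waves[wave].append(f.cve)
    return waves


# Constructed sample findings, as an AI-assisted scanner might emit them.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "vpn-gateway", 9.8, True, 3, True),
    Finding("CVE-EXAMPLE-0002", "hr-database", 7.5, False, 3, False),
    Finding("CVE-EXAMPLE-0003", "dev-laptop", 9.1, False, 1, False),
    Finding("CVE-EXAMPLE-0004", "web-frontend", 6.5, False, 2, True),
    Finding("CVE-EXAMPLE-0005", "lobby-kiosk", 4.3, True, 1, False),
]

if __name__ == "__main__":
    ranked = rank(SAMPLE_FINDINGS)
    for f, s in ranked:
        print(f"{s:5.1f}  {f.cve}  {f.asset}")
    for i, wave in enumerate(stage_rollout(ranked)):
        print(f"wave {i}: {wave}")
```

Note what the ordering shows: the laptop with the highest raw CVSS (9.1) lands in the last wave because it is neither exploited in the wild nor sensitive, while the internet-facing gateway with a known-exploited flaw goes first. That is the difference between sorting by severity alone and sorting by the contextual factors the bullets above describe.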

Using AI for automated breach detection
AI can significantly enhance breach detection by delivering speed, accuracy, and scalability that traditional manual processes often cannot match [9]. By helping organizations detect a breach efficiently, AI tools contribute to a faster incident response and therefore faster containment of the damage. Below are a few use cases in which AI systems could aid organizations in breach detection:

  • AI-supported anomaly detection: AI models can help organizations establish a baseline of their normal environment. Once the model has learned this “normal” baseline, it can continuously monitor for deviations from the regular pattern [10]. The model could detect anomalies such as unusual login times, high data transfer rates, unusual email addresses, or unexpected access to sensitive areas of the network, and trigger an alert [11, 12, 13]. These models could iteratively refine their classification of anomalies, known or new, that could pose a security threat to the organization.
  • AI-supported threat intelligence analysis: By maintaining a repository of threat actor profiles and learning from current and past notable cyber-attacks by geographic location and sector, security teams can train AI models to automate threat intelligence, which includes processing vast amounts of data to identify indicators of compromise (IOCs) and the common tactics, techniques, and procedures (TTPs) used by attackers [14, 15]. By using AI to integrate and analyze this data, organizations can detect breaches earlier and potentially streamline parts of the attribution process.
  • AI-supported incident response: As soon as a potential breach is flagged, AI models can support organizations in segmenting the parts of their network that could be affected and in blocking suspicious IP addresses (by training the model on a repository of past suspicious or malicious addresses) [17]. This immediate response can help contain the breach and limit damage while human analysts continue investigating the incident.
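The baseline-then-deviation idea in the anomaly detection bullet is easiest to see on actual events. The example below is added for this page and is not code from the post or from any product it cites: the `key=value` log format, the two user accounts, the addresses and the transfer sizes are all constructed, and the per-user statistics (login-hour range, known source addresses, mean and standard deviation of transfer size) are a deliberately simple stand-in for the learned model the bullet describes. It flags three of the four anomaly types named there: an off-hours login, an oversized transfer, and access from a source never seen for that account, plus an account with no history at all.

```python
"""Baseline-and-deviation anomaly detection over login and transfer events.

Added illustration: the log format, the per-user statistics and every sample
line are constructed for this example, not taken from any product or the post.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed "normal" history used to learn each user's baseline.
BASELINE_LOGS = [
    "2024-06-03T08:02:10Z user=alice src=10.0.1.12 event=login",
    "2024-06-03T09:15:41Z user=alice src=10.0.1.12 event=transfer bytes=120000",
    "2024-06-04T09:07:33Z user=alice src=10.0.1.12 event=login",
    "2024-06-04T10:40:02Z user=alice src=10.0.1.12 event=transfer bytes=150000",
    "2024-06-05T09:11:18Z user=alice src=10.0.1.12 event=login",
    "2024-06-05T11:03:55Z user=alice src=10.0.1.12 event=transfer bytes=130000",
    "2024-06-06T10:00:27Z user=alice src=10.0.1.12 event=login",
    "2024-06-06T10:30:49Z user=alice src=10.0.1.12 event=transfer bytes=140000",
    "2024-06-03T13:20:00Z user=bob src=10.0.2.7 event=login",
    "2024-06-03T13:45:00Z user=bob src=10.0.2.7 event=transfer bytes=80000",
    "2024-06-04T14:05:00Z user=bob src=10.0.2.7 event=login",
    "2024-06-04T14:30:00Z user=bob src=10.0.2.7 event=transfer bytes=90000",
]

# Constructed new events to evaluate against that baseline.
NEW_LOGS = [
    "2024-06-10T09:30:00Z user=alice src=10.0.1.12 event=login",
    "2024-06-10T03:05:00Z user=alice src=10.0.1.12 event=login",
    "2024-06-10T09:45:00Z user=alice src=10.0.1.12 event=transfer bytes=140000",
    "2024-06-10T09:50:00Z user=alice src=10.0.1.12 event=transfer bytes=52000000",
    "2024-06-10T14:10:00Z user=bob src=203.0.113.9 event=login",
    "2024-06-10T14:12:00Z user=mallory src=10.0.3.3 event=login",
]


def parse(line: str) -> Dict[str, object]:
    """Turn '<ISO timestamp> key=value ...' into a dict; the hour comes from the timestamp."""
    ts, rest = line.split(" ", 1)
    fields: Dict[str, object] = dict(kv.split("=", 1) for kv in rest.split())
    fields["hour"] = int(ts[11:13])
    if "bytes" in fields:
        fields["bytes"] = int(fields["bytes"])
    return fields


def learn_baseline(lines: List[str]) -> dict:
    """Per user: observed login-hour range, known source addresses, transfer-size stats."""
    hours = defaultdict(list)
    sources = defaultdict(set)
    transfers = defaultdict(list)
    for e in map(parse, lines):
        user = e["user"]
        sources[user].add(e["src"])
        if e["event"] == "login":
            hours[user].append(e["hour"])
        elif e["event"] == "transfer":
            transfers[user].append(e["bytes"])
    return {
        "hours": {u: (min(h), max(h)) for u, h in hours.items()},
        "sources": dict(sources),
        "transfers": {u: (statistics.mean(b), statistics.pstdev(b))
                      for u, b in transfers.items()},
    }


def detect(baseline: dict, lines: List[str], k: float = 3.0) -> List[Tuple[str, str, str]]:
    """Return (user, reason, detail) for every event that deviates from the baseline.

    A transfer is anomalous above mean + k * stdev of that user's history; a user
    with no transfer history gets a zero baseline, so any transfer is flagged.
    """
    alerts: List[Tuple[str, str, str]] = []
    for e in map(parse, lines):
        user = e["user"]
        if user not in baseline["sources"]:
            alerts.append((user, "unknown_user", "no baseline for this account"))
            continue
        if e["src"] not in baseline["sources"][user]:
            alerts.append((user, "new_source", f"first activity from {e['src']}"))
        if e["event"] == "login":
            rng = baseline["hours"].get(user)
            if rng and not rng[0] <= e["hour"] <= rng[1]:
                alerts.append((user, "off_hours_login",
                               f"hour {e['hour']} outside {rng[0]}-{rng[1]}"))
        elif e["event"] == "transfer":
            mean, sd = baseline["transfers"].get(user, (0.0, 0.0))
            limit = mean + k * sd
            if e["bytes"] > limit:
                alerts.append((user, "large_transfer", f"{e['bytes']} bytes > {int(limit)}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE_LOGS), NEW_LOGS):
        print(alert)
```

Two design points carry over to real deployments. The baseline is learned from history that is assumed clean, so a quiet intruder present during the training window becomes part of "normal"; that is why baselines are periodically re-validated rather than learned once. And the mean-plus-k-sigma rule is only a threshold on one feature; the iterative refinement the bullet mentions is what turns these raw alerts into ranked, de-duplicated findings an analyst can act on.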

Using AI for Internal Incident Response Coordination
As organizations leverage the silver linings of AI for cyber resilience, effective communication in preparing for and responding to a cyber-attack takes a front seat. In that light, an organization should ensure it contains the risks resulting from an attack as efficiently as possible [18]. Streamlining information sharing between the different teams of an organization is often challenging because of differences in technical expertise and in data formats. Below are some use cases in which AI can support organizations in coordination:

  • Streamlining the understanding of risk: AI models can improve the communication of cyber risk within an organization, for instance between the incident response team and other teams, whether to share updates or to simplify technical content so that it is accessible to employees. For example, workflow automation could allow teams with different expertise to cooperate in specific situations. AI-driven chatbots, while bringing a slew of risks in some instances, could also be used to provide real-time updates and answer queries from team members [19].
  • Learning from the past through AI-enabled incident management: AI models can aggregate data about past incident responses by attack type and severity (e.g., tracking the response timeline and maintaining audit trails) [20]. After an incident, this documentation helps an organization pinpoint flaws in its incident response strategy and prepare to coordinate better for the next one. AI models could also analyze past incidents to identify trends and patterns that can improve future responses [21].
  • Integration with other in-house security systems for optimization: Integrating AI across various cybersecurity tools, such as vulnerability mapping with Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM) systems, threat intelligence platforms, and endpoint protection platforms, can streamline defense strategies [22]. With AI models in the loop, vulnerabilities identified through mapping could be matched with active threats detected by the other systems, contributing to a robust and holistic response strategy.

Using AI for red-teaming and penetration testing
Unlike traditional methods, which are often periodic and static, AI models enable a continuous and adaptive penetration testing strategy: they probe defenses with little to no human in the loop and adapt their strategies in real time, based on what they learn from each iteration [23]. Security teams could thus constantly validate defenses against the latest emerging threats. Below are a few use cases in which AI systems can support red-teaming and penetration testing, with the ultimate goal of reinforcing cyber resilience:

  • AI-enabled attack simulation: AI models can simulate advanced attack scenarios that mimic the Tactics, Techniques, and Procedures (TTPs) used by real-world attackers. With AI, red teams can execute a series of offensive vectors to challenge the resilience of the organization’s cybersecurity posture more effectively [24].
  • AI-enabled dynamic testing environments: AI models can modify testing environments in response to the actions of the defense mechanisms under test. This brings the penetration testing process closer to reality and makes it more challenging. For instance, AI models can assist in changing payloads and modifying tactics to verify that target systems’ security protocols are robust enough [25].

Citations

[1] https://www.advantage.tech/role-ai-next-gen-vulnerability-scanning/
[2] https://www.centraleyes.com/cybersecurity-risk-posture/
[3] https://www.helpnetsecurity.com/2024/06/10/ai-vulnerability-management-role/
[4] https://www.ncbi.nlm.nih.gov/books/NBK599854/
[5] https://legal.thomsonreuters.com/blog/how-ai-can-help-you-manage-risks/
[6] https://www.secopsolution.com/blog/the-role-of-ai-and-machine-learning-in-enhancing-vulnerability-management#:~:text=Prioritization%20with%20Intelligence%3A%20AI%20analyzes,effectiveness%20of%20their%20remediation%20work.
[7] https://www.rstreet.org/commentary/the-transformative-role-of-ai-in-cybersecurity-understanding-current-applications-and-benefits/
[8] https://www.algomox.com/solutions/patch-automation/
[9] https://www.paloaltonetworks.com/cyberpedia/ai-in-threat-detection#:~:text=Using%20machine%20learning%20and%20data,targeted%20incident%20response%20tactics%20quickly.
[10] https://www.paloaltonetworks.com/cyberpedia/generative-ai-in-cybersecurity
[11] https://www.acronis.com/en-us/blog/posts/ai-email-security/
[12] https://nilesecure.com/ai-networking/anomaly-detection-ai
[13] https://www.logicloop.com/posts/use-ai-to-help-with-anomaly-detection-in-data
[14] https://www.ibm.com/products/xforce-threat-intelligence?utm_content=SRCWW&p1=Search&p4=43700080189516361&p5=p&p9=58700008719629202&gclid=Cj0KCQjws560BhCuARIsAHMqE0G1q4j2UfBUqVsE5xMjV_YVlN62Shd5gDqieAxW7zTTxPd45Er8yr0aAszgEALw_wcB&gclsrc=aw.ds
[15] https://cloud.google.com/blog/products/identity-security/rsa-introducing-ai-powered-insights-threat-intelligence
[16] https://www.crowdstrike.com/cybersecurity-101/secops/ai-powered-behavioral-analysis/
[17] https://www.sisainfosec.com/blogs/ai-in-cybersecurity-incident-response-automation-opportunities/
[18] https://atos.net/en/lp/detect-early-respond-swiftly/ai-powered-incident-response-harnessing-the-potential-of-self-healing-endpoints
[19] https://www.atera.com/blog/ai-in-workflow-automation/
[20] https://www.ibm.com/blog/announcement/the-impact-of-ai-on-proactive-incident-management/
[21] https://devops.com/unleashing-ai-in-sre-a-new-dawn-for-incident-management/
[22] https://www.splunk.com/en_us/blog/learn/siem-security-information-event-management.html
[23] https://cset.georgetown.edu/article/what-does-ai-red-teaming-actually-mean/
[24] https://www.axios.com/2024/06/17/cisa-tech-companies-ai-cyberattack-simulation
[25] https://testgrid.io/blog/ai-in-software-testing
