Elon Musk recently made headlines for suggesting we should be more worried about AI than North Korea, reinforcing fears that the human brain simply can’t outperform or keep pace with certain kinds of automation. No one yet knows exactly what AI can do for humankind nor what happens if AI falls into the wrong hands.
But there is evidence that 2018 could be the year that it happens in earnest as the black market for off-the-shelf attacks is starting to mature. We are already facing a barrage of bad bots fighting good ones.
The only hope will be to fight AI with AI. Already most cyber-security applications use some form of AI to detect attack patterns and other anomalies.
And white and black hats are continually hunting for vulnerabilities and zero-day attack concepts. Both can use machine learning/deep learning to collect information and either fix the problem or, in the case of unethical hackers, create one. These are activities that can be easily automated and it has become a race to find the vulnerabilities first - WannaCry being a prime example of why organisations need to win the race to find and fix.
Other hackers, particularly those tasked with state-sponsored attacks, are more ambitious. For them, research is paramount. Consider that Vladimir Putin is on record stating that World War III will be fought over global AI dominance, with nations fighting over access to these new, powerful resources as they battled for fertile land or precious minerals.
Will AI be used to jam communication links, plunge cities into darkness, set oil rigs on fire or destroy emergency services? Those may be worst-case scenarios, but they point to the need for every enterprise to consider how AI could both damage and protect it.
Prediction 2: APIs Come Under Attack
APIs are a double-edged sword for modern applications such as mobile apps, IoT apps and third-party services embedded into existing applications. On one hand, they simplify architecture and delivery. On the other, they introduce a wide range of risks and vulnerabilities. Unfortunately, API vulnerabilities still do not get the required visibility. All of the risks that affect web applications also affect web services.
And yet, traditional application security assessment tools such as Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) either don’t work well with APIs or are simply irrelevant to them.
Prediction 3: Social Engineering Gets Automated
Social engineering is not a new problem. What has changed is the risk of automation transforming human behavior into vulnerabilities. Automated social engineering makes it possible to do two things:
- Exploit human inputs into automated processes and cause them to make automated processes to work against us or on behalf of the perpetrator.
- Accelerate the speed and effectiveness of longstanding social engineering methods such as phone calls, emails, texts and even conversations.
These issues have already emerged as extremely large automation issues. Dropbox, Amazon Web Services and Google have all announced huge outages caused by human interaction errors with automated processes with either networking or application changes.
Striving for Cyber Serenity: Is the Best Behind Us?
2017 was a monumental year. The discovery of BrickerBot marked the first time a software-based botnet would render a physical (IoT) device permanently unusable. It also foreshadowed a new genre of botnets and attack techniques that automate dastardly deeds. The WannaCry and NotPetya ransom attacks that followed each demonstrated crude forms of automation.
The conclusion we can draw is this: If growth of attack surface, techniques and means continues into 2018 through various attacks on automated technologies, the best years of security of our systems may be behind us.
Internet-connected devices are being deployed in virtually every aspect of our lives. Yet they are largely implemented in an insecure manner, often prompting decay to insecure architectures or configurations. The result is an environment in which automated attacks can and will thrive. Let us hope that 2018 will be the year when our collective societies learn how to transform the threat.