1 big thing: Malware’s AI time bomb

source: axios.com (contributed by Bill Amshey)  | image: pexels.com

Hackers already have the AI tools needed to create the adaptable, destructive malware that security experts fear. But as long as their basic tactics — phishing, scams and ransomware — continue to work, they have little reason to use them.

Why it matters: Adversaries can flip that switch anytime, and companies need to prepare now.

Driving the news: The looming threat of autonomous cyberattacks was a top talking point at the inaugural HumanX conference in Las Vegas this week.

• “You know that phrase, ‘Keep your powder dry’? That’s what attackers are doing right now,” James White, chief technology officer at AI security startup CalypsoAI, told Axios, implying that bad actors are ready for battle.

The big picture: Cyber leaders have long feared generative AI would enable autonomous cyberattacks, making current security tools ineffective.

• These attacks could involve AI agents carrying out hackers’ bidding or malware that adapts in real time as it spreads.

Between the lines: A few years into the generative AI revolution, experts are split on how imminent these threats are.

• Some say we’re less than two years away from seeing agentic malware in nation-state cyber warfare.
• Others argue hackers have little incentive to change tactics as they continue to profit from simple scams, phishing and ransomware.

Threat level: Even though AI-powered malware has yet to flood the zone, companies can’t rest easy.

• “The rate of acceleration is insane,” Evan Reiser, CEO of email security company Abnormal Security, told Axios. “You don’t have to be a total science fiction nerd, like me, to imagine where this can go in one year, two years.”
• AI will speed up attacks, leaving defenders with little time to react.
• Meanwhile, most organizations are still behind on basic security measures, Reiser said, noting that the typical company is focused on setting up two-factor authentication. Abnormal Security works with about 20% of the Fortune 500.

Reality check: Startups selling AI security tools have an interest in hyping potential threats.

• Mandiant says it has yet to respond to an attack involving truly autonomous AI or adaptable malware.
• “I’m actually not worried about any of that right now,” Charles Carmakal, CTO at Mandiant, told Axios.
• Mandiant has mostly seen adversaries using AI for basic tasks like crafting phishing emails or researching targets.

The intrigue: Companies hiring cybersecurity vendors are beginning to understand that the best way to fight AI attacks is with AI security tools, said Itai Tevet, CEO of Intezer, a startup that offers an autonomous security operation center.

• “It’s dramatically different between 2023 and today,” Tevet told Axios. “In the past, we needed to evangelize on why technology can do the same job. Today, all CISOs are getting asked by their board, ‘How do you leverage AI?'”

Zoom in: AI agents can also help threat intelligence teams review the pile of notifications they receive about new vulnerabilities, phishing emails and other malicious activity, Steve Schmidt, chief security officer at Amazon, said in a fireside chat with Axios.

• Amazon currently doesn’t let agents make decisions or act on their own, but they can review the threat intelligence coming in to determine what needs to be prioritized.
• “We’ve ended up significantly improving the lives of the security engineers, making them more efficient at what they have to do,” Schmidt said.