A study from the Department for Science, Innovation and Technology has found that security professionals focused on attack simulations are, for a range of reasons, taking a circumspect approach to new tools

Cyber red teams that emulate the techniques of attackers are “deeply sceptical” of the potential impact of artificial intelligence in improving organisations’ cyber defences, government-commissioned research has found.

In December of last year, the Department for Science, Innovation and Technology retained cyber consultancy Prism Infosec to undertake a research exercise intended to explore “how the commercial offensive cyber sector is integrating emerging technologies into their commercial offerings and what the implications are of this integration”.

The study found that the most high-profile of all such technologies is expected to have only limited impact on the ability of red teams – which exist to replicate and simulate attackers’ techniques – to probe organisations’ security set-ups.

“Overwhelmingly, our interviews demonstrated the sector remains deeply sceptical of the promises of AI, considering many of its capabilities overstated and overused in products, creating a confused environment as to its true potential and capabilities,” says the newly published research report. “It was perceived that the most common use by threat actors for AI at this time was to deliver more sophisticated social engineering attacks. Aside from the ethical issues of such use, interviewees highlighted risks of data privacy, large costs, and the security of public models as reasons for hampering widescale adoption of the technology in their current offerings.”

However, red teams also reported expectations that AI might, in time, become a tool in their arsenal. But, in the meantime, offensive cyber operations will rely on specialist human expertise, rather than automation.

“There was optimism that, in time, these factors would be addressed by more accessible models which can be hosted and tuned privately by cybersecurity firms and then used for a variety of commercial offerings from attack surface monitoring through to vulnerability research and prioritisation. Until the technology reaches this level of maturity, however, the red team element of the sector will continue to focus on the manual specialised human efforts for the delivery of commercial offensive cyber services.”

The study also reports that other “surprising results [included] the lack of discussion around technologies such as blockchain or cryptocurrencies.”

Respondents have, instead, found that “adoption and migration into cloud-based architecture has had a larger impact to services being offered by the commercial red teams”.

The report adds: “It has provided changes to traditional infrastructure, enforcing development of new tooling and practices as the sector has adapted to how client organisations have migrated into the cloud following the global coronavirus epidemic Covid-19, advancements in detection and response capabilities, changes in real-world threat actor behaviours.”

Offensive cyber professionals also noted that their sector has not kept pace with threats that may face organisations working with non-Windows computing environments. This has also been a factor in stymieing the use of AI, according to survey participants.

“It was felt that investment into developing offensive cyber tools and capabilities for MacOS, Linux, Unix, Android, iOS, etc. had lagged significantly behind Microsoft Windows estates,” the research says. “[This was], in part, due to the prevalence of that operating system in wider society. As a result, the lack of published research and tools into these was seen as having a hampering effect for using technologies like AI to be used to help develop new capabilities.”

The study concluded with a finding that red teams feel that – following a tip in the scales towards the work of their colleagues in blue teams, focused on cyber defence – the IT security field is currently fairly “balanced”. The increased focus on defensive posture has led to a greater degree of circumspection among cyber professionals – which, in turn, is also presenting a barrier to the use of new and innovative tech.

“This perceived increased speed of defensive adaptation was ultimately leading to a more cautious approach to knowledge sharing among offensive security practitioners so as to avoid techniques being burned prematurely and inhibiting operations,” the report says. “Analysis of this topic from the interviews revealed that the effective capability bar for offensive security professionals was rising, requiring deeper coding knowledge, automation expertise, and adaptability. Traditional offensive techniques were becoming less effective, which was forcing red teams to find short-term gaps in defences rather than relying on old exploits.”

It adds: “Interviewees expressed the conclusion that offensive cyber operators were needing to constantly evolve as security solutions are becoming more sophisticated and harder to bypass. This means knowledge of innovative tools and techniques may become more restricted, and only become public once they have been effectively neutralised by defences.”

The civil service operates its own Government Security Red Team – also known as OPEN WATER – which tests the defences of departments by mimicking the work of cyberattackers. In late 2022, PublicTechnology exclusively reported on the team leading a campaign of hostile digital and in-person reconnaissance intended to identify vulnerabilities.

Numerous agencies across government – including the Ministry of Defence and the Government Digital Service – have also employed the services of external cyber firms to carry out attack simulations or other red-team exercises.
