AI Is Killing This Business, And It's Glorious
Security is about to lose a service line to a mix of AI functions, and it's a good thing.
“AI is coming for jobs” seems to be a common theme in the news these days. I’ve even been playing with ChatGPT to augment my report writing and documentation. I firmly believe that ChatGPT will diligently review and potentially revise specific sections of this writing to enhance its clarity and cohesiveness. But let’s talk about what it is actually doing that genuinely changes and improves security.
Preventing Spam And Phishing
Just 15 years ago, Social Engineering was in its infancy as a penetration testing service, and anti-spam measures were primarily based on simple blacklisting and spam list services. Sender authentication (SPF and DKIM) existed on paper but was rarely deployed, and DMARC, which ties the two together with a published policy, did not exist yet. Now, with the rapid advancements in AI technology, the landscape is changing again, and enterprise mail service providers are adopting the next generation of mail filtering: content and behaviour models layered on top of sender authentication.
These mail filtering systems are game changers for clients not using SaaS mail services, or for those who want additional security on top of them. Companies such as Checkpoint have been leading this revolution, pioneering AI-driven mail-filtering products to bolster email security.
While it remains possible to circumvent authenticated-sender technical controls (a lookalike domain with its own valid SPF, DKIM and DMARC records passes authentication just fine), the continuous advancements in AI-based content filtering will make bulk e-mail-based Social Engineering increasingly futile. As a result, today's penetration testers are conducting Social Engineering assessments that, in many ways, lag nearly a generation behind. The widespread adoption of these technologies threatens to push that gap even wider.
In light of these developments, it's becoming increasingly crucial for companies to adapt their methodologies to stay ahead of the curve. In some cases, this means sunsetting the mass-phishing service line outright, because the dynamic cybersecurity landscape demands constant evolution and vigilance.
Training And Testing Staff
Addressing the threat of social engineering from an alternative perspective, companies such as KnowBe4, ThriveDX, and other specialized training services have begun to focus on providing comprehensive phishing training programs, which include realistic simulations. These programs equip employees with the knowledge and skills to identify and respond to phishing attempts effectively.
In addition to offering in-depth education, these training services incorporate periodic testing as a crucial element of their approach. The tests are intentionally configured to bypass technical controls, typically by allowlisting the simulation platform's sending domains and IP ranges in the mail gateway, so that every targeted staff member receives the test message and can be observed responding to it. This hands-on methodology reinforces the training content. It allows organizations to identify gaps in their staff training and take proactive steps to strengthen their overall security posture. The caveat is that an allowlisted test measures people, not the mail pipeline: a campaign that lands in every inbox says nothing about whether the same message would have survived the filters.
The Problem For Professional Services Providers
Modern Social Engineering services play a vital role in uncovering weaknesses in employee training programs and enhancing staff preparedness for real-world attacks. Combined with well-implemented technical controls, these services contribute to a robust security posture.
However, once an organization successfully integrates employee readiness with next-generation technical safeguards, the value of another realistic Social Engineering simulation drops. Either the campaign is blocked by the filters it was meant to test around, or it is allowlisted and no longer resembles what an outside attacker can deliver. In this case, allocating resources to these engagements becomes less efficient, as the organization has already laid a solid foundation for addressing the threat.
From the perspective of a professional services consultancy, projects are inherently constrained by the amount of effort the client purchases. Services are typically scoped with the understanding that an attacker possessing unlimited resources and time could potentially identify novel techniques or bypass technical controls. In the context of Social Engineering, this could involve adopting a more targeted approach or employing social engineering tactics to escalate privileges rather than establishing an initial foothold.
As technology advances, it is increasingly likely that Social Engineering tactics will shift away from email and explore other avenues, such as vishing. The rapid improvement of AI-driven deep fake audio technology further reinforces this possibility. Consequently, organizations must remain vigilant and adaptive to address the evolving landscape of cybersecurity threats.
Where Do We Go From Here
Security is just as much about allocating resources appropriately as about preventing active breaches. Continued testing with the "realistic" mass-phishing scenarios many consultancies describe (similar to how Optiv describes their process here) will become less of an option.
As mass phishing campaigns lose effectiveness due to AI-driven security measures and advanced spam filters, businesses must reassess their security budgets and allocate resources to alternative services that offer better value and efficacy. Likewise, consultancies need to modify their offerings to reflect these changes, ensuring that they provide services that make financial sense for their businesses.
Investing in targeted employee training and threat intelligence services, alongside Red Team spear phishing engagements, can bolster an organization's defenses against increasingly sophisticated cybercriminals. Training programs and Red Team services work together to provide end-to-end testing coverage and identify gaps in training where mass email testing in the older style (again, similar to how Optiv describes its process here) is no longer feasible. By using low-and-slow testing methods, a handful of well-researched messages over weeks rather than hundreds in an afternoon, and by crafting personalized pretexts, Red Teams can better understand which users and workflows are exposed and strengthen defenses accordingly.
Integrated training and testing programs, which combine education and assessment, are an effective way to identify users who require additional training and support. By creating a more comprehensive and targeted approach to enhancing their cybersecurity posture, organizations can foster a culture of security awareness while ensuring that employees have the skills and knowledge necessary to protect their digital assets from ever-evolving threats.
Technical controls testing is another critical component of an organization's cybersecurity strategy. By assessing the configuration and effectiveness of the established sender-authentication standards (SPF, DKIM, and DMARC) as well as newer measures (like Darktrace's AI filtering or the advanced mail flow filtering offered by service providers like Microsoft), consultants can help organizations identify weaknesses, prioritize improvements, and allocate resources efficiently. Much of the first layer can be checked from the outside: a published DMARC record with p=none, an SPF record ending in ~all, or an SPF record that exceeds the ten-lookup limit each means that spoofed mail for the domain will still be accepted somewhere, whatever the AI filter behind it does. Regularly conducting technical controls testing enables organizations to proactively identify and address such issues, staying ahead of the curve and maintaining a strong security posture.
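As an added example of the kind of check described above (this is not code from the original article or from any vendor named in it), the following Python script assesses SPF and DMARC records the way a consultant would when reviewing a client's sender-authentication posture. The records are constructed sample strings for two hypothetical domains, weak.example and strong.example, rather than live DNS lookups, so it runs offline; in practice the same functions would be fed the TXT records fetched for the domain and for _dmarc.<domain>.

```python
"""Offline SPF/DMARC record assessment.

Added example, not code from the original article or any vendor it names.
The records below are constructed for illustration and are not looked up
from DNS; a real assessment would fetch the domain's TXT records first.
"""
import re

# Constructed sample records for two hypothetical domains.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net include:mail.example.org a mx ptr ~all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
}

# SPF terms that each cost a DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(record):
    """Return a list of findings for one SPF TXT record (empty means clean)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF: ptr mechanism is deprecated and should be removed")
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders default to neutral")
    elif all_qualifier in "+?":
        findings.append(f"SPF: '{all_qualifier}all' permits any sender")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' softfail; spoofed mail is marked but often delivered")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings for one DMARC TXT record (empty means clean)."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing or malformed v=DMARC1 tag"]
    policy = tags.get("p", "none").lower()  # p is required; treat absent as none
    if policy == "none":
        findings.append("DMARC: p=none monitors only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if sub_policy == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address; aggregate reports are not being collected")
    return findings


def assess_domain(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return assess_spf(records["spf"]) + assess_dmarc(records["dmarc"])


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        findings = assess_domain(records)
        print(f"{domain}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run as-is, weak.example produces five findings (deprecated ptr, softfail, p=none, pct=50, no rua) and strong.example none. The lookup counter is deliberately conservative: it counts every include, a, mx, ptr, exists and redirect term in the top-level record but does not follow the includes, so a real audit that recurses into included records will report a count at least as high.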
All of this calls for a multi-faceted approach to testing a security posture. As traditional mass phishing campaigns lose effectiveness to AI-driven measures and advanced spam filters, organizations must reassess their security budgets and adapt their methodologies. Investing in targeted employee training, Red Team spear phishing engagements, integrated training and testing programs, and technical controls testing allows organizations to stay ahead of emerging threats and optimize their security spending. Equally important, organizations buying these services should recognize that the traditional method is becoming less effective, and that adopting new methodologies is essential for maintaining robust security as the landscape shifts.
Consultancies must adapt their service offerings to provide better value and efficacy in this environment. The security industry needs to keep talking about how technology is evolving and how to adapt while maintaining the intended security coverage. By embracing these changes, fostering a culture of security awareness, and actively participating in that conversation, organizations can proactively defend their digital assets and mitigate the impact of evolving threats. This collaborative mindset will help businesses and consultancies thrive in a rapidly changing industry and maintain a strong security posture.