Security

The Best Way to Prepare for an AI-Fueled Cyberattack? Practice

IT leaders use secure access service edge to stop the next generation of cyber intrusions.

Mike Gruss has more than a decade of experience reporting on local, state and federal governments, including national security space programs.

When more than 50 IT leaders gathered at Microsoft’s office in Reston, Va., to discuss a series of cybersecurity threats in June, the meeting came against a backdrop of rising concerns about attacks generated with the aid of artificial intelligence.

The officials weren’t strangers. Many of them had met on an ad hoc basis in recent years, including Saturday mornings, following actual cyberattacks that worried government leaders.

But on this day, to boost familiarity and muscle memory and to better prepare for the future, they took on an imagined cybersecurity scenario.

“Members of your communications department noticed on a social media platform that user DarkWebKnight087 tagged one of your company social media accounts in a series of messages,” the group was told, according to a document from the Cybersecurity and Infrastructure Security Agency. “The posts include screenshots from a darknet forum where a member is bragging about a huge phishing attack they are planning against your organization.”

Click the banner below to see how identity access management can improve the user experience.

The event was a four-hour tabletop exercise organized by CISA and the FBI. The goal was to focus on effective, coordinated responses to AI security incidents.

“Holding an exercise with other government agencies and private sector partners allows us to develop these responses together and not in isolation,” said a senior cybersecurity official for the FBI. “It’s a really good opportunity for the agencies to get an understanding and to baseline everyone’s level of knowledge so that we can respond effectively to the threats we face.”

Fighting AI with AI in the Modern Cybersecurity Landscape

With the planned phishing attack exercise, ideally, the organizers wanted participants to understand the processes and trip wires agencies have in place to detect AI security incidents and how these incidents are similar to or differ from traditional cybersecurity threats.

But more broadly, they also wanted the group to concentrate on a less-tangible outcome: collaboration and coordination at a time when the government is shifting to zero trust and secure access service edge technology as a way to boost safety.

SASE follows many of the tenets of the federal government’s broader zero-trust philosophy, which calls for prompting users regularly for authentication and limiting access based on unusual logins to shrink the attack surface.

If these approaches work, users such as DarkWebKnight087 — whether they’re real or imaginary, malicious actors or the handiwork of AI — could be deterred or rendered useless.

SASE is already an emerging reality in the federal government, accelerated by the adoption of hybrid work and cloud computing. Industry analyst Gartner noted in an October report that the market for technology is expected to grow at a compound annual rate of 29% and reach a market size of $25 billion by 2027. And agencies across the government are signing on: The Department of the Interior, for example, requested roughly $5 million in its fiscal 2025 budget for SASE technology, and IT leaders from the Department of Education adopted it in 2023.

“The bottom line is that AI and the capabilities that come with AI will likely be seen as necessary to compete in these environments,” the FBI official says. “So, we understand that entities will be adopting this technology, but the technology will also allow these actors to develop increasingly powerful and sophisticated capabilities in less time.”

And that makes collaboration and new levels of security paramount.

≈700M

The number of connection attempts from federal agencies to malicious domains blocked by the Protective DNS program

Source: cisa.gov, “Piloting New Ground: Expanding Scalable Cybersecurity Services to Protect the Broader Critical Infrastructure Community,” Nov. 17, 2023

Enhanced Intruder Detection Through Protective DNS

A good example of security collaboration across government is the Protective Domain Name System Resolver, a CISA service launched in September 2022. Protective DNS allows federal agencies to safeguard government devices from cyberattacks — especially outside the office environment — through enhanced intrusion detection and prevention. Using cloud technology, the devices are configured to resolve DNS requests through CISA. SASE allows the agency to intercept all DNS queries on the device and route them to Protective DNS for inspection.

As a complement to zero trust, SASE protects data and users based on identity, context and compliance policies rather than through a firewall.

Branko Bokan, CISA’s chief of the Architecture and Engineering Center of Excellence, points to Cyber Monday, the popular holiday shopping day, as an example. Years ago, many federal workers came to the office, logged in to a desktop and ordered their holiday gifts instead of shopping at home, where internet speeds were often slower. In such a scenario, they were protected by an on-premises firewall. But in 2023, they could do their shopping from any device, anywhere.

It’s a trade-off for convenience with a hybrid workplace but one that requires new levels of security.

“We were not only losing visibility into what was happening on the network — and into devices that were on-premises — because our workforce had become nomadic, we also started to lose our ability to protect that workforce, to protect those nomadic, roaming devices,” Bokan says.

DISCOVER: Next-gen SIEM improves cyber visibility.

Now, SASE plays a key role, and CISA relies on vendors such as Palo Alto Networks, Cisco, Infoblox, Microsoft and Zscaler for the technology.

This protection extends to AI threats as well. Bokan says CISA’s role in working across government allows it to “create resources that are required not just by federal agencies but by all of our constituents, to help them better understand, better protect themselves against new AI-enhanced threats.”

Leaders Explore Security Incident Collaboration

After the June tabletop exercise, the goal was for representatives to return to their agencies with a better understanding of how they would respond.

“What we’re looking for is, how are those actors going to utilize these technologies, and what are the things that we need to be aware of from a planning perspective and from a protective standpoint?” the FBI official says. “How do we understand adversaries’ use of this technology against infrastructure? Then, we use that information and share that back with those who are responsible for focusing on that zero-trust network.”

Exercises such as these also align with CISA’s roadmap for AI. The agency plans to use partnerships and working groups to share information on AI-driven threats and to work with industry, federal and international partners to better understand those threats.

LEARN MORE: Ransomware attacks require improved information sharing.

CISA also plans to raise awareness of emerging risks as adversaries adopt AI-enabled software systems and as AI expands the cyberthreat landscape, especially for critical infrastructure.

At the same time, the agency is working on an AI playbook that will not only teach users how to respond but also help them identify how and when AI is being used to attack their networks. That effort, known as the AI Security Incident Collaboration Playbook, is expected to be released near the end of 2024.

A second exercise, to validate the lessons learned in the playbook, will be held with critical infrastructure entities that are integrating AI into their workspaces.

After the first event, industry officials espoused the value of teamwork and said that a shared response to an attack is an enhanced response. But perhaps more important, having a collective to work with means that, while it may be someone’s first time dealing with a particular kind of attack, it’s likely that a colleague has seen something similar, and that will translate to a faster, more effective response.

Zero-Trust Traits

In collaboration with the National Cybersecurity Center of Excellence and 24 commercial partners, the National Institute of Standards and Technology released the results of its Implementing a Zero Trust Architecture Project in July, which details 17 examples of zero-trust models that federal agencies can emulate.

Project organizers worked together in a lab environment to build and test zero-trust models that would “better position” agencies for success, including plans that:

Support user access to resources regardless of the user’s location or device
Protect sensitive information and other business assets and processes regardless of their location
Limit breaches by making it harder for attackers to move through an environment
Perform continuous, real-time monitoring, logging and risk-based assessment and policy enforcement

Photography by Jonathan Thorpe