Cybersecurity: Good vs. Bad AI Tools for Defense and Attack

Very convincing phishing messages powered by artificial intelligence (AI) are causing headaches for experts, companies, and their employees. How can they be recognized, and what can be done to avoid data theft and extortion by malicious cyber attackers? AI can help here too, especially when combined with the other usual precautions and protections. However, some things remain the same: the human factor is the weakest link, so precautionary measures and continuous training of employees on cybersecurity are never enough.

Phishing, smishing, vishing…

In recent years, phishing attacks have become increasingly sophisticated, agrees SysKit co-founder and CEO Toni Frankola, but artificial intelligence has introduced a new layer of complexity with its message personalization and mass capabilities. There are different types of phishing, he noted. The most common is email phishing, where attackers use fraudulent emails to impersonate legitimate organizations to steal personal data. He explains that spear phishing and whaling target individuals and companies using social engineering techniques to prompt recipients to grant access to company systems, while smishing and vishing involve text messages and phone calls that lure victims into revealing sensitive data or downloading malware.

– The tips and techniques for phishing protection are almost the same as before the application of AI. The first is employee education and raising awareness about cybersecurity to recognize signs of phishing emails such as suspicious sender email addresses, spelling mistakes, requests for password submissions, or requests for approval to access IT resources. Attackers often send messages that prompt employees to react quickly, such as ‘you must urgently change your password.’ This reduces the time victims have to notice signs of phishing. Warn employees not to click on links or download attachments from unverified sources and teach them how to report and block such emails. Internal controls are also necessary, especially for payments, as are investment in quality IT tools, multi-factor authentication, advanced email filtering, regular system updates, and phishing tests, along with a threat protection policy and a zero-trust approach to the network. In case of a breach, steps must be determined to prevent further damage, Frankola warned.

Phishing is the first method of delivering ransomware, he continued, aimed at getting the victim to download a file that hides in the background of the user’s device and soon blocks access to their own files. The attacker then extorts the victim to pay for ‘unlocking’ access to their own data or they will lose it. Frankola is confident that the rise in phishing will impact the rise in ransomware.

– It is impossible to reduce attacks to zero. However, AI tools can also be used to identify potential cyber attacks using AI email filtering tools, and AI algorithms can analyze URLs in emails or messages to identify anomalies in domain names. Some AI tools can be integrated with threat databases to help companies quickly automate the recognition of new phishing tactics, Frankola said.
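The domain-name check mentioned above can be sketched with simple rules, as an added example that is not from the article or the people quoted in it. The trusted-domain list, the substitution table and the two-label "registrable domain" shortcut are all assumptions made for illustration; a production filter would use the Public Suffix List and a fuller confusables table.

```python
from urllib.parse import urlsplit

# Constructed list of domains the organisation really uses (assumption).
TRUSTED = ("example-bank.com", "example.com")

# Look-alike substitutions folded to one canonical form before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels of the host name."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(domain: str) -> str:
    """Fold visually confusable characters so 'examp1e' and 'example' compare equal."""
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> str:
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    if any(label.startswith("xn--") for label in labels):
        return "suspicious: punycode label"
    for good in TRUSTED:
        if skeleton(domain) == skeleton(good):
            return f"suspicious: look-alike of {good}"
        if edit_distance(domain, good) <= 2:
            return f"suspicious: near-miss of {good}"
        # Trusted brand label placed in front of an unrelated registrable domain.
        if good.split(".")[0] in labels[:-2]:
            return f"suspicious: {good} used as subdomain"
    return "unknown"
```
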

Combination of multiple measures

Cybersecurity architect at Hrvatski Telekom Mladen Prekrat also emphasizes that, alongside continuous employee education and upgrades, advanced security tools and artificial intelligence, multi-factor authentication, security policies and procedures, data backup, behavior analysis, and recovery plans must be applied. The use of artificial intelligence, according to Prekrat, includes developing algorithms that can recognize and block phishing messages before they reach the end user and that assist in analyzing large amounts of data and patterns. AI can also be part of an anomaly detection system for network traffic, which can help in early detection of attacks, but no measure is 100% effective on its own, and different approaches must be combined, Prekrat argues. Raising awareness among people about the threats posed by generative artificial intelligence, especially convincing phishing messages, requires a strategic approach, so Prekrat states that it is necessary to understand the threat and to create the right mindset and a culture of security.

– AI can play a key role in defending against cyber attacks and recognizing dangers as it can be used in advanced threat detection, pattern analysis, and faster response times. The application of AI can significantly improve an organization’s defense against attacks and actions against potential threats. However, AI is not perfect and should be used alongside other security measures and protocols.

Involving ethical hackers can help test and strengthen an organization’s security measures, and it is necessary to comply with national and international laws. It is also important to ensure the physical security of infrastructure and devices, Prekrat noted.

The National CERT, a sector of CARNET, notes that before the emergence of increasingly capable AI language models, the complexity of the Croatian language was a significant barrier for cybercriminals in creating convincing fake messages and diminished the success of their attacks. Now, they said, convincing, grammatically correct phishing messages are being created that are harder to recognize by their grammar.

Do not pay ransoms

In addition to the sender, language, urgency, signature, and suspicious links, they emphasized that it is also necessary to consider whether the message is expected, whether it is suspicious, and whether it evokes emotion in the recipient.

– Employees must know the basics of cybersecurity hygiene, take care of their business devices and access to company resources, respect the rules of using IT equipment, networks, and other computer resources, but also be aware of their own responsibility. They should verify and report any suspicious actions. Depending on the assessment of the reported threat or incident, it is necessary to inform the relevant CSIRT team, and in Croatia, the National CERT is responsible for all incidents in small and medium-sized enterprises and for citizens. Ransomware can cause business interruptions, data loss, financial and reputational damage, and generative artificial intelligence enables even less skilled criminals to carry out cyber attacks. The National CERT advises not to pay ransoms for ransomware as it is uncertain whether attackers will return the data and whether they will not extort again. By paying the ransom, one may become a target for other attackers, and the funds obtained are invested by attackers in infrastructure and personnel. There are ongoing discussions about making ransom payments illegal, but it is certainly not ethical. Artificial intelligence can be used for automated threat and vulnerability detection, improving security by analyzing traffic, accelerating development and security testing, for education, and testing the resilience of employees and the company, the National CERT emphasized.

Security culture

It is important to use advanced security technologies that include anomaly detection, which also includes improving email filters and using verification tools that can help confirm the identity of message senders, said Marko Jertec, head of the Information Security Consulting Department at Setcor. Regular training and workshops for employees can help raise awareness of the methods used by attackers, including AI phishing campaigns, but he believes that strengthening the legal framework regulating the use of AI technologies will be necessary.

– For educational purposes, AI can be applied to examples of creating convincing fake messages and simulating phishing attacks. It is necessary to promote a culture of security, regular checks, and upgrades of security policies, cooperation with security experts, industries, and government agencies. Although there is no one-size-fits-all solution for ransomware, protection still includes firewalls, antivirus programs, and constant upgrades of the company's software, including operating systems and applications. In addition to data backups, network segmentation is important to limit access between its different parts. Artificial intelligence is used, for example, for anomaly and behavior detection, learning from historical data, and recognizing normal behavior within the network. Whenever there is a deviation from usual patterns, such as an unexpected transfer of a large amount of data or accessing sensitive resources at unusual times, AI can alert security teams to a potential threat. It can also simulate attacks and automatically respond and integrate with existing security solutions, Jertec describes.
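The baseline-and-deviation idea described above, reduced to a statistical sketch as an added example that is not from the article or the people quoted in it. The history records, user names and the threshold factor `k` are constructed for illustration; the volume check uses the median and median absolute deviation (MAD) in place of a trained model.

```python
from statistics import median

# Constructed history: (user, hour_of_day, bytes_transferred) from earlier weeks.
HISTORY = [
    ("ana", 9, 40_000_000), ("ana", 10, 55_000_000), ("ana", 14, 48_000_000),
    ("ana", 16, 60_000_000), ("ana", 11, 52_000_000),
    ("ivo", 8, 5_000_000), ("ivo", 13, 7_000_000), ("ivo", 15, 6_000_000),
    ("ivo", 9, 4_000_000), ("ivo", 17, 8_000_000),
]


def build_baseline(history):
    """Learn each user's usual working hours and typical transfer size."""
    per_user = {}
    for user, hour, size in history:
        entry = per_user.setdefault(user, {"hours": [], "sizes": []})
        entry["hours"].append(hour)
        entry["sizes"].append(size)
    baseline = {}
    for user, entry in per_user.items():
        med = median(entry["sizes"])
        # MAD is robust to a few large outliers already present in the history.
        mad = median(abs(s - med) for s in entry["sizes"]) or 1
        baseline[user] = {
            "first_hour": min(entry["hours"]),
            "last_hour": max(entry["hours"]),
            "median": med,
            "mad": mad,
        }
    return baseline


def score_event(baseline, user, hour, size, k=6):
    """Return the list of deviations from the user's baseline (empty means normal)."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    alerts = []
    if not profile["first_hour"] <= hour <= profile["last_hour"]:
        alerts.append("access outside usual hours")
    if size > profile["median"] + k * profile["mad"]:
        alerts.append("transfer volume far above baseline")
    return alerts
```
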

In addition to education, for ICT presales expert at A1 Hrvatska Tina Herljević, technological measures are a key component in defense, using advanced systems for filtering and identifying suspicious messages, and two-factor authentication or biometric authentication further complicates attackers’ access to accounts, even if they manage to obtain user data. Herljević advises monitoring network activity and data analysis, upgrading software and operating systems, and using reliable antivirus and antimalware tools that can scan the system to detect suspicious files and actions and respond before the entire system is corrupted. Regularly creating backups, Herljević continued, allows for faster data recovery in the event of a ransomware attack, thereby reducing losses and business interruptions. Security solutions such as firewalls or IDS/IPS systems can, in Herljević’s opinion, monitor network traffic, identify suspicious actions, and automatically protect the system.
