Research findings – Osterman Research
https://ostermanresearch.com
Insightful research that impacts organizations
Mon, 10 Mar 2025 22:27:58 +0000

Using AI to Enhance Defensive Cybersecurity – our latest report
https://ostermanresearch.com/2024/11/22/using-ai-to-enhance-defensive-cybersecurity-our-latest-report/
Thu, 21 Nov 2024 23:51:07 +0000

For every topic, key enemies are hype and bluster. Hype is overinflated expectations or advocacy for something that can’t live up to what is said about it. Bluster is the aggressive and noisy positioning of something without the depth of character or capability to follow through. As a researcher, breaking through hype and disabusing bluster are core to our work.

If you’ve read any of our reports – and there’s quite a collection of them across a wide range of topics – you’ll notice that [1] they aren’t short, and [2] we try to dig into the details. Our latest report is no exception … with a hype-busting and bluster-disabusing examination into the role of AI in enhancing defensive cybersecurity. You can get a copy from our portfolio.

To gather the data, we surveyed organizations in the United States on the front lines of cybersecurity attacks. To take the survey, the respondent had to work at an organization with at least 500 employees and/or at least 50 people on their security team. We wanted to get a sense of what they were seeing in terms of changing dynamics with cybersecurity attacks, particularly the impact of offensive AI. And equally, we wanted to get a read on how they were responding to these changing attack dynamics.

We reached four key conclusions in the research:

  • Attackers have the early advantage in generative AI and GANs. Generative AI and GANs are tipping the scales in favor of attackers, but defensive AI tools are catching up, especially in behavioral AI and supervised machine learning.
  • Integrate AI strategically into cybersecurity frameworks. Strategic integration of AI into cybersecurity frameworks is essential to fully leverage the technology’s potential. Organizations should focus on aligning AI investments with core business objectives and risk management practices.
  • AI is a force multiplier for cybersecurity teams. AI enables cybersecurity teams to focus on high-impact activities. However, this requires appropriate training, organizational alignment, and investment in the right tools.
  • The time for embracing AI in defensive cybersecurity is now. As AI reshapes both offensive and defensive cybersecurity, organizations must act swiftly to secure their infrastructures, adopt AI-powered defenses, and prepare their teams for the next generation of AI-enabled threats.

Do these conclusions echo what you’re seeing at your organization? Get your copy of the report if so.

This research was sponsored by Abnormal Security, IRONSCALES, and OpenText.

If your firm provides AI-powered cybersecurity solutions to offer protections against AI-enabled attacks AND you would like to spread this research to your customers and prospects, please get in contact to talk about licensing options.

Nastiest malware 2023
https://ostermanresearch.com/2023/10/30/nastiest-malware-2023/
Mon, 30 Oct 2023 07:54:25 +0000

OpenText Cybersecurity published the 2023 version of its Nastiest Malware report (sixth year). There’s a press release and report.

Key findings:

  • Ransomware (as a category of malware) tops the nastiest list in 2023, driven by ransomware-as-a-service (RaaS) business models. This aligns with our 2022 report on ransomware, in which we profiled the growing prevalence of RaaS as driving increases in ransomware attackers, attacks, and variants. In 2023, Cl0p has been particularly active.
  • Double / triple extortion designs are highly devastating to organizations, because even if there is a backup to restore data, the threat of the ransomware gang publishing stolen data forces many organizations to pay the ransom.
  • The press release says that “only 34% of businesses pay ransom, an all-time low.” In light of the double / triple extortion comment above, we had to think this one through. For it to be so low, the 71% of organizations that are not paying the ransom must do two things very well – firstly, have data backups to enable rapid and error-free restoration, and secondly, use strong data protection methods such as encryption so that any exfiltrated data is unreadable and won’t trigger “crisis communications and data compliance fines” (see the report for that line). With the way ransomware is going, organizations not doing both are asking for trouble.
  • The average ransom payment, when one is made, skyrocketed to $740K (in Q2 2023). In late 2021, the average was $167K. That’s a big change, and one that OpenText attributes to the wild success of Cl0p’s exploitation of customers using MOVEit Transfer.

Perhaps the Verizon numbers give another reason why this data point was so perplexing
https://ostermanresearch.com/2023/10/05/verizon-ai-email-security/
Thu, 05 Oct 2023 04:01:13 +0000

In late August we published a white paper called The Role of AI in Email Security. You should totally get a copy if you don’t already have one.

One of the more perplexing data points from the survey underlying the white paper is this one, on the threats that the respondents were looking to AI to address in their email security posture (see Figure 6 on page 11):

What’s perplexing is why the importance of using AI to protect against threats in inbound email (26.6% extremely important) is rated so much less than protecting against threats or risks in outbound email (46.9%) and internal email (46.5%). I wrote this in the white paper (emphasis in the original):

Protecting against threats in inbound email was rated in third place, behind the two types of threats above. This is a strange prioritization because organizations cannot ignore the threat conveyed by inbound email, as this is where many multi-stage attacks begin—and where employees are most likely to succumb. Early detection of inbound threats cancels the whole chain of subsequent malicious activity that would happen otherwise, including threats in internal email.

Osterman Research, The Role of AI in Email Security (2023)

After writing about the human element as explored in Verizon’s DBIR earlier this week, I started mulling over whether my calculation of the differential breach rate helps to explain it. Here are the numbers again:

  • When external actors (cybercriminals) seek to compromise internal actors (employees), the breach rate for 2023 was 54.5% – meaning that 45.5% of breach attempts did not become incidents. This threat case from the VDBIR essentially maps to the “threats in inbound email” threat type above.
  • When internal actors (employees) make a mistake and send email to the wrong person, or otherwise accidentally expose data, the breach rate is 85.0% – meaning that only 15% of mistakes were caught and did not become incidents. This threat case is the top one in the figure above – threats in outbound email.

And hence the differential prioritization in the figure above – current controls for the outbound threat type are significantly weaker than for the inbound threat type, and organizations are looking to AI to make a much more significant and immediate impact on reducing the breach rate for the outbound type.

In all fairness, neither breach rate / non-breach rate is wonderful. But the outbound one is much worse than the inbound one.
