
How does AI change the economics of cybercrime?
Robert (Bob) McArdle: So I think actually agentic AI is genuinely the real game changer here. Right? If you look at the cyber crime industry for the last 10/15 years it's arguably the best example of a service industry in the world. Even more so than cloud computing and so on because you just replace all of those services or APIs with an agent and then you just pull agents together. They converse among themselves effectively and you have this like cyber crime automated ecosystem that can run itself. [ Music ]
Dustin Childs: Welcome to the "AI Security Brief" where we're unpacking emerging AI threats, vulnerability research, and the strategic decisions security leaders are making right now to get ahead of the next wave of cyber threats. I'm Dustin Childs.
Johnny Hand: And I'm Johnny Hand and today's episode surfaces a critical point for me. Not only is AI making existing attacks faster, but the entire structure of how cyber crime operates is being rebuilt around it.
Dustin Childs: And it is quite a profitable industry too.
Johnny Hand: Yeah. Definitely is. And to explore the evolution of cyber crime we sat down with Bob McArdle, the director of cyber crime research at Trend AI. Now Bob has spent two decades tracking cyber criminals so he has a front row seat on how agentic AI is reshaping cyber crime.
Dustin Childs: Yeah. What really struck me in this conversation is how Bob frames what's happening. I mean this isn't just AI makes phishing emails better, which it does, but this is about an entire criminal service economy, one that is already more sophisticated than most people realize, and how agentic AI is giving it a new engine.
Johnny Hand: Yeah. We talked about the three rules of cyber crime adoption also and why agentic AI hits differently than generative AI. Also what defenders can actually do to get ahead of the cyber criminals.
Dustin Childs: Bob does not disappoint. If you're a security or technology leader looking to understand where the threat landscape is evolving, this conversation is for you. Let's dive in. Yeah. So, Bob, I mean your work from what I understand is in a lot of crime, takedowns, working with LEOs. And your talk is about fighting crime. But before we get into that explain to me what vibe coding is because some people think it's like a really bad thing. Some people think it's a good thing, neutral, whatever. What is vibe coding to you?
Robert (Bob) McArdle: So vibe coding I think gets a bit of a bad rep because in some situations it's people who are not traditional coders suddenly being able to develop things. But essentially it's just coding changing from a language you have to learn, be it Python or something like that, to effectively being able to code in your language of choice whether that's French, German, English, whatever it is. You just simply describe the problem you're trying to solve and work back and forth with an AI to actually solve it. So it's an interesting like new development.
Johnny Hand: That must make it easier because as a defender I know one of the big things that I did was I tried to make it so expensive because given enough time and resources anything can be breached. Right? So I tried to make it so expensive that the attacker would essentially ignore me and move on. But it sounds like with vibe coding you can take a pretty generic person and get them to a point where they can be a criminal without having a lot of skills. Is that correct?
Robert (Bob) McArdle: So I think there's two parts to being a criminal. All right? One is the technical skills you're going to need. And yes it absolutely lowers the barrier for entry for that type of thing. Right? Because anybody can get a set of tools or build them themselves or the actual tool prices will drop because anybody can build them. The second side to being a criminal, however, is the actual ethics and morals and so on. Right? So if you, for example, are, you know, a hacker, a teenage hacker, and you break in to a server somewhere and you're poking around then you might get that joy out of like, "Hey, I've actually been able to technically accomplish this." But if you didn't go to the level of installing ransomware and inflicting misery and so on on somebody that's a completely different moral compass than the person who's just doing it for, you know, creativity and things like that. So that's the bit that AI doesn't affect. Right? That moral compass part.
Dustin Childs: I do want to dig in a little bit on the momentum that's happening right now and just the language and the speed of which agentic AI is taking off. And how is that translating with cyber crime? Like what are some of those like second and third effects that are having? Are you seeing that in your research with cyber criminals at the pace that we're doing it from a defensive perspective or even just like automation and using agentic tools to take those task actions?
Robert (Bob) McArdle: Yeah. So I think actually agentic AI is genuinely the real game changer here. Right? For cyber criminals in particular. So if you just look at pure generative AI or people who'd be listening in and are familiar with, you know, your ChatGPTs or Claudes or whatever, that's very good at answering questions. Right? You ask a question. You get an answer back or it writes a whole paper for you. Whatever. But it doesn't really do something on your behalf. And that doing something on your behalf that agentic gives us is the real game changer because if you look at the cyber crime industry for the last 10/15 years it's arguably the best example of the service industry in the world. Even more so than cloud computing and so on. And that gives it incredible flexibility where you can just stitch together these different APIs and services from criminals. But that is perfectly then set up for agentic because you just replace all of those services or APIs with an agent and then you just pull agents together. They converse among themselves effectively and you have this like cyber crime automated ecosystem that can run itself.
Johnny Hand: It's an interesting perspective because I think for many people when they're looking in to, you know, maybe they're -- the lens that they view cyber criminals or even criminals in general, they're not often thinking about how sophisticated they can be. And I love the fact that you just hit on how they're even better in many cases than we are at like building out these services and providing them. So let's take a step back for a second because you've been doing threat research in to cyber criminals for many years. I'd love to hear kind of that journey over the last maybe decade in to the last few years as you've kind of waded in to the water at the pace we have in research with AI, agentic AI, and these capabilities around cyber crime.
Robert (Bob) McArdle: So I've been kind of working in cyber crime research and also like APT nation state research and things for about two decades now. And you see over that time like these major waves coming along. And the longer you're doing this you realize some of these waves are essentially cyclical. They're kind of happening over and over again. The technology's different, but the core scam, the core tech, the business, is effectively the same thing. It's just the new technology gets laid on top. So you had, you know, for a long time you had quite a lot of innovation in cyber crime. Then we came to a kind of ransomware era that we've all kind of lived through over the last while which arguably actually killed innovation in the cyber crime space.
Dustin Childs: Interesting.
Robert (Bob) McArdle: Because it suddenly went from, you know, before now we had things like banking attacks and phishing and so on, but ransomware made so much money that it was very hard for any new ideas to take off because if you're making a million a month from doing ransomware and some new technically more interesting attack comes along, but it's untried, it's not tested, and so on, why would you even bother in it? Just keep getting the million dollar, you know, check every single month. So it actually stifled creativity. And now we're at the point where there's this kind of perfect storm happening. Industry generally knows how to solve the ransomware problem at this point. Right? Or if you don't at this stage in your industry you're in trouble. Right? There's bold solutions out there. So they're struggling with that. Like payment rates of ransomware are the lowest they've ever been. At the same time you've got this rising technology in AI which I said is like perfectly set up with agentic AI for cyber crime. And cyber criminals by their nature tend to be technical and interested in new technology. Right? From a pure just like, "Oh, that's cool." Right? So this perfect storm is happening where on one side they have to change because their industry is slowing down, and then there's this new transform of technology coming along and they're like, "Let's jump on this and see what happens."
Johnny Hand: I know at RSA you presented on vibe crime, and I think it's an interesting title. And you talk about these three core principles or laws of cyber crime adoption. Can you just expand that a little bit for us and get us to understand what you're presenting there?
Robert (Bob) McArdle: Sure. So when we see -- often in our industry we see, you know, researchers like myself or colleagues and their companies, and they will come up with new attacks and criminals could work like this, but what they're actually doing is they're thinking like hackers, not like criminals. Right? So they're thinking like there's a technical way you can break in to this, you know, or like -- you probably see this in the vulnerability world as well. Right? But then when it comes to the criminals you have to think like what's the business here. Can I make more money than I used to make? And so on. And we've over time we've found that criminals evolve a little bit slower than people think they do because you only evolve when you have to or when there's a really good opportunity out there to make even more money than you're currently making. So we've kind of got three rules that we call internally the three rules of being a cyber criminal. And I think we published them in a paper recently. So the first one is very simple. Criminals want an easy life. Right? That's the entire point of being a criminal. Otherwise you would be working in a real job doing real things.
Dustin Childs: The movie Goodfellas explains that too.
Robert (Bob) McArdle: Yes. Exactly. Right? The second thing is if there's any new technology out there whether that's agentic AI or whatever it is that you want to adopt the return of investment from it has to be better than everything else on the market. Otherwise again what's the point. Why would you adopt it? And the third rule we see them do is cyber criminal -- if cyber criminal change is very much evolution it's not revolution. So they just take what was working and it's like, "Oh. This isn't working quite as well as it used to. Can we tweak this a little bit? Okay. We're back on track again." Right? So only the very largest criminal organizations have really ever had like R and D teams where they just sink costs in the hope that it pays off in the future. Like what we do in our industry. Right? So it doesn't happen that often. So those three together help you understand a lot about how cyber criminals will adopt certain new technologies [inaudible 00:10:01].
Dustin Childs: What should defenders do to understand barrier to entry has been brought down for these criminals? What is some real advice that we could take away to know that the cost of cyber crime is plummeting?
Robert (Bob) McArdle: Yeah. So if you think about so the cost of cyber crime is plummeting so what's that going to do? Right? First of all because we said like they don't adapt to brand new schemes unless they really have to so the first thing they're going to do is just crank the volume up to 11 on everything that they're currently doing. So more phishing, more ransomware, more malware, more everything else, which is a little bit boring to see. Right? But that's what they will do first. And then things like deepfakes and so on. So the first thing you have to do as the defender is you know how to defend against these things. Right? At least hopefully you know how to defend against these things at this point. But what you're going to be doing is if you were struggling with the volume before you haven't seen anything yet. It could be a 100X. Right? In terms of the volume coming at you. So if your old model was, "We look at, you know, 1 in 10 of the alerts on our network, and our SOC processes and so on," that's just not going to scale. Right? Unless you hire a whole bunch of extra people. So what you're going to honestly have to have is you need agents to fight the agents for -- at least at the bottom there. Right? Let's just remove the layer one, layer two, of attacks out of the picture, and then you have your senior humans who go in. Okay. Right. I know what's going on here. I'm triaging and so on. So I would advise anyone genuinely like, you know, every single product in the entire security space at this point has got AI something inside it. Right? It's kind of almost a joke at this point. Look at the ones who genuinely are talking about agentic workflows and things like agentic SIEMs and SOCs and so on. And they get it. They get the actual issue. Quiz them on that. Right? Ask them about it. What are you honestly doing? And if they can't answer those questions beyond like AI is magic and it's a black box and it's awesome then stay away. Right?
Because you need that to remove that first, that wave of information coming at you.
Johnny Hand: Well, help me, especially as a former security leader, you know, as a CISO that worked in organizations, I always like look at threat research and different reports that are published and I often walk away saying, "Okay. What can I do with this?" So for me when you talk about the cyber criminals really getting ready to really ramp that up the challenge that I see is that we have so much AI hype going on. So for those security leaders that are listening that are going, "Okay. Well, how do I break through that noise? How do I understand as an example like what AI based security tools really are agentic, really will help me navigate the coming wave of cyber crime?"
Robert (Bob) McArdle: So I have a couple tips in that area. The first thing is for anyone listening you have to realize that this kind of AI revolution, and it genuinely is a revolution, is exponential in its kind of scale. Right? And luckily everybody listening in, unless we have a bunch of three-year-olds on here, have lived through COVID. Right? So they know what something exponential feels like. Right? I'll just give an example. Right? The number one way that you navigate something like that is understanding the information and understanding the trend that's happening, not just the individual day's data points. So you can go, "Okay. I think I know where this is going next week." You know where it's going in six months' time. And you can react accordingly. Right? So like if you imagine back just for play out the analogy and then I'll get back to the answer, it's March 2020. First of March. I think there's like 1,000 cases around the world or something. Right? And if that's where you freeze your knowledge and you're like, "Okay. That's how the world is," 15 days later 8 times as many cases. 30 days later 50 times as many cases. And that's how AI works so that when we are at the bleeding edge of AI and we're testing out things and so on, and when we talk to people who are maybe a month behind in their knowledge, what we're talking about sounds like science fiction to them. They're like, "We don't want any of that future stuff that you're talking about. Tell me what's happening now." It's like this is happening now. You just haven't read this yet. Right? This is actually yesterday's news I'm telling you. So when we bring that then into advice it's read the more strategic publications from the research community, not so much the, you know, threat of the day. We found this. It's super cool. And so on. The security industry will always publish each day the corner case because it's interesting.
And same way that nobody publishes anymore it's like, "Ransomware affected people today." It's like we know. Of course it did. Right? It's only the anomalies that people are going to report on. So if you can read the more strategic reports and at least maybe two per month at this stage just to keep up with it you'll be able to see through these, the hype of the day, and see the actual trend that you need to care about.
Dustin Childs: Got you. And are there any recommendations that you love?
Robert (Bob) McArdle: Yeah. So genuinely actually I have two that I'll give you. One honestly the reports coming out of Trend AI and our team. So the vibe crime report that we put out is still a very -- still very, very relevant. It's a few months old now, but we built it to be strategic. Right? That you can learn from. There's also actually a site that I use every single day. It came from an internal team actually at Trend AI, but we published it external for anybody to use. It's a news.aatf.ai. And it just does a round up of all the AI news of the day in to an RSS feed that you subscribe to. And it gives you that daily dose of this is what happened in the world today. I think that's already critical for keeping up to date with what's going on because a single day's news is like weeks of news in the past.
Johnny Hand: Yeah. Absolutely. That's great advice. I appreciate that. And thank you so much for sharing your research with us today. I was actually talking at RSA. It was a really great presentation. It's very important and very eye opening work and we can't wait to have you back on the show again to terrify us with your latest research in to the criminal organizations and the criminal mind.
Robert (Bob) McArdle: Any time. [ Music ]
Dustin Childs: Okay. The three rules Bob shared stuck with me. Criminals want an easy life. New technology only gets adopted if the ROI beats what they were already doing. And change in cyber crime world is evolutionary and not revolutionary.
Johnny Hand: Yeah. And here comes real agentic AI which is almost purpose built for the way criminal operations are already structured. It offers that repeatable framework for a quick return.
Dustin Childs: Yeah. The service economy point is the one I keep coming back to. These groups have operated like a dark web version of cloud infrastructure for years. They're modular and specialized. Agentic AI doesn't just disrupt that. It accelerates it.
Johnny Hand: Yeah. And I think that really is the key take away of the day.
Dustin Childs: Go ahead.
Johnny Hand: Well, the volume of attacks is about to increase in a way that breaks the current model for most security teams. So if you're triaging 1 in 10 alerts today and that feels hard, Bob's point is you haven't seen anything yet. The only real answer is using AI on the defensive side to absorb that first wave so your experienced folks can focus on what really matters.
Dustin Childs: And that means being deliberate about which tools you're betting on. Not does this vendor have AI, because every vendor's claiming that they have AI right now. But do they genuinely understand agentic workflows? Can they operate at the volume of what's coming? Those are the questions worth asking.
Johnny Hand: I totally agree. A huge thank you to Bob McArdle for his time and for sharing his insights on the evolving nature of cyber crime. Links to the vibe crime report and the AATF daily news feed are in the show notes. Both are very much worth adding to your reading list.
Dustin Childs: Couldn't agree more. And that does it for our first episode at the "AI Security Brief". We want to thank you for joining us and we hope this conversation has you thinking a little bit differently about security. If it does, please consider subscribing and leaving us a review. Let us know what you thought so you don't miss what's next.
Johnny Hand: The "AI Security Brief" is mixed and produced by Elliott Peltzman with original music by Omnia Jinx [assumed spelling]. Our executive producer is Jennifer Eiben with content strategy by Ma'ayan Plaut, Shannon Murphy, and Melanie Gallant. Additional production help by Liz Stokes. Video editing by Bridget Criqui Wild and Sarelle Joppy. Thanks so much for listening.
Dustin Childs: Thanks and we'll see you next time on the "AI Security Brief". [ Music ]


