Threat Vector 9.21.23
Ep 5 | 9.21.23

From Nation States to Cybercriminals: AI's Influence on Attacks with Wendi Whitmore


Wendi Whitmore: AI is game-changing in terms of the impact it's going to have on attacks, and then in particular, attackers' ability to move faster.

David Moulton: Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, director of Thought Leadership for Unit 42. [ Music ] In today's episode, I'm going to talk with Wendi Whitmore, SVP of Unit 42. Her career is full of highlights, including being an inaugural member of the first ever Cyber Safety Review Board, launched by the United States Department of Homeland Security. She serves on the Industry Advisory Board for Duke University's Master of Engineering in Cyber Security and is a member of the World Economic Forum's Global Future Councils on cybersecurity. At Unit 42, we're thrilled to have Wendi leading our team, and today, she's here to share her thoughts on the current threat landscape. Let's get right into it. Wendi, give us some insight into the current state of the threat landscape.

Wendi Whitmore: Hey, David. Thanks for having me today. So I think what's going on is that attacks are happening at a scale, a sophistication, and a speed that we really haven't seen before all together. And the reality is, that makes the work we do even more valuable than it's been before. So when we talk about scale, the reality is that businesses rely on more applications and third-party software than they ever have before, and vulnerabilities in that same software are increasing in scope to a massive degree. That's resulting in organizations being compromised, oftentimes within hours of public disclosure of a vulnerability. One of the most recent examples is the MOVEit case, where the Clop ransomware group exploited over 600 organizations starting in May of 2023, and this number continues to grow. When we look at sophistication, though, and you couple this in particular with scale, you're seeing that nation-state actors in particular -- groups like Russian APT eartha [phonetic], who's famous for the SolarWinds attack -- we're seeing them really demonstrate in-depth knowledge of business processes. And especially today if you move into the cybercriminal landscape -- what's in the news right now with Muddled Libra or Scattered Spider -- you see those organizations really have a strong understanding of business processes and how IT departments work in particular. And then lastly what they're doing is leveraging so many apps, trusted applications -- like Office 365, Google Drive, for example, Dropbox -- that we use and really trust, and then using those to get information out of the environment. Lastly, when we talk about speed, you know, as if sophistication and scale weren't enough, right, the reality is it used to take these attackers days, weeks, and even months in some cases to carry out an attack. And today we're seeing them do that same attack in a span of hours.
I think the biggest concern there is that the attackers are operating by and large faster than organizations are able to respond. Especially when we look at the mean time to respond, which is six days today, it's absolutely critical that the mean time to respond decreases and becomes faster than the time it actually takes for the attacker to carry out that same attack.

David Moulton: Wendi, how is AI coming into play here?

Wendi Whitmore: So AI, in particular generative AI, is really increasing the speed with which attackers are able to operate. So if you think about the work that they do today, there's the human component of it with social engineering, and generative AI, in particular, enables them to move faster, reduces language barriers, and increases the effectiveness of the social engineering tactics used by these same threat actors. And then when we look at new tools coming into play -- like WormGPT and FraudGPT -- we're going to see that enabling them to be able to move more effectively going forward.

David Moulton: What do businesses need to consider when looking to protect themselves against quicker, more creative, and large-scale threat actors?

Wendi Whitmore: First and foremost, speed. So what I mean by that is businesses need to be able to respond at machine speed or the speed of the attack, right. So they need to be able to implement detections at the speed of the attacker, and they're going to have to leverage technology to do that. The second challenge I see relates to integration. So there are too many tools today that organizations are using that require manual integration; there are different screens and different panes of glass. And having a platform approach to detection really helps organizations prevent -- so, one, detect, prevent, and respond at every stage of the attack, which includes network, endpoint, and cloud. And then lastly, we really need these operationalized capabilities and processes. So we can't stop at just having speed to detect and then integration of tooling, but it really has to be operationalized with strong, repeatable processes in order for it to be consistently effective, but also continually matured within an organization.

David Moulton: Wendi, thanks for joining me on Threat Vector today. It's great to hear directly from you. For our listeners who want to learn more about the threat actor groups Muddled Libra or Clop that Wendi mentioned today, or to go deeper on many more threat actors, visit the Unit 42 Threat Research Center. And if you think that you may be under attack, contact the experts at Unit 42 to help assess your risk and exposure. We'll be back on the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]