Why AI-Driven Tools Will Fail Cyber Defenders


Every few decades, the world goes through an “AI spring,” and we are in the middle of one right now. With accelerating progress in AI research and the arrival of emerging capabilities exemplified by tools like ChatGPT, hopes are surging that AI applications will soon help organizations to detect threats in their IT environment, prevent data breaches, and block incoming attacks with a much higher success rate.

But nothing is ever that simple. First, AI tools are part of the future for cyber defenders and malicious actors alike. As long as that is true, human expertise will always be the deciding factor in who wins and loses. Second, with IT environments increasing in complexity, expertise is needed to determine where AI can make a real difference, and where it is more of a liability than an asset.

In a previous article, we explained how VPNs can give organizations a false sense of security – not because they are not useful, but because their role in a larger perimeter security strategy is misunderstood. In this article, we will explain why the same is true for nearly any tool or set of tools, however “smart” they may be. But first let us set the scene.

Why AI-Driven Security is Desirable

In today’s cyber landscape, the allure of AI-powered tools is not hard to understand. In Q1 of 2023, cyberattacks rose by 7% over Q1 2022, with organizations facing an average of 2,057 attacks per week. At the same time, organizations are struggling to find help: today, the global cybersecurity workforce gap stands at 3.4 million, with nearly 700,000 unfilled cyber positions in the U.S. alone.

Worst of all, global cyber actors – who are always opportunistic in their pursuit of new vulnerabilities and attack vectors – are already leveraging AI for social engineering and targeted attacks. According to a study by the Cloud Security Alliance, free tools like ChatGPT can be used to find attack points, gain unauthorized access to target networks, conduct reconnaissance and develop malicious code. That does not even count specialized AI-powered toolkits being passed around on the Dark Web.

AI-Driven Cybersecurity is Already Here

Clearly, organizations need all the help they can get. But none of these issues are entirely new, and AI-powered solutions are already being employed across many organizations to address them. These include:

  • Security Orchestration, Automation and Response (SOAR) – SOAR platforms bring together data about security threats from multiple systems, offering automation for repetitive security operations center (SOC) processes, including vulnerability scanning, auditing and log analysis. SOAR platforms increasingly offer AI features to analyze information, prioritize threats, and suggest – or even execute – remedial actions.
  • User and Entity Behavior Analytics (UEBA) – UEBA tools focus on user and entity behavior, using algorithms to establish a baseline for normal activities and identify anomalous ones. Like SOAR, UEBA is often augmented with AI to generate better risk scores and flag potential threats more reliably.
  • Extended Detection and Response (XDR) – As an evolution of endpoint detection and response (EDR) systems, XDR brings threat detection and response functions to systems throughout your organization, providing a clearer picture of your IT environment and of attacks as they develop. Like SOAR and UEBA, XDR tools are increasingly integrating AI-driven functionality.

But despite widespread deployment of SOAR, UEBA, XDR and other emerging cybersecurity products, cyber incidents have not decreased, and the need for human talent has not diminished. This picture is unlikely to change any time soon for many reasons. Here are just a few:

1. Much Assembly Required 

It is often taken for granted that AI will reduce the need for reliance on human talent – but the contrary is just as likely. The more tools organizations introduce, the more talent is needed to configure them safely, monitor their performance, and delineate their role in the midst of changing trends and priorities.

Cyber defenders already rely on a plethora of tools – but just as often as they solve problems, they cause more when they are deployed improperly. This is true in the context of cloud, endpoint detection, VPNs, IoT, and more. There is every reason to believe the same will be true for AI-driven tools, however smart they may be. At a minimum, the wrong rules will lead to overfitting (too many false flags) or underfitting (too many threats ignored).
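The tuning problem described above, shown as an added example (not Securicon's code or any vendor's algorithm): a toy UEBA-style per-user baseline over constructed activity counts, where the alert threshold trades false alarms against missed threats. The user names, counts, thresholds and function names are assumptions made for illustration.

```python
from statistics import mean, stdev

# Constructed sample data (hypothetical users): files accessed per day
# during a 10-day baseline window.
HISTORY = {
    "alice": [20, 22, 19, 21, 23, 20, 18, 22, 21, 20],  # steady
    "bob": [5, 40, 12, 33, 8, 45, 15, 38, 10, 30],      # naturally bursty
}

# Constructed observations to score: (user, count, truly_malicious)
OBSERVED = [
    ("alice", 24, False), ("alice", 27, False), ("alice", 35, True),
    ("bob", 58, False), ("bob", 62, False), ("bob", 140, True),
]


def build_baselines(history):
    """Per-user (mean, sample standard deviation) of daily activity."""
    return {user: (mean(c), stdev(c)) for user, c in history.items()}


def zscore(baselines, user, count):
    """How many standard deviations `count` sits above the user's norm."""
    mu, sigma = baselines[user]
    return (count - mu) / sigma


def score_rule(is_flagged):
    """Return (false_positives, missed_threats) for a flagging rule."""
    fp = sum(1 for u, c, bad in OBSERVED if is_flagged(u, c) and not bad)
    missed = sum(1 for u, c, bad in OBSERVED if bad and not is_flagged(u, c))
    return fp, missed


def evaluate_threshold(z_limit):
    """Score a per-user baseline rule: flag when z-score exceeds z_limit."""
    baselines = build_baselines(HISTORY)
    return score_rule(lambda u, c: zscore(baselines, u, c) > z_limit)


def evaluate_static(limit):
    """Score a one-size-fits-all rule: flag any count above `limit`."""
    return score_rule(lambda u, c: c > limit)


if __name__ == "__main__":
    for z in (2.0, 5.0, 10.0):
        print(f"z > {z}: (false positives, missed) = {evaluate_threshold(z)}")
    print(f"count > 50: (false positives, missed) = {evaluate_static(50)}")
```

On this data the tight threshold buries analysts in alerts, the loose one misses both malicious events, and the static rule manages to do both at once: it flags bob's normal bursts while missing alice's quiet deviation.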

2. AI Has Limitations 

Recent progress in AI has given many the impression that there’s no upper limit on what AI applications can achieve. But until the arrival of artificial general intelligence (AGI) (at which point organizations will have bigger problems on their hands than cyber actors) AI solutions are necessarily narrow in scope, which limits their effectiveness against human targets.

For now, any AI-driven solution can only integrate with software if the proper APIs are in place. It can only detect and respond to threats it has been trained to anticipate. It can only navigate within a realm of generally defined problems and responses.

With cyber actors innovating new attack strategies around the clock and adopting AI as rapidly as cyber defenders, the measure of a cybersecurity program will never be technology alone: it will be creativity, expertise, and an understanding of factors ranging from organization-specific issues to the way hackers think.

3. Cybersecurity is a Human Issue 

While cyber actors often aim at system intrusion and penetration of network defenses, digital exploits are nearly always downstream from human exploits. According to Deloitte, more than 90% of attacks begin with a phishing email. This is just one of many ways that malicious actors manipulate and deceive your employees into providing them with a foothold – whether that takes the form of credentials, malicious downloads, or sensitive data.

Even now, AI’s role as a hacking tool is primarily confined to the creation of personalized phishing campaigns and social media messages. While AI can potentially help organizations to identify and flag malicious messages, it will not replace cyber training and awareness to help your employees avoid the mistakes that imperil your sensitive data and assets.

Beware of False Promises

As with every new trend, vendors have been quick to jump on the AI bandwagon, offering AI features and promising the moon with them. Often, they exploit the ambiguity of the term “AI”, with products that do not leverage ML models, or any other breakthrough technologies associated with the current AI spring.

But even when they do, organizations must be wary of believing these tools provide a level of unsupervised protection beyond what their existing toolsets provide. They must resist complacency and situate any new acquisitions within a larger strategy guided by human expertise, and an awareness of their unique needs.

Securicon provides tailored cybersecurity assessments with planning and implementation for secure AI-driven capabilities. We are comprised of veterans from the U.S. security community, including DoD, DHS and the U.S. Cyber Command. In addition to providing gap analysis, compliance consulting, assessment support and more, we have the expertise to evaluate emerging cybersecurity solutions and apply them within your IT environment. To learn how we can help you, contact us today.


How Regular Risk Assessment Prevents and Stabilizes Threats


Data breaches, foreign hackers and corporate espionage: today, it seems that phrases like these are on the tips of every tongue, and not without good reason. As digital literacy, Internet access and affordable technology scale with global penetration, the knowledge and skill of attackers are increasing as well. Organizations both public and private are right to be concerned about these risks.

At the same time, “risk” is a broad domain, and while it might seem that we are facing more of them today than ever before, it remains true that the greatest risks to an organization originate from the inside. From mundane eventualities like power surges, to human error or malicious sabotage, any and every vulnerability within an organization constitutes a “risk”.

While individually a single risk may not amount to much, collectively risks represent a danger that can seriously obstruct – if not destroy – an organization and its mission. But with so many to worry about, how can they be anticipated and successfully prevented?

How to Define Risk

“Risk” is a measure of the likelihood that a vulnerability in a system or asset will be exploited, leading to adverse effects, and of the probable impact of those effects. Impact may be measured in financial loss, operational obstruction or human capital.

The existence of vulnerabilities in any given system or asset can be taken for granted. All technology is flawed in some way, or risk would not exist. While most vulnerabilities are benign, obscure or inert, some are always serious enough to be targeted by threats.

Today, companies face many threats from the outside, including attackers, malware, foreign governments and APT groups. But they face many more from the inside, from malicious employees, to deprecated equipment, human error, poor coding and mishandling of data.

Fortunately, there are many methods to prevent threats from succeeding, and respond when they do. But organizations focused on prevention or remediation cannot skip the discovery process. Before risks can be dealt with, they must first be identified, measured and assessed.

The Role of Risk Assessment

A risk assessment is the controlled, systematic identification and documentation of existing risks, their likelihood of occurrence and their probable impact. A professional risk assessment will follow a careful methodology to ensure that nothing is overlooked, and that remediation is prioritized according to severity.

The purpose of a risk assessment is not merely to prevent risks from occurring, but also to establish a suitable response that will mitigate damages if they do occur. Risk assessments therefore inform organizational policies, providing an objective, quantifiable basis for regulation and best practice.

IT infrastructure and assets change with time as old equipment is discarded, new equipment is acquired, and configuration changes are made on a regular basis. Moreover, the availability of knowledgeable and skilled personnel may change with new hires, transfers or retirement.

For these reasons and many others, risk assessment should be repeated on a regular basis as part of an organization’s overall security and auditing cycle. What held true yesterday will not necessarily hold true tomorrow.

The NIST Framework

The National Institute of Standards and Technology (NIST) publishes a risk management framework for federal agencies, partners and contractors, and maintains the Framework for Improving Critical Infrastructure Cybersecurity (SP 800-30).

NIST’s guidelines for conducting a risk assessment establish six broad steps:

  1. Identify Threat Sources
  2. Identify Threat Events
  3. Identify Vulnerabilities
  4. Determine the Likelihood of Exploitation
  5. Determine Probable Impact
  6. Calculate Risk as Combination of Likelihood and Impact

Other standards bodies follow NIST’s framework closely in their own publications, making it a de facto industry standard for conducting regular, thorough risk assessments as part of an overall risk management program.

Simplified, Productive Assessments

Risk is inevitable. It is a consequence of using technology and systems built by people in a world populated by people, some of them good, some bad, and none perfect. But being caught off guard is not inevitable. And when a breach, attack or system failure hits, those who are prepared will suffer the least and recover fastest.

Securicon’s risk management solutions are based on the industry standards for safety and professionalism. With years of experience in IT and critical infrastructure, we are here to protect your organization and ensure the highest quality of compliance. Contact us for more information on our Risk Assessment framework.

Threat Prevention with the MITRE ATT&CK Matrix

At Securicon, we take an OT-centered approach to asset owners. With the aid of the MITRE ATT&CK Framework (ATT&CK), we design tailor-made scenarios to test OT defenses and detection. By outlining methods for infiltrating a network, maintaining persistence and exfiltrating data, ATT&CK is a tool that can assist asset owners in building a cybersecurity program for industrial control systems (ICS).

Why Should Asset Owners Care?

Today, asset owners have begun to monitor information technology (IT) and operational technology (OT) events with a single security operation center (SOC). This allows them to receive security alerts from the enterprise level of the Purdue Model down to the process control layer from one location. With so much information, the ATT&CK Matrix helps us to identify what asset owners should be watching for in their environments.

Our Approach


At Securicon, we approach the ATT&CK framework as a punch list of events that asset owners should monitor carefully. We utilize these methods in our ICS threat simulation (Threat Prevention Team) to test the asset owners’ defensive analysts (Blue Team). Through these methods, we are able to identify the respective strengths and weaknesses of their security program. In the following sections, we will outline the steps of a typical adversarial simulation.

Scoping & Initial Engagement

Securicon and trusted individuals working for the asset owner monitor the Threat Prevention Team’s activities to determine mission success. We start by developing scenarios of initial access for the asset owner to approve; a common arrangement includes a combination of vulnerability exploitation and social engineering used to gain unauthorized network access.

During the scoping process, asset owners are given the opportunity to select events from the ATT&CK framework for Securicon’s Threat Prevention Team to simulate. Otherwise, the Threat Prevention Team acts on its own discretion and expertise to accomplish the simulation’s objective.

During the Engagement

After scoping and initial contact are concluded, the Blue Team receives regular updates allowing them to observe simulation progress. Securicon uses numerous methods to move laterally through the asset owner’s network until we reach the OT layer. Using internal reconnaissance, exploitation and post-exploitation techniques, the Threat Prevention Team will continue until its mission is completed.


After the mission is complete, the Threat Prevention Team compiles their findings into a report for the asset owner’s trusted individuals. Additionally, asset owners will often request a presentation for their executive team. Using the ATT&CK Framework for reference, the Threat Prevention Team will explain their progression through the asset owner’s network with maps and other visual aids.

As OT malware like Triton/Trisis, Industroyer, BlackEnergy, and Stuxnet continue to propagate, asset owners need to be prepared for threat events. Asset owners in the process of building an ICS Security Program should utilize adversarial threat simulation services to discover security gaps.

While malware rarely conforms to the MITRE ATT&CK Framework point-by-point, Securicon’s senior consultants are prepared for any eventuality. We combine individual research and experience to assess defenses rigorously, leaving no stone unturned. Real life scenarios like Triton/Trisis can be perfectly simulated using custom-built ICS modules to imitate valid communication within the OT network.

Harry Thomas is a senior level cyber security consultant who works with industries that require security in high availability networks such as Electric Utilities, Healthcare, Oil & Gas, etc. He enhances security programs through methods of vulnerability assessments, penetration testing, reverse engineering, and security research. Harry harnesses his experience from both enterprise security and ICS security to build secure networks that enable organizations.

Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S. and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!