This is the summary post of our Use Case Spotlight session, which was conducted on 28 February 2025 and featured Generative AI use cases in cyber security defense.
Gen AI In Cyber Security Defense
The scope of Gen AI in cyber security defense extends across several areas, including phishing prevention, managing red teaming campaigns, and securing organizational IT resources. The session also covered a distinctive approach to building dynamic attack simulations to counter adversaries' use of AI to mount regenerative attacks.
Key Takeaways and Webinar Recording
Check out the session recording and the key takeaways (along with timestamps in the recorded video).
The Problem Patterns in Cyber Security
Let's begin with some problem patterns. A problem pattern helps us identify a common challenge that manifests as different variants. For example, in the case of cyber security, phishing is a common challenge. But phishing itself has many variants, like smishing, vishing, spear phishing, and so on.

The three problem patterns are represented as three mythical creatures. Let's understand the symbolism behind this representation and unearth the possibilities of Gen AI.
The Ouroboros Effect of Self Destruction


The Ouroboros is an ancient symbol, familiar from Greek tradition, of a serpent drawn in a circle eating its own tail. With the advent of Gen AI, scammers can run large-scale phishing campaigns whose messages are individually personalized, grammatically clean, and free of the misspellings and templated phrasing that traditional NLP-based spam filters were trained to catch. The filters' own class of technology is thus turned against them: this is the Ouroboros effect of AI (Gen AI in this case) eating into itself (traditional NLP-based spam detection).
This problem manifests as phishing campaigns that target an organization and bombard its employees and senior executives with fake messages designed to deceive them into revealing sensitive information. The same applies to individual online users, celebrities, and other well-known persons.
Gen AI can help manage this menace in a few ways.
Gen AI Use Cases for Phishing Prevention

Incoming Email Monitoring and Previews
Gen AI can modify and annotate emails to warn recipients of a likely phishing attempt. Incoming messages are first opened in a sandboxed environment, where links, attachments, and embedded scripts are tested for malicious behaviour; the findings are then used to generate an additional preview or warning banner inside the message, so the recipient sees the verdict before acting on the content.
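The annotation step described above, as an added example that is not code from the original post or from any vendor named on the page. The "sandbox" here is reduced to a static link analysis so that it runs offline: the constructed message below is parsed, each link is checked for a display-text/href mismatch, a lookalike (punycode or digit-substituted) domain, or credential-harvest wording on an external link, and a warning banner is prepended to the HTML body. The trusted domains, the brand and the sample message are all assumptions.

```python
"""Annotate an inbound e-mail with a phishing warning banner (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domain and a trusted partner's domain.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}
URGENCY = re.compile(r"\b(verify|suspend|suspended|urgent|immediately|password|reset)\b", re.I)

# Constructed inbound message; the sender domain swaps the letter 'l' for the digit '1'.
SAMPLE = b"""From: "Example Bank" <alerts@examp1e-bank.com>
To: user@example.com
Subject: Action required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your account has been suspended.</p>
<p><a href="http://login.examp1e-bank.com/verify">https://example-bank.com/secure</a></p>
<p><a href="https://examp1e-bank.com/reset">Reset your password</a></p>
<p><a href="https://example-bank.com/help">Help centre</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _lookalike(host):
    """Punycode (IDN homograph) label, or a digit-for-letter substitution of a trusted name."""
    if host.startswith("xn--") or ".xn--" in host:
        return True
    normalised = host.translate(str.maketrans("013", "olb"))  # crude: 0->o, 1->l, 3->b
    return normalised != host and any(t in normalised for t in TRUSTED_DOMAINS)


def analyse_links(html_body):
    """Return one finding string per suspicious link; trusted-domain links are skipped."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        h = _host(href)
        if h in TRUSTED_DOMAINS:
            continue
        if re.search(r"https?://", text) and _host(text) != h:
            findings.append(f"link text shows {_host(text)} but points to {h}")
        elif _lookalike(h):
            findings.append(f"lookalike domain {h}")
        elif URGENCY.search(text):
            findings.append(f"credential/urgency wording on external link to {h}")
    return findings


def annotate(raw_message: bytes) -> EmailMessage:
    """Parse the raw message; if links look malicious, prepend a banner to the HTML body."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return msg
    findings = analyse_links(part.get_content())
    if findings:
        banner = ("<div style='background:#fdd;padding:8px'><b>WARNING: possible phishing.</b><ul>"
                  + "".join(f"<li>{f}</li>" for f in findings) + "</ul></div>")
        part.set_content(banner + part.get_content(), subtype="html")
        msg["X-Phish-Findings"] = str(len(findings))
    return msg


if __name__ == "__main__":
    print(annotate(SAMPLE).as_string())
```

The mismatch check is the one worth keeping even without any AI component: a visible URL that differs from the real target is almost never legitimate, and it survives the grammatically perfect message bodies that defeat keyword filters.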
Sublime Security is an AI-powered email security platform that tackles different types of phishing attacks, enabling inbound email protection and offering support for rapid phishing investigation.
Egress offers an intelligent email security suite with many features, including defending against phishing attacks, supported by behavioral AI detection and visual indicators.
SlashNext is a comprehensive platform for managing BEC (Business Email Compromise) through its cloud messaging security solution, designed to stop attacks crafted with Gen AI.
Account Takeover Detection
Email account takeover is a cyberattack where an adversary gains unauthorized access to a user’s email account, typically through stolen credentials or social engineering. It is a silent killer since the attacker may lurk within the user's inbox and monitor conversations silently, exfiltrate sensitive data, or even spread malware through trusted contacts.
Gen AI helps in account takeover detection by analyzing emails sent from the suspected account for abnormalities in message content and in user behaviour.
Abnormal Security offers complete email account takeover protection through auto-discovery of abnormalities in locations, devices, email content, and mail rules, and can automatically lock down the affected mailboxes.
Darktrace’s AI learns every account user's normal “pattern of life", gathering a picture of their everyday activity to generate insights and provide preemptive visibility into the security posture of the inboxes.
Proofpoint is a leader in email security platforms with a multi-layered security mechanism for integrated defense for enterprise email infrastructure.
Mimecast offers AI-powered email security and human risk management, with integrated protection across communication channels including email, and comprehensive threat detection and mitigation.
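The behavioural signals listed in this section (unusual locations and devices, and suspicious mail rules), as an added detection example that is not code from the original post or from any vendor above. It runs three checks over a constructed audit-log stream: a sign-in from a country outside the user's recent baseline, an impossible-travel pair of sign-ins, and a newly created inbox rule that forwards externally or silently deletes matching messages. The event schema, the organisation domain and the thresholds are assumptions.

```python
"""Detect likely e-mail account takeover from sign-in and mailbox-rule events (added example)."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed event stream; in practice this comes from the mail platform's audit log.
EVENTS = [
    {"user": "alice", "ts": "2025-02-20T08:00:00", "kind": "signin", "country": "GB", "lat": 51.5, "lon": -0.1, "device": "laptop-01"},
    {"user": "alice", "ts": "2025-02-21T09:10:00", "kind": "signin", "country": "GB", "lat": 51.5, "lon": -0.1, "device": "laptop-01"},
    {"user": "alice", "ts": "2025-02-27T09:00:00", "kind": "signin", "country": "GB", "lat": 51.5, "lon": -0.1, "device": "laptop-01"},
    {"user": "alice", "ts": "2025-02-27T10:30:00", "kind": "signin", "country": "NG", "lat": 6.5, "lon": 3.4, "device": "unknown-android"},
    {"user": "alice", "ts": "2025-02-27T10:35:00", "kind": "rule", "name": "fwd",
     "forward_to": "alice.backup@mail-relay.example.net", "conditions": ["invoice", "payment"], "delete": True},
    {"user": "bob", "ts": "2025-02-27T11:00:00", "kind": "signin", "country": "GB", "lat": 53.4, "lon": -2.2, "device": "laptop-07"},
    {"user": "bob", "ts": "2025-02-27T11:05:00", "kind": "rule", "name": "sort",
     "forward_to": None, "conditions": ["newsletter"], "delete": False},
]
ORG_DOMAIN = "example.com"   # assumption: internal mail domain
MAX_SPEED_KMH = 900          # assumption: faster than an airliner counts as impossible travel
BASELINE_DAYS = 7            # assumption: window of prior sign-ins that defines "normal"


def _km(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    la1, lo1, la2, lo2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def detect(events):
    """Return a list of (user, alert) tuples, evaluating events in time order."""
    alerts = []
    history = defaultdict(list)  # per-user prior sign-ins, ts already parsed
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts = e["user"], datetime.fromisoformat(e["ts"])
        if e["kind"] == "signin":
            prior = history[user]
            baseline = {p["country"] for p in prior if (ts - p["ts"]).days <= BASELINE_DAYS}
            if baseline and e["country"] not in baseline:
                alerts.append((user, f"sign-in from {e['country']} outside baseline {sorted(baseline)}"))
            if prior:
                last = prior[-1]
                hours = (ts - last["ts"]).total_seconds() / 3600
                dist = _km((last["lat"], last["lon"]), (e["lat"], e["lon"]))
                if hours > 0 and dist / hours > MAX_SPEED_KMH:
                    alerts.append((user, f"impossible travel: {dist:.0f} km in {hours:.1f} h"))
                if e["device"] not in {p["device"] for p in prior}:
                    alerts.append((user, f"new device {e['device']}"))
            history[user].append({**e, "ts": ts})
        elif e["kind"] == "rule":
            fwd = e.get("forward_to") or ""
            if fwd and not fwd.endswith("@" + ORG_DOMAIN):
                alerts.append((user, f"inbox rule '{e['name']}' forwards to external {fwd}"))
            if e.get("delete") and e.get("conditions"):
                alerts.append((user, f"inbox rule '{e['name']}' silently deletes messages matching {e['conditions']}"))
    return alerts


if __name__ == "__main__":
    for user, alert in detect(EVENTS):
        print(f"{user}: {alert}")
```

The mail-rule check is the cheapest and highest-signal of the three: attackers who want to stay in an inbox routinely add a rule that forwards invoices to themselves and deletes the copies, and such a rule appearing minutes after an anomalous sign-in is what turns several medium alerts into one incident.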
Phishing Detection and Response
Beyond active detection of malicious messages and inbox activity, Gen AI has a role in preparedness and response. Just as adversaries use Gen AI to craft phishing campaigns at scale, red teams can use the same approach to generate realistic phishing simulations and exercises that assess the organization's readiness and employee awareness.
Ironscales empowers organizations with realistic phishing simulations with smart targeting to send phishing emails to employees based on their role and risk profile, providing instant feedback to stay ahead of evolving threats.
Cofense offers a phishing security awareness training platform to train employees via real-world phishing scenario simulations to recognize sophisticated attacks that evade filters and land in their inboxes.
CybeReady offers an automated, continuous cyber readiness training program to conduct data-driven phishing simulation campaigns and provide adaptive training.
The Hydra Dilemma of Regenerative Threat


The Hydra is a mythical many-headed monster: for every head cut off, it grows two more. With Gen AI at their disposal, adversaries can generate and scale multiple tactics, techniques and procedures (TTPs), adapting them to the resistance put up by the blue team. This tussle is another problem pattern organizations experience today, one in which attack modeling and remediation are continuous activities. The attack is Hydra-like: each head represents a specific TTP, and when the defender wards off that TTP, new ones regenerate in its place.
To guard against these risks, organizations rely on threat modeling frameworks such as STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) and PASTA (Process for Attack Simulation & Threat Analysis), or on the MITRE ATT&CK knowledge base of adversary TTPs. However, these frameworks take a top-down approach to designing red teaming exercises.
With Gen AI, it is now possible to take a bottom-up approach that starts from the various tiers of attack surface within a typical organization. The session demonstrated this via the LADDER (Layered Attack Discovery & Dynamic Exploit Routing) model, which provides a gamified environment for red and blue teams to collaborate.

Gen AI Use Cases in Attack Modelling and Remediation

Considering Gen AI's capabilities, three use cases can broadly be envisaged for this problem pattern.
Attack Path Generation, Simulation and Emulation
Gen AI can translate standard models like MITRE ATT&CK, or custom models like LADDER, onto an organization's network topology to map out attack paths and build red teaming exercises. These can be gamified, simulated, or real-world red/purple team exercises.
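The Hydra pattern and the attack path mapping described above, as an added example that is not code from the original post and not an implementation of the session's LADDER model. It is a toy layered attack graph: every edge is one technique, the attacker takes the shortest path from the internet to the crown jewels, and each time the blue team blocks a technique the path is recomputed, so the rounds show which controls are needed before no path remains. The hosts, layers and blocking strategy are constructed assumptions; the technique IDs are MITRE ATT&CK enterprise techniques.

```python
"""Toy layered attack graph with dynamic re-routing (added example)."""
from collections import Counter, deque

# (source, technique id, technique name, destination), layered roughly as
# internet -> user endpoint / DMZ -> internal services -> domain controller / data.
EDGES = [
    ("internet", "T1566", "Phishing", "user-laptop"),
    ("internet", "T1190", "Exploit Public-Facing Application", "web-server"),
    ("user-laptop", "T1021", "Remote Services", "file-server"),
    ("user-laptop", "T1078", "Valid Accounts", "file-server"),
    ("web-server", "T1078", "Valid Accounts", "app-db"),
    ("web-server", "T1021", "Remote Services", "file-server"),
    ("file-server", "T1003", "OS Credential Dumping", "domain-controller"),
    ("file-server", "T1078", "Valid Accounts", "domain-controller"),
    ("domain-controller", "T1041", "Exfiltration Over C2 Channel", "crown-jewels"),
    ("app-db", "T1048", "Exfiltration Over Alternative Protocol", "crown-jewels"),
]


def shortest_path(edges, src, dst, blocked=frozenset()):
    """BFS over edges whose technique is not blocked.

    Returns the path as a list of (src, technique, dst) hops, or None if the
    target is unreachable. Edge order is preserved so results are deterministic.
    """
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for s, tid, _, d in edges:
            if s == node and tid not in blocked and d not in parent:
                parent[d] = (node, tid)
                queue.append(d)
    if dst not in parent:
        return None
    path, node = [], dst
    while parent[node] is not None:
        prev, tid = parent[node]
        path.append((prev, tid, node))
        node = prev
    return path[::-1]


def hydra_rounds(edges, src="internet", dst="crown-jewels"):
    """Repeat: find the attacker's current path, then block the technique on it
    that the remaining graph relies on most (ties go to the earliest hop).
    Returns the list of rounds and the final set of blocked techniques."""
    blocked, rounds = set(), []
    while (path := shortest_path(edges, src, dst, blocked)) is not None:
        usage = Counter(tid for _, tid, _, _ in edges if tid not in blocked)
        target = max((tid for _, tid, _ in path), key=lambda t: usage[t])
        blocked.add(target)
        rounds.append({"path": [tid for _, tid, _ in path], "blocked": target})
    return rounds, blocked


if __name__ == "__main__":
    names = {tid: name for _, tid, name, _ in EDGES}
    for i, r in enumerate(hydra_rounds(EDGES)[0], 1):
        print(f"round {i}: path {' -> '.join(r['path'])}; block {r['blocked']} ({names[r['blocked']]})")
```

On this graph the first path goes through the web server and the application database, and blocking T1078 (Valid Accounts) only pushes the attacker onto the phishing-to-file-server route; a second control on T1021 (Remote Services) is needed before the crown jewels become unreachable. That is the practical content of the Hydra pattern: a single remediation rarely ends the exercise, and the graph tells you which head to cut next.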
ThreatGen is a cyber security platform offering a simulation engine that combines the power of an actual computer gaming engine to build and execute red vs blue team scenarios for cybersecurity education and training.
Immersive Labs is an enterprise-grade cyber resilience platform unifying cyber drills, labs, and simulations into a single system, thereby offering an integrated technology and training solution with Gen AI-powered scenario generation capabilities.
Cymulate offers continuous automated red teaming (CART) capabilities with attack path mapping, repeatable advanced offensive testing, and real-world attack simulations.
Incident Response / Exploit Code Generation
Gen AI has a significant role in orchestrating incident response workflows. It automates the creation of incident response playbooks based on known threat patterns and supports the initial assessment and classification of incident severity. It can also expedite security testing through automated exploit code generation based on the known attack vectors of the threats; generated exploit code should be treated as untrusted and validated in an isolated lab before it is used in any test.
CrowdStrike is an extensive cybersecurity platform with Gen AI capabilities to accelerate security operations, helping security analysts prioritize incidents, and expedite decision triage, thereby enabling advanced SOC automation with responsible guardrails.
Cybersixgill offers real-time threat intelligence with Gen AI-driven vulnerability intelligence that turns raw threat data and information on exploited vulnerabilities into human-readable, contextual summaries and finished reporting.
Flashpoint offers a vulnerability intelligence database (VulnDB) to rapidly assess and manage vulnerability exposure, with exploit prediction models that prioritize vulnerabilities based on observed past TTPs and the likelihood of future attacks.
Adversary Analysis and Profiling
Along similar lines to incident response automation, Gen AI also has a role in threat intelligence: gathering all sources of threat intelligence data and distilling them into high-fidelity, actionable intelligence.
ThreatConnect supercharges threat intelligence workflows with AI-powered solutions to operationalize high-fidelity threat and risk insights that enhance security teams’ decision-making capabilities and reduce false positives.
Recorded Future offers an AI-driven intelligence cloud that leverages intelligence graphs for collecting, structuring, analyzing, and turning large volumes of threat data into actionable insights.
The Expanding Kraken


The Kraken is another mythical monster, said to lurk in the Scandinavian seas, with massive tentacles that could capture a ship and drag it under. In today's context, when organizations build IT infrastructure to support remote working, a geographically distributed workforce and locations, external integrations, and supplier/vendor access, they invariably harbour a hidden Kraken that can surface at any time as a cyber attack and drag down the entire infrastructure.
Although infrastructure security is often handled as a separate discipline from cyber security defense, it plays a central role because of the vulnerabilities surrounding users (employees, contractors, customers) and their access paths. Working in harmony with network and cloud security, Gen AI plays an important role in handling the following scenarios:
Supply Chain Attacks / Insecure Software Updates
Supply chain attacks open a lateral path into the environment during infrastructure provisioning, upgrades, or migration activities. With standardized IaC (Infrastructure as Code) definitions, Gen AI can generate, update, and remediate the security policies and access permissions used to orchestrate supply chain activities securely. The same approach extends to other forms of optimization such as cost and performance. Additionally, it can track lapses in software libraries and flag updates that introduce insecure versions.
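The "flag updates that introduce insecure versions" check, as an added example that is not code from the original post or from any vendor on the page. It reads a constructed pin list and a constructed set of CI workflow action references and reports library versions below a known fix, floating (unpinned) versions that cannot be verified, and dependencies referenced by a mutable tag or branch instead of an immutable commit SHA. The package names, the advisory table and the SHA are all made up for the example; no real advisory is implied.

```python
"""Flag insecure versions and unpinned dependencies in a build definition (added example)."""
import re

# Constructed pin list in requirements.txt style.
REQUIREMENTS = """\
# application dependencies
acme-http==2.25.1
widgetlib==1.4.2
urllib-shim>=1.26
yaml-tools
"""

# Constructed CI 'uses:' references; the 40-hex string is a placeholder, not a real commit.
WORKFLOW_USES = [
    "actions/checkout@v4",
    "actions/setup-python@0123456789abcdef0123456789abcdef01234567",
    "some-org/deploy-action@main",
]

# Constructed advisory table: package -> first version that carries the fix.
ADVISORIES = {"acme-http": "2.31.0", "widgetlib": "1.4.2"}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9.]+)?")


def _ver(v):
    """Numeric dotted version to a comparable tuple; '2.25.1' -> (2, 25, 1)."""
    return tuple(int(x) for x in v.split("."))


def check_requirements(text, advisories):
    """Return (package, message) findings for floating pins and versions below the fix."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_RE.match(line)
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        if op != "==" or ver is None:
            findings.append((name, "floating version; pin exactly and verify hashes"))
            continue
        fix = advisories.get(name)
        if fix and _ver(ver) < _ver(fix):
            findings.append((name, f"{ver} is below fixed version {fix}"))
    return findings


def check_uses(refs):
    """Return (action, message) findings for references not pinned to a commit SHA."""
    findings = []
    for ref in refs:
        action, _, pin = ref.partition("@")
        if not SHA_RE.match(pin):
            findings.append((action, f"mutable reference '{pin}'; pin to a commit SHA"))
    return findings


if __name__ == "__main__":
    for name, msg in check_requirements(REQUIREMENTS, ADVISORIES) + check_uses(WORKFLOW_USES):
        print(f"{name}: {msg}")
```

Whatever produces the upgrade (a human or a model-generated pull request), the same two questions apply before merge: does every pin resolve to an exact, hash-verifiable version, and does every CI dependency resolve to an immutable commit? A tag such as v4 can be moved by whoever controls the upstream repository, which is precisely the update path a supply chain attacker wants.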
IAM Misconfiguration
Identity and Access Management is the bedrock of an organization's access and permission control. IAM policies can be misconfigured deliberately by insiders or accidentally through human error. Gen AI can orchestrate IAM configuration reviews to identify, audit, and remediate faulty policies that grant users privileges beyond their authorized roles.
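The audit-and-remediate loop described above, as an added example that is not code from the original post or from any vendor on the page. It audits an AWS-style IAM policy document for over-broad grants (wildcard actions, wildcard resources, and sensitive actions such as iam:PassRole left unconstrained), then applies an explicit narrowing and re-audits to confirm the findings are gone. The policy JSON, the narrowing and the account and role identifiers (123456789012 is the AWS documentation placeholder account) are constructed; the narrowing is the kind of proposal that, in the page's scenario, a model would generate and a reviewer would approve only after the re-audit passes.

```python
"""Audit an IAM policy for over-broad grants and re-check a least-privilege rewrite (added example)."""
import fnmatch
import json

# Actions whose misuse commonly leads to privilege escalation (assumption: a reviewer's short list).
SENSITIVE = {"iam:PassRole", "iam:CreateUser", "sts:AssumeRole", "s3:PutBucketPolicy"}

# Constructed policy document.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppReads", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "PassAny", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Sid": "Deny", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}
""")

# Constructed narrowing: explicit Action/Resource lists (and a PassRole condition) per Sid.
NARROWING = {
    "TooBroad": {"Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                 "Resource": ["arn:aws:logs:eu-west-1:123456789012:log-group:/app/*"]},
    "PassAny": {"Resource": ["arn:aws:iam::123456789012:role/app-task-role"],
                "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _grants(actions, api):
    """True if any action pattern ('*' wildcards, case-insensitive like IAM) covers the API call."""
    return any(fnmatch.fnmatch(api.lower(), a.lower()) for a in actions)


def audit(policy):
    """Return findings as (Sid, severity, message), Allow statements only."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        star_res = "*" in resources
        if "*" in actions and star_res:
            findings.append((sid, "critical", "Action '*' on Resource '*' is full administrative access"))
            continue
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append((sid, "high", f"wildcard action(s) {wild}"))
        sens = [api for api in sorted(SENSITIVE) if _grants(actions, api)]
        if star_res and sens and "Condition" not in st:
            findings.append((sid, "high", f"sensitive action(s) {sens} on Resource '*' with no Condition"))
        elif star_res:
            findings.append((sid, "medium", f"Resource '*' on {actions}"))
    return findings


def remediate(policy, narrowing):
    """Return a deep copy of the policy with each listed Sid's fields replaced by the narrowing."""
    new = json.loads(json.dumps(policy))
    for st in new["Statement"]:
        fix = narrowing.get(st.get("Sid"))
        if fix:
            st.update(fix)
    return new


if __name__ == "__main__":
    for sid, sev, msg in audit(POLICY):
        print(f"[{sev}] {sid}: {msg}")
    print("after remediation:", audit(remediate(POLICY, NARROWING)))
```

The re-audit is the point of the loop: a proposed rewrite, whether it comes from a reviewer or from a model, is never applied on trust, only once the same checks that flagged the original return nothing.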
Sedai is an autonomous cloud optimization platform that streamlines budget and performance parameters with AI-powered tuning while maintaining stringent security compliance requirements.
Scribe offers an AI-powered ASPM (Application Security Posture Management) chatbot for securing the software supply chain that strengthens security through real-time insights and vulnerability prioritization.
OpsMx secures and intelligently automates software delivery from developer to deployment, building on an Open Software Delivery architecture and AI/ML-powered DevSecOps.
Pulumi helps automate cloud applications through a co-pilot that combines the power of large language models with a semantic understanding of the cloud to unlock greater insights into securing cloud infrastructure.
CloudEagle offers management and optimization for multi-SaaS deployment environments through automated and secured software asset management leveraging AI to reduce security gaps.
Snyk is a developer-centric security platform for securing applications end to end and tracking open source vulnerabilities. It has Gen AI-capable tools for the generation, review, and testing of source code.