Offensive AI: The Essential Element of Cybersecurity

“Peace represents the ideal of civilization, while war embodies its failings. However, it is frequently through the trials of war that the most effective tools for achieving peace are created.” – Victor Hugo

In 1971, an unsettling message began to appear on several computers connected to ARPANET, the precursor to today’s Internet. The message, “I’m the Creeper: catch me if you can,” was generated by a program called Creeper, created by the well-known programmer Bob Thomas at BBN Technologies. Although Thomas’s intentions were not malicious, the Creeper program is considered the earliest example of what we now know as a computer virus.

The emergence of Creeper on ARPANET laid the groundwork for the creation of the first antivirus software. Although unconfirmed, it is believed that Ray Tomlinson, renowned for inventing email, developed Reaper, a program designed to remove Creeper from infected machines. The creation of this tool to defensively track down and eliminate a malicious program is often seen as the beginning of the cybersecurity field. It underscores an early recognition of the potential power of cyberattacks and the necessity for defensive measures.

The need for cybersecurity might seem unsurprising, given that the digital domain is a reflection of the physical world. Just as we have evolved from using sticks and stones to modern weaponry, the cyber realm has similarly progressed. Initially, it began with a basic Creeper virus, which represented a nascent form of digital threat. The discovery of weaponized electronic systems led to the development of antivirus solutions like Reaper, and as attacks became more sophisticated, so did the defensive strategies. Today, network-based attacks have shaped the digital battlefield, with firewalls replacing city walls, load balancers acting as generals managing resources, and Intrusion Detection and Prevention systems serving as modern-day sentries. While these systems are not infallible, and the possibility of vulnerabilities like a problematic EDR solution exists, they represent significant advancements in cybersecurity.

Looking ahead, the emergence of Offensive AI poses one of the most significant threats to date. In 2023, Foster Nethercott published a whitepaper at SANS Technology Institute discussing how threat actors could exploit ChatGPT with minimal technical expertise to create innovative malware that can bypass traditional security measures. Other articles have also explored the use of generative AI to develop advanced worms like Morris II and polymorphic malware such as Black Mamba.

The seemingly paradoxical solution to these escalating threats is the continued development and research into more advanced Offensive AI. Plato’s saying, “Necessity is the mother of invention,” aptly describes the current state of cybersecurity, where the rise of AI-driven threats fuels the creation of more sophisticated security measures. Although developing advanced offensive AI tools and techniques may not be morally ideal, it has become an unavoidable necessity. To effectively combat these threats, a deep understanding is required, which can only be achieved through their development and study.

The rationale for this approach is straightforward: one cannot defend against a threat that is not fully understood. Without ongoing research into these emerging threats, effective defense remains out of reach. Since malicious actors are already using Offensive AI to create new threats, it is both misguided and naïve to ignore this reality. Consequently, the future of cybersecurity lies in advancing Offensive AI.

For those interested in learning more about Offensive AI and its application in penetration testing, I invite you to join my upcoming workshop at SANS Network Security 2024: Offensive AI for Social Engineering and Deep Fake Development on September 7th in Las Vegas. This workshop will serve as an introduction to my forthcoming course, SEC535: Offensive AI – Attack Tools and Techniques, set to launch in early 2025. The event will also be an excellent opportunity to connect with leading AI experts and explore how AI is shaping the future of cybersecurity. You can find event details and a full list of bonus activities here.

Note: This article is authored by Foster Nethercott, a U.S. Marine Corps and Afghanistan veteran with nearly a decade of experience in cybersecurity. Foster runs the security consulting firm Fortisec and is an author for SANS Technology Institute, currently developing the new course SEC 535 Offensive Artificial Intelligence.