人工智能攻势：如何优化在网络安全的投资，利用人工智能技术预防和检测攻击

What are the common usages of offensive AI? 进攻型 AI 的常见用途有哪些？

Attackers commonly employ AI for more tailored impersonations, and quicker intrusions with more sophistication and automation. 攻击者通常会利用人工智能进行更个性化的模仿，以及更快、更复杂、更自动化的入侵。

Impersonations 模仿

Offensive AI via impersonation increases the effectiveness of exploiting human behavior, commonly the weakest link in cyber security. 通过冒充进行的攻击性人工智能提高了利用人类行为的效率，而人类行为通常是网络安全中最薄弱的环节。

• AI-generated phishing emails. Researchers found that AI could write better phishing emails than humans. Deep learning language models like GPT-3, along with other AI-as-a-service platforms significantly lower the barrier to craft effective and targeted phishing message. AI 生成的钓鱼邮件。 研究人员发现，人工智能能比人类更擅长写钓鱼邮件。像 GPT-3 这样的深度学习语言模型，以及其他 AI 即服务平台，大大降低了制作有效且有针对性的钓鱼信息的门槛。
• AI voice impersonation. With deep learning, criminal can perform highly effective spear phishing attacks by impersonating a superior's voice to convince the company employees to carry out malicious activities. AI 语音模仿。 借助深度学习，犯罪分子可以通过冒充上级的声音，诱使公司员工实施恶意活动，从而实施高效的鱼叉式钓鱼攻击。
• Deepfake personas. Attackers leverage deepfakes to dupe biometric authentication while verifying a human identity, and to compromise business email and business communication platforms (like MS Teams, Zoom). 深度伪造角色。 攻击者利用深度伪造来欺骗生物识别认证，同时验证人类身份，并攻破商业电子邮件和商务通信平台（如 MS Teams、Zoom）。

Intrusions 入侵

Besides, criminals use offensive AI to exploit and penetrate into company systems and evade security intrusion detection. 此外，犯罪分子利用攻击性人工智能入侵公司系统，规避安全入侵检测。

• AI captcha bypass. CAPTCHAs were designed to prevent computers from automatically filling out forms by verifying that you are a real person. But with the rise of deep learning and computer vision, machines are trained to defeat CAPTCHAs automatically to enable credential stuffing attacks and brute force attempts. AI 验证码绕过。 验证码的设计目的是防止电脑通过验证你是真实人物来自动填写表格。但随着深度学习和计算机视觉的兴起，机器被训练能自动破解验证码，从而实现凭证填充攻击和暴力破解尝试。
• AI fuzzing. AI can be leveraged to speed up the discovery of zero-day vulnerabilities, automated reverse engineering and exploitation of side channels. AI 模糊检测。 人工智能可用于加速零日漏洞的发现、自动化逆向工程以及侧通道的利用。
• AI-controlled bot. AI can help criminals to improve stealth capabilities by using automation to perform lateral movement across networks to infect more machines. AI 控制的机器人。 人工智能可以通过自动化实现横向网络移动，帮助犯罪分子提升隐身能力，从而感染更多机器。

common AI-powered attacks types

Figure 1: common AI-powered attacks types 图 1：常见的 AI 驱动攻击类型

Are organizations ready for that? 组织准备好了吗？

In 2021, MIT Technology Review Insights and Darktrace conducted a survey with 300+ C-level executives, directors, and managers worldwide to understand how they are addressing the cyber threats they are up against [Note 1]. It is noted that 60% of respondents reporting human-driven responses to cyberattacks are failing to keep up with automated attacks. When survey respondents were asked how worried they are that future cyberattacks against their companies will use AI, 97% cited future AI-enhanced attacks as troubling, with 58% of respondents saying such cyberattacks are very concerning. 2021 年，MIT Technology Review Insights 和 Darktrace 对全球 300+位高管、董事和管理者进行了调查，了解他们如何应对所面临的网络威胁 [注 1]。 值得注意的是，报告人为驱动网络攻击的受访者中有 60%未能跟上自动化攻击的进度。当被问及对未来针对其公司将遭受人工智能的网络攻击有多担忧时，97%的人表示未来 AI 增强攻击令人担忧，其中 58%的受访者表示此类网络攻击非常令人担忧。

Mainstreaming AI-driven attacks is just a matter of time. In addition, the trend of digitalization and COVID-19 pandemic have significantly increased the complexity of cyber battlefield. It is not uncommon to see organizations invest millions to buy various tools and hire security professionals to protect against cyber attacks. However, it remains a traditional and reactive approach that does not prevent AI-driven attacks. It is time to start adopting AI technologies to help effectively and efficiently prevent and detect attacks. 将 AI 驱动的攻击主流化只是时间问题。此外，数字化趋势和新冠疫情显著增加了网络战场的复杂性。常见组织投入数百万购买各种工具，并聘请安全专业人员来防御网络攻击。然而，它仍是一种传统且被动的方式，无法防止 AI 驱动的攻击。是时候开始采用人工智能技术，以有效且高效地预防和检测攻击了。

Where can we start? 我们从哪里开始？

Your organization is a treasure trove full of data and information collected from various systems you may have already installed to prevent cyber attacks. Based on your current capabilities, you can identify specific areas where AI technologies and cyber analytics can be applied. The framework is depicted as a table that spans all phases of cybersecurity. 你的组织是一座宝藏，汇集了来自你可能已经安装的各种系统的数据和信息，以防止网络攻击。根据您当前的能力，您可以识别人工智能技术和网络分析可以应用的具体领域。该框架被描绘为涵盖网络安全各个阶段的表格。

Where to apply AI technologies to improve your cybersecurity posture?

Figure 2: Where to apply AI technologies to improve your cybersecurity posture? 图2：在哪里应用人工智能技术以提升您的网络安全态势？ (Source: Deloitte – "Smart cyber: How AI can help manage cyber risk" [Note 2]) （来源：德勤——《智能网络：人工智能如何帮助管理网络风险》[注 2]）

There are many compelling use cases where robotic automation (commonly known as Robotic Process Automation, or RPA), AI and other data analytics technologies help you prioritize your cybersecurity investment against AI-driven attacks. 机器人自动化（通常称为机器人流程自动化，RPA）、人工智能及其他数据分析技术，在许多引人注目的应用场景中，帮助您优先处理网络安全投资，抵御人工智能驱动的攻击。

Here we list some of the ways AI technologies can improve your security posture and enable earlier detection and response to any potential attacks. 这里我们列出了一些人工智能技术可以提升安全态势、实现潜在攻击的早期检测和响应的方式。

With the help of automation, you can: 借助自动化，你可以：

1. Governance, risk and compliance (GRC) 治理、风险与合规（GRC）
   • Governance and risk management. Inform overall strategy and improve reporting capabilities by using large volumes of contextual data and decision points to help with strategic decision making that aligns with your organization’s risk appetite. 治理与风险管理。 通过利用大量上下文数据和决策点 ，帮助制定符合组织风险偏好的战略决策，指导整体战略并提升报告能力。
   • Regulation synthesis and mapping. Develop and maintain the organization's integrated security controls framework, extracting information from multiple regulatory sources and guidelines. 调控综合与映射。 开发并维护组织的综合安全控制框架，从多个监管来源和指南中提取信息。
   • Assessment triggering. Conduct automated assessments periodically, or by changes to applications and/or business processes. 评估触发。 定期进行自动化评估 ，或通过对应用程序和/或业务流程的变更进行。
   • Key Risk Indicator (KRI) automation. Automate the collection and visualization of KRI metrics to enable the organization to assess and address risk exposure. 关键风险指标（KRI）自动化。 自动化收集和可视化 KRI 指标 ，使组织能够评估并应对风险暴露。
   • Responsibility allocation. Use self-service processes to allocate cybersecurity responsibilities across teams, improving efficiency and enabling closer alignment with risk owners. 责任分配。 利用自助流程在各团队间分配网络安全职责，提高效率，并与风险负责人建立更紧密的对齐。
   • Control testing. Automate control testing so that it continually assesses control effectiveness and provides near real-time updates about the organization's security posture. 对照测试。 自动化控制测试，使其持续评估控制有效性，并提供组织安全态势的近实时更新 。
2. Identity and access management (IAM) 身份与访问管理（IAM）
   • Role maintenance. Use an AI engine to provide recommendations on role maintenance, helping organizations streamline the difficult, costly, and time-consuming task of keeping role definitions up-to-date. 角色维护。 使用人工智能引擎提供角色维护建议 ，帮助组织简化保持角色定义更新这一艰难、昂贵且耗时的任务。
   • Role mining engine. Extend the AI role maintenance engine to mine roles from multiple data sources, recommending new roles and entitlements. 角色采矿引擎。 扩展 AI 角色维护引擎，从多个数据源挖掘角色 ，推荐新的角色和权限。
   • Access request recommendation engine. Simplify the access request process by analyzing various data sources, such as peer group access and historical access requests, and then recommending the level of access required for a user. 访问请求推荐引擎。 通过分析各种数据源 ，如对等组访问和历史访问请求，并推荐用户所需的访问权限等级，简化访问请求流程。
   • Access certification analytics. Analyze different data sets and apply analytics to improve the certification process by pre-approving certification items based on access request data, detecting anomalies in the attestation cycle, and using peer group data to calculate a confidence score that helps reviewers make informed decisions. 访问认证分析。 分析不同数据集并应用分析，通过基于访问请求数据预先批准认证项目、检测认证周期中的异常，以及利用同行组数据计算信心评分，帮助评审人员做出明智决策，从而改进认证流程 。
   • Access usage data for analytics engine. Incorporate access usage data into the analytics engine to generate more informed and efficient insights. 访问分析引擎的使用数据。 将访问使用数据整合进分析引擎， 以生成更有根据且高效的洞察 。

With the help of AI and analytics technology, you can: 借助人工智能和分析技术，您可以：

1. System security 系统安全
   • Control effectiveness. Augment and assess the effectiveness of tried and tested tools such as firewalls, proxies, and data loss prevention solutions by monitoring the available log data, then identifying and remediating misconfigurations. 控制效率。 通过监控可用日志数据，增强并评估防火墙、代理和数据丢失防护解决方案等经过验证的工具的有效性， 然后识别和修复错误配置。
2. Cyber threat intelligence (CTI) 网络威胁情报（CTI）
   • Cyber risk sensing. Follow the thought process of threat actors and discover the first sign of cyber attacks targeted at your organization before it happens by monitoring a wide range of public and closed intelligence sources such as hacker forums and private chat groups. 网络风险感知。 通过监控各种公开和封闭情报来源 ，如黑客论坛和私人聊天群组，跟踪威胁行为者的思维过程，提前发现针对你组织的网络攻击的第一个迹象。
3. Threat detection 威胁检测
   • Anomalous behavior detection. Help identify anomalous data access activity and malicious application activity by putting analytic focus on user logins, changes in user behavior, and unapproved changes. 异常行为检测。 通过分析关注用户登录、用户行为变化和未经批准的更改，帮助识别异常数据访问活动和恶意应用活动。
   • Threat discovery. Monitor activities and entities to establish normal behavior. The normal behavior pattern will then be used to detect sources of anomalies that could create potential risks such as fraud, money laundering, and insider threats. 威胁发现。 监控活动和实体，以建立正常行为。随后，将利用正常行为模式检测可能带来欺诈、洗钱和内部威胁等潜在风险的异常来源 。
   • Alert cleansing and prioritization. Use machine learning to significantly automate the first level of triage based on factors such as type of attack, frequency, and previous experience. 警觉、净化和优先排序。 利用机器学习大幅自动化第一级分诊 ，基于攻击类型、频率和以往经验等因素。
   • Targeted investigation and support. Use a big data platform to drive new insights through historical analysis, allowing investigations into incidents based on current and historical data to be done quickly and efficiently. 有针对性的调查和支持。 利用大数据平台通过历史分析推动新洞察 ，使基于当前和历史数据的事件调查能够快速高效地完成。
4. Threat hunting and vulnerability management 威胁狩猎与漏洞管理
   • Threat hunting. Quickly search for new threats by importing known tactics, techniques, procedures, and attack patterns, along with vulnerability details and remediation information, to help neutralize threats early in the attack cycle. This process must be continuous, integrated, and optimized to align with your organization's goals. Once a new threat is identified by CTI giving insight into the tactics, techniques, and procedures (TTP) utilized, threat hunters will then search for the identified behaviors in your environment with the help of defense analytics technology. 威胁猎杀。 通过导入已知的战术、技术、程序和攻击模式，以及漏洞详情和修复信息，快速搜索新威胁 ，帮助在攻击周期早期消除威胁。这一过程必须持续、整合并优化 ，以符合贵组织的目标。一旦 CTI 识别出新威胁，提供对所采用战术、技术和程序（TTP）的洞察，威胁猎人便会借助防御分析技术在环境中搜索已识别的行为 。
   • Vulnerability scanning. Use bots to initiate and scan applications, systems, and other assets for vulnerabilities, assessing risk and prioritizing the patch schedule. 漏洞扫描。 利用机器人启动并扫描应用程序、系统及其他资产的漏洞，评估风险并优先安排补丁计划。
   • Configuration review. Use bots to review system configurations to ensure baseline hardening and ensure no misconfigurations. 配置复审。 使用机器人审核系统配置 ，确保基线硬化，避免配置错误。
   • Attack-path modelling. Perform predictive analytics on security data to determine vulnerable entry points and the likely path an attacker might use to gain access. 攻击路径建模。 对安全数据进行预测分析 ，确定易受攻击的入口点以及攻击者可能使用的访问权限路径。

Summary 摘要

AI technologies have been getting a lot of buzz lately. While the AI technologies have become a potent part of cyber attacks, AI technologies and analytics can also lift your company’s cyber capabilities to the next level by giving you visibility on the threats and vulnerabilities in your environment, and proactively analyze where you can take actions to minimize your organization's attack surface. By taking the lead on applying these disruptive innovations to cybersecurity, you can tip the balance in your favor and stay a step ahead of the threats. 人工智能技术最近备受关注。虽然人工智能技术已成为网络攻击的重要组成部分，但人工智能技术和分析还能提升您公司的网络能力，让您能够洞察环境中的威胁和漏洞，并主动分析可采取行动以减少组织攻击面的部分。通过率先将这些颠覆性创新应用于网络安全，您可以扭转天平，领先于威胁。

End notes: 注释：

1. MIT Technology Review and Darktrace, "Preparing for AI-enabled cyberattacks" (2021). 麻省理工技术评论与 Darktrace，《为人工智能驱动的网络攻击做准备》（2021 年）。
2. Deloitte, "Smart cyber: How AI can help manage cyber risk" (2019). 德勤，《智能网络：人工智能如何帮助管理网络风险》（2019年）。