There was no doubting the one topic on almost everyone’s minds at IRISSCON 2024: AI. But a hallmark of the event since it was first held in 2009 is visiting speakers who aren’t afraid to challenge popular narratives. The result, as ever, was presentations strong on realism and common sense, short on sales hype and scaremongering.

In one of the early sessions, Onur Korucu, managing partner of GovernID, spoke about how AI’s rapid progress is reshaping approaches to cybersecurity. Leaders guiding their organisations today need to know how to balance AI’s benefits – like real-time threat detection, rapid response, and automated defences – with new risks and complexities.

In her enthusiastic talk, Korucu encouraged the 400-strong audience to use the technology, get trained in it, and learn about it – and to realise its shortcomings. “We overestimate AI,” she said.

Counteracting the clichés

One common storyline we see in cybersecurity marketing is how criminals’ use of AI is a major threat. But IRISSCON offered a different perspective on this cliché. Research from Trend Micro found that criminals are mainly using AI to code – and they’re not even doing a stellar job at that. “The state of criminal large language models is actually pretty tame,” said Bob McArdle, director of Trend Micro’s Forward Looking Threat Research team. “So far we haven’t seen criminals write malware entirely in AI. Mostly they’re using it for scripts and smaller tools… It is an assistant to the malware developer, not actually replacing them.”

Criminals aren’t investing anywhere near the amount of money in AI as legitimate companies, McArdle added. That’s because criminals are “slow to change” and they have little incentive to invest in alternatives as long as easy exploits like ransomware continues to make money. “They don’t sink costs into something like we do with R&D,” he said. James Coker, reporting from the conference for Infosecurity Magazine, had this writeup of McArdle’s presentation.

How AI assists financial fraud

One area where AI can be effective in helping criminals is in creating scams using impersonation. ESET’s global cybersecurity advisor Jake Moore gave an entertaining and fast-paced look at how criminals can use deepfake technology to create ‘clones’. The ability to mimic real people can help criminals to convince victims that they’re speaking to someone in authority who can persuade them to make unauthorised payments or share confidential information. “Seeing is not believing,” Moore warned.

That’s why it’s essential to promote security awareness and training on AI-specific threats, said Craig Balding. Referring back to Jake Moore’s deepfake examples, Balding said he is aware of one company that guards against this exact risk by making sure staff notify their manager if someone claiming to be from the company asks them to transfer large sums of money.

An independent security consultant, Balding produces an excellent newsletter called Threat Prompt, which shows how security professionals can use AI to enhance their work. By his own estimates, he uses AI for a couple of hours every day, and his talk included practical advice on getting to grips with the technology.

Drowning in data? AI alleviates alert fatigue

In a similar vein, Forescout’s VP of security intelligence Rik Ferguson talked about how AI can help to manage the deluge of log information that security professionals often face.

“Every step in an attack represents an opportunity for a defender. The problem is, we live in a world where we are drowning in data, drowning in alerts. We don’t want visibility, we want insight. We don’t want to see more, we want to understand more. When you have more data that you can deal with, you’re getting negative returns. AI can help us as defenders to manage this huge amount of data,” Ferguson said.

Another recurring theme was ransomware. Dick O’Brien from Symantec’s threat hunter team explained that incidents are up on previous years, and he shed light on who’s committing them and what tactics they’re using.

Ransomware: the memory remains

For the first time, IRISSCON welcomed a speaker from Verizon, which produces the respected Data Breach Investigations Report (DBIR). Widely considered one of the industry’s leading sources of security research, the 2024 edition found that ransomware and extortion made up 32% of incidents.

Phillip Larbey, associate director for EMEA at Verizon, said the vast majority of cyber incidents involve at least one of three elements – human error, social engineering and ransomware. Many of these attacks are preventable, he added. Verizon’s data shows that 47 per cent of vulnerabilities are still unpatched 60 days after being discovered.

Directly following Larbey’s presentation, Dave Lewis of 1Password and Rich Mogull of Firemon gave a joint talk where they encouraged cybersecurity professionals to draw from the experience of how first responders deal with real-world incidents and natural disasters. There can be a tendency in the cybersecurity industry to treat unexpected scenarios as ‘black swan’ events. In reality, many of them are predictable. “We keep chasing after the next shiny thing but in fact a lot of vulnerabilities have been known for many years,” Lewis said. Infosecurity Magazine’s live report led with this reminder that much of what we see in cybersecurity is familiar.

Banishing black swans: the triage approach

Secondly, there’s a way to tame the chaos. Mogull drew on his own experience as a paramedic to say it’s possible to put in place triage systems, even for unpredicted events. This allows responders to manage them more effectively. “It’s all about having a series of systems and processes to be able to account for the unknown, for situations we’ve never encountered before,” he said.

If that all sounds like a recipe for increased stress among cybersecurity professionals, Eleanor Dallaway, co-founder of Assured.co.uk, closed IRISSCON with an appropriate message based on her research into burnout among cybersecurity leaders. In an industry that can be prone to high stress and ‘panic mode’, her talk was a welcome reminder for people to take care of their mental health.

Photo Credit: Dan Raywood