John Tuyen

Adventures of Functional Mediocrity

30 May 24

Offensive AI Tooling: Finally Arrived?

AI red-teaming tools helped X-Force break into a major tech manufacturer 'in 8 hours'

"In this particular case, the X-Force crew and its AI tooling found a flaw in the manufacturer's HR portal, exploited this to upload a shell, and then waited to see if they would get caught. They didn't, so they pushed further, escalating their privileges on the host, and used a rootkit to cover their tracks and avoid being detected."

"Then we just sat and waited, mapped up their internal network over time, and eventually got to the design of that key computer component," Thompson said.

Not to say that this wasn't predicted already by many experts, this is coming sooner than we think. Several predictions can be made based on what I've observed in the past 6 months:

  • Bug bounty hunters are going to be come more competitive especially those who know how to augment AI observance tech/agents.
  • A new competition battleground. Imagine Battle Bots but for Offensive LLM's to compete capture the flags or real world bounty programs. Leading models will get bought or licensed by public/private sectors.
  • A greater importance of shifting left in the software development lifecycle and ASR vulnerability management. Hopefully, this would lead to fostering a better security culture rather than a time consuming process.
  • An internal threat adversary model will exist to look out for existing gaps in the network. Give it an employee profile to mimic and all the knowledge of internal tools it needs, it will endlessly monitor and find a way to either laterally move or escalate privileges. This would help in use cases where making a network-wide rules/permission change but unsure what the adverse effects are.