Interviews | August 2, 2023

Generative AI Tools Are Enabling Targeted Attacks at Speed and Scale

Darktrace | ExtraHop | KnowBe4 | Wiz

Max Heinemeyer
Chief Product Officer


Q1. A survey that Darktrace conducted earlier this year revealed a 135% increase in "novel" social engineering attacks. What exactly is that? What are the implications of the trend for enterprise defenders?

In April, Darktrace Research revealed a 135% increase in ‘novel social engineering attacks’ across thousands of active Darktrace/Email customers from January to February 2023, corresponding with the widespread adoption of ChatGPT.

A novel social engineering phishing email is an email attack that shows a strong linguistic deviation – semantically and syntactically – compared to other phishing emails. While correlation doesn’t necessarily mean causation, the trend suggests that generative AI, such as ChatGPT, is providing an avenue for threat actors to craft sophisticated and targeted attacks at speed and scale.

The implications are two-fold. First, while security training and awareness programs remain an important part of a defense-in-depth approach, the value of teaching employees to spot attempts at social engineering delivered in text format is diminishing rapidly. We cannot put the onus on humans to spot these threats in a world where ‘bad’ emails can look all but indistinguishable to the human eye from ‘good’ emails. In tandem, traditional email security technologies which work from a knowledge of past attacks will struggle to detect these threats. If we don’t know how to define entirely new and unique attacks, how can we ever hope to recognize them based on past attacks?

Against this backdrop, it is important that human defenders are augmented with AI technology that understands their organization – employee behavior, based from their email inbox, is needed to create patterns of life for every email user: their relationships, tone and sentiments and hundreds of other data points. With this understanding of ‘you’, AI is able to determine if an email is malicious or benign, no matter how novel it is, thereby taking the burden of responsibility off the human. In turn, humans can pursue activities that drive productivity and performance.

Q2. What threats should organizations be aware of when permitting employees to use generative AI tools such as ChatGPT at work? What controls and guardrails do they need to have in place, to ensure secure use of AI-driven tools?

In order to reap the benefits of generative AI tools like ChatGPT, organizations need to approach it with all the same enterprise-level data risk considerations as if they were onboarding a new supplier or contractor, a third-party SaaS service or use of cloud file storage. ChatGPT is one of those services that was never really designed to provide operational capability with full data privacy protections from the get-go, and one of the most significant risks is that of IP and data loss – for example when sensitive files or information are entered as prompts and become part of the third-party AI model that’s available to others.

Developing in-house policies and educating employees on the information they can upload into these tools will be crucial to manage risks, but it is equally important to ensure that CISOs and security teams are equipped with the right technologies to monitor and, when necessary, respond to activity and connections to generative AI and large language model (LLM) tools. Technology which offers security leaders a full picture of their organisation and where generative AI fits into that will ensure that productivity is boosted by generative AI, without needing to worry about the potential security risks. Our latest innovations at Darktrace have focussed on delivering this to our global customer base through new risk and compliance models, empowering CISOs to detect and respond to generative AI activity that may deviate from company policies or best practices.

Q3. What can attendees at Black Hat USA 2023 expect to learn about Darktrace's latest capabilities and future direction? How does the company plan to leverage its presence at the event to engage with customers?

Following the release of our breakthrough PREVENT technology in July 2022, which allows defenders to get ahead of attackers targeting their organization by prioritizing vulnerabilities and continuously hardening defenses, we are incredibly excited to be showcasing our newest innovation at Black Hat this year, Darktrace HEAL. This is the final component of our technology vision, the Cyber AI Loop, the world’s first-ever set of interconnected AI capabilities working together to prevent, detect, respond to and heal from cyber-attacks all at once.

HEAL uses AI that learns from each individual company’s data to help their security teams more effectively prepare for and respond to cyber-attacks and is able to safely simulate real-world incidents that are customized for each environment to help teams practice, as well as bespoke AI-generated response playbooks that help prioritize remediation actions. Black Hat will be an opportunity for our community to receive demos of this new innovation from the broad technology and executive presence we have at the event this year. We encourage all attendees to get in touch for a chat about their security priorities and to understand how AI can uplift the SOC and supercharge other areas of defense such as email and cloud security, technical integrations, risk management and attack surface management.

On August 9th, the conference will hear about HEAL and the full Cyber AI Loop from one of our longstanding customers when VP of integrations at Darktrace Matt Bovbjerg takes the stage with Michael Sherwood, Chief Innovation Officer at the City of Las Vegas. The session ‘AI in Action: Protecting the City of Las Vegas from Every Stage of the Attack Lifecycle’ will delve into how our latest AI innovations can not only anticipate attacks, but withstand, recover from, and adapt to them in a dynamic and complex smart city environment.

Mark Bowling
Senior Vice President, Chief Information Security and Risk Officer


Q1. You were recently appointed to the newly created role of Chief Information Security and Risk Officer (CISRO) at ExtraHop. What are your responsibilities in the role? What's driving the need for such a role at enterprise organizations in general?

I am responsible for information security, physical security, personnel security, and enterprise risk management efforts at ExtraHop. In this capacity, my goal is to create a holistic model that captures a range of potential risks and threats to the business, including cyber risks, competitive threats, geopolitical risks, etc., and includes plans to mitigate those risks.

Chief information security and risk offers are in significant demand today because of the complex and rapidly evolving risk environment for organizations, and because cyber risk represents a growing proportion of business risk. Organizations of all sizes and sectors face constant threats from nation-state and cybercrime actors. Enterprises need to ensure that their information security, risk management, legal, and compliance functions all work together to protect sensitive data, company resources, and shareholder value, which is why it made sense at ExtraHop to combine the chief security officer and chief risk officer roles into one. It’s a powerful combination.

Q2. What were some key takeaways for security leaders from ExtraHop's 2023 Global Cyber Confidence Index: Cybersecurity Debt Drives Up Costs and Ransomware Risk report? Was there anything in the data that was surprising or unexpected?

The 2023 Global Cyber Confidence Index looked at the impact of cybersecurity debt on organizations security postures and their confidence in it. Cybersecurity debt refers to the unaddressed security vulnerabilities that pile up in organizations’ IT environments as a result of unpatched software, unmanaged devices, use of insecure network protocols, and more.

Our survey of 950 IT decision makers found a tight link between cybersecurity debt and heightened exposure to cybersecurity incidents, including ransomware: 77% of survey respondents said outdated cybersecurity practices contributed to at least half the incidents their organizations had experienced. They also reported a significant uptick in ransomware incidents, from an average of four over five years in 2021 to four attacks over the course of one year in 2022.

In addition, the study revealed specific security hygiene gaps, including the number of organizations running insecure network protocols (98%), the prevalence of unmanaged devices, and critical device vulnerabilities, and offered measures organizations can take to assess and remediate cybersecurity debt.

Q3. What key messages does ExtraHop plan to convey about its products and services to attendees at Black Hat USA 2023? What topics, features or insights will ExtraHop focus on at the event?

First of all, we’re thrilled to reveal “what’s in the black box” at our booth, #1540. Attendees will come away from our booth presentations, demos, and speaking sessions with an understanding of the power of the network in cybersecurity: the unique role the network plays in helping organizations see more, know more, and stop more cyberattacks, and the unique properties of the network that allow defenders to get to the “cybertruth,” the truth about what attackers are doing on their networks and how to stop them at top speed.

Of course, we also plan to showcase our latest product announcements, including our native integration with CrowdStrike FalconⓇ LogScale, which allows customers to bring network telemetry from ExtraHop Reveal(x) into the LogScale platform to improve threat hunting and accelerate incident response, as well as our new IDS module for Reveal(x), which is designed to address unique security requirements of U.S. government agencies as they look to adopt CISA’s Zero Trust Maturity Model, as required by the White House.

And on Wednesday, at 4:10 PM, I’ll be speaking about a cybercrime case I worked as an FBI agent, during a session called “The Law vs. Ch@os.”

We have tons of activities planned and couldn’t be more excited about Black Hat this year.

Perry Carpenter
Chief Evangelist and Strategy Officer


Q1. How has the employment scam landscape evolved in recent years? What do security teams and users need to know about the threat and staying safe from it?

Employment scams have become more targeted, elaborate, and harder to detect, posing substantial threats to both job seekers and organizations. One notable shift is the increased sophistication in social engineering techniques. Cybercriminals exploit publicly available information from social media profiles and professional networking sites to craft personalized messages, making their job offers seem authentic and convincing. These scams may involve enticing job opportunities, remote work positions, or freelance gigs, luring users into sharing even more personal information or falling for fraudulent payment schemes.

This has also spilled over into the world of phishing. Instead of relying on generic emails, scammers craft messages that convincingly imitate legitimate job portals or known organizations, tricking victims into revealing sensitive data, such as login credentials or financial details. Additionally, fake job advertisements on popular online platforms have become prevalent, leading users to malicious websites or prompting them to download malware-infected files.

And these aren’t smalltime hackers hoping to capitalize on human vulnerabilities around employment. For example, UNC2970, a North Korean organization, actively employs job recruitment scams to pursue both espionage and hacking-for-profit, serving the state's financial interests. These scams involve using backdoors as phishing hooks, enabling various malicious post-exploitation activities.

Security teams must emphasize the importance of user education and awareness to combat these threats effectively. Regularly conducting training sessions on recognizing employment scams, understanding phishing indicators, and best practices for verifying job opportunities can empower users to stay vigilant.

Job seekers should verify the legitimacy of the companies offering job opportunities, especially if contacted through unsolicited emails or messages. They should independently search for the company's website, contact information, and social media profiles to confirm its authenticity. Refraining from sharing sensitive, avoiding downloading files from suspicious sources, and exercising extreme skepticism can significantly reduce the risk of falling victim to these scams.

Q2. What were the biggest takeaways from KnowBe4's Annual Phishing Benchmarking Report? Was there anything in the data that was surprising or unexpected in any way?

One of the things I’m struck by each year is the sheer amount of data we are able to include in this report. The data set for this year’s study included over 32.1 million simulated phishing tests sent to 12.5 million users across 35,6000 organizations from seven regions: Africa, Asia, Australia/New Zealand, Europe, North America, South America, and the United Kingdom/Ireland.

In 2023, the overall Phish-prone percentage (PPP) baseline average for all industries was 33.2%, indicating a significant risk of employees falling for phishing before training. However, after participating in a monthly combination of simulated phishing and training, only 18.5% failed within 90 days, and after a year, the failure rate dropped to 5.4%. That’s an 82% improvement of susceptibility to phishing in just a year.

Keep in mind that these high-level numbers are averages. In the report, we provide a ton of detail broken-down across 19 industries. And, if you’re looking for something to be shocked about, some of the initial baseline percentages for organizations that haven’t yet conducted any simulated phishing activities can certainly be a shock. For example, prior to training, organizations with 1,000 employees or more within the insurance industry demonstrated a 53.2% PPP. But, again, in a show of the efficacy of intentional and consistent training, that PPP was brought down to 5.7% at the one-year mark. Another truly dramatic turnaround was Energy & Utilities organizations over 1,000 employees – their journey took them from a 51.1% baseline PPP to a PPP of only 4.5% at the one-year mark.

These susceptibility and resilience improvements are hugely interesting each year because they are shockingly consistent. The data is clear that a commitment to ongoing simulated social engineering testing pays off in these drastic reductions in susceptibility.

Q3. How does KnowBe4 plan to highlight the latest developments in phishing and ransomware education at Black Hat USA 2023?

We’ll have a ton of great swag, engaging talks about security awareness best practices, and I’ll also be delivering a talk and doing a signing for my latest book, The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing your Human Defense Layer. And, of course, even more than all of that, we’re excited to let attendees see our latest product developments firsthand.

We’re particularly excited about our newest product: PhishER Plus. With it, we’ve created the most powerful anti-phishing protection available in the world. PhishER Plus is powered by a new, unique KnowBe4 global threat feed. This is a triple-validated phishing threat feed crowdsourced from 10+ million trained users are leveraged to automatically block matching new incoming messages from reaching your users’ inboxes. This continually updated threat feed is managed by KnowBe4 and syncs with your Microsoft 365 mail server.

Using this threat feed, PhishER Plus automatically blocks phishing attacks before they make it into your users’ inboxes using:

  • KnowBe4's global network of 10+ million highly trained KnowBe4 end-users and their PhishER Administrators
  • PhishML, a unique AI-model trained on phishing emails that all other filters missed
  • Human-curated threat intel by KnowBe4’s Threat Research Lab

We see things no one else can because users report the attacks that make it through every other filter out there. These in-the-wild threats are the most dangerous, real-time social engineering attacks at any given point in time. And now we’re giving our customers a way to use the power of KnowBe4’s unique view into what’s making it past filters so that they can proactively update their blocklists as well as acting on messages that match an identified phishing threat other PhishER customers have "ripped" from their organization's mailboxes are then validated by the KnowBe4 Threat Research Lab. These messages are automatically quarantined by removing them from all of your users’ inboxes.

Mattan Shalev
Head of Product Management


Q1. How will customers benefit from the recent strategic collaboration agreement between Wiz and AWS? What factor drove the partnership decision?

The agreement deepens an already rich partnership between us and AWS. The SCA is designed to further accelerate cloud security for our mutual customers and make it easier for them to run their cloud environments on AWS. It gives them a simple way to tap into the transformative power of Wiz’s leading Cloud Native Application Protection Platform (CNAPP), and paves the way for hundreds of thousands of businesses to harness the power of the cloud and push the boundaries of innovation while maintaining strong security. Coupling AWS and Wiz has driven massive gains across leading businesses looking to secure their cloud environments, including BMW, Priceline, and Salesforce.

As far as factors that drove this decision, Wiz has surpassed $100 million on AWS Marketplace and won the 2022 Marketplace Startup Partner of The Year Award. Both milestones are reflections of the immense demand for the value proposition which Wiz and AWS jointly provide, including accelerated implementation, streamlined procurement, and consolidated billing.

Q2. What do organizations need to understand about the differences between CNAPP and Data Security Posture Management (DSPM)? Do you see the two technologies becoming integrated into a single capability in future?

Wiz is the first CNAPP to deliver integrated DSPM, which we announced last November.

In the cloud, exposure can become an incident in just a matter of hours. DSPM enables organizations to respond before a breach occurs by continuously monitoring for critical data exposure. DSPM dramatically reduces the time it takes to discover and fix data exposure.

Attackers on the hunt for sensitive data know how hard it can be to secure, which is why data leaks regularly appear in the headlines. Eliminating this risk should be a top priority for businesses, but it’s often easier said than done. An organization with hundreds of data assets and tens of thousands of data items could have millions of individual configurations, permissions, and lifecycle policies. Moreover, protecting a database from even simple network exposure is a complex problem that can be hamstrung by siloes such as those created by traditional tools. These tools don’t capture the full picture when it comes to exposure, and they completely miss complex risks that involve vulnerabilities and lateral movement.

Wiz DSPM enables customers to get ahead of the data exposure problem with a comprehensive platform that understands data risks at cloud scale. It helps them discover which data is stored where, who can access what, how data assets are configured and utilized across human and non-human identities, and how data moves across environments.

By extending our CNAPP with integrated DSPM capabilities to detect cloud data exposure and prevent data breaches Wiz enables customers to continuously monitor for data exposure before it becomes a costly breach and arm their teams with all the context they need to remediate issues and transform their cloud operating model.

Q3. How is Wiz planning on integrating AI capabilities into its technologies? Where do you see AI making the biggest difference in your market space?

With the rapid advancements in GenAI, many organizations are developing solutions that use GenAI such as large language models (LLMs). Wiz data shows that this is currently the fastest growing category in cloud, with half of cloud customers making use of these technologies.

Cloud customers will no doubt leverage generative AI to continue pushing the boundaries of innovation. At Wiz we are preoccupied with answering such questions as: How can they best do so securely? How do you securely build apps that leverage GenAI models?

Malicious actors can take advantage of a several known attack vectors to influence a GenAI model’s functionality or cause harm to its end users, including: data poisoning, hallucination abuse, indirect prompt injection, and direct prompt injection.

Wiz researchers are actively analyzing the risks that GenAI introduces into cloud applications so that we can provide recommendations on how best to secure sensitive data. Currently we recommend conducting an isolation review of your cloud application as part of your threat modelling process by analyzing the risks associated with customer-facing interfaces, determining which security boundaries are in use, and then measuring their strength. When choosing to incorporate a GenAI model into your service, it’s critical to assess the risks that the model and its interfaces may introduce into your system.

Q4. How does Wiz plan on using its presence at Black Hat USA 2023 to help customers gain a better understanding of the company's capabilities and solutions?

The advent of cloud signals a huge change to the way teams build software, and today’s cloud operating model requires a tight interlock between security and development. That’s what we enable at Wiz.

The single biggest trend in cloud security right now is consolidation. Security teams need a deep understanding of risk in order to be effective. They need to work with their development counterparts and think like a product team. That means having a clear understanding of priorities and you can’t do that without context. If you come by our booth we’ll be putting our “Level Up” theme on full display with demos and talks that show exactly how Wiz enables the new cloud operating model. We’ll also have various researchers attending to talk about recent discoveries and new scanning techniques.

Sustaining Partners