Personal Hacking Will Be A Pretty Fierce Bear
lock
Have you ever heard from the Nigerian prince?
You know – some disembodied person shows up on text or email or some other channel, talking about a big financial opportunity through which you personally can benefit by just sending a bit of money or your financial details.
It’s all the rage right now, but it’s likely that all of this will be seen as a landmark of the past decade pretty quickly.
We’re suddenly moving into a system where cyberattacks will be much more personalized and sophisticated – where broader spearphishing efforts will be replaced by hacks that use your personal information to reach out to you in a very targeted way.
Tomorrow’s scammer may know everything about you: where you work, how you work, what motivates you, who your family members are, etc. Why not? A lot of this information is online, in some shape or form, and with AI, it’s all too easy to scrape it together.
Personalized Hacking and Lack of Cybersecurity Firepower
One of the big problems in this current cybersecurity industry is simply a lack of workers.
“AI is shifting Cybersecurity from reactive to predictive,” said John Keister, CEO of MixMode, in a recent press statement on the state of cybersecurity today. “But legacy platforms are slowing customers down with their complexity and reliance on rules. To add to that pain, we have a huge gap where we don’t have the skilled workers to fill the job openings.”
Companies lack the human labor to address all of the growing attack vectors, and to be on the lookout for these kinds of personalized and customized attacks.
To use the language of cybersecurity experts, the attack surface is just too big. The set of attack vectors is too large.
And then there is the regulatory context.
Laws and Compliance
A spate of cybersecurity laws are supposed to help companies to batten down the hatches on cyberattacks, but if they’re too difficult for many firms to achieve compliance with, that can be an issue, too.
Some of our own reporting from Forbes goes over items like the Digital Operational Resilience Act, the EU AI Act, and Cybersecurity Maturity Model Certification. Metin Kortak explains how DORA, for its part, mandates forms of penetration testing and self-hacking in order to make sure that the company is testing its systems thoroughly.
But again, how do companies square the circle when it comes to achieving compliance with more of the cybersecurity regulations, by redoubling their efforts in these ways?
Yonatan Amit is the CEO and cofounder of 7AI, a firm focusing on cybersecurity and managed services.
At a recent presentation at Imagination in Action in April, he went over some of what his company is doing to battle hacking in the AI age.
A lot of it, he said, is about leveraging the power of AI agents – in other words, if we don’t have enough humans to do the cybersecurity work, maybe AI can do it for us.
“AI can alleviate the load on these poor workers,” he said, showing how some of the systems may be better than analysts in both the quantity and quality of cybersecurity efforts.
That is, he suggested, if it’s done the right way.
“The AI is taking a very long and complex path, but explaining every single step it’s doing, and why,” he said. “Because we as human have to believe the result. We have to report it. We have to make sure that we can go to our fiduciaries and explain what’s happening.”
Important Techniques
As an example, Amit pointed to a system that can smartly identify location mismatches, where a person logs in in one place, (he uses the example of Denver), and subsequently logged in to another (where he uses the example of Texas).
Essentially, he explained that one of two things will be true – either the person has multiple devices that created this mismatch, or somebody stole a password or information and is using that person‘s footprint in an illegitimate way.
Owning the Battleground
Cybersecurity defenders, Amit said, do have an important advantage.
They own the networks that are being competed for in terms of access.
“We own the battleground,” he said. “We define what checkpoints are. We define what our controls are. We define the policies that manifest these controls. The big problem is that it’s just such a complex thing to set up. It’s very, very hard to monitor all of those controls, and that’s where companies are failing, because the bottleneck is the ability to look at all the signal.”
The Value of Pen Testing
When asked about self-hacking, Amit described the practice as a “double-edged sword.”
It’s important, he suggested, to know how to correctly pursue self-hacking, with the right context and self-awareness about your network. When asked about the dark web, he explained that the dark web is an environment, full of data, but that hackers don’t just use the dark web.
He painted a picture: of a hacker who infiltrates a small shop of maybe ten people, and uses that network to trojan into a place like J. P. Morgan.
“It starts with: how do I get my initial foothold?” he said. “And that’s, oftentimes, by social engineering and convincing a person to act incorrectly. There’s another class of vulnerabilities. … but once you have that initial access, you have a lot of other activities, reconnaissance in your target, moving laterally across various assets, being able to operate within an environment.”
The World of Tomorrow
It’s not just cybersecurity where we’re going to see AI agents become ascendant. They’re going to be doing all kinds of work.
As I’ve been hearing about agentic AI, and that’s mostly over the past couple of years, people are envisioning systems where there’s not a lot of human in the loop activity at all. We have the specter of AI-only companies competing with those that have human leadership and humans working the front lines.
But here in cybersecurity, it makes sense to think of a human skills gap being addressed with smart automation. So look for this to become one of the biggest trends for this industry in 2025.