Tidal Cyber Blog

Build Resilience as Threat Actors Use AI to Lower the Barriers to Entry

Written by Scott Small | Jan 16, 2025 2:30:00 PM

Previously, we’ve covered how threat actors are using GenAI to lower the barrier to entry of existing forms of attack. A recent FBI alert validates these observations and describes how threat actors use GenAI to facilitate financial fraud and extortion. AI-generated text assists with language translation, spelling, and grammar to make spear-phishing emails more convincing. And AI-generated images make fake social media profiles used for reconnaissance more believable. 

While techniques like email phishing and fake persona use are not new, AI is making them more accessible to threat actors and more effective. When adversaries are able to exploit points of entry with greater ease and more effectively, the concern over AI-based attacks becomes very real for more organizations. Financially motivated threat actors tend to cast a wide net. As the scope and scale of this type of activity increases, post-compromise behaviors become more apparent. Organizations that weren’t previously impacted by these adversary groups (or not at significant levels) could see their defenses being put to the test. 

So, how can organizations ensure they’re prepared for what we believe will be a growing trend in 2025?

Validating your defense-in-depth approach and quantifying your risk helps build resilience to these attacks. This is where Tidal Cyber helps. 

The Essential Role of AI Threat Intel

When we started to see threat actors using AI in this way last year, we collaborated with recognized AI threat researcher and expert Rachel James to add adversary AI threat intelligence content to the Tidal Cyber knowledge base. Multiple new groups were added, and several other groups were updated with new MITRE ATT&CK® Technique Relationships derived from her repository. Our updates include an “AI Threats” tag for Community Edition users, which allows for easier access to this critical information. 

To explain how Enterprise Edition users can use this content to validate and strengthen their Threat-Informed Defense, let’s take the adversary group Kimsuky as an example. 

Kimsuky appears in many clients’ threat profiles because the group is so prolific. Users that have already included or decide to add Kimsuky to their threat profile will see their threat profile updated automatically with the AI-related threat information and TTPs, with cascading effects for any Coverage Maps using this profile.

Kimsuky has recently been observed using several AI-enabled techniques, which map to distinct ATT&CK Techniques. Two of those Techniques, which had not previously been linked to Kimsuky, are vulnerability research and spear-phishing, specifically:

  • T1588.006 – Using AI tools like ChatGPT to perform vulnerability-related research to more quickly find and more easily exploit vulnerabilities to compromise organizations.
  • T1566 – Using AI tools to write better, more convincing phishing emails and other content used in spear-phishing campaigns to dupe users into clicking.

Once inside an environment, Kimsuky reverts to the dozens of TTPs they traditionally use to impact an organization. 

Pivoting to Understand Security Posture

In the Tidal Cyber platform, when users see T1588 and T1566 in their threat profile and know a specific group is using these techniques, they can easily pivot to see all the specific security tools and solutions that relate to and defend against each of them. 

Enterprise users that have already added their existing capabilities into their Defensive Stacks in the platform can view their updated Coverage Map and metrics to understand how well they are protected against each of these techniques. Capabilities such as vulnerability-management solutions and patching systems help defend against T1588.006 (and the follow-on exploitation of discovered or developed weaknesses). Gateways and other email security tools are common, concrete ways to help defend against T1566. Basic cyber hygiene processes such as phishing and social engineering training and user awareness are also included in the analysis.

The Coverage Map also shows how well the organization is protected against the additional TTPs Kimsuky is known to employ once they have gained access. The platform’s Recommendation engine suggests reconfigurations to improve the efficacy of existing tools against all the associated TTPs, and additional security measures that could be put in place to address coverage gaps. 
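To make the coverage-map cascade concrete, here is an added example in Python (not Tidal Cyber's code). It models the flow the section describes: techniques added to a group update every threat profile containing that group, and the recomputed map shows which techniques the defensive stack leaves uncovered. All group, technique and stack data is constructed; only T1588.006 and T1566 come from the post.

```python
"""Toy threat-informed-defense coverage map (added example, not Tidal Cyber code).
Models the cascade the post describes: techniques added to a group in the
knowledge base flow into every threat profile containing that group, and the
recomputed coverage map shows which ones the defensive stack does not address.
All group, technique and stack data below is constructed sample data."""
from collections import defaultdict

# Constructed catalogue: group -> ATT&CK technique IDs. Sample IDs only; the
# post itself names just T1588.006 and T1566 as Kimsuky's AI-related additions.
GROUP_TECHNIQUES = {"Kimsuky": {"T1566.001", "T1059.001", "T1105"}}

# Constructed defensive stack: capability -> techniques it helps defend against.
DEFENSIVE_STACK = {
    "email gateway": {"T1566"},
    "endpoint detection": {"T1059.001", "T1105"},
}

def parent_technique(tid):
    """T1566.001 -> T1566; a top-level technique maps to itself."""
    return tid.split(".")[0]

def add_techniques(catalogue, group, new_techs):
    """Knowledge-base update: return a new catalogue with techniques added."""
    updated = {g: set(t) for g, t in catalogue.items()}
    updated[group] = updated.get(group, set()) | set(new_techs)
    return updated

def build_threat_profile(groups, catalogue):
    """Union of every profiled group's techniques."""
    return set().union(*(catalogue.get(g, set()) for g in groups))

def coverage_map(profile, stack=DEFENSIVE_STACK):
    """Technique -> capabilities covering it. A capability mapped to a parent
    technique (T1566) is credited against its sub-techniques (T1566.001) too."""
    covered = defaultdict(list)
    for cap, techs in stack.items():
        for t in profile:
            if t in techs or parent_technique(t) in techs:
                covered[t].append(cap)
    return {t: sorted(covered[t]) for t in sorted(profile)}

def coverage_metrics(cmap):
    """Percent of profiled techniques with at least one capability, plus gaps."""
    gaps = [t for t, caps in cmap.items() if not caps]
    pct = 100.0 * (len(cmap) - len(gaps)) / len(cmap) if cmap else 0.0
    return {"covered_pct": round(pct, 1), "gaps": gaps}

if __name__ == "__main__":
    cat = add_techniques(GROUP_TECHNIQUES, "Kimsuky", ["T1588.006", "T1566"])
    print(coverage_metrics(coverage_map(build_threat_profile(["Kimsuky"], cat))))
```

Adding a "vulnerability management" capability mapped to T1588.006 to the stack closes the gap the update exposes, which is the kind of reconfiguration or new control the recommendation step is meant to surface.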

Raising the Bar

Threat-Informed Defense is all about synthesizing intelligence using threat profiles and marrying that data with coverage maps to calculate risk reduction given an organization’s existing security tools. The Tidal Cyber platform helps defenders figure out which of their hundreds of security tools to focus on at any given time to strengthen security posture, including against AI-based attacks. In a rapidly evolving adversary environment where the barriers to entry are lowering, Tidal helps defenders continue to raise the bar on defenses.