
However, a new SANS Institute research paper warns that, in certain conditions, an attacker could turn the new feature against its owner and use it to disable all user accounts.
The lesson, said Johannes Ullrich, the institute’s dean of research, is that autonomous AI action tools have to be tuned and tested like any other automation capability.
“Automatic isolation and attack disruption are not new concepts,” Ullrich said in an email, “but ideas like these have been used in the past in open source and commercial tools. This feature is most important in organizations with under-resourced IT security teams, as it automates attack response. However, these features must be carefully tuned. If they are left unconfigured, attackers can use them to delay response by disrupting accounts used by administrators.”
Nonetheless, in today’s environment, tools like these are important. Robert Enderle, IT consultant and head of the Enderle Group, noted that modern automated malware and ransomware attacks move at machine speed, which means human response times are effectively obsolete.
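The tuning Ullrich describes can be made concrete as a small decision policy in front of an automated "disable account" action: protected break-glass and administrator accounts are escalated to a human instead of being disabled, and a circuit breaker caps how many accounts automation may disable in a sliding window, so a flood of attacker-triggered alerts cannot empty the directory. This is an added illustration, not code from Microsoft, SANS or the article; the account names, thresholds and alert stream are constructed.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class DisruptionPolicy:
    """Guard rails around an automated account-disable response (constructed example)."""
    protected: frozenset                 # break-glass / admin accounts never auto-disabled
    max_disables: int = 5                # cap on automatic disables per window
    window_seconds: float = 600.0        # sliding window length
    _recent: deque = field(default_factory=deque, init=False, repr=False)

    def decide(self, account: str, now: float) -> str:
        """Return 'disable', 'escalate' or 'throttle' for one alert on `account`."""
        if account.lower() in self.protected:
            return "escalate"            # human decides for privileged accounts
        # Drop disable timestamps that have aged out of the window.
        while self._recent and now - self._recent[0] > self.window_seconds:
            self._recent.popleft()
        if len(self._recent) >= self.max_disables:
            return "throttle"            # mass-disable pattern: pause automation, alert SOC
        self._recent.append(now)
        return "disable"


def run_demo() -> list:
    """Feed a constructed alert stream through the policy and return the decisions."""
    policy = DisruptionPolicy(
        protected=frozenset({"breakglass-admin", "svc-backup"}),
        max_disables=3,
        window_seconds=600.0,
    )
    # (timestamp_seconds, account) pairs; a burst at t=0 then one alert much later.
    alerts = [
        (0.0, "user1"), (1.0, "breakglass-admin"), (2.0, "user2"),
        (3.0, "user3"), (4.0, "user4"), (700.0, "user5"),
    ]
    return [(acct, policy.decide(acct, ts)) for ts, acct in alerts]


if __name__ == "__main__":
    for account, decision in run_demo():
        print(f"{account:18s} -> {decision}")
```

The fourth ordinary account in the burst is throttled rather than disabled, and automation resumes only once the earlier disables have aged out of the window.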