Organisations’ lack of attention to some of the most basic tenets of cyber hygiene not only continues to hamstring defenders but increasingly leaves the door wide not only to career cyber criminals using tried-and-tested tactics, but also less sophisticated actors exploiting artificial intelligence (AI) agents and models to power attacks at scale in an emerging phenomenon that experts at data observability specialist Splunk are calling vibe-hacking.
Speaking at a session held at this year’s Splunk.conf, taking place in Boston this week, Splunk cyber executives lamented poor security practice and called on businesses to “eat their cyber vegetables”, while acknowledging that CISOs have a mountain to climb to do so.
Ryan Fetterman, senior security strategist at Cisco Foundation AI and Splunk SURGe, his historical position had been to tell people not to get too worked up about AI changing the nature of cyber attacks, because threat actors were typically using such models to recreate the same methodologies favoured by humans, albeit at scale and more efficiently.
However, he said, this was clearly now changing. He noted in particular the emergence of an AI-powered ransomware PromptLock – which was discovered by ESET researchers at the end of August – although this turned out to be a proof of concept (PoC) developed by engineers at the Tandon School of Engineering at New York University (NYU),
“Cyber vegetables are important,” said Fetterman. “The reason for that is because the bar has been lowered for attackers using AI to scale their attacks and require less sophistication to do the things that they want to do. That makes it easier to find the low-hanging fruit for things like ransomware.”
Fetterman detailed an example of a ransomware incident in which the threat actor engaged in vibe-hacking – a nefarious bedfellow to the marginally more benign vibe-coding phenomenon.
He explained how the attacker used an AI agent to help conduct a full ransomware attack chain from initial target reconnaissance to vulnerability exploitation to execution and encryption. If this wasn’t already bad enough, they were also able to scale this attack chain across a total of 16 victims.
“I think that is scary because that can obviously scale to more attackers and scale to more victims, and now the targets that may not have been appealing from a financial perspective previously can in aggregate bring more of a return for those attackers, and maybe organisations that would have been lower on the priority list are fair game,” said Fetterman.
Splunk CISO Michael Fanning told Computer Weekly that nailing the basics was the most important part of any cyber security programme.
“I think very often we chase these shiny new technologies and capabilities and often they are a solution looking for a problem,” he said. “We need to think about what are the problems we’re trying to solve.
“When you learn how to play basketball, you start by learning how to make a layup, how to shoot free throws, how to play defense – and those are some of the hallmarks of a good team, there’s nothing fancy about that,” added Fanning. “The same is true with running cyber security – really nailing the basics in the core domains of cyber security is just an integral part of actually protecting your environment.”
Fanning acknowledged that it is understandable that some security leaders might give into novelty. However, he added: “Usually when that happens that’s indicative of a lack of strategy for your organisation.”
Security leaders who have defined their top security initiatives and objectives can better keep their teams focused on what truly matters, and on the right track, and avoid such “pet projects” that serve only to distract and increase risk, said Fanning.
