TechChannels Expert Insights

Q&A: iCounter CEO Reimagines Threat Intelligence to Suit Modern Security

Written by Teri Robinson | Oct 31, 2025 11:00:00 AM

AI is both friend and foe of the defender—in the right hands, it has the power to improve security, cut through the alert noise, and suss out threats so they can be quickly remediated. But in the wrong hands, it can find points of vulnerability faster than human counterparts and accelerate and scale attacks. It is also having a profound effect on threat intelligence.

John Watters, CEO at iCOUNTER and a security pioneer known for founding and leading cybersecurity companies like iSight Partners, which was eventually sold to FireEye and integrated into Mandiant, came out of retirement when he saw how AI was going to revolutionize threat intelligence—and the threats themselves. Adversaries are winning on innovation, he says, while defenders are in the midst of stagnation. He explains why it’s time to reimagine how to counter threats in modern times.

Q. You were happily retired and then AI burst on the scene. What compelled you to jump back in?

A. The reason I came out of retirement is because we're going to go through the Industrial Revolution 50 times faster over the next three or four years. I wasn't here to sit this chapter out in history.

Q. Why is threat intelligence so ripe for AI?

A. In my view, threat intelligence is really commoditized now. There are all these companies saying, “here are more actors, here are more tools, here are more capabilities, here are our IOCs.” And the industry is just kind of like white noise now. So, what the adversaries say is “Well, yeah, we used to use the same playbooks against the same people, but now the defenders are leveraging AI to very quickly respond to the same stuff.” The tradecraft is going to go the way of antivirus and malware signatures. Then defenders say “forget the tool level. Let's block the infrastructure they come from,” anonymizing and rotating the infrastructure. And the adversaries then build an automated way for target selection, target reconnaissance, and then custom build unique playbooks for each target. Everybody becomes patient zero, and that changes the game and how you defend.

Q. Why is it so difficult for defenders to keep up, or best, adversaries?

A. The cybersecurity industry is kidding themselves if they think they're the innovators. Adversaries lead innovation, and all we do is try to maintain pace, but they're doing it at a time of innovation acceleration in general, facilitated through AI in a time of defensive stagnation. Fifty-three percent of CISO budgets are flattened down this year, and people are like deer in the headlights, looking at all this AI stuff, and they don't know what to do. So, you got innovation stagnation for the defender, and innovation acceleration for the attacker. That creates a widened security gap, which means pain is on the horizon.

Q. AI is reshaping everything, including software development. Is it making us safer or is it a liability? Or both?

A. AI is amazing in that we can all leverage vendors faster. As we deploy AI, it becomes a bigger target, creates a broader attack surface. We see this playing out real time on our platform. We have more [hackers] joining the platform than ever before, because the bar to entry is so much lower. Historically, you had to have some level of capability. Self-taught on YouTube, or you played around until you figured out [how to code] then you would start to build scripting and automation and development experience. But today you develop a little hackbot based on ChatGPT or some other tool, and you can suddenly join these platforms and start a new line. Well, the adversaries are doing the same thing. So as much as we're trying to advance the defender to say AI helps you scale and move faster, we're seeing that come from the other side as well. We're seeing zero data exploits happening in hours. It’s well under 24 hours now that they're able to decompile these things, build an exploit, and launch it.

Q. How can that gap be closed?

A. We use intelligence to counter targeted threat operations. [Defenders need to] get inside the development cycle of adversaries and reimagine how to counter threats in this modern world. Everything we built and deployed leverages intelligence fundamentally and AI to create it; then we correlate it with a digital profile. We say what's a customer look like that's being targeted? They've got their whole ecosystem. They’ve got their suppliers, all their third parties. Those are all ways in. Their data is distributed in a lot of these different places. That’s third-party risk.

Q. To protect that ecosystem, you’re pioneering what you call risk intelligence. Could you explain what you mean by that?

A. One of these segments we’re disrupting is third-party risk. We call it risk intelligence, not threat intelligence. Threat intelligence is what's happening around the world. Risk intelligence is: this is a threat that's active against you. Now it's a risk. [As a defender,] I’m trying to understand that better and maybe take it seriously as well. Risk intelligence is a whole different beast; it intersects with your ecosystem. Using modern capability and tactics, we have digital spies all over the underground, logging everything we see—every time a database is sold, access is sold, admin rights are being sold, there's a data breach anywhere, we witness all of it and we log it in our database. We then correlate all that threat information against the digital profile of our customer, and we find matches. Now you’ve got an active threat against a specific target, and rather than having their internal team sift through all the hay to find the needles, we [say] “here's a needle.”

Q. So, no more alert fatigue?

A. The [threat intel traditionally] produced, 95 percent of it never weighed into a decision. They could be the most beautifully curated, editorially written constructs, with all the technical detail, and most people never even read it. Unless there's an intersection with them. A company is trying to find where the risk is in all this noise. No longer just the noise, you’ve got to find the signal. We serve up signals