Full Report
Cybercriminals are using AI for help in planning and conducting cyberattacks—but cybersecurity vendors are fighting back. Learn from Acronis Threat Research Unit about how AI-powered security solutions are closing the gap in the battle against AI-driven cyber threats. [...]
Analysis Summary
# Main Topic
The evolving battlefield between cybercriminals leveraging Artificial Intelligence (AI) for offensive operations and cybersecurity vendors using AI-powered solutions to counter these threats, specifically referencing findings from the Acronis Threat Research Unit (TRU).
## Key Points
- Cybercriminals are using AI to improve the quality of phishing campaigns (fewer errors, greater apparent legitimacy) and for coding assistance, vulnerability research, and network invasion planning (e.g., state-sponsored APTs using Gemini AI).
- Acronis TRU observed a significant increase: the number of email-based attacks rose by almost 200% from H2 2023 to H2 2024, with phishing accounting for three out of four attacks.
- Cybersecurity vendors are actively fighting back using AI in defense, leveraging it for detection of novel malware, improving incident explanations via chatbots, and automating threat hunting and remediation.
- AI-based script generation promises to democratize security capabilities by allowing non-experts to create remediation scripts (e.g., in response to EDR alerts) and automate security configurations across numerous workloads.
## Threat Actors
- State-sponsored Advanced Persistent Threat (APT) groups are explicitly mentioned as utilizing AI assistants (like Gemini) for attack preparation.
- General cybercriminals are utilizing generative AI to craft more effective phishing emails rapidly.
## TTPs
**Offensive TTPs (AI-Enhanced):**
- Enhanced generation of phishing emails using AI for speed and quality.
- Using AI assistants for coding malicious tools and scripts.
- Researching publicly disclosed vulnerabilities and target organization details.
- Searching for methods to invade already compromised networks.
- Exploiting deepfakes and potentially poisoning AI models.
**Defensive/Counter TTPs (AI-Powered Security):**
- Detecting unseen variations of malware samples.
- Utilizing AI-powered chatbots linked to EDR to explain security incidents clearly to non-expert users.
- Automating threat hunting and remediation decision-making.
- Semantic search of past support tickets for automated resolution recommendations and root cause analysis.
- Generating remediation scripts instantly based on security threats detected by EDR.
## Affected Systems
- Systems targeted by AI-enhanced phishing attacks (the recipients implied by the almost 200% rise in email-based attacks).
- AI platforms themselves, which are mentioned as coming under attack.
- General IT infrastructure relying on configuration management, for which AI scripting can standardize security settings.
## Mitigations
- **For Incident Understanding:** Deploying AI-powered chatbots linked to EDR to provide simple, jargon-free explanations of security incidents.
- **For Remediation/Automation:** Implementing AI-based script generation capabilities for automating user/system management, software installation, remediation steps, and standardizing security configurations.
- **Proactive Defense:** Continued innovation by security vendors to leverage AI for detecting novel threats and automating response faster than attackers.
## Conclusion
The battle between offensive and defensive AI usage is currently tilted slightly towards cybercriminals, who have rapidly adopted generative AI for improving traditional attack vectors like phishing. However, cybersecurity vendors are rapidly closing this gap by deploying mature AI capabilities in detection, analysis, and automated response, promising to level the playing field through tools like AI-assisted scripting for enhanced remediation and configuration standardization. Organizations should monitor the adoption of AI-driven defense solutions to counter the significant rise in AI-assisted threats observed by TRU.