AI Is Raising the Stakes: Why Security Basics Matter More Than Ever
AI is changing the economics of vulnerability discovery. As the barrier to finding and weaponising software flaws falls, organisations can no longer assume that fully patched systems and perimeter controls are enough. The fundamentals of good security - minimising attack surface, enforcing least privilege, segmenting environments, managing data properly and investing in detection - are becoming more important, not less.
A “zero-day exploit” - a previously-unknown vulnerability for which no patch exists - used to be the province of nation-state threat actors, well-resourced nation-sponsored crime groups and highly-competent security researchers. Zero-days have always been difficult to defend against directly as they are, by definition, unknown and unsignatured.
Researching, identifying and weaponising security vulnerabilities has historically been difficult, time-consuming, expensive and therefore the province primarily of those who saw this activity as providing a meaningful return on investment - those who wanted to target well-protected organisations and remain undetected whilst they dwelled for a long time. For the rest of the criminal groups looking for a financial benefit, there have been much easier ways to gain access to valuable systems and data - configuration errors, poor passwords, phishing attacks and social engineering.
In the age of agentic AI, the barrier to entry for vulnerability identification and exploitation is lowering. The newest frontier models, such as Anthropic’s Mythos 5, are being treated like offensive weapons due to concerns that they will allow vulnerabilities to be discovered and rapidly weaponised with ease. Even readily-available older models, such as Opus 4.6, have a good detection rate for vulnerabilities where they have access to the source code. For most high-profile open source projects, it would be safe to assume that LLMs are being used to seek vulnerabilities and weaknesses both by maintainers and by potential adversaries.
AI models are making adversaries and defenders alike more efficient in planning and executing their activities, and whilst human creativity and ingenuity is not being replaced wholesale, there is no doubt that AI models are now in a position where it is no longer prohibitively difficult for a casual adversary or single motivated individual to identify and exploit a previously-unknown vulnerability in a fully-patched system.
Enterprise support personnel are already seeing the impact of the acceleration in vulnerability research across the world. The volume of patches being rolled out by software vendors has increased across the board as software vendors conduct more vulnerability research, enabled by AI tooling to be faster and more thorough than ever before. For Cyber Essentials certification, all critical and high risk patches must be applied consistently within 14 days, underlining the importance of patching regimes for overall resilience - over time, this window may tighten further as the threat landscape evolves. Update volumes, and tight windows for patching, mean that support teams are under pressure to test and roll out security patches faster and more frequently than ever before. Many are overloaded by this patching burden, but this is not likely to end any time soon and therefore enterprises will need to adapt.
The exploitation of software vulnerabilities to gain an initial foothold is only one route that an adversary can take to gain a foothold in a target organisation, and historically if patches were kept up to date the likelihood of a successful exploitation was relatively low due to the difficulty in identifying unknown software flaws. This calculation has fundamentally changed in the last six months, but what does that mean for keeping an organisation safe?
For the last twenty years or so, patching the perimeter and implementing firewalls has provided many organisations with a reasonable level of protection from the internet at large, leaving adversaries to attempt to gain access using stolen passwords, or through the introduction of malware in phishing attacks. The widespread move to the cloud resulted in a shift towards credential and token theft from users, and more adversary-in-the-middle phishing attacks for initial access.
AI-augmented vulnerability research presents both an opportunity and a threat, and initial access to an organisation through the front door via vulnerability exploitation is much more likely. But AI-identified vulnerabilities are not magic. Whilst we should expect that many more initial points of compromise in coming years will arise as a result of a previously-unknown vulnerabilities being weaponised in the wild, it does not automatically follow that there should be more catastrophic data breaches as a result.
Defence, in the age of AI-augmented vulnerability research, cannot be limited to technical processes such as software patching. The organisations that adhere to the tried-and-tested security principles will be in a position to mitigate the zero-day threat much more effectively than organisations that are beset with technical security debt or lax security enforcement.
- Minimise attack surface area: Preventing the exposure of systems, services and interfaces that are not required to be accessible reduces the ability of an adversary armed with an exploit to use this to cause damage. If the vulnerable service cannot be accessed, the exploit cannot be used.
- Least privilege: Where every identity is operating with the minimum level of system and data access required to perform their role within the organisation, the impact of a compromise of an identity is limited to the privileges of that role. If the compromised identity does not have the right privileges for the adversary to achieve their objectives, they will need to think again and move to a different position.
- Data minimisation and data hygiene: An organisation cannot lose data that it does not have. Organisations that remove and destroy data that is no longer required, and properly manages access to the data that is required, are far less likely to be exposed to situations where a single user compromise leads to a bulk data breach.
- Segmentation: Separating operating environments into smaller, logically distinct regions based on sensitivity, risk or function makes lateral movement more difficult for an adversary and prevents them from accessing everything from a single point of compromise.
- Defence in depth: Ensuring that layered controls are present both for prevention and detection improves the likelihood of an attempted exploitation failing, and improves the likelihood of a breach being detected early.
- Invest in detection: As it is increasingly likely that initial compromises will occur, the speed with which an intrusion can be detected and contained becomes more important. Organisations with a well-resourced detection function, that can respond rapidly, are less likely to suffer damage.
When an adversary is able to gain a foothold in the organisation - human, or AI-led - their success and ability to cause damage is limited by the implementation of layered security controls and the adherence to core security principles.
For organisations with poor adoption of those security principles, catastrophic breach impacts following initial access are already likely and the AI revolution makes it more likely that such breaches will happen regularly and at speed. For organisations adhering strongly to security principles, even when initial access is gained by an adversary, the impact of a breach tends to be much, much lower - and the impediments to an adversary means that they have to work much harder and overcome many more hurdles before they can actually cause the damage they want.
When simulating cyber attacks through our adversary simulation services, the difference between an organisation possessing significant technical security debt and an organisation with strong security fundamentals is crystal clear to us in terms of the complexity of operating, the magnitude of the success we have and the time it takes us to achieve an objective during an exercise.
Whilst the fundamental security principles have not changed in the last twenty years, we’re approaching a tipping point where organisations that have so far not been “found out” will find themselves subject to an onslaught from which there is no hiding. In this world of accelerated research, you neglect the basics at your peril.
Improve your security
Our experienced team will identify and address your most critical information security concerns.