# Assessing risk during and after DX
How does more automation increase human vulnerability factors?
silur@DigitalizationDay2023
---
## Whoami
- Forbes 30/30 independent consultant/dev
- Ethical hacker
- Cryptographer
- Quantum computing/crypto researcher
- Cofounder
---
## Agenda
- Current statistics & War stories
- Consensus on the implications of wrong execution
- Threat modelling
- Definition of an organization
- Attacker goals (unformalized)
---
- An example digitalization framework
- Defense during digitalization
- MITRE ATT&CK
- F.A.I.R
- NIST SP800-37
---
- Defense After the digitalization
- Supply chain monitoring
- Blue teaming primer
- Monitor -> Response -> Rinse&Repeat
- Personnel training
---
On AI
- Pros&Cons
- Clever Hans
- Case studies
- A makeshift framework
---
Goals:

<small>source: Fortinet, 2018</small>
---
Importance of components

<small>source: Fortinet, 2018</small>
---
Consensus

<small>source: Fortinet, 2018</small>
---

<small>source DOI 10.1177/0008125620940296</small>
---

<small>source: Fortinet, 2018</small>
---
Main reasons for the concern
- DX is usually a scale-up step
- Scale-up is not as agile as startup
- New tech is scary at this point
- Unavoidable in order to keep competitive
- Astronomically increased attack surface
---
Threat modelling

---
Makeshift components
- Organization :office:
- Assets :moneybag:
- Attacker goals :smiling_imp:
---
## Organization :office:
- a multi-agent system with
- identifiable boundaries
- system-level goals toward which
- the constituent agent’s efforts are expected to make a contribution
<small>Phanish Puranam, Oliver Alexy, and Markus Reitzig, “What’s ‘New’ about New Forms of
Organizing?” Academy of Management Review, 39/2 (April 2014): 162-180.</small>
---
## Asset :moneybag:
_Anything of value that the organization seeks to protect, both tangible and non-tangible_
Examples:
- Physical products
- IT infrastructure, servers
- Employee health
- Regulation compliance
- Office HQ
- PR
---
## Attackers :smiling_imp:
_An agent that acts against the asset in a way that can result in loss to the organization, tangible or intangible_
:warning: Attackers are not always rational :warning:
---
## Loss magnitude
- Implies detailed knowledge of assets
- Implies projections of future performance, knowledge of direct and opportunity costs
- Usually a business-heavy assessment
---
## Loss frequency
- Implies detailed knowledge of current adversarial actors
- ... their TTPs (tactics, techniques and procedures)
- and internal controls against them
- Usually a secops-heavy assessment
---
## TTP & Risk frameworks
---

<small>source: https://www.lockheedmartin.com/</small>
---

<small>source: NIST SP800-37</small>
---

<small>source: NIST SP800-37</small>
---

<small>source: NIST SP800-30</small>
---

<small>source: FAIR Institute</small>
---
This means we can approach risk through each component:
- Asset-oriented
- Threat-oriented
- Vulnerability-oriented
Each approach can give different results; it is best to average them all!
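
A FAIR-style sketch of the averaging idea, added here as an example and not part of the original slides: each approach supplies a loss frequency and a loss magnitude range for the same scenario, the annual loss is simulated, and the three views are averaged. All figures and names (`ESTIMATES`, `simulate_annual_loss`, `combined_view`) are constructed; Poisson frequency and triangular magnitude are modelling assumptions.

```python
import math
import random
import statistics

# Constructed analyst estimates for one scenario (all figures are hypothetical).
# lef: expected loss events per year; loss: (min, most likely, max) per event.
ESTIMATES = {
    "asset-oriented":         {"lef": 0.5, "loss": (20_000, 80_000, 400_000)},
    "threat-oriented":        {"lef": 2.0, "loss": (5_000, 30_000, 150_000)},
    "vulnerability-oriented": {"lef": 1.0, "loss": (10_000, 50_000, 250_000)},
}

def poisson(rng, lam):
    """Knuth's method: number of loss events in one year at rate lam."""
    threshold, k, p = math.exp(-lam), 0, rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_loss(est, years=20_000, seed=1):
    """Simulated yearly losses: loss frequency x loss magnitude, per year.
    The triangular distribution is an assumed stand-in for the magnitude."""
    rng = random.Random(seed)
    low, mode, high = est["loss"]
    return [
        sum(rng.triangular(low, high, mode) for _ in range(poisson(rng, est["lef"])))
        for _ in range(years)
    ]

def summarize(losses):
    """Mean annual loss and the 95th percentile (a bad year)."""
    ordered = sorted(losses)
    return {"mean": statistics.fmean(ordered), "p95": ordered[int(0.95 * len(ordered))]}

def combined_view(estimates=ESTIMATES):
    """Per-approach summaries plus their plain average."""
    per_approach = {n: summarize(simulate_annual_loss(e)) for n, e in estimates.items()}
    average = {
        key: statistics.fmean(s[key] for s in per_approach.values())
        for key in ("mean", "p95")
    }
    return per_approach, average

if __name__ == "__main__":
    per_approach, average = combined_view()
    for name, s in {**per_approach, "average of approaches": average}.items():
        print(f"{name:24s} mean={s['mean']:>10,.0f}  p95={s['p95']:>10,.0f}")
```

A wide spread between the three rows is itself a finding: it shows where the business-side and secops-side estimates disagree.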
---
After DX:
- Implement a proper IDS, EDR (or better XDR)
- SIEM
- Logging and Logshipping
- Backups and backup testing
- Incident response team and plan
- Personnel and equipment testing
- Continuous policies
- SSO, mandatory MFA, ban BYOD.
---
## On the current AI DX
---
Clever Hans :horse:
---
"Every hacker's favorite exploit is human stupidity.
By blindly worshipping AI without understanding it, we created artificial stupidity."
---
This latest DX is not like any before.
So far, attacks against the new systems were heuristic, and could be fixed with patches.
Some AI attacks do not behave like this :/
---

<small>source: https://arxiv.org/pdf/2207.00091.pdf</small>
---
__Hacking a "Smart" Rifle__
{%youtube BJPCYdjrNWs%}
---
You can certify your models against these attacks!
Certificate compliance will eventually be a new policy (hopefully enforced)
---
Conclusion
- Organization-wide attacks and APTs are possible due to lack of policies
- DX is itself a policy, but incomplete without blueteam planning
- DX security policies are not a single step; they are a continuous process that needs to be monitored and updated
- The AI DX is somewhat special :robot_face:
---
## Thanks for your attention!
https://silur.dev
slides are online:
