case study on artificial intelligence in cyber security

AI in cybersecurity an introduction and case studies

An introduction to AI in cybersecurity with real-world case studies in a Fortune 500 organization and a government agency

Despite all the recent advances in artificial intelligence and machine learning (AI/ML) applied to a vast array of application areas and use cases, success in AI in cybersecurity remains elusive. The key component to building AI/ML applications is training data, which traditionally must be manually labeled by subject matter experts (SMEs) in order to train ML models to perform a given task. Organizations seeking to develop custom AI/ML applications for cyber use cases face numerous challenges, each of which is addressed by Snorkel Flow:

Availability of training data : Unlike other domains, where open-source training datasets are often readily available, datasets featuring real-world cyber events within enterprise networks are rarely released, stifling the development of AI/ML applications. Organizations are left with the daunting task of creating custom labeled datasets required to train ML models.
Truly massive scale: The amount of network traffic generated on a daily basis by enterprises of every size is almost inconceivably large. Relying on teams of cyber analysts to manually review and label all of this data by hand in order to train ML models is a complete non-starter.
No two networks are alike : Each enterprise network and policy environment is unique, requiring custom ML training datasets specific to each network’s unique characteristics. The varying definitions of normal versus malicious traffic, and the distinction between authorized and prohibited activities, render “one-size-fits-all” training data and models largely ineffective.
Dynamic threat environment: Cyber adversaries are creative and adaptive, constantly evolving their tactics, techniques, and procedures to circumvent security measures. Static solutions that don’t allow network defenders to respond to constantly-changing threats will always be one step behind.

Snorkel Flow enables organizations to quickly and easily build their own labeled ML training datasets in-house, on their own network data and relying on their own cyber analysts’ knowledge. This allows them to train custom AI applications specifically suited to the unique nature of their networks and policy environments, and adapt these applications rapidly to accommodate network/policy changes or shifting adversary tactics. All of this can be achieved without any sensitive data leaving the organization within a fully governable and auditable workflow.

In this series of articles, we highlight two major case studies in which Snorkel AI customers overcame these challenges to develop AI/ML applications for cyber use cases with Snorkel Flow:

A Fortune 500 telecommunications provider uses Snorkel Flow to classify encrypted network data flows
A U.S. Government agency uses Snorkel Flow for application classification and network attack detection

AI in cybersecurity case study: Fortune 500 telco uses Snorkel Flow to classify encrypted network data flows

A globally-recognized Fortune 500 telecom company used Snorkel Flow to classify encrypted network data flows into their associated application categories. The customer’s data science team faced a number of challenges for this task, including:

Their past experience of labeling network traffic data by hand was too slow, noisy, and expensive , requiring precious time from network data experts.
Their existing probe used a static set of rules based on a fixed set of Service Name Indicators (SNIs), leading to a brittle solution that was difficult to adapt .
Their previous approach also struggled to accommodate changing data distributions, such as responding to network trouble tickets or alarms.
Multiple tools were required to cover the end-to-end machine learning pipeline, from data exploration and labeling, to model training and analysis.

Task description: Classifying network data flows

To evaluate Snorkel Flow’s ability to accelerate the development of ML models and AI applications for network data use cases , this customer compared a new solution they developed in Snorkel Flow against an existing solution based on a fully-supervised ML model trained on 178,000 ground-truth data examples. The Snorkel Flow solution was also compared against a baseline model trained on a subset of 2,000 examples from this ground-truth dataset. The goal was to see whether Snorkel Flow could enable this organization to produce a solution capable of replacing the fully-supervised ML in a fraction of the time required to manually label a ground-truth training dataset.

In this data, individual flows contained categorical and text features like source/destination port and IP address, SNIs, and forward/backward packets. Flows were then preprocessed to include statistical features, such as forward/backward inter-arrival time (IAT) statistics, flow bytes per second, and flow packets per second. Users of varying skill levels combined a number of different strategies for this effort, including creating no-code labeling functions with Snorkel Flow’s built-in network data visualization tools, writing code-based labeling functions using Snorkel Flow’s Python SDK, and leveraging Snorkel Flow’s ability to auto-generate labeling functions based on self-training and semi-supervised methods.

Results with Snorkel Flow

From an initial subset of only 2,000 ground-truth labeled examples, this telecom customer used Snorkel Flow to produce an additional 198,000 programmatically-labeled examples. A model trained in Snorkel Flow on this 200,000-example training dataset was 26.2% more accurate than a baseline model trained on the subset of 2,000 examples, and within 0.2% accuracy of a fully-supervised model trained on all 178,000 ground-truth examples. For aspects of the data that change over time, such as SNIs (which are prone to drift in production settings), the Snorkel Flow model was compared with a static rules-based solution and the baseline model described above. Incredibly, the Snorkel Flow model was 77.3% more accurate than the rules-based approach and also outperformed the baseline model by nearly 10% . An additional experiment was performed to test Snorkel Flow’s ability to adapt to changing distributions in the data, like the proportions between application types in the network traffic. Here, the Snorkel Flow model beat the baseline model by over 20% and managed to slightly outperform a fully-supervised model as well.

Ultimately, using Snorkel Flow enabled this customer to:

Deliver high-accuracy ML models for a network data application quickly , without being slowed down by an extensive hand-labeling process.
Develop adaptable solutions that provide a marked improvement over brittle, rules-based approaches.
Build applications that are robust to network data drift , by maintaining consistently-high performance scores even when data distributions change.
Help network data experts and data scientists to work together, using first-class network visualization and data processing utilities in a unified platform.

Encouraged by these impressive results on their first Snorkel Flow project, this customer is now developing a new application focused on anomaly detection for IMS network equipment metrics. This effort will identify real-time anomalies over time-series data , starting with the number of call attempts per second.

AI in cybersecurity case study: U.S. Government agency uses Snorkel Flow for application classification and network attack detection

A major AI center of excellence within the U.S. government selected Snorkel Flow to evaluate programmatic labeling as a means of accelerating the development of AI/ML applications for multiple cyber use cases. For this, ML models created in Snorkel Flow were compared with models trained on pre-labeled datasets. This group recognized hand-labeling as inadequate for their purposes for a variety of reasons:

Sensitive data cannot be shared externally for crowdsourced or outsourced labeling. Internal access is also frequently restricted to only those with a valid need-to-know, making the task of labeling ML training data even more difficult.
Labeling data by hand leads to ineffective workforce utilization. Experienced cyber SMEs are in high demand and short supply. There simply aren’t enough available to hand-label millions (or tens of millions) of individual data points.
Labeling data isn’t a “one and done” task. ML training data must be frequently updated to adapt to changes in real-world inputs or shifts in organizational objectives, which only magnifies the scalability issue.
ML models trained on hand-labeled data lack explainability. For an important policy decision or military action, it’s essential to articulate precisely why a specific choice was made. The need for trustworthy AI extends this to AI/ML.

Task description: Application type classification

The dataset for this task consisted of network packets collected from different applications, described using 50 data features and containing over 2,700,000 total records. The feature set included a mix of packet statistics (e.g., packet count, length of traffic, etc.), along with source/destination IP addresses and ports. Destination IP is very useful for predicting application type, but generally not advisable for use in training an ML model because applications often change the destination IPs used over time, and a model trained on this feature would not be able to adapt to such changes. Snorkel Flow provided a way to use the destination IP to quickly label training data with labeling functions, while preventing the resulting ML model from using it for training in lieu of more reliable packet statistics. In Snorkel Flow, we refer to this as a “non-servable” feature : a feature that can be used for labeling the data, but should not be relied upon as a feature for model training or prediction.

That is, as shown in the image below, destination IP was incorporated as a non-servable feature for the labeling functions (LFs) used to label the training data, alongside packet statistics and port information as servable features. However, at inference time, the trained model only relies on the servable features (i.e., packet statistics and port information), excluding destination IP as a non-servable feature.

Using Snorkel Flow, the customer’s team of data scientists and cyber SMEs programmatically labeled nearly 280,000 records using just 6 labeling functions. All the labeling functions had extremely high precision, with four achieving 100% precision, one hitting 99%, and another reaching 96% precision, and each with coverage proportional to the class distribution in the original dataset. An ML model trained in Snorkel Flow on this programmatically-labeled dataset was compared with a baseline model trained on 2,000 pre-labeled examples (representing a typical hand-labeled dataset for this kind of task). The Snorkel Flow model trained on the programmatically-labeled dataset outperformed the baseline by 7.4 points on an F1 scale. Additionally, the built-in targeted error analysis tools in Snorkel Flow were leveraged to discover and address several errors in the original dataset for this task. For example, a number of DNS traffic records were improperly labeled (by the source) as various different application types, rather than being labeled as DNS traffic itself. Snorkel Flow made it easy to quickly filter the dataset to identify these examples, leading the customer’s cyber SMEs to determine that all DNS traffic should be treated the same, rather than being grouped inconsistently into traffic examples from different applications. Overall, based on the error analysis performed in Snorkel Flow and the data errors detected, 41% of the original dataset was relabeled.

Task description: Network attack detection (Port scan vs. Benign traffic)

For this second task, a dataset of ~30,000 network packets with 85 features (e.g., packet length, IAT, etc.) was used to characterize traffic as either benign or part of a port scan attack . Instead of relying on interactive SME input in Snorkel Flow, here is an existing network attack ontology was directly transformed into labeling functions.

With just two labeling functions derived from the ontology, 100% of the original dataset was programmatically labeled in Snorkel Flow (i.e., all 30,000 examples). An ML model trained on the programmatically-labeled dataset achieved 88.1% accuracy.

Based on these initial successes, this federal customer is now exploring further work using Snorkel Flow to enable other mission-critical applications for AI in cybersecurity , and also extending the deployment of Snorkel Flow to non-cyber areas like financial analysis .

For organizations building AI applications using programmatic labeling and the data-centric AI approach pioneered by Snorkel and enabled by Snorkel Flow, solving all of these challenges becomes possible. To learn more about Snorkel and how we can help your organization accelerate the development of AI solutions for cyber use cases, or to request a demo , follow us on Twitter , Linkedin , Facebook , or Instagram . or contact us to learn more.

Join the community

Latest product demos

Sutherland delivers great customer experiences for its clients through a combination of consulting, services, implementation of proprietary and third-party software solutions, and SaaS and PaaS offerings, including implementing AI to enhance data security.

After seeing a rise in cybersecurity incidents in its IT environment, global industrial supplier ANDRITZ AG deployed an integrated set of managed security services on a virtual platform that provides 100% visibility, decision making support and the ability to process millions of events per day.

Credico, a professional services firm, enabled 100% tablet policy compliance and enhanced endpoint security with IBM Security MaaS360 – an AI-powered UEM solution, allowing them to manage 2,000 – 3,000 tablets for a diverse set of independent sales offices (ISOs) spread out across the US, Canada and beyond.

To better protect its patient data and applications and to comply with regulations, United Family Healthcare deployed an AI-enabled security operations platform that increased visibility and sped up its time to detect, contain and respond to ransomware attacks through the use of AI.

Learn how to safeguard your people and data from cyberattacks. Get deeper insight into attackers’ tactics and recommendations to proactively protect your organization.

Be better prepared for breaches by understanding their causes and the factors that increase or reduce costs. Hint: AI and automation are playing transformative roles.

More than 80% of SOC practitioners say that manual investigation of threats slows down their overall threat response times.

Research shows that organizations with fully deployed security AI and automation have experienced an average reduction of USD 3 million in data breach costs.

Learn about the elements of enterprise AI including trust, transparency and governance.

Schedule time to talk with an IBM representative about your organization's unique cybersecurity needs and discuss how AI-powered solutions can help.

1. Global Security Operations Center Study Results , administered by Morning Consult and commissioned by IBM, March 2023. Based on responses from 1,000 surveyed security operation center professionals from 10 countries.

2. Charles, B. S. (2016, October 16). Forrester Study Highlights a Company’s 90 Percent Reduction in Fraud Costs Using IBM Trusteer Solutions .

Role of Artificial Intelligence (AI) in Cybersecurity

See how FortiAIOps, an AI-powered solution, delivers visibility and speeds IT operations.

Why Is Artificial Intelligence (AI) Important In Cybersecurity?

Artificial intelligence (AI) enables machines to perform tasks that typically require human intelligence, including making decisions, recognizing human speech, perceiving visual elements, and translating languages. AI uses training data to comprehend context and determine how to respond or react in different situations.

Artificial intelligence in cybersecurity is increasingly critical to protecting online systems from attacks by cyber criminals and unauthorized access attempts. If used correctly, AI systems can be trained to enable automatic cyber threat detection, generate alerts, identify new strands of malware , and protect businesses’ sensitive data.

Benefits of artificial intelligence in cybersecurity include leveraging AI techniques—such as deep learning, machine learning (ML), knowledge representation and reasoning, and natural language processing—for a more automated and intelligent cyber defense. In this way, organizations can discover and mitigate the thousands of cyber events that they can come across daily.

Is It Safe To Automate Cybersecurity?

Strengthening cybersecurity currently requires human intervention. However, tasks such as system monitoring can be automated through AI. Automating the process will increase organizations’ threat intelligence capabilities and save them time discovering new threats. This is vital as cyberattacks increase in sophistication.

Cybersecurity automation using AI is safe because it is built on existing use cases in various business environments. For example, human resources (HR) and information technology (IT) teams use AI to onboard new employees and provide them with the resources and appropriate level of access to do their job effectively.

Automation is particularly important in cybersecurity given the ongoing shortage of expert security staff. This allows organizations to enhance their security investments and improve operations without having to worry about finding additional skilled personnel.

The benefits of automating AI in cybersecurity include:

Cost-efficiency: Pairing cybersecurity with AI results in faster data collection. This makes incident management response more dynamic and efficient. It also removes the need for security professionals to carry out manual, time-consuming tasks so they can focus on more strategic activities that add value to the business.
Removing human error: A common weakness of traditional security defenses is the need for human intervention, which can lead to costly human error. Artificial intelligence in cybersecurity removes the human element from most security processes. This is a more efficient approach because human resources can be reallocated to where they are most required.
Better decision-making: Automating cybersecurity helps organizations identify and correct potential deficiencies in their security strategy. In this way, they are able to implement formalized procedures that can result in more secure IT environments.

However, organizations also need to be aware that cyber criminals adjust their methods to resist new AI cybersecurity tools. Hackers also use AI to create advanced attacks and deploy new and updated forms of malware to target both traditional and AI-enhanced systems.

How Can AI Help Prevent Cyberattacks?

AI in cybersecurity reinforces cyber threat intelligence , enabling security professionals to:

Search for characteristics of cyberattacks
Strengthen their defenses
Analyze data—such as fingerprints, typing styles, and voice patterns—to authenticate users
Discover clues as to the identity of specific cyberattackers

Applications of AI in Cybersecurity

Password protection and authentication.

With AI in cybersecurity, organizations can better protect passwords and secure user accounts through authentication . Most websites include features that allow users to log in to purchase products or contact forms for people to input sensitive data. Extra security layers are necessary to keep their information secure and prevent it from getting into the hands of malicious actors.

AI tools, such as CAPTCHA , facial recognition, and fingerprint scanners enable organizations to automatically detect whether an attempt to log in to a service is genuine. These solutions help prevent cybercrime tactics like brute-force attacks and credential stuffing , which could put an organization’s entire network at risk.

Phishing Detection and Prevention Control

Phishing remains one of the biggest cybersecurity threats facing businesses across all industries. AI within email security solutions enables companies to discover anomalies and indicators of malicious messages. It can analyze the content and context of emails to quickly find whether they are spam messages, part of phishing campaigns, or legitimate. For example, AI can quickly and easily identify signs of phishing, such as email spoofing , forged senders, and misspelled domain names.

ML algorithm techniques allow AI to learn from data to make analysis more accurate and evolve to address new threats. It also helps AI better understand how users communicate, their typical behavior, and textual patterns. This is crucial to preventing more advanced threats like spear phishing , which involves attackers attempting to impersonate high-profile individuals like company CEOs. AI can intercept suspicious activity to prevent a spear-phishing attack before it causes damage to corporate networks and systems.

Vulnerability Management

As cyber criminals deploy more sophisticated methods and techniques, thousands of new vulnerabilities are discovered and reported every year. As a result, businesses struggle to manage the vast volume of new vulnerabilities they encounter every day, and their traditional systems cannot prevent these high-risk threats in real time.

AI-powered security solutions such as user and entity behavior analytics (UEBA) enable businesses to analyze the activity of devices, servers, and users, helping them identify anomalous or unusual behavior that could indicate a zero-day attack . AI in cybersecurity can protect businesses against vulnerabilities they are unaware of before they are officially reported and patched.

Network Security

Network security involves the time-intensive processes of creating policies and understanding the network’s topography. When policies are in place, organizations can enact processes for identifying legitimate connections versus those that may require inspection for potentially malicious behavior. These policies can also help organizations implement and enforce a zero-trust approach to security .

However, creating and maintaining policies across multiple networks requires a significant amount of time and manual effort. Organizations often do not deploy the correct naming conventions for their applications and workloads. This means security teams may have to spend more time determining which workloads belong to specific applications. AI learns organizations’ network traffic patterns over time, allowing it to recommend the right policies and workloads.

Behavioral Analytics

With behavioral analytics, organizations can identify evolving threats and known vulnerabilities. Traditional security defenses rely on attack signatures and indicators of compromise (IOCs) to discover threats. However, with the thousands of new attacks that cyber criminals launch every year, this approach is not practical.

Organizations can implement behavioral analytics to enhance their threat-hunting processes . It uses AI models to develop profiles of the applications deployed on their networks and process vast volumes of device and user data. Incoming data can then be analyzed against those profiles to prevent potentially malicious activity.

Benefits of Artificial Intelligence (AI) in Managing Cyber Risks

Implementing AI in cybersecurity offers a wide range of benefits for organizations looking to manage their risk. Typical benefits are:

Ongoing learning: AI’s capabilities constantly improve as it learns from new data. Techniques like deep learning and ML enable AI to recognize patterns, establish a baseline of regular activity, and discover any unusual or suspicious activity that deviates from it. AI’s ability to learn on an ongoing basis makes it more difficult for hackers to circumvent an organization’s defenses.
Discovering unknown threats: As cyber criminals devise more sophisticated attack vectors , organizations are left vulnerable to unknown threats that could cause massive damage to networks. AI provides a solution for mapping and preventing unknown threats, including vulnerabilities that have yet to be identified or patched by software providers.
Vast data volumes: AI systems can handle and understand vast amounts of data that security professionals cannot. In this way, organizations can automatically discover new threats among vast amounts of data and network traffic that might go undetected by traditional systems.
Improved vulnerability management: In addition to discovering new threats, AI enables organizations to manage vulnerabilities better. It helps them assess their systems more effectively, improve problem-solving, and make better decisions. It can also identify weak points in networks and systems so that organizations are constantly focused on the most critical security tasks.
Enhanced overall security posture: Manually managing the risk of a range of threats, from denial-of-service (DoS) and phishing attacks to ransomware , can be difficult and time-consuming. But with AI, organizations are able to detect various types of attacks in real time and efficiently prioritize and prevent risks.
Better detection and response: Threat detection is a necessary element of data and network protection. AI-enabled cybersecurity can result in rapid detection of untrusted data and more systematic and immediate response to new threats.

What are the benefits of automating AI in cybersecurity?

Future of AI in Cybersecurity

AI in cybersecurity is increasingly playing a pivotal role in the fight against more advanced cyber threats. Because AI continually learns from the data it is exposed to, new technologies built on AI processes and techniques are crucial to identifying the latest threats and preventing hackers from exploiting new vulnerabilities in the quickest time possible.

How Fortinet Can Help

Fortinet offers AI-powered cybersecurity solutions to protect organizations against known and emerging cyber threats. FortiAI , which is a deep-learning solution designed specifically to remove the need for time-consuming manual investigation of cyberattacks, enables organizations to accelerate their responses to advanced threats by identifying and classifying attack vectors in real time and instantaneously blocking them from reaching corporate networks.

FortiAI relies on data from FortiGuard Labs, which provides the latest insight into emerging security threats. FortiAI empowers organizations to detect and protect against the millions of threats that FortiGuard Labs discovers every day.

How is AI used in cybersecurity?

AI in cybersecurity is used to help organizations automatically detect new threats, identify unknown attack vectors, and protect sensitive data.

What is artificial intelligence in cybersecurity?

AI in cybersecurity is the use of techniques like deep learning, machine learning, and natural language processing to build more automated and intelligent security defenses.

How does AI help in cybersecurity?

AI in cybersecurity helps discover and mitigate new cyber events and attack vectors. It allows organizations to keep pace with the evolving threat landscape and handle massive volumes of threats.

Is AI a benefit or threat to cybersecurity?

AI systems are a huge benefit to organizations’ cybersecurity teams, helping them protect their networks from the latest emerging threats in real time. However, it is worth noting that cyber criminals increasingly use the same AI tools to evolve their attack vectors.

Free Product Demo

Explore key features and capabilities, and experience user interfaces.

Resource Center

Download from a wide range of educational material and documents.

Free Trials

Test our products and solutions.

Contact Sales

Have a question? We're here to help.

Media Center
Contracting

We are the trusted AI leader to the nation; revolutionizing the country through AI solutions that power, protect, and propel society toward positive outcomes.

Our end-to-end innovation ecosystem allows clients to architect intelligent and resilient solutions for future missions.

With more than 110 years of management consulting expertise, Booz Allen supports both large-scale transformation and specialized problem-solving. We are part of your team—from strategy to implementation.

Cybersecurity Cybersecurity We protect our clients against the attacks of today, and prepare them for the threats of tomorrow. Through decades of experience and the most advanced tools available, we keep your mission secure and your business moving forward.
Digital Solutions Digital Solutions We’re trusted to advance the nation’s most sensitive missions through digital transformation—with solutions that deliver the right capabilities with the most valuable insights, at the moments that matter most.
Engineering Engineering Pioneering next-gen tools & products with world-class engineering expertise centered in 27 labs across the U.S.
Products Products Many of our clients are under pressure to keep pace with today's rapidly changing tech environment, which is why we are constantly adding new products to our suite of tools. Explore our Products page to learn more.

We're building value and opportunity by investing in cybersecurity, analytics, digital solutions, engineering and science, and consulting. Our culture of innovation empowers employees as creative thinkers, bringing unparalleled value for our clients and for any problem we try to tackle. Empower People to Change the World ®

Civil Government Civil Government Whether ensuring citizen safety, security, and well-being or boosting our national competitiveness, we work shoulder-to-shoulder with civil government clients to help them deliver on their public service missions.

Booz Allen Commercial delivers advanced cyber defenses to the Fortune 500 and Global 2000. We are technical practitioners and cyber-focused management consultants with unparalleled experience – we know how cyber attacks happen and how to defend against them.

Cyber Fusion Centers Cyber threat intelligence and threat defense operations combined into a single, integrated security entity.

We deploy deep technical talent, industry-specific insights, and more than one hundred and ten years of practitioner experience to deliver advanced cyber defenses.

Incident Response Named a leader in the IDC MarketScape report, our solutions respond to advanced persistent threats, transform operations post-incident, and enable clients to prepare for sophisticated attacks.
Defense Defense As the nation's military services take on new missions, adopt innovative technologies, tackle acquisition and budgeting challenges, and address warfighters' medical needs, our experts are there to help.
Energy, Resources & Utilities Energy, Resources & Utilities We help public and private-sector energy clients gain greater efficiency in the oil patch through innovation, navigate complex critical infrastructure protection and carbon regulations, identify new revenue streams, and protect their information from external threats.
Health Health We're helping health and life sciences organizations across the public and private sectors navigate their rapidly changing environments and complex markets to drive more effective treatment and business approaches.
Homeland Security & Law Enforcement Homeland Security & Law Enforcement We help law enforcement agencies develop and deploy specialized technical investigative tools and technologies. Our homeland security teams work to address some of the most difficult issues facing government leaders.
Intelligence Intelligence Our intelligence experts integrate talent and technology to protect national security, supporting some of today’s most critical missions.
Southeast Asia With an established legacy of helping clients overcome complex challenges, we expanded our global presence into Southeast Asia.
Europe Our teams of experts work shoulder to shoulder with clients in Europe—making their mission of deterrence and defense our mission.

See how we deliver space defense capabilities with analytics, AI, cybersecurity, and PNT to strengthen information superiority.

Transportation Transportation Effectively integrating emerging technology, public policy, and efficient operations is the most pressing challenge facing all our clients. Our expertise allows us to add value from conceptual design through implementation.
Search Jobs Search Jobs Search open jobs and find positions that match your skills, interests, and location.

Dedicated to harnessing the power of data? Explore analytics and data science positions to learn more.

Cleared Opportunities Are you a dedicated cleared professional craving meaningful work? Find your purpose with a new job opportunity.
Commercial Looking to protect the world’s most respected brands from sophisticated cyber crime? So are we. Discover open jobs with a commercial focus.
Consulting Eager to revolutionize how organizations work? Review our open consulting jobs to learn more.
Corporate Functions Ready to keep the internal gears of our company moving? Find a position that moves you by exploring our corporate-focused positions.
Cyber Passionate about stopping cyber attacks before they occur? Get started by discovering cybersecurity job opportunities.
Digital Focused on building advanced systems? Take a look at our current digital job openings and forge a new future.

Driven by designing solutions to complex technical problems? Put your problem-solving skills to use by exploring our engineering jobs.

Dedicated to the physical and emotional wellbeing of people? Review open jobs in health and science and learn more.

Intelligence Analysis Eager to help our clients understand their operational landscape? Explore intelligence analysis jobs to learn more.

Ready to address the government and military’s biggest challenges? Review open jobs and learn more about our mission focus.

Read about our people-first approach, our social impact work, and how we will empower you to change the world.

Learn about our approach to professional growth, including tuition reimbursement, mobility programs, and more.

Review and search for open jobs in the United States and learn how you can help the government and military from our home base.

Review and search for open jobs in Hawaii, Japan, Korea, Alaska, Guam, Singapore, and Australia and support the U.S. government and its allies around the world.

Review and search for open jobs in Europe and defend the homeland while safeguarding other nations.

We’d love to meet you. Find upcoming Booz Allen recruiting and networking events near you.

Tips From our Military Recruiting Team Military or veteran job seeker? Get advice from our military talent recruiters.

Find out how veterans can pursue careers in AI, cloud, and cyber.

Transitioning Military Hiring FAQs Find answers to the most common questions about your post-service career with Booz Allen.
Graduating Students Graduating and looking for entry-level roles? Start here.
Application Process for Graduating Students Ready to apply to Booz Allen? Review the steps to start your journey.
Summer Games Internship Program Seeking an internship that will give you hands-on experience? Learn more.
FAQs for Intern Candidates and Graduating Students Find answers to your most pressing questions about internships and entry-level positions.
Preparing for Your Interview Learn more about our interview process and how you can prepare to meet our team.
Our Application & Hiring Process Want to know what happens after you submit your job application? Review a step-by-step overview.

Explore our comprehensive benefits programs and learn how we support your total wellbeing.

Application Process FAQs Have a question about the application process? Find answers to common questions here.
Returning Applicants Returning Applicants Previously applied? Login to view your application status or update your profile.
Awards and Recognition Awards and Recognition We are proud to call ourselves a bold, forward-thinking, global company with a guiding purpose of empowering people to change the world. It’s rewarding when others think of us that way, as well.

As a values-driven company, we make a difference in communities where we live and work.

Women Learn more about our commitment to fostering equality and providing the growth and development opportunities women want and need.
LGBTQ+ Learn how our dedication to the equality and advancement of LGBTQ+ employees and allies is helping our employees thrive and build a legacy of pride.
Disabilities Learn more about how we champion an inclusive environment that leverages our differences and empowers our employees with disabilities.
Veterans & Military Families Learn why collaborating with veterans and their families is part and parcel of our DNA.

Learn how we cultivate a culture of inclusion and celebrate the diverse backgrounds and experiences of our employees.

Learn how we’re driving empowerment, innovation, and resilience to shape our vision for the future through a focus on environmental, social, and governance (ESG) practices that matter most.

Each year, we celebrate the client engagements, leading ideas, and talented people that support our success.

Policies and Programs Learn about Booz Allen Hamilton's policies and programs.

Our latest global events, including webinars and in-person, live events and conferences.

Heritage Heritage Discover Booz Allen’s defining moments and how that heritage is woven into the firm’s consulting and technology expertise today.

Our engineers, scientists, software developers, technologists, and consultants live to solve problems that matter. We’re proud of the diversity throughout our organization, from our most junior ranks to our board of directors and leadership team.

Board of Directors The diversity of our Board of Directors underscores Booz Allen's commitment to creating opportunity for our people and demonstrates the importance of diversity to our success.
Leadership Team Booz Allen takes pride in a culture that encourages and rewards the many dimensions of leadership—innovative thinking, active collaboration, and personal service. We’re particularly proud of the diversity of our Leadership Team and Board of Directors, among the most diverse in corporate America today.
Alumni Join your fellow Booz Allen alumni to network, stay up to date on industry news, and keep connections strong with new job opportunities.
Purpose & Values Purpose & Values Our Purpose and Values are more than just words. Learn how the expression of our values guide our decisions, actions and aspirations.
Artificial Intelligence
Cybersecurity
Digital Solutions
Engineering
Civil Government
Cyber Fusion Centers
Cybersecurity Strategy
Incident Response
Energy, Resources & Utilities
Homeland Security & Law Enforcement
Intelligence
Southeast Asia
Transportation
Search Jobs
Analytics/Data Science
Cleared Opportunities
Corporate Functions
Health & Science
Intelligence Analysis
Mission-Focused Careers
Culture at Booz Allen
Professional Development
U.S. Locations
Indo-Pacific Careers
European Careers
Recruiting & Networking Events
Tips From our Military Recruiting Team
Upskilling Into Tech Roles
Transitioning Military Hiring FAQs
Graduating Students
Application Process for Graduating Students
Summer Games Internship Program
FAQs for Intern Candidates and Graduating Students
Preparing for Your Interview
Our Application & Hiring Process
Employee Benefits
Application Process FAQs
Returning Applicants
Awards and Recognition
Community Impact and Philanthropy
Disabilities
Veterans & Military Families
Multiculturalism
ESG & Annual Reports
Policies and Programs
Board of Directors
Leadership Team
Purpose & Values

The Role of Artificial Intelligence in Cybersecurity

Learn about this emerging area in part 2 of our 2021 technology spotlight.

With technology news breaking daily, it’s a challenge to know which innovations to follow. In this series, we introduce emerging technologies that will accelerate enterprise transformation in 2021. This second entry discusses the growing importance of artificial intelligence (AI) within the cyber realm . In case you missed it, the first briefing on machine learning operations (MLOps) is here .

Download the Cyber and AI Overview

2021 technology spotlight, part 2, what is the role of ai in the cyber ecosystem.

Historically, cybersecurity has been a field dominated by resource-intensive efforts. Monitoring, threat hunting, incident response, and other duties are often manual and time-intensive, which can delay remediation activities, increase exposure, and heighten vulnerability to cyber adversaries.

Over the past few years, artificial intelligence solutions have rapidly matured to the point where they can bring substantial benefits to cyber defensive operations across a broad range of organizations and missions. By automating key elements of labor-heavy core functions, AI can transform cyber workflows into streamlined, autonomous, continuous processes that speed remediation and maximize protection.

The Benefits of Applying AI to Cyber

AI’s cyber applications offer major advantages for the government and business leaders responsible for protecting people, systems, organizations, and communities from today’s relentless cyber adversaries. Acting as a force multiplier for seasoned cyber professionals, AI’s functions across the cyber lifecycle include monitoring vast swaths of data to detect nuanced adversarial attacks, quantifying the risks associated with known vulnerabilities, and powering decision making with data during threat hunts.

Immediate and long-term benefits of integrating AI into an organization’s cybersecurity ecosystem include that it:

Improves protection and remediation due to AI’s ability to detect nuanced attacks, heighten security, and enhance incident response
Increases time savings as AI expedites the detection and response cycle time, rapidly quantifying risks and accelerating analyst decision making with data-driven mitigation measures
Fortifies protection of brand reputation and trust in an organization’s security systems and protocols
Improves workforce satisfaction, as cybersecurity professionals can focus on higher level tasks as opposed to time-consuming, manual actions

A Future Secured by AI-Integrated Cyber: 5 Key Takeaways

What should you and your organization be thinking about as we look toward a future secured with more and more help from AI? Here are our top takeaways for federal government leaders. Download the full report to see our recommendations for business leaders, technologists, investors, and students:

AI is meeting the needs of today’s heightened security requirements. For government environments that require the highest level of cybersecurity protection—defense and national security agencies in particular—AI is expanding what’s possible.
Through automation, AI provides a competitive advantage. As AI grows more prevalent, it will be easier to augment human capability in government and Department of Defense cybersecurity roles, expanding impact and efficiency.
The application of AI functions will minimize human error. Integration of AI capabilities into manual and semi-manual processes can minimize errors and inconsistencies.
New skill sets will be in demand for cyber professionals. Organizations will hire AI experts for their experience applying AI and machine learning technology to cybersecurity instead of just looking for traditional cyber skillsets.
This emerging space will continue to expand in impact across industries. Deals in cybersecurity and AI have more than doubled in the past 4 years, and AI’s ability to support cybersecurity will only grow with time. Cybersecurity leaders should explore the breadth of AI use cases and potential applications to the federal mission.

Want to learn more about AI in cybersecurity? Download the complete overview.

Get in touch to learn about booz allen technology scouting.

Our technical monitoring services allow leading organizations to accelerate modernization through targeted innovation. We provide a tailored approach, offering custom research, connections via our innovation network, and technical services in our solutions labs. Our end-to-end capabilities allow clients to discover, acquire, and deploy new technologies for transformational results.

Featured Content from this Series

A 5-minute read on the future of encryption—part 3 of our 2021 emerging technology spotlight. Read More

Meet Our Leaders

Chief Technology Officer

Emerging Technology Resources

A Solution for Enterprise-Scale DevSecOps

Our framework scales DevSecOps and overcomes the most common software delivery barriers. Read More

Transform Training with Immersive Technology

Discover how VR, AR, AI and haptics engage the full brain with simulation-based training. Read More

Edge Computing: Expert Guide on How and Why to Use It

In our edge computing e-book, explore how organizations can develop a successful edge network. Read More

Establishing a Secure and Resilient 5G Ecosystem

The telecommunications revolution depends on establishing cybersecure 5G solutions. Read More

We unpack DataOps—the key challenges, frameworks, and taking it from concept to action. Read More

INFORMATION FOR

International
Contract Officers
Small Businesses
Finance and Banking
Government & Civil Agencies
Infrastructure
Life Sciences & Healthcare
Transportation & Logistics

FEATURED SOLUTIONS

Artificial Intelligence (AI)
Digital Customer Experience
Elite Training
Enterprise DevSecOps
Mission Readiness
Workforce of the Future
Why Booz Allen
Join Our Team
Webinars & Events
Privacy Policy
Terms of Use
Cookie Policy

Stay Connected with Booz Allen

Investigating the applications of artificial intelligence in cyber security

Published: 09 September 2019
Volume 121 , pages 1189–1211, ( 2019 )

Cite this article

Naveed Naeem Abbas 1 , 2 ,
Tanveer Ahmed 3 ,
Syed Habib Ullah Shah 1 , 4 ,
Muhammad Omar ORCID: orcid.org/0000-0002-7071-5760 1 &
Han Woo Park 5

5610 Accesses

24 Citations

6 Altmetric

Explore all metrics

Artificial Intelligence (AI) provides instant insights to pierce through the noise of thousands of daily security alerts. The recent literature focuses on AI’s application to cyber security but lacks visual analysis of AI applications. Structural changes have been observed in cyber security since the emergence of AI. This study promotes the development of theory about AI in cyber security, helps researchers establish research directions, and provides a reference that enterprises and governments can use to plan AI applications in the cyber security industry. Many countries, institutions and authors are densely connected through collaboration and citation networks. Artificial neural networks, an AI technique, gave birth to today’s research on cloud cyber security. Many research hotspots such as those on face recognition and deep neural networks for speech recognition may create future hotspots on emerging technology, such as on artificial intelligence systems for security. This study visualizes the structural changes, hotspots and emerging trends in AI studies. Five evaluation factors are used to judge the hotspots and trends of this domain and a heat map is used to identify the areas of the world that are generating research on AI applications in cyber security. This study is the first to provide an overall perspective of hotspots and trends in the research on AI in the cyber security domain.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price includes VAT (Russian Federation)

Instant access to the full article PDF.

Rent this article via DeepDyve

Institutional subscriptions

The mechanisms of AI hype and its planetary and social costs

Alva Markelius, Connor Wright, … Yu-Ting Kuo

Cyber risk and cybersecurity: a systematic review of data availability

Frank Cremer, Barry Sheehan, … Stefan Materne

AI-Driven Cybersecurity: An Overview, Security Intelligence Modeling and Research Directions

Iqbal H. Sarker, Md Hasan Furhad & Raza Nowrozy

Aghion, P., Jones, B. F., & Jones, C. I. (2017). Artificial intelligence and economic growth. NBER Working Paper Series . https://doi.org/10.3386/w23928 .

Article Google Scholar

Byres, E. (2004). The myths and facts behind cyber security risks for industrial control systems. Proceedings of the VDE Kongress . https://rampages.us/keckjw/wp-content/uploads/sites/2169/2014/11/Myths-and-Facts-for-Control-System-Cyber-security.pdf

Chen, C. (2006). CiteSpace II: Detecting and visualizing emerging trends and transient patterns in scientific literature. Journal of the American Society for Information Science and Technology . https://doi.org/10.1002/asi.20317 .

Chen, C. (2016). How to use CiteSpace . British Columbia, Canada: Lean Publishing. Retrieved from https://leanpub.com/howtousecitespace .

Chen, C., Dubin, R., & Kim, M. C. (2014). Orphan drugs and rare diseases: A scientometric review (2000–2014). Expert Opinion on Orphan Drugs, 2 (7), 709–724. https://doi.org/10.1517/21678707.2014.920251 .

Chen, C., & Leydesdorff, L. (2013). Patterns of connections and movements in dual-map overlays: A new method of publication portfolio analysis. Journal of the American Society for Information Science and Technology . Retrieved from https://www.researchgate.net/publication/236039476_Patterns_of_Connections_and_Movements_in_Dual-Map_Overlays_A_New_Method_of_Publication_Portfolio_Analysis .

Chen, H., & Storey, V. C. (2012). Business intelligence and analytics: From big data to big impact. MIS Quarterly, 36 (4), 1165–1188. https://doi.org/10.1145/2463676.2463712 .

Dilek, S., Cakır, H., & Aydın, M. (2015). Applications of artificial intelligence techniques to combating cyber crimes: A review. International Journal of Artificial Intelligence & Applications, 6 (1), 21–39. https://doi.org/10.5121/ijaia.2015.6102 .

Gautam, P. (2019). A bibliometric approach for department-level disciplinary analysis and science mapping of research output using multiple classification schemes. Journal of Contemporary Eastern Asia, 18 (1), 7–29. https://doi.org/10.17477/jcea.2019.18.1.007 .

Göztepe, K. (2012). Designing fuzzy rule based expert system for cyber security. International Journal of Information Security Science, 1 (1), 13–19.

Google Scholar

Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., & Witten, I. H. (2009). The WEKA data mining software: An update. ACM SIGKDD Explorations Newsletter , 11 . Retrieved from https://dl.acm.org/citation.cfm?id=1656278 .

Hengstler, M., Enkel, E., & Duelli, S. (2016). Technological forecasting & social change applied artificial intelligence and trust—The case of autonomous vehicles and medical assistance devices. Technological Forecasting and Social Change, 105, 105–120. https://doi.org/10.1016/j.techfore.2015.12.014 .

Holmberg, K., & Park, H. W. (2018). An altmetric investigation of the online visibility of South Korea-based scientific journals. Scientometrics, 117 (1), 603–613.

Imran, M., Castillo, C., Lucas, J., Meier, P., & Vieweg, S. (2014). Aidr. In Proceedings of the 23rd international conference on world wide web — WWW’14 companion , (April) (pp. 159–162). https://doi.org/10.1145/2567948.2577034 .

Jan, N., & Ludo, V. E. (2010). Software survey: VOSviewer, a computer program for bibliometric mapping. Scientometrics . https://doi.org/10.1007/s11192-009-0146-3 .

Jha, S., & Topol, E. J. (2016). Adapting to artificial intelligence: Radiologists and pathologists as information specialists. JAMA Journal of the American Medical Association, 316 (22), 2353–2354. https://doi.org/10.1001/jama.2016.17438 .

Jin, Y., & Li, X. (2018). Visualizing the hotspots and emerging trends of multimedia big data through scientometrics. Multimedia Tools and Applications . https://doi.org/10.1007/s11042-018-6172-5 .

Kim, H. J., Jeong, Y. K., & Song, M. (2016). Content- and proximity-based author co-citation analysis using citation sentences. Journal of Informetrics, 10 (4), 954–966. https://doi.org/10.1016/j.joi.2016.07.007 .

Li, S., & Sun, Y. (2013). The application of weighted co‐occurring keywords time gram in academic research temporal sequence discovery. Proceedings of the American Society for Information Science and Technology , 50 (1), 1–10. https://doi.org/10.1002/meet.14505001037 .

Article MathSciNet Google Scholar

Li, J., Xu, W. W., Wang, F., Chen, S., & Sun, J. (2018). Examining China’s internet policies through a bibliometric approach. Journal of Contemporary Eastern Asia, 17 (2), 237–253. https://doi.org/10.17477/jcea.2018.17.2.237 .

Litman, T. (2014). Autonomous vehicle implementation predictions implications for transport planning. Transportation Research Board Annual Meeting, 42 (January), 36–42. https://doi.org/10.1613/jair.301 .

Liu, S., Chen, C., Ding, K., Wang, B., Xu, K., & Lin, Y. (2014). Literature retrieval based on citation context. Scientometrics, 101 (2), 1293–1307. https://doi.org/10.1007/s11192-014-1233-7 .

Loebbecke, C., & Picot, A. (2015). Reflections on societal and business model transformation arising from digitization and big data analytics: A research agenda. Journal of Strategic Information Systems, 24 (3), 149–157. https://doi.org/10.1016/j.jsis.2015.08.002 .

Machine, P., & Tools, L. (n.d.). Datamining. Practical machine learning tools and technicals with java implementations.

Malav, A., Kadam, K., & Kamat, P. (2017). Prediction of heart disease using K-means and artificial neural network as hybrid approach to improve accuracy. International Journal of Engineering and Technology, 9 (4), 3081–3085. https://doi.org/10.21817/ijet/2017/v9i4/170904101 .

Ofli, F., Meier, P., Imran, M., Castillo, C., Tuia, D., Rey, N., et al. (2016). Combining human computing and machine learning to make sense of big (aerial) data for disaster response. Big Data, 4 (1), 47–59. https://doi.org/10.1089/big.2014.0064 .

Omar, M., Mehmood, A., Choi, G. S., & Park, H. W. (2017). Global mapping of artificial intelligence in Google and Google Scholar. Scientometrics, 113 (3), 1269–1305. https://doi.org/10.1007/s11192-017-2534-4 .

Pak Chung, W., Chen, C., Gorg, C., Shneiderman, B., Stasko, J., & Thomas, J. (2011). Graph analytics-lessons learned and challenges ahead. IEEE Computer Graphics and Applications, 31 (5), 18–29. https://doi.org/10.1109/MCG.2011.72 .

Pannu, A. (2015). Artificial intelligence and its application in different areas. Certified International Journal of Engineering and Innovative Technology, 4 (10), 79–84. https://doi.org/10.1155/2009/251652 .

Park, H. J., & Park, H. W. (2018). Two-side face of knowledge building using scientometric analysis. Quality & Quantity, 52 (6), 2815–2836.

Park, H. C., Youn, J. M., & Park, H. W. (2018). Global mapping of scientific information exchange using altmetric data. Quality & Quantity, 53 (2), 935–955.

Parkes, D. C., & Wellman, M. P. (2015). Economic reasoning and artificial intelligence. Science, 349 (6245), 267–272. https://doi.org/10.1126/science.aaa8403 .

Article MathSciNet MATH Google Scholar

Ramchurn, S. D., Huynh, T. D., Wu, F., Ikuno, Y., Flann, J., Moreau, L., et al. (2016). A disaster response system based on human-agent collectives. Journal of Artificial Intelligence Research, 57, 661–708. https://doi.org/10.1613/jair.5098 .

Saridakis, G., Benson, V., Ezingeard, J., & Tennakoon, H. (2015). Technological forecasting & social change individual information security, user behaviour and cyber victimisation: An empirical study of social networking users. Technological Forecasting and Social Change . https://doi.org/10.1016/j.techfore.2015.08.012 .

Small, H., & Greenlee, E. (1980). Citation context analysis of a co-citation cluster: Recombinant-DNA. Scientometrics, 2 (4), 277–301. https://doi.org/10.1007/BF02016349 .

Su, H. N., & Lee, P. C. (2010). Mapping knowledge structure by keyword co-occurrence: A first look at journal papers in Technology Foresight. Scientometrics, 85 (1), 65–79. https://doi.org/10.1007/s11192-010-0259-8 .

Wang, F. Y., Zheng, N. N., Cao, D., Martinez, C. M., Li, L., & Liu, T. (2017). Parallel driving in CPSS: A unified approach for transport automation and vehicle intelligence. IEEE/CAA Journal of Automatica Sinica, 4 (4), 577–587. https://doi.org/10.1109/JAS.2017.7510598 .

Zhou, Z. H., & Jiang, Y. (2003). Medical diagnosis with C4.5 Rule preceded by artificial neural network ensemble. IEEE Transactions on Information Technology in Biomedicine, 7 (1), 37–42. https://doi.org/10.1109/TITB.2003.808498 .

Download references

Acknowledgements

I wish to acknowledge someone who means a lot to me, my father (Mr. Irshad Hussain), for showing faith in me and giving me the liberty to make my own choices. I salute you for the selfless love, care, pain and sacrifice you offered to me in order to shape my life.

Author information

Authors and affiliations.

Department of Computer Science and IT, The Islamia University of Bahawalpur, Bahawalpur, Pakistan

Naveed Naeem Abbas, Syed Habib Ullah Shah & Muhammad Omar

H/No. 39-A, Jamal-E-Sarwar Colony, Chowk Churratah, Dera Ghazi Khan, Pakistan

Naveed Naeem Abbas

Department of Computer Science, COMSATS University, Islamabad, Pakistan

Tanveer Ahmed

H/No. 2147, Block 18, College Chowk, Dera Ghazi Khan, Pakistan

Syed Habib Ullah Shah

Department of Media and Communication, Interdisciplinary Program of Digital Convergence Business, YeungNam University, 214-1, Dae-dong, Gyeongsan-si, Gyeongsangbuk-do, 712-749, South Korea

Han Woo Park

You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Muhammad Omar or Han Woo Park .

Rights and permissions

Reprints and permissions

About this article

Abbas, N.N., Ahmed, T., Shah, S.H.U. et al. Investigating the applications of artificial intelligence in cyber security. Scientometrics 121 , 1189–1211 (2019). https://doi.org/10.1007/s11192-019-03222-9

Download citation

Received : 16 June 2019

Published : 09 September 2019

Issue Date : November 2019

DOI : https://doi.org/10.1007/s11192-019-03222-9

Share this article

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

Artificial intelligence
Cyber security
Scientometric
Visualization
Emerging trend
Research hotspot
Find a journal
Publish with us
Track your research

Cybersecurity and AI: The challenges and opportunities

Deepfakes, spear-fishing and falsifying data are just some of the cybersecurity risks that can increase as Artificial Intelligence progresses. Image: Unsplash/Wance Paleri

.chakra .wef-1c7l3mo{-webkit-transition:all 0.15s ease-out;transition:all 0.15s ease-out;cursor:pointer;-webkit-text-decoration:none;text-decoration:none;outline:none;color:inherit;}.chakra .wef-1c7l3mo:hover,.chakra .wef-1c7l3mo[data-hover]{-webkit-text-decoration:underline;text-decoration:underline;}.chakra .wef-1c7l3mo:focus,.chakra .wef-1c7l3mo[data-focus]{box-shadow:0 0 0 3px rgba(168,203,251,0.5);} Lindiwe Matlali

.chakra .wef-9dduvl{margin-top:16px;margin-bottom:16px;line-height:1.388;font-size:1.25rem;}@media screen and (min-width:56.5rem){.chakra .wef-9dduvl{font-size:1.125rem;}} Explore and monitor how .chakra .wef-15eoq1r{margin-top:16px;margin-bottom:16px;line-height:1.388;font-size:1.25rem;color:#F7DB5E;}@media screen and (min-width:56.5rem){.chakra .wef-15eoq1r{font-size:1.125rem;}} Cybersecurity is affecting economies, industries and global issues

A hand holding a looking glass by a lake

.chakra .wef-1nk5u5d{margin-top:16px;margin-bottom:16px;line-height:1.388;color:#2846F8;font-size:1.25rem;}@media screen and (min-width:56.5rem){.chakra .wef-1nk5u5d{font-size:1.125rem;}} Get involved with our crowdsourced digital platform to deliver impact at scale

Stay up to date:, cybersecurity.

Listen to the article

As Artificial Intelligence (AI) advances rapidly, so does its potential to be used in cybercrime.
This problem is particularly acute as the world faces a 3.4 million-person shortage of cybersecurity professionals.
AI can also be a powerful tool to combat cyber threats — but it must be harnessed responsibly and securely.

Artificial intelligence is already shaping the world around us — and that trend is only set to grow.

The new technology — which has recently undergone vast, expectation-beating improvements — has seeped into virtually every industry, one way or another. It is transforming processes and propelling innovations.

But like most technological advancements, AI brings with it an array of complex challenges, particularly in the domain of cybersecurity.

The transformative potential of AI tools like ChatGPT or Alphabet’s Bard is immense. Their generative capabilities can foster creativity, improve customer service, aid decision-making, and much more. And they, indeed, are just the tip of the iceberg when it comes to the potential of AI. However, these powerful tools are also susceptible to manipulation by cybercriminals, leading to threats that can disrupt corporate systems and inflict significant damage.

Have you read?

4 ways ai can help us enter a new age of cybersecurity, why ai is the key to cutting-edge cybersecurity, quantum machine learning: a new tool in the cybersecurity locker, the changing cyber-threat landscape.

As the sophistication of AI increases, so does the complexity of cyber threats. Consider a scenario where a skilled cybercriminal uses an AI tool to draft a highly personalised spear-phishing message. This message, blending seamlessly with the organization's internal communication style, can deceive even the most vigilant employees. Traditional security systems often prove ineffective against such sophisticated attacks, leaving businesses vulnerable to significant disruption.

Similarly, cyber-attackers can use AI to create deepfake voices and impersonate high-ranking executives. A well-executed deepfake could deceive employees into authorising large unauthorised fund transfers, exploiting human trust to circumvent security measures.

Another potential scenario involves attackers using AI to tamper with a system's data, creating an alluring yet entirely fabricated stock portfolio. The attackers can then profit from this false information before the fraud is detected.

In another possible abuse, an artificial email exchange between top executives appears to discuss a corporate scandal. If leaked, such fraudulent communication could plummet the company's stock price and cause irreparable damage to its reputation.

The global cyber skills gap

The escalating sophistication of cyber threats underscores the importance of skilled cybersecurity professionals. Yet, the global demand for these experts far outstrips the supply. According to the 2022 Cybersecurity Workforce Study by (ISC)², we face a global shortage of 3.4 million cybersecurity professionals.

Africa, in particular, is struggling with this skills gap. According to the Global Knowledge 2022 IT Skills and Salary Report, the continent has the highest percentage of IT decision-makers reporting a significant shortage of cybersecurity skills. This deficiency puts African businesses at heightened risk and hampers their ability to respond to cyber threats effectively.

Addressing the cybersecurity challenge

Addressing the cybersecurity challenge requires concerted efforts from businesses, policymakers and AI developers. Policymakers can play a critical role by creating robust legal frameworks that promote cybersecurity best practices, foster talent development and encourage international cooperation to combat cybercrime.

Businesses must invest in strengthening their cybersecurity infrastructure and training their staff to handle potential threats. This includes regular security audits, incident response planning and promoting a security-first culture. Incorporating AI in cybersecurity strategies can also play a crucial role in identifying threats and improving response times.

AI developers have a unique responsibility to design systems that are robust and resilient against misuse. Techniques like differential privacy and federated learning can be used to protect data. At the same time, efforts like OpenAI's work on AI and cybersecurity research are vital to staying ahead of evolving threats.

Embracing the future

As AI continues evolving and integrating into our daily lives, we must ensure our cybersecurity strategies evolve. The threats are significant — but so too are the opportunities.

AI can be a powerful ally in combating cyber threats, but its potential must be harnessed responsibly and securely. Collaborative efforts from all stakeholders are essential in navigating the challenges and seizing this new digital frontier's opportunities.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

.chakra .wef-1dtnjt5{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-flex-wrap:wrap;-ms-flex-wrap:wrap;flex-wrap:wrap;} More on Cybersecurity .chakra .wef-nr1rr4{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;white-space:normal;vertical-align:middle;text-transform:uppercase;font-size:0.75rem;border-radius:0.25rem;font-weight:700;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;line-height:1.2;-webkit-letter-spacing:1.25px;-moz-letter-spacing:1.25px;-ms-letter-spacing:1.25px;letter-spacing:1.25px;background:none;padding:0px;color:#B3B3B3;-webkit-box-decoration-break:clone;box-decoration-break:clone;-webkit-box-decoration-break:clone;}@media screen and (min-width:37.5rem){.chakra .wef-nr1rr4{font-size:0.875rem;}}@media screen and (min-width:56.5rem){.chakra .wef-nr1rr4{font-size:1rem;}} See all

'Pig-butchering’ scams on the rise as technology amplifies financial fraud, INTERPOL warns

Spencer Feingold and Johnny Wood

April 10, 2024

Key strategies for building cyber resilience in 2024

Deryck Mitchelson

April 3, 2024

China outlines new plans for industrial cybersecurity - and other cybersecurity news to know this month

Akshay Joshi

March 21, 2024

3 trends set to drive cyberattacks and ransomware in 2024

Scott Sayce

February 22, 2024

'Operation Cronos' seizes major cybercrime group – and other cybersecurity news to know this month

February 21, 2024

LockBit: How an international operation seized control of ‘the world’s most harmful cybercrime group’

Kate Whiting

The State of AI in Cybersecurity 2023: Insights About Use Cases

How AI in cybersecurity prioritizes process automation, enhancing efficiency and mitigating risks.

In Aberdeen’s recent study on The State of AI in 2023 , we found that all three of the traditional use cases for AI in cybersecurity are prevalent:

Pattern recognition : illustrative examples include filtering out noise, minimizing false positives, and freeing up cybersecurity analysts to work on the most relevant threats.
Process automation : illustrative examples include analyzing and correlating data from multiple sources and enabling faster triage, forensics, and response to security-related incidents.
Predictions : illustrative examples include automatically scanning networks and systems for vulnerabilities, identifying weaknesses most likely to be exploited by attackers, and prioritizing recommended patches or updates.

However, the top performers — so far, at least — are strongly differentiated from all others by an extra emphasis on process automation , as seen in Figure 1 below. Saving time and money is always welcome, but in this case, they can also lead directly to other highly desirable outcomes — including reducing security-related risks and acting as a force multiplier to help address the endemic cybersecurity workforce shortage .

Figure 1: All three traditional use cases for AI in cybersecurity are prevalent, but the top performers have an extra emphasis on process automation

Source: The State of AI in 2023 ; Aberdeen, October 2023

See More: The State of AI in Cybersecurity 2023: The Good News — and Some Ongoing Challenges

In addition, Aberdeen’s State of IT in 2023 dataset shows that all three of the traditional high-level categories of business value for cybersecurity-related initiatives were among the top benefits that organizations say they have realized as a result of using AI in a cybersecurity context:

Improve operational efficiencies — e.g., reduce cost and time, increase productivity (51% of all respondents)
Manage downside risks to a more acceptable level — e.g., reduce the frequency and impact of security-, privacy-, fraud-, and compliance-related incidents (43% of all respondents)
Enable/optimize the success of upside opportunities and strategic business objectives — e.g., increase revenue, growth, profitability, and market share (38% of all respondents)

In this regard, there was little difference between the top performers and all others.

TL;DR — The Main Takeaway

Aberdeen’s research shows that organizations already recognize that AI can contribute to their cybersecurity-related initiatives in multiple dimensions — but right now, saving time and money by emphasizing process automation use cases is given the highest priority.

In Aberdeen’s view, this approach is well-suited for our current economic times and the current state of maturity for AI in cybersecurity.

In the final blog of this 4-part series about The State of AI in Cybersecurity, we’ll look at Aberdeen’s research findings about the leading AI-enabled solution categories , both current and planned.

How can your organization leverage AI for cybersecurity? Why is it crucial in today’s cybersecurity landscape? Let us know on Facebook Opens a new window , X Opens a new window , and LinkedIn Opens a new window . We’d love to hear from you!

Image Source: Shutterstock

Share This Article:

Vice President and Research Fellow, Information Security and IT GRC, Aberdeen

The Road To AI Lies Through the Cloud: Google Cloud Next 2024 Highlights

Meta Launches New Custom Artificial Intelligence Chip

Many Professionals Are Scared of AI: HR Managers Are Embracing It

Google Unveils Custom Arm-Based CPU and Data Center AI Chips

Getting Real About Gen AI: What You Need to Know

The Power of Cyber Threat Intelligence: Safeguarding Elections

Technologies

Artificial intelligence in cybersecurity: applications & the future

December 26, 2022

In recent years, artificial intelligence (AI) has become essential in cyber security. As the threat environment has evolved, so has the need for AI services and cyber security solutions to help organizations defend against new and increasingly sophisticated attacks. Cybersecurity is a complex and ever-changing field, and AI can provide the speed and agility needed to handle emerging threats.

AI in cybersecurity: a summary

While the use of AI in cybersecurity is a decade-old conversation, the recent advancements in computing power and cloud technologies have finally made AI feasible for threat intelligence. In this article, we discuss the role of AI in cybersecurity, outline its most important applications, provide real-life examples and consider the future outlook of this technology.

Table of contents

Tech overview
Future outlook
Implementation
Criminals’ use of AI

The future of AI in cybersecurity

CAGR of AI in the cybersecurity market from 2022 to 2033

Acumen Research and Consulting

the global average cost of a single data breach

of executives consider AI the best technology to counter nation-state cyberattacks

Why apply AI in cybersecurity?

Today, industry players rely on the latest technological advancements to stay on top of the competition. At the same time, the mass proliferation of these technologies and devices has created new opportunities for cybercriminals. Hackers are constantly coming up with new ideas to infiltrate enterprises via desktop computers, webcams, routers, printers, and smartphones and expose sensitive consumer and business data. As a result, the established security protocols and practices, some dating back decades, are insufficient to properly address new unconventional exfiltration, phishing, identity theft, network incursion and password-cracking attacks. This is why forward-looking organizations are investing in AI to bolster their security systems.

The history of cybersecurity, and really any type of security, is an age-old game of cat and mouse. Just as we develop AI tools to protect ourselves, antagonists are developing AI to further complicate their attacks.

Mike Chapple

Information security leader and IT, analytics, and operations teaching professor, University of Notre Dame

AI vs data analytics

To better understand why exactly AI is the most effective technology for combating cyberthreats, let’s compare this technology to its closest relative – data analytics.

Artificial intelligence

By its nature, AI is designed to learn and evolve. This means that it can keep pace with the ever-changing landscape of cybersecurity threats. Additionally, AI can process large amounts of data much faster than humans to quickly identify patterns and anomalies indicating a potential threat.

Data analytics

Supervised by humans, data analytics examines large data sets and identifies patterns, trends or behavior that can point to malicious activity. On the downside, data analytics can be time-consuming and expensive and is limited to human ability to process and interpret data. Most importantly, data analytics systems are highly dependent on humans to evolve, meaning that, unlike AI, such systems are not self-learning.

6 use cases of AI in cyber security

1 Threat detection

Artificial intelligence can identify and prioritize new, previously unknown cyberthreats by analyzing data sets for patterns and anomalies. This allows organizations to respond quickly and efficiently to new threats. In addition, AI can correlate different data sets to provide a complete picture of an attack, so that security teams can understand its scope and nature and better mitigate it in the future. By comparison, traditional methods of security analysis often involve security specialists manually sifting through large data sets, which can be time-consuming and lead to errors.

2 Automated malware detection

Malware is software designed to cause disruption in organizations’ networks by exploiting connected devices. Traditional malware detection methods involve monitoring the network for signature matches, which requires a considerable amount of manual work from security experts. In comparison, AI systems can automatically pinpoint even zero-day malware by analyzing huge amounts of historical data. Moreover, AI can identify patterns and trends in past attacks and alert companies, helping to improve the existing security strategy and proactively protect corporate systems from such future exploits.

3 Social engineering detection

Verizon's 2021 Data Breach Investigation report observes that 85% of cyber security attacks are now social engineering attacks that prey upon humans’ trusting nature. Previously, the problem with using AI for social engineering attacks was that they couldn’t be fully “explained” to ML systems. However, deep learning models, the most sophisticated machine learning models that mimic human thinking, can analyze even unlabeled data and learn independently. This makes deep learning-based systems more effective in combating social engineering attacks than traditional Secure Email Gateway and similar systems. Additionally, AI can also be used to create “phishing simulations” that can test user susceptibility to social engineering attacks. This is a great way of raising awareness and ensuring that employees are better equipped to deal with real-life attacks.

4 Helping to work smarter

Even for seasoned cybersecurity professionals, one of the biggest pain points is incident response prioritization. According to research by Trend Micro Incorporated, 70% of employees at security operation centers are emotionally overwhelmed by security alert volumes. And while AI can’t replace cybersecurity professionals, it can streamline their work and make it easier. Today’s AI models can keep track of the constantly evolving cyber threat landscape and help human analysts decide what security alert to respond to first. As a result, AI can help enterprises allocate their efforts to the most critical threats first, reducing the overall risk to the organization.

5 Managing vulnerability

As the world switched to remote working, old cybersecurity challenges have become more prevalent while new ones arose as well. However, traditional vulnerability assessment tools have grown outdated in increasingly more hybrid environments often containing mobile and IoT devices. The most important distinction between AI-based and conventional vulnerability assessment tools is that the former can accurately define the risk score of all devices, regardless of how critical they are to running a given business. There are situations when even the most isolated devices without an internet connection can pose a significant threat to the organization’s well-being, and AI can provide additional context for assessing their vulnerability.

6 Spotting cyberattack trends

Prolific marketing specialists are already relying on various AI-driven tools to analyze social media trends and learn what topics customers engage with the most. Similarly, AI can be used to analyze forums, cybersecurity social media pages, and news websites to better understand which cyberattacks are becoming more popular in a given sector, and what attacks cybersecurity experts currently deem the most concerning.

Performing such large-scale analysis on a daily basis is almost impossible for human analysts, but by applying modern natural language processing techniques, companies can grasp valuable insights from an endless information stream on the internet.

Real-life examples of AI cyber security adoption

Looking for professional ai consultants, the benefits of ai in cybersecurity, faster threat detection.

Automated AI-driven systems can speed up incident response times.

Reduced false positives

Artificial intelligence can reduce the number of false positives that often overwhelm security teams.

Enhanced accuracy

Machine learning can provide more accurate results than traditional security analysis methods.

Improved correlation of data

AI-enabled tools can correlate different data sets to provide a more comprehensive picture of an attack.

Self-sufficiency

AI-based systems can generate their own security rules and signatures, meaning they are less reliant on human input and more effective at stopping new threats.

Increased automation

Automated security systems can free up time for analysts to focus on other tasks.

Better detection of zero-day threats

By its nature, AI is good at spotting novel patterns, which can help detect previously unknown attacks.

Greater flexibility

AI systems quickly adapt to changing circumstances and new data sets, which makes them more resilient in the face of ever-changing threats.

AI in cybersecurity implementation advice

While the benefits of AI in cybersecurity are apparent, organizations often struggle to implement this technology, so we provide some important tips on making it a success.

Prepare datasets

One of the most persistent problems with AI implementation is that a company’s existing datasets are of insufficient quality for AI integration. Since the reliability of an AI system’s output depends on the quality and availability of data that it consumes, you must ensure that your data is clean, complete, and up-to-date.

Select the right use cases

Integrate SOAR

Employ a governance framework

It is tempting to add machine learning tools into many business processes, and it is indeed becoming ubiquitous, but AI tools suffer from bias, vulnerability to attack, and a lack of explainability. Without proper governance and oversight, we are simply exposing industry, people, and the environment to significantly more risk.

Jessica Newman

Program Lead at UC Berkeley’s AI Security Initiative

How cybercriminals use AI

AI is a controversial topic in the context of cybersecurity because it can be used both by companies to defend against cybercriminals and by cybercriminals to attack companies.

Data poisoning

Data poisoning refers to a cyberattack where cybercriminals alter AI model integrity by injecting minimally-perturbed samples into the training datasets. The wrongdoers can subtly manipulate datasets for AI algorithms training using their own AI models and gradually change AI systems’ outputs the way they want without raising suspicion.

Password guessing

Those popup windows that ask you to use more complex passwords are more than just an annoyance. Modern deep-learning-based password guessing systems can easily link many data traces that you have left on the limitless expanse of the internet to your personality and guess a simple password in a matter of seconds. People that use their favorite color or model of car, dog’s name, date of birth, or beloved song name for passwords stand no chance against today’s AI-based systems. This is why it’s highly advisable to use long passwords that make absolutely no sense to thwart such AI-powered attacks.

Deepfake manipulation

Most flashy uses of AI among hackers revolve around deepfake manipulation. It's now possible to impose a new deepfake identity onto a participant in real time, thanks to DeepFaceLive, a streaming implementation of DeepFaceLab, the most popular open-source project for superimposing photorealistic identities onto individuals in video footage. The most famous deepfake crime to date was defrauding $243,000 from a company CEO, with an audio deepfake impersonation of a chief executive used to obtain a wire transfer. Now that it's possible to add video to audio deepfakes in real time, the attacks can be highly realistic.

Improve your cybersecurity with AI

Facing the sophistication and scale of modern cyberattacks, it has become clear that conventional approaches to cybersecurity no longer suffice. Cybercriminals are using AI to automate their attacks and evade detection, so businesses need to fight fire with fire by integrating AI into their security solutions. This will help them improve their threat detection, identify emerging trends and stay one step ahead of the attackers. As the reliance on technology grows, cyber threat protection will become ever more important, and AI will play a vital role. If you are looking for a robust AI-based cybersecurity solution to withstand even the most sophisticated cyber threats, feel free to contact Itransition’s experts to discuss your project.

Cyber security consulting

We provide businesses with a broad range of cyber security services, covering all types of organizational IT assets. Get our assistance

AI services and solutions

Explore our range of AI services, along with key AI use cases, related technologies, and adoption guidelines.

Machine learning in manufacturing: key applications, examples & adoption guidelines

Learn how machine learning can help manufacturers to improve operational efficiency, discover real-life examples, and learn when and how to implement it.

AI in the automotive industry: 20 use cases and examples

Learn how artificial intelligence transforms modern automobiles and discover over 20 use cases and real-life examples of AI in automotive.

Using AI to scale wealth management

Discover how wealth management companies use AI to generate more leads, automate back-office tasks, improve customer relationships, and improve bottom lines

Sales and general inquires

Want to join Itransition?

Please be informed that when you click the Send button Itransition Group will process your personal data in accordance with our Privacy notice for the purpose of providing you with appropriate information.

The total size of attachments should not exceed 10 MB.

Allowed types:

Explore AI by Industry PLUS
Consumer goods
Heavy industry
Natural resources
Professional services
Transportation
AI Best Practice Guides PLUS
AI White Paper Library PLUS
AI Business Process Explorer PLUS
Enterprise AI Newsletter
Emerj Plus Research
AI in Business Podcast
The AI Consulting Podcast
AI in Financial Services Podcast
Precisely – Building Trust in Data
Shift Technology – How Insurers are Using AI
Uniphore – The Future of Banking CX in APAC
Uniphore – The Economic Impact of Conversational AI and Automation
Uniphore – The Future of Complaints Management
Uniphore – Conversational AI in Banking

Artificial Intelligence in Cybersecurity – Current Use-Cases and Capabilities

Raghav is serves as Analyst at Emerj, covering AI trends across major industry updates, and conducting qualitative and quantitative research. He previously worked for Frost & Sullivan and Infiniti Research.

Artificial Intelligence in Cybersecurity - What's Possible Today

AI has made some inroads in the cybersecurity sector and several AI vendors claim to have launched products that use AI to help safeguard against cyber threats. At Emerj, we’ve seen many cybersecurity vendors offering AI and machine learning-based products to help identify and deal with cyber threats. Even the Pentagon created the Joint Artificial Intelligence Center (JAIC) to upgrade to AI-enabled capabilities in their cybersecurity efforts.

In this article, we list out some of the more common use-cases for AI in cybersecurity, where there has been some evidence of real-world business use. Specifically, we cover:

AI for Network Threat Identification

AI Email Monitoring

AI-based Antivirus Software

AI-based User Behavior Modeling

Ai for fighting ai threats.

We begin our analysis of AI in the cybersecurity space with an explanation for why AI is such a good fit for cybersecurity.

The Natural Fit for Artificial Intelligence in Cybersecurity

For a business safeguarding their data, network security is critical, and even small data centers might have hundreds of applications running, each of which need to have different security policies enforced. Human experts might take several days to weeks to fully understand these policies and make sure the security implementation is successful.

Cybersecurity inherently involves repetitiveness and tediousness. This is because identification and assessment of cyberthreats require scouring through large volumes of data and looking for anomalous data points. Companies can use the data collected by their existing rules-based network security software to train AI algorithms towards identifying new cyberthreats.

Understanding the consequences of the attack and the response needed from the company also requires further data analysis. AI algorithms can be trained to take certain predefined steps in the event of an attack and over time can learn what the most ideal response should be through input from cybersecurity subject-matter experts.

Human security experts cannot match the speed and scale at which AI software can accomplish these data analysis tasks. Additionally, AI-based cybersecurity data analysis software can complete the task with consistently higher accuracy than human analysts. Large-scale data analysis and anomaly detection are some of the areas where AI might add value today in cybersecurity.

Many cybersecurity intrusions usually operate over the enterprise network monitoring the data going in and out of the network is one way to detect cybersecurity threats. Monitoring each ‘packet’ of data that is part of the enterprise networks communications is almost impossible for human analysts to monitor accurately.

Machine learning-based software can potentially use multiple techniques such as statistical analysis, keyword matching, and anomaly detection to determine if a given packet of data is different enough from the baseline of data packets used in the training dataset.

All of this seems to indicate that artificial intelligence is now starting to be seen as an effective tool to gain serious advantages against fraudsters and hackers.

AI for Network Threat Identification

Enterprise network security is critical for most companies, and the hardest part about establishing good network cybersecurity processes is understanding all the various elements involved in the network topography. For human cybersecurity experts, this means time-consuming work in tracking all the communications going in and out of the enterprise network.

Managing the security of these enterprise networks involves identifying which connection requests are legitimate and which are attempting unusual connection behavior, such as sending and receiving large volumes of data or having unusual programs running after connection to an enterprise network.

The challenge for cybersecurity experts lies in identifying which parts of an application, whether on the web, mobile platforms, or applications that are in development or testing, might be malicious. Identifying the malicious applications amongst thousands of similar programs in a large-scale enterprise network requires enormous amounts of time and human experts are not always accurate.

AI-based network security software can potentially monitor all incoming and outgoing network traffic in order to identify any suspicious or out of the ordinary patterns in the traffic data. The data in question here is usually too voluminous for human cybersecurity experts to accurately classify threat incidents.

In a real-world example, the startup ShieldX Networks claims they use AI to speed up the process of identifying which security policies are applicable for each application. In addition, the company claims their software can study the network communications data for each application over a period of time and then generate suggestions for security policy for that application.

Apart from this, in the banking sector AI vendors such as Versive (now acquired by eSentire) offer enterprise cybersecurity AI software that use anomaly detection to identify network security threats. The company claims their software can help financial firms and banks with adversary detection and cybersecurity threat management.

AI vendor Versive (now acquired by eSentire) offers enterprise cybersecurity AI software called the VSE Versive Security Engine, which they claim can help banks and financial institutions analyze large datasets of transactions and cybersecurity-related data using machine learning.

Versive claims banks NetFlow (network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic), proxy, DNS data (computer network data) as inputs to the Versive Security Engine. The software can then monitor enterprise networks using anomaly detection to alert human officers in case of deviations in the data that might be similar to events in past cyberthreats.

Enterprise firms understand the importance of monitoring email communications in order to prevent cybersecurity hacking attempts such as phishing. Machine learning-based monitoring software is now being used to help improve the detection accuracy and the speed of identifying cyberthreats.

Several different AI technologies are being used for this use-case. For instance, some software use computer vision to “view” emails to see if there are features in the email that might be indicative of threats, such as images of a certain size. In other cases, natural language processing is used to read through the text in emails coming in and going out of the organization and identify phrases or patterns in text that are associated with phishing attempts. Using anomaly detection software can help identify if the email’s sender, recipient, body, or attachments are threats.

This use-case again highlights AI’s strengths with large scale data analysis. It is not difficult for a human employee to read through an email and identify suspicious features, but doing so for millions of emails sent and received within large organizations on a day-to-day basis is simply impossible. AI software can instead read through all the incoming and outgoing emails and report the most likely cases of cybersecurity threats to security personnel.

For instance, Tessian claims to provide email monitoring AI software that can help financial firms prevent misdirected emails, prevent data breaches and phishing attacks. The company’s software likely uses natural language processing and anomaly detection in different steps in order to identify which emails are likely cybersecurity threats.

AI-based Antivirus Software

Traditional antivirus software function by scanning files on an enterprise network to see if any of them match the signature of known malware or viruses. The problem with this approach is that it is dependent on security updates for the antivirus software when new viruses are discovered. Additionally, this method makes traditional antivirus software slow in terms of real-time threat detection and makes deploying a scalable system challenging.

In contrast, AI-based antivirus software in many cases uses anomaly detection to study program behavior. Antivirus systems using AI focus on detecting unusual behavior generated by programs rather than matching signatures of known malware.

While traditional antivirus software works well for threats that have been previously encountered and identified through its public signature, new threats are not easily detected and resolved by these types of software. Steve Grobman, SVP at McAfee claims that most traditional antivirus software can achieve a 90% threat detection rate . The added advantage that AI brings to the table in this use-case is in increasing the threat detection rate to even 95% or above.

Cylance, which was acquired by Blackberry, claims their Smart Antivirus product offering uses AI to predict, detect and respond to cybersecurity threats. The company claims that unlike traditional antivirus software, Cylance’s AI-enhanced Smart Antivirus does not need virus signature updates but rather learns to identify patterns that indicate malicious programs from scratch over time.

Some types of cybersecurity attacks on enterprise systems can compromise specific users in the organization by taking over their login credentials without their knowledge. Cyberattackers who have stolen a user’s credentials can gain access to an enterprise network through technically-legitimate means and are thus hard to detect and stop. AI-based cybersecurity systems can be used to detect a pattern of behavior for particular users in order to identify changes in those patterns. In doing so, they can alert security teams when that pattern is broken.

AI vendors such as Darktrace offer cybersecurity software that they claim uses machine learning to analyze raw network traffic data to understand the baseline of what normal behavior is for each user and device in an organization. Using training datasets and inputs from subject-matter experts, the software learns to identify what constitutes a significant deviation from the normal baseline behavior and immediately alert the organization to cyber threats.

Companies need to improve the speed at which they detect cyberthreats because hackers are now employing AI to potentially discover points of entry in enterprise networks. Thus, deploying AI software to guard against AI-augmented hacking attempts might become a necessary part of cybersecurity defense protocols in the future.

In the past couple of years, companies around the world have succumbed to cyberthreats and ransomware attacks such as WannaCry and NotPetya. These types of attacks spread rapidly and affect a large number of computers. It’s likely that the perpetrators of these types of attacks might use AI technology in the future. The advantage that AI could give these hackers is similar to what AI offers in businesses: rapid scalability.

Cybersecurity Vendor Crowdstrike claims their security software, Falcon Platform , uses AI to guard against such ransomware threats. The software reportedly uses anomaly detection for end-point security in enterprise networks. The video below demonstrates how the software works:

The Future of AI in Cybersecurity

AI-use in cybersecurity systems can still be termed as nascent at the moment. Businesses need to ensure that their systems are being trained with inputs from cybersecurity experts which will make the software better at identifying true cyber attacks with far more accuracy than traditional cybersecurity systems.

Businesses need to understand that these systems are only as good as the data that is being fed to them. AI systems are usually famously touted to be “garbage in, garbage out” systems, and a data-centric approach to AI projects is necessary for continued success.

The one challenge for companies using purely AI-based cybersecurity detection methods is to reduce the number of false-positive detections. This might potentially get easier to do as the software learns what has been tagged as false positive reports. Once a baseline of behavior has been constructed, the algorithms can flag statistically significant deviations as anomalies and alert security analysts that further investigation is required.

Cybersecurity applications are among the most popular AI applications today. This is in large part due to the fact that these applications rely on anomaly detection which machine learning models are very well suited for. Additionally, most large businesses might already have existing cybersecurity teams, product development budgets and IT infrastructure to handle large amounts of data.

Header image credit: Vice

The top 100 global banks, including Goldman Sachs, are beginning to take AI strategies very…

Artificial intelligence is changing the way healthcare networks do business and physicians perform their routine…

Morgan Stanley is a US financial institution known mostly for its financial advisory services. According…

Barclays is a UK bank ranked 20th on S&P Global’s list of the top 100 banks.…

HSBC Holdings is a multinational banking and financial services holding company and is ranked 99th…

Musical Artificial Intelligence – 6 Applications of AI for Audio

The U.S. music industry is an economic staple generating an estimated $7.7 billion in retail revenue in 2016, according to the Recording Industry Association of America. The year 2016 also marked the first time that music industry revenue was generated primarily from “streaming music platforms.”

Artificial Intelligence at the CIA – Current Applications

It is clear the United States government has recently taken a strong stance in attempts to proliferate artificial intelligence technology innovations for the United States Department of Defense. There are those who believe that the US, Russia, and China have entered into a modern day Space Race-style competition to develop and harness artificial intelligence technologies.

Artificial Intelligence in Corporate Banking – Current Applications

AI software for corporate banks is not too different from those for retail banks, although their data requirements and intentions for the software will differ. AI vendors currently selling to banks typically have clients covering all types of banking, but few specify any of their solutions to be for corporate banking specifically. Instead, they market themselves across the entire industry and give corporate banking details where appropriate.

Artificial Intelligence in Business Intelligence 950×540

6 Examples of AI in Business Intelligence Applications

Enterprise seems to be entering a new era ruled by data. What was once the realm of science fiction, AI in business intelligence is evolving into everyday business as we know it. Companies can now use machines algorithms to identify trends and insights in vast reams of data and make faster decisions that potentially position them to be competitive in real-time.

AI for Cybersecurity in Finance – Current Applications

In 2017, Equifax’s systems were compromised by hackers, and the data of over 143 million Americans was exposed. Other incidents, such as the WannaCry and Petya ransomware scams, have highlighted the vulnerabilities in financial cybersecurity globally. According to the Global Banking and Finance Review, such cyber attacks have cost nearly USD 360 billion per year in losses for each of the last three years.

Market Reasearch and Advisory
AI Presentations and Keynotes
Emerj Plus Membership
AI In Business Podcast
AI In Finance Services Podcast
Subscribe to our AI Newsletter
Advertise with us
Terms and Conditions
Refund and Cancellation Policy
Privacy Policy

Review Study of the Impact of Artificial Intelligence on Cyber Security

Ieee account.

Change Username/Password
Update Address

Purchase Details

Payment Options
Order History
View Purchased Documents

Profile Information

Communications Preferences
Profession and Education
Technical Interests
US & Canada: +1 800 678 4333
Worldwide: +1 732 981 0060
Contact & Support
About IEEE Xplore
Accessibility
Terms of Use
Nondiscrimination Policy
Privacy & Opting Out of Cookies

A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity. © Copyright 2024 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.

Portal login

ASD Cyber Threat Report 2022-2023

This rating relates to the complexity of the advice and information provided on the page.

Content written for

Attachments.

ASD's Cyber Threat Report 2022-2023 7.67MB .pdf
Fact Sheets - Businesses & Organisations - 2022-2023 190KB .pdf
Fact sheets - Critical Infrastructure - 2022-2023 172KB .pdf
Fact Sheets - Individuals - 2022-2023 173KB .pdf

I am pleased to present the Annual Cyber Threat Report 2022–23 developed by the Australian Signals Directorate (ASD).

As the Defence Strategic Review made clear, in the post-Second World War period Australia was protected by its geography and the limited ability of other nations in the region to project combat power. In the current strategic era, Australia’s geographic advantages have been eroded as more countries have enhanced their ability to project combat power across greater ranges, including through the rapid development of cyber capabilities.

Australia’s region, the Indo-Pacific, is also now seeing growing competition on multiple levels – economic, military, strategic and diplomatic – framed by competing values and narratives.

In this context, Australian governments, critical infrastructure, businesses and households continue to be the target of malicious cyber actors. This report illustrates that both state and non-state actors continue to show the intent and capability to compromise Australia’s networks. It also highlights the added complexity posed by emerging technologies such as artificial intelligence.

The report demonstrates the persistent threat that state cyber capabilities pose to Australia. This threat extends beyond cyber espionage campaigns to disruptive activities against Australia’s essential services. The report also confirms that the borderless and multi-billion dollar cybercrime industry continues to cause significant harm to Australia, with Australians remaining an attractive target for cybercriminal syndicates around the world.

Through case studies, the report demonstrates the persistence and tenacity of these cyber actors. It shows that these adversaries constantly test vulnerabilities in Australia’s cyber ecosystem and employ a range of techniques to evade Australia’s cyber defences.

The threat environment characterised in this report underscores the importance of ASD’s work in defending Australia’s security and prosperity. It also reinforces the significance of the Australian Government’s investment in ASD’s cyber and intelligence capabilities under Project REDSPICE (Resilience, Effects, Defence, Space, Intelligence, Cyber, Enablers).

It is clear we must maintain an enduring focus on cyber security in Australia. The Australian Government is committed to leading our nation’s efforts to bolster our cyber resilience.

We also know that the best cyber defences are founded on genuine partnerships between and across the public and private sectors. The development of this report, which draws on insights from across the Commonwealth Government, our international partners, Australian industry and the community, is a testament to this collaboration.

This report presents a clear picture of the cyber threat landscape we face and is a vital part of Australia’s collective efforts to enhance our cyber resilience.

The Hon Richard Marles, MP Deputy Prime Minister and Minister for Defence

Richard Marles - Defence Minister standing in front of the Australian Flag

About ASD’s ACSC

ASD’s Australian Cyber Security Centre (ACSC) is the Australian Government’s technical authority on cyber security. The ACSC brings together capabilities to improve Australia’s national cyber resilience and its services include:

the Australian Cyber Security Hotline, which is contactable 24 hours a day, 7 days a week, via 1300 CYBER1 (1300 292 371)
publishing alerts, technical advice, advisories and notifications on significant cyber security threats
cyber threat monitoring and intelligence sharing with partners, including through the Cyber Threat Intelligence Sharing (CTIS) platform
helping Australian entities respond to cyber security incidents
exercises and uplift activities to enhance the cyber security resilience of Australian entities
supporting collaboration between over 110,000 Australian organisations and individuals on cyber security issues through ASD’s Cyber Security Partnership Program.

The most effective cyber security is collaborative and partnerships are key to this work. ASD thanks all of the organisations that contributed to this report. This includes Australian local, state, territory and federal government agencies, and industry partners.

Executive summary

Malicious cyber activity continued to pose a risk to Australia’s security and prosperity in the FY 2022-23. A range of malicious cyber actors showed the intent and capability needed to compromise vital systems, and Australian networks were regularly targeted by both opportunistic and more deliberate malicious cyber activity.

ASD responded to over 1,100 cyber security incidents from Australian entities. Separately, nearly 94,000 reports were made to law enforcement through ReportCyber – around one every 6 minutes.

ASD identified a number of key cyber security trends in FY 2022–23:

State actors focused on critical infrastructure – data theft and disruption of business.

Globally, government and critical infrastructure networks were targeted by state cyber actors as part of ongoing information-gathering campaigns or disruption activities. The AUKUS partnership, with its focus on nuclear submarines and other advanced military capabilities, is likely a target for state actors looking to steal intellectual property for their own military programs. Cyber operations are increasingly the preferred vector for state actors to conduct espionage and foreign interference.

In 2022–23, ASD joined international partners to call out Russia’s Federal Security Service’s use of ‘Snake’ malware for cyber espionage, and also highlighted activity associated with a People’s Republic of China state-sponsored cyber actor that used ‘living-off-the-land’ techniques to compromise critical infrastructure organisations.

Australian critical infrastructure was targeted via increasingly interconnected systems .

Operational technology connected to the internet and into corporate networks has provided opportunities for malicious cyber actors to attack these systems. In 2022–23, ASD responded to 143 cyber security incidents related to critical infrastructure.

Cybercriminals continued to adapt tactics to extract maximum payment from victims.

Cybercriminals constantly evolved their operations against Australian organisations, fuelled by a global industry of access brokers and extortionists. ASD responded to 127 extortion-related incidents: 118 of these incidents involved ransomware or other forms of restriction to systems, files or accounts. Business email compromise remained a key vector to conduct cybercrime. Ransomware also remained a highly destructive cybercrime type, as did hacktivists’ denial-of-service attacks, impacting organisations’ business operations.

Data breaches impacted many Australians .

Significant data breaches resulted in millions of Australians having their information stolen and leaked on the dark web.

One in 5 critical vulnerabilities was exploited within 48 hours.

This was despite patching or mitigation advice being available. Malicious cyber actors used these critical flaws to cause significant incidents and compromise networks, aided by inadequate patching.

Cyber security is increasingly challenged by complex ICT supply chains and advances in fields such as artificial intelligence. To boost cyber security, Australia must consider not only technical controls such as ASD’s Essential Eight, but also growing a positive cyber-secure culture across business and the community. This includes prioritising secure-by-design and secure-by-default products during both development (vendors) and procurement (customers).

ASD’s first year of REDSPICE increased cyber threat intelligence sharing, the uplift of critical infrastructure, and an enhanced 24/7 national incident response capability.

Genuine partnerships across both the public and private sectors have remained essential to Australia’s cyber resilience; and ASD’s Cyber Security Partnership Program has grown to include over 110,000 organisations and individuals.

Year in review

What asd saw.

Average cost of cybercrime per report, up 14 per cent

small business: $46,000
medium business: $97,200
large business: $71,600.

Nearly 94,000 cybercrime reports, up 23 per cent

on average a report every 6 minutes
an increase from 1 report every 7 minutes.

Answered over 33,000 calls to the Australian Cyber Security Hotline, up 32 per cent

on average 90 calls per day
an increase from 69 calls per day.

Top 3 cybercrime types for individuals

identity fraud
online banking fraud
online shopping fraud.

Top 3 cybercrime types for business

email compromise
business email compromise (BEC) fraud
online banking fraud.

Publicly reported common vulnerabilities and exposures (CVEs) increased 20 per cent.

What ASD did

Responded to over 1,100 cyber security incidents , similar to last year.
10 per cent of all incidents responded to included ransomware , similar to last year.
Notified 158 entities of ransomware activity on their networks, compared to 148 last year, roughly a 7 per cent increase.
Australian Protective Domain Name System blocked over 67 million malicious domain requests, up 176 per cent.
Domain Takedown Service blocked over 127,000 attacks against Australian servers, up 336 per cent.
Cyber Threat Intelligence Sharing partners grew by 688 per cent to over 250 partners.
issued 103 High-priority Operational Taskings, up 110 per cent
distributed around 4,900 reports to approximately 1,360 organisations, up 16 per cent and 32 per cent respectively.
3 CI-UPs completed covering 6 CI assets
3 CI-UPs in progress
20 CI-UP Info Packs sent
5 CI-UP workshops held.
Notified 7 critical infrastructure entities of suspicious cyber activity , up from 5 last year.
Published or updated 34 PROTECT and Information Security Manual (ISM) guidance publications .
Published 64 alerts, advisories, incident and insight reports on cyber.gov.au and the Partnership Portal.
Individual Partners up 24 per cent
Business Partners up 37 per cent
Network Partners up 29 per cent.
Led 20 cyber security exercises involving over 75 organisations to strengthen Australia’s cyber resilience.
Briefed board members and company directors covering 33 per cent of the ASX200.

ASD is able to build a national cyber threat picture, in part due to the timely and rich reporting of cyber security incidents by members of the public and Australian business. This aggregation of cyber security incident data enables ASD to inform threat mitigation advice with the latest trends and threats posed by malicious cyber actors. Any degradation in the quantity or quality of information reported to ASD harms cyber security outcomes. Information reported to ASD is anonymised prior to it being communicated to the community.

ASD categorises each incident it responds to on a scale of Category 1 (C1), the most severe, to Category 6 (C6), the least severe. Incidents are categorised on severity of effect, extent of compromise, and significance of the organisation.

The number of C2 incidents rose from 2 in FY 2021–22 to 5 in FY 2022–23. This includes significant data breaches involving cybercriminals exfiltrating data from critical infrastructure for the purposes of financial gain.

Cyber security incidents are consistent with last financial year, with around 15 per cent of all incidents being categorised C3 or above. Of the C3 incidents, over 30 per cent related to organisations self-identifying as critical infrastructure, with transport (21 per cent), energy (17 per cent), and higher education and research (17 per cent) the most affected sectors.

The most common C3 incident type was compromised assets, network or infrastructure (23 per cent), followed by data breaches (19 per cent) and ransomware (14 per cent). Common activities leading to C3 incidents included exploitation of public–facing applications (20 per cent) and phishing (17 per cent).

Almost a quarter (24 per cent) of C3 incidents involved a tipper, where ASD notified the affected organisations of suspicious activity.

While reports of low-level malicious attacks are often categorised as unsuccessful, reports of unsuccessful activity are still indicative of continual targeting of Australian entities.

ASD responded to over 1,100 cyber security incidents, around the same as in the last financial year

Cyber security incidents by sector

Compared to 2021–22, the information media and telecommunications sector fell out of the top 5 reporting sectors.

Government sectors and regulated critical infrastructure have reporting obligations, which may explain the relatively high reporting rate for these sectors compared with others.

ASD categorises sectors following the Australian and New Zealand Standard Industrial Classification (ANZSIC) Divisions from the Australian Bureau of Statistics. The public safety and administration division encompasses several sectors including federal, state, territory and local governments, public order and safety services, and Defence.

Table 3 : The top 10 reporting sectors

Federal Government 30.7%, State and local government 12.9%, Professional, scientific and technical services 6.9%, and 7 more.

Chapter 1: Exploitation

Half of vulnerabilities were exploited within 2 weeks of a patch, or of mitigation advice being released, highlighting the risks entities take by not promptly patching.
Patching vulnerabilities in internet-facing services should occur within 2 weeks, or 48 hours if an exploit exists.
Vulnerable internet-facing devices and applications are convenient targets for malicious cyber actors. In addition to patching, unnecessary internet-facing services should be disabled.

Vulnerable and exposed

As Australians integrate more technology into their lives and businesses, the number of possible weak points or vectors for malicious cyber actors to exploit – known as the attack surface – grows. The larger the attack surface, the harder it is to defend. Malicious cyber actors often exploit security weaknesses found in ICT, known as common vulnerabilities and exposures (CVEs), to break into systems, steal data, or even take complete control over a system.

The number of published CVEs has been steadily on the rise. The US National Vulnerability Database published 19,379 CVEs in FY 2020–21, 24,266 CVEs in FY 2021–22, and 29,019 CVEs in FY 2022–23.

To identify the rates at which CVEs were exploited after a patch or mitigation was made available, ASD analysed 60 CVEs covering 1 July 2020 to 28 February 2023. The analysis found around 82 per cent of vulnerabilities had an attack vector of ‘network’ under the Common Vulnerability Scoring Scheme. This indicates that malicious actors prefer vulnerabilities that are remotely exploitable and are present on internet-facing or edge devices. Exploitation of these vulnerabilities allows malicious actors to pivot into internal networks. The analysis also found:

1 in 5 vulnerabilities was exploited within 48 hours of a patch or mitigation advice being released
half of the vulnerabilities were exploited within 2 weeks of a patch or mitigation advice being released
2 in 5 vulnerabilities were exploited more than one month after a patch or mitigation advice was released.

Despite more than 90 per cent of CVEs having a patch or mitigation advice available within 2 weeks of public disclosure, 50 per cent of the CVEs were still exploited more than 2 weeks after that patch or mitigation advice was published. This highlights the risk entities carry when not patching promptly. These risks are heightened when a proof-of-concept code is available and shared online, as malicious cyber actors can leverage this code for use in automated tools, lowering the barrier for exploitation.

ASD observed that Log4Shell (CVE-2021-44228) and ProxyLogon (CVE-2021-26855) were by far the most commonly exploited vulnerabilities throughout the analysis period, with these 2 vulnerabilities representing 29 per cent of all CVE-related incidents.

CVEs do not have an expiration date. In one instance, ASD observed that malicious cyber actors successfully exploited an unpatched 7-year-old CVE. Additionally, ASD still receives periodic reports of WannaCry malware – 6 years after its release – which is likely due to old, infected legacy machines being powered on and connected to networks. Incidents like this highlight the importance of patching as soon as possible, and also demonstrate the long tail of risks that unpatched and legacy systems can pose to entities.

Percentage of vulnerabilities by time to exploit

During 2022–23, ASD published many alerts warning Australians of vulnerabilities, such as the critical remote code execution vulnerability in Fortinet devices (CVE-2022-40684), and a high-severity vulnerability present in Microsoft Outlook for Windows (CVE-2023-23397). ASD also published a joint Five-Eyes advisory detailing the top 12 CVEs most frequently and routinely exploited by malicious cyber actors for the 2022 calendar year.

To help mitigate vulnerabilities, ASD recommends all entities patch, update or otherwise mitigate vulnerabilities in online services and internet-facing devices within 48 hours when vulnerabilities are assessed as critical by vendors or when working exploits exist. Otherwise, vulnerabilities should be patched, updated or otherwise mitigated within 2 weeks. Entities with limited cyber security expertise who are unable to patch rapidly should consider using a reputable cloud service provider or managed service provider that can help ensure timely patching.

ASD acknowledges not all entities may be able to immediately patch, update or apply mitigations for vulnerabilities due to high-availability business requirements or system limitations. In such cases, entities should consider compensating controls like disabling unnecessary internet-facing services, strengthening access controls, enforcing network separation, and closely monitoring systems for anomalous activity. Entities should ensure decision makers understand the level of risk they hold and the potential consequences should their systems or data be compromised as a result of a malicious actor exploiting unmitigated vulnerabilities.

Further patching advice can be found in ASD’s Assessing Vulnerabilities and Applying Patches guide.

Cyber hygiene

In addition to patching, effective cyber security hygiene is vital. At cyber.gov.au, ASD has published a range of easy-to-understand advice and guides tailored for individuals, small and medium business, enterprises, and critical infrastructure providers.

All Australians should:

enable multi-factor authentication (MFA) for online services where available
use long, unique passphrases for every account if MFA is not available, particularly for services like email and banking (password managers can assist with such activities)
turn on automatic updates for all software – do not ignore installation prompts
regularly back up important files and device configuration settings
be alert for phishing messages and scams
sign up for the ASD’s free Alert Service
report cybercrime to ReportCyber.

Australian organisations should also:

only use reputable cloud service providers and managed service providers that implement appropriate cyber security measures
regularly test cyber security detection, incident response, business continuity and disaster recovery plans
review the cyber security posture of remote workers, including their use of communication, collaboration and business productivity software
train staff on cyber security matters, in particular how to recognise scams and phishing attempts
implement relevant guidance from ASD’s Essential Eight Maturity Model, Strategies to Mitigate Cyber Security Incidents and Information Security Manual
join ASD’s Cyber Security Partnership Program
report cybercrime and cyber security incidents to ReportCyber.

Case study 1: Malicious cyber actors exploit devices 2 years after patch

On 24 May 2019, Fortinet, a US vendor that creates cyber security products, released a security advisory and accompanying patch for CVE-2018-13379, which was a severe vulnerability that required immediate patching.

On 2 April 2021, the US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on the exploitation of Fortinet FortiOS vulnerabilities, which indicated advanced persistent threat (APT) groups were scanning devices for CVE-2018-13379 and likely to gain access to multiple government, commercial, and technology services networks.

On 3 April 2021, ASD released an alert reminding organisations that APT groups had been observed exploiting CVE-2018-13379. Later, in September 2021, ASD received a report of a successful exploitation of CVE-2018-13379 against an Australian entity. Despite being vulnerable for more than 2 years, the victim’s device had not been patched.

While it is difficult to ascertain how widely Fortinet devices are used globally, researchers identified around 50,000 targets that remained vulnerable 2 years after the patch was released. This number is so significant that it was added to CISA’s Top Routinely Exploited Vulnerabilities list.

The primary mitigation against these attacks is to patch vulnerabilities as soon as possible. If patching is not immediately possible, the entity should consider removing internet access from Fortinet devices until other mitigations can be implemented.

Case study 2: A network compromise at the Shire of Serpentine Jarrahdale

The rural Shire of Serpentine Jarrahdale, 45 kilometres from the Perth CBD, may seem an unlikely place for malicious cyber activity to unfold. But, in early 2023, the Shire experienced a network compromise. Shire ICT Manager Matthew Younger said the malicious cyber actor took advantage of a public-facing system. ‘We’re quite diligent with our patching, but unfortunately we missed an update to our remote work server,’ Mr Younger said.

Before taking immediate remediation action, the Shire’s ICT team held a conference call with ASD to discuss the best way to manage the compromise, and Mr Younger said ASD’s help was first-class. ‘We put a perimeter around the compromised server, checked for lateral movement, and gathered evidence to work out what happened. Everything we found led back to the importance of the Essential Eight.’

ASD also sent an incident responder to help the Shire’s ICT team capture virtual machine snapshots and log data. ASD handles incident data with strict confidentiality, and such data helps its analysts understand how cyber security incidents occur and produces intelligence to help build the national cyber threat picture and to prevent further attacks.

Mr Younger said that after the compromise, the Shire doubled-down on its efforts to implement ASD’s Essential Eight. ‘We enforced passphrases, we improved our information security policies, and we improved our user security training. We also validated our controls through penetration testing and phishing exercises.’

Mr Younger credits much of the Shire’s success to its agile leadership who, with limited resources, foster the right security culture to both respond to cyber threats and implement mitigations.

CVE-2020-5902

BIG-IP refers to a suite of products from cyber security vendor F5, which includes firewall and application delivery solutions. On 1 July 2020, F5 released a security advisory detailing a critical vulnerability in their BIG-IP Traffic Management User Interface (TMUI). Within 48 hours of patch release, security researchers discovered malicious cyber actors scanning for and exploiting unpatched devices.

The Essential Eight

ASD’s Essential Eight are some of the most effective cyber security mitigation strategies, and includes:

ASD uses its cyber threat intelligence to ensure its cyber security advice is contemporary and actionable. ASD’s advice is not formed in a silo. Feedback from partners across government and industry, such as how cyber security mitigations are implemented within organisations, is important. Feedback helps ASD update advice like the Essential Eight.

More information on the Essential Eight, including the Essential Eight Assessment Process Guide and Essential Eight Maturity Model Frequently Asked Questions , can be found at cyber.gov.au.

Chapter 2: Critical infrastructure

During FY 2022–23, Australian critical infrastructure networks regularly experienced both targeted and opportunistic malicious cyber activity. Activity against these networks is likely to increase as networks grow in size and complexity.
Malicious cyber actors can steal or encrypt data, or gain insider knowledge for profit or competitive advantage. Some actors may attempt to degrade or disrupt services and these incidents can have cascading impacts.
Designing robust cyber security measures for operational technology environments is vital to protect the safety, availability, integrity and confidentiality of essential services. Secure-by-design and secure‑by-default products should be a priority.

Actors target critical infrastructure for many reasons

Critical infrastructure assets and networks are attractive targets for malicious cyber activity as these assets need to hold sensitive information, maintain essential services, and often have high levels of connectivity with other organisations and critical infrastructure sectors.

A cyber incident can result in a range of impacts to critical services. For instance, the disruption of an electricity grid could cause a region to lose power. Without power, a hospital may lose access to patient records and struggle to function, internet services may be down and affect communications and payment systems, or water supply could be impacted.

Globally, a broad range of malicious cyber actors, including state actors, cybercriminals and issue‑motivated groups, have demonstrated the intent and the capability to target critical infrastructure. Malicious cyber actors may target critical infrastructure for a range of reasons. For example, they may:

attempt to degrade or disrupt services, such as through denial-of-service (DoS) attacks, which can have a significant impact on service providers and their customers
steal or encrypt data or gain insider knowledge for profit or competitive advantage
preposition themselves on systems by installing malware, in anticipation of future disruptive or destructive cyber operations, potentially years in advance
covertly seek sensitive information through cyber espionage to advance strategic aims.

Critical infrastructure can be targeted by the mass scanning of networks for both old and new vulnerabilities. In February 2023, an Italian energy and water provider was affected by ransomware. While there was no indication the water or energy supply was affected, it reportedly took 4 days to restore systems like information databases. Italy’s National Cybersecurity Agency publicly noted the ransomware attack targeted older and unpatched software, exploiting a 2-year-old vulnerability.

Critical infrastructure is a target globally

During 2022–23, critical infrastructure networks around the world continued to be targeted, causing impacts on network operators and those relying on critical services. In the latter half of 2022, the French health system reportedly sustained a number of cyber incidents. One hospital fell victim to a ransomware incident, resulting in the cancellation of some surgical operations and forcing patients to be transferred to other hospitals. The hospital’s computer systems had to be shut down to isolate the attack.

Russia’s war on Ukraine has continued to demonstrate that critical infrastructure is viewed as a target for disruptive and destructive cyber operations during times of conflict. Malicious cyber actors have targeted and disrupted hospitals, airports, railways, telecommunication providers, energy utilities, and financial institutions across Europe. Destructive malware was also used against critical infrastructure in Ukraine.

In September 2022 and May 2023, ASD and its international partners published advisories highlighting that state actors were targeting multiple US critical infrastructure sectors, and strongly encouraged Australian entities to review their networks for signs of malicious activity. More details about these advisories is in the state actor chapter .

Australian critical infrastructure is impacted

Australian critical infrastructure networks regularly experienced both targeted and opportunistic malicious cyber activity. During 2022–23, ASD responded to 143 incidents reported by entities who self-identified as critical infrastructure, an increase from the 95 incidents reported in 2021–22. The vast majority of these incidents were low-level malicious attacks or isolated compromises.

The main cyber security incident types affecting Australian critical infrastructure were:

compromised account or credentials
compromised asset, network or infrastructure

These incident types accounted for approximately 57 per cent of the incidents affecting critical infrastructure for 2022–23. Other more prominent incident types were data breaches followed by malware infection.

ASD encourages critical infrastructure entities to report anomalous activity early and not wait until malicious activity reaches the threshold for a mandatory report. Reporting helps piece together a picture of the cyber threat landscape, and informs ASD’s cyber security alerts and advisories for the benefit of all Australian entities.

Critical infrastructure networks have a broad attack surface

The interconnected nature of critical infrastructure networks, and the third parties in their ICT supply chain, increases the attack surface for many entities. This includes remote access and management solutions, which are increasingly present in critical infrastructure networks.

Operational technology (OT) and connected systems, including corporate networks, will likely be of enduring interest to malicious cyber actors. OT can be targeted to access a corporate network and vice versa, potentially allowing malicious cyber actors to move laterally through systems to reach their target. Even when OT is not directly targeted, attacks on connected corporate networks can disrupt the operation of critical infrastructure providers.

Systems where software or hardware are not up to date with the latest security mitigations are vulnerable to exploitation, particularly when these systems are exposed to the internet. ICT supply chain and managed service providers are another avenue malicious cyber actors can exploit.

Explainer 1: Operational technology

OT makes up those systems that detect or cause a direct change to the physical environment through the monitoring or control of devices, processes, and events. OT is predominantly used to describe industrial control systems (ICS), which include supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS).

Australian critical infrastructure providers often operate over large geographical areas and require interconnection between dispersed OT environments. Separately, remote access to OT environments from corporate IT environments and the internet has become standard operating procedure. Remote access allows engineers and technicians to remotely manage and configure the OT environment. However, this interconnection or remote access requires an internet connection, which creates additional cyber security risks to OT environments.

In April 2023, irrigation systems in Israel were reportedly disrupted when the ICS supporting the automated water controllers were compromised. Israel’s National Cyber Organisation was able to warn many farmers to disconnect their remote control option for the irrigation systems, so the disruption was minimal. Being able to disconnect from remote control also highlights the value of a manual override mechanism in some instances.

Next-generation OT is expected to contain built-in remote access and security features, which could address some of the issues related to remote access and internet exposure. ASD continues to advise entities to prioritise secure-by-design and secure-by-default products in procurements, and take a risk-based approach to managing risks associated with new technologies or providers. Good cyber security practices will be particularly important during a transition to new technologies.

At cyber.gov.au, ASD has published a range of cyber security guides for OT and ICS, and also principles and approaches to secure-by-design and default.

In focus: food and grocery sector

The food and grocery sector covers a broad supply chain including processing, packaging, importing, and distributing food and groceries. Food and grocery manufacturing is Australia’s largest manufacturing sector, comprising over 16,000 businesses and representing around 32 per cent of all manufacturing jobs. Food and grocery organisations are an attractive target for malicious cyber actors as this sector’s provision of essential supplies has little tolerance for disruption.

The sector’s complex supply chains and growing online sales mean food and grocery organisations have a large attack surface. The sector is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems. Additionally, many entities in this sector hold sensitive data that may be of value to malicious cyber actors, such as personal information or intellectual property.

Like other manufacturing entities, food and grocery organisations have increasingly adopted just-in-time inventory and delivery chains in pursuit of greater efficiency and reduced waste. This means the food and grocery sector is also vulnerable if a supplier is affected by a cyber incident that disrupts services.

Large entities in this sector may be targeted based on the view that they can be extorted for large sums of money. Smaller entities may be perceived as having lower cyber security maturity, and may be used to access more lucrative targets in their supply chain. Malicious cyber actors may seek to remain undetected on systems to establish a secure foothold and then move to other systems within a business to exfiltrate data or maintain a presence for future malicious activity.

A cyberattack against entities in this sector could have significant impacts for both the victim organisation and its customers. For example, a ransomware attack that locks systems could halt production and delivery, rendering a business unable to fulfil its orders. The second order impacts of this could be costly – including lost revenue, or lost confidence from business partners and customers alike.

Early detection of malicious activity is vital for mitigating cyber threats. It can take time to discover a compromised network or system, so robust and regular monitoring is essential. Likewise, practised incident response plans and playbooks should form part of broader corporate and cyber plans to aid remediation and minimise the impact of a compromise. Entities in this sector should seek secure-by-design and secure‑by-default products wherever possible to boost their cyber security posture.

A comprehensive list of resources for critical infrastructure is available at cyber.gov.au, including guidance for cyber incident response and business continuity plans.

Case study 3: Global food distributor held to ransom

In February 2023, Dole – one of the world’s largest producers and distributors of fruit and vegetables – was a victim of a ransomware incident, resulting in a shut down of its systems throughout North America. Other reported impacts included some product shortages, a limited impact on operations, and theft of company data – including some employee information. While Dole acted swiftly to minimise the impacts of the incident, it still reported USD $10.5 million in direct costs, and faced reputational damage.

Explainer 2: Effective separation

Separating network segments can help to isolate critical network elements from the internet or other less sensitive parts of a network. This strategy can make it significantly more difficult for malicious cyber actors to access an organisation’s most sensitive data, and can aid cyber threat detection.

In 2022–23, ASD observed that effective separation through network segmentation and firewall policies prevented malware from impacting an Australian critical infrastructure provider. Additionally, through effective separation an Australian critical infrastructure provider prevented the deployment of malware from a contractor’s USB drive onto their OT environment.

Network separation is more than just a logical or physical design decision: it should also consider where system administration and management services are placed. Often, the corporate IT network is separated from the OT environment, because the corporate IT network is usually seen as having a higher risk of compromise due to its internet connectivity and services like email and web browsing.

However, if a malicious cyber actor compromises the corporate IT network and gains greater access privileges, then the corporate IT firewall may no longer provide the desired level of protection for the OT environment. This similarly applies if the Active Directory (AD) Domain for the OT environment is inside an AD Forest administered from the corporate IT network.

Critical infrastructure operators should regularly assess the risk of insufficient separation of system administrative and management role assignments. For example, in scenarios where the virtualisation of OT infrastructure or components is managed by privileged accounts from a corporate domain, if the corporate environment was to become compromised then the OT environment would potentially be impacted and those necessary privileged IT accounts may not be accessible.

Case study 4: Horizon Power working with ASD

Western Australian energy provider Horizon Power distributes electricity across the largest geographical catchment of any Australian energy provider – around 2.3 million square kilometres, or roughly an area 4 times bigger than France. It operates a diverse range of OT and ICT infrastructure to manage around 8,300 kilometres of transmission lines and deliver power to more than 45,000 customers.

In early 2023, Horizon Power partnered with ASD to conduct a range of activities to help examine and test its cyber security posture and controls. Horizon Power’s security team worked side-by-side with ASD’s experts to help improve threat detection, security event triage and response; practice forensic artefact collection; and enhance security communication across the enterprise. The activities have helped to improve both the speed and the quality with which Horizon Power can respond to and manage cyber incidents, including sharing cyber threat intelligence with ASD.

Horizon Power Senior Technology Manager Jeff Campbell said engaging ASD was easy, there were clear objectives, and the network assessments were excellent. ‘Long past are the days of holding cards to our chest. Sharing information is really important across multiple industries and sectors. To improve security, you need to find out what you don’t know.’

Mr Campbell said having ASD onsite helped to test many assumptions about the company’s network security, like its segmentation practices and vulnerability management. 'The engagement highlighted the importance of getting visibility over systems, and also helped to demonstrate that effective cyber security is vital to helping mitigate business risks.'

Learn more about the open, collaborative partnership between Horizon Power and the Australian Signals Directorate that enabled Horizon Power to bolster its cyber security controls.

Building cyber resilience in critical infrastructure

Malicious cyber activity against Australian critical infrastructure is likely to increase as networks grow in size and complexity. Critical infrastructure organisations can do many things to reduce the attack surface, secure systems, and protect sensitive data to help ensure Australia’s essential services remain resilient. Such as:

Follow best practice cyber security, like ASD’s Essential Eight, or equivalent framework as required for a critical infrastructure risk-management program.
Thoroughly understand networks, map them, and maintain an asset registry to help manage devices on all networks, including OT. Consider the security capabilities available on devices as part of routine architecture and asset review, and the most secure approach to hard-coded passwords.
Scrutinise the organisation’s ICT supply chain vulnerabilities and risks.
Prioritise secure-by-design or secure-by-default products. Consider the security controls of any new software, hardware, or OT before it is purchased, and understand vendor support for future patches and ongoing security costs. Build cyber security costs into budgets for the entire lifecycle of the product, including the product’s replacement.
Understand what is necessary to keep critical services operating and protect these systems as a priority. Ensure OT and IT systems can be, or are, segmented to ensure the service is able to operate during a cyber incident.
Treat a cyber incident as a ‘when’ not ‘if’ scenario in risk and business continuity planning, and regularly practice cyber incident response plans.
Maintain open communication with ASD. ASD has a number of programs to support critical infrastructure, including cyber uplift activities and cyber threat intelligence sharing.
Follow ASD’s cyber security publications tailored for critical infrastructure entities available at cyber.gov.au.

Explainer 3: The Trusted Information Sharing Network

The Department of Home Affairs’ Trusted Information Sharing Network (TISN) takes an all-hazards approach to help build security and resilience for organisations within the Australian critical infrastructure community. To rapidly and flexibly address current and future threats to Australia’s security, the TISN allows for all levels of government and industry to connect and collaborate.

Since launching the TISN platform in 2022, the network has been vital in amplifying key messages and information to members, facilitating sector group meetings and contributing to the weekly Community of Interest meetings to inform members of current data breaches, cyber threats, and technical advice available from ASD.

Explainer 4: Resilience in financial services

CPS 230 Operational Risk Management

Events of recent years have demonstrated the critical importance of financial institutions being able to manage and respond to operational risks, evident for example in the challenges of the COVID-19 pandemic, technology risks and natural disasters. Sound operational risk management is fundamental to financial safety and system stability.

To ensure that all APRA-regulated entities in Australia are well placed to manage operational risk and respond to business disruptions when they inevitably occur, on 17 July 2023, APRA released the new Prudential Standard CPS 230 Operational Risk Management (CPS 230).

CPS 230 encompasses operational risk controls and monitoring, business continuity planning and the management of third-party service providers. The aim of the standard is to:

strengthen operational risk management with new requirements to address weaknesses that have been identified in existing practices of APRA-regulated entities. This includes requirements to maintain and test internal controls to ensure they are effective in managing key operational risks
improve business continuity planning to ensure that APRA-regulated entities are ready to respond to severe business disruptions, and maintain critical operations such as payments, settlements, fund administration and claims processing. It is important that all APRA regulated entities are able to adapt processes and systems to continue to operate in the event of a disruption and set clear tolerances for the maximum level of disruption they are willing to accept for critical operations
enhance third-party risk management by extending requirements to cover all material service providers that APRA-regulated entities rely upon for critical operations or that expose them to material operational risk, rather than just those that have been outsourced.

The new standard also aims to ensure that APRA-regulated entities are well positioned to meet the challenges of rapid change in the industry and in technology more generally.

CPS 234 Information Security

As part of APRA’s Cyber Security Strategy, all regulated entities are required to engage an independent auditor to perform an assessment against CPS 234, APRA’s Information Security Prudential Standard. This is the largest assessment of its kind conducted by APRA.

By the end of 2023, more than 300 banks, insurers and superannuation trustees will have completed their assessment. Early insights, from the assessments completed so far, have identified a number of common weaknesses across the industry, including:

incomplete identification and classification for critical and sensitive information assets
limited assessment of third-party information security capability
inadequate definition and execution of control testing programs
incident response plans not regularly reviewed or tested
limited internal audit review of information security controls
inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.

A summary of these findings, along with guidance to address gaps, have been shared in a recent APRA Insight Article – Cyber Security Stocktake Exposes Gaps. Entities are encouraged to review the common weaknesses identified and incorporate relevant strategies and plans to address shortfalls in their own cyber security controls, governance policies and practices. APRA will continue to work with entities that do not sufficiently meet CPS 234 requirements, to lift the benchmark for cyber resilience across the financial services industry.

Chapter 3: State actors

State cyber actors will likely continue to target government and critical infrastructure, as well as connected systems and their supply chains as part of ongoing cyber espionage and information‑gathering campaigns. They do not just want state secrets; businesses also hold valuable and sensitive information.
Some state actors are willing to use cyber capabilities to destabilise and disrupt systems and infrastructure. They may preposition on networks of strategic value for future malicious activities.
Government and industry partnerships are vital in boosting national cyber security and resilience against cyberattacks by state actors.

Strategic context

The global and regional strategic environment continues to deteriorate, which is reflected in the observable activities of some state actors in cyberspace. In this context, these actors are increasingly using cyber operations as the preferred vector to build their geopolitical competitive edge, whether it is to support their economies or to underpin operations that challenge the sovereignty of others. In the Australian Security Intelligence Organisation’s Annual Report 2021–22, espionage and foreign interference was noted to have supplanted terrorism as Australia’s principal security concern.

Some states are willing to use cyber capabilities to destabilise or disrupt economic, political and social systems. Some also target critical infrastructure or networks of strategic value with the aim of coercion or prepositioning on a network for future disruptive activity.

State actors have an enduring interest in obtaining information to develop a detailed understanding of Australians and exploit this for their advantage. While government information is an attractive target for state actors seeking strategic insights into Australia’s national policy and decisions, many Australian businesses also hold sensitive and valuable data such as proprietary information, research, and personal information. Unlike cybercriminals who may post stolen data in public forums, state actors usually try to keep their activities covert – seeking to remain unnoticed, both when they are on an entity’s network and after a compromise.

State actors use various tools and techniques

In some cases, state actors may develop bespoke tools and techniques to fulfil their operational aims. In May 2023, ASD released a joint cyber security advisory with its international partners on the Snake implant – a cyber espionage tool designed and used by Russia’s Federal Security Service (FSB) for long-term intelligence collection on high-priority targets around the globe. Shortly after, Australia co-badged another joint cyber security advisory with international partners that outlined malicious cyber activity associated with a People’s Republic of China (PRC) state-sponsored cyber actor.

Case study 5: Advisory – People’s Republic of China state-sponsored cyber activity

[Go to advisory]

In May 2023, ASD joined international partners in highlighting a recently discovered cluster of activity associated with a PRC state-sponsored cyber actor, also known as Volt Typhoon. The campaign involved ‘living-off-the-land’ techniques – using built-in operating tools to help blend in with normal system and network activities. Private sector partners identified that this activity affected networks across US critical infrastructure sectors. However, the same techniques could be applied against critical infrastructure sectors worldwide, including in Australia.

ASD published the People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection advisory on cyber.gov.au and hosted numerous events to brief its Network Partners. For help to implement the advisory – call 1300 CYBER1 ( 1300 292 371 ).

Even when state actors have access to more advanced capabilities, they can use common tools and techniques to avoid the discovery of their best capabilities. For example, state actors continue to use relatively well-known tactics, such as exploiting unpatched or misconfigured systems and spear phishing.

The threat of state actor cyber operations is very real

State actors will likely continue to target government and critical infrastructure, as well as connected systems and their supply chains, as part of ongoing cyber espionage and information-gathering campaigns. Significant disruptive and destructive activities could occur if there were a major deterioration in Australia’s geopolitical environment. It is clear that preventative cyber security measures – such as implementing cyber security essentials, information-sharing and national cyber cooperation – are by far the best ways to help secure Australian networks.

In focus: Russia’s war on Ukraine

Cyber operations have been used alongside more conventional military activities during Russia’s war on Ukraine. Both Russia and Ukraine have faced many cyberattacks that impacted their societies, with extensive targeting of government and critical infrastructure networks.

Cyberattacks that began before the invasion of Ukraine have continued into 2023. Between January 2022 and the first week of February 2023, the Computer Emergency Response Team-Europe (CERT-EU) identified and analysed 806 cyberattacks associated with Russia’s war on Ukraine.

There has been extensive cyber targeting of Ukrainian networks across many sectors, including finance, telecommunications, energy, media, military and government. Ukraine has faced ransomware, denial‑of‑service (DoS) attacks, and mass phishing campaigns against critical infrastructure, government departments, officials and private citizens.

Russia has also been subject to cyber operations. Russian authorities have reported some of its federal agencies’ websites, including its energy ministry, were compromised by unknown attackers in a supply chain attack. Cyberattacks against Russia have tended to target entities related to the government, military, banking, logistics, transport and energy sectors.

Cyberattacks in Europe associated with Russia’s war on Ukraine

Map highlighting most countries surrounding Ukraine

Figure 3 : Countries impacted by cyberattacks associated with Russia’s war on Ukraine

Cyber operations have enabled a borderless conflict

Cyber operations associated with Russia’s invasion have affected entities in multiple countries during the first year of the conflict, including the European Parliament, European governments, the Israeli Government, and hospitals in the Netherlands, Germany, Spain, the US, and the UK. Many of these countries have linked the attacks to pro-Russian groups. For example, pro-Russian hacktivists, KillNet, have claimed a number of attacks such as the February 2023 DoS attack on numerous German websites, including those for German airports, public administration bodies, financial sector organisations, and other private companies. Belarus also reported its railway network was disrupted by a cyberattack, allegedly as retaliation for its use in transporting Russian troops. In some cases, Australia–based operations of European organisations have been impacted.

Many cyber actors are involved in the conflict in offence and defence

The mix of state and non-state cyber actors participating in Russia’s war on Ukraine has added to an already complex cyberspace domain. While state actors were on the ‘cyber front’, particularly during the earlier stages of the conflict, there was significant activity by hacktivists from around the globe as the conflict progressed. Regardless of whether a malicious cyber actor was a state, state-sponsored, or a non-state actor acting of their own volition, the scale and frequency of malicious cyber activity during the conflict has challenged cyber defenders on all sides. For example, at least 8 variants of destructive malware were identified in the first 6 weeks of the conflict, including wiper malware designed to erase data or prevent computers from booting.

Both state and non-state cyber actors have been on the offensive and defensive. Ukraine’s networks have been resilient and have largely withstood sustained cyberattacks. Ukraine has said this resilience is due to robust defences developed following previous cyberattacks, as well as partnerships with private sector IT companies. For example, with the support of private companies, Ukrainian government data was migrated to cloud infrastructure, which assured continuity of government services. Private companies also rapidly released threat intelligence, like indicators of compromise, to assist cyber defenders to repel network attacks.

Threat intelligence that might impact Australian entities is obtained by ASD through international partners and shared through cyber.gov.au and ASD’s Cyber Security Partnership Program.

Cyber operations can cause disruption and destruction in conflict

While the conflict remains ongoing, there are many lessons Australia can learn from Russia’s war on Ukraine. The world is witnessing the destructive impact of cyber operations during conflict, or in the pursuit of a state’s national interests, and how a broad range of critical infrastructure can be disrupted as a result of malicious cyber activity. It also demonstrates the impact non-state participants can have in modern conflict. The conflict has exemplified how government and industry partnerships are critical to boosting national cyber security and resilience.

Case study 6: The CTIS community at work – KillNet

The Cyber Threat Intelligence Sharing (CTIS) platform, operated by ASD, was developed with industry, for Australian Government and industry partners to build a comprehensive national threat picture and empower entities to defend their networks. CTIS allows participating entities to share indicators of compromise (IOCs) bilaterally at machine speed. Participating entities can use these IOCs to identify and block activity on their own networks, and share IOCs observed on their own networks with other CTIS partners.

The number of partners using CTIS increased seven-fold over 2022–23:

in July 2022 there were 32 CTIS partners (18 consuming, 14 contributing)
in June 2023 there were 252 CTIS partners (165 consuming, 87 contributing)
by the end of FY 2022–23, CTIS shared 50,436 pieces of cyber threat intelligence
as of 2023, ASD is progressing a further 313 candidate organisations for on-boarding.

In March 2023, a CTIS partner shared almost 1,000 IP addresses relating to a distributed denial-of-service (DDoS) attack on an Australian organisation. The partner linked the DDoS attack to the malicious cyber actor KillNet, a well-known pro-Russian hacktivist group. Since Russia’s war on Ukraine began, KillNet’s focus had been primarily Europe; however, recent trends suggest a shift to countries abroad, including Australia and its critical infrastructure.

CTIS partner contributions help participants defend their networks, and inform ASD’s understanding of threat actors, their motives and their tactics, techniques, and procedures. This information also helps ASD to identify trends within and across sectors.

For more information on CTIS, visit cyber.gov.au and become a Network Partner. Existing Network Partners can register their interest in accessing CTIS by either clicking on the ‘Register your interest’ button via the ASD Partnership Portal, or by contacting [email protected] .

Chapter 4: Cybercrime

Profit-driven cybercriminals continually seek new ways to maximise payment and minimise their risk, including by changing their tactics and techniques to mask their actions and extract payment from victims.
Ransomware remains the most destructive cybercrime threat to Australians, but is not the only cybercrime. Business email compromise (BEC), data theft, and denial-of-service (DoS) continue to impose significant costs on all Australians.
Building a national culture of cyber literacy, practicing good cyber security hygiene, and remaining vigilant to cybercriminal activity – both at work and at home – will help make it harder for cybercriminals to do business.

Cybercrime is big business and causes harm

Cybercrime is a multibillion-dollar industry that threatens the wellbeing and security of every Australian. Cybercrime covers a range of illegal activities such as data theft or manipulation, extortion, and disruption or destruction of computer-dependant services. In 2022–23, cybercrime impacted millions of Australians, including individuals, businesses and governments. These crimes have caused harm and continue to impose significant costs on all Australians.

The Australian Institute of Criminology (AIC) found, in its Cybercrime in Australia 2023 report, that individual victims and small-to-medium businesses experience a range of harms from cybercrime that extend beyond financial costs, such as impacts to personal health and legal issues. Cybercrime remains significantly underreported in Australia. The AIC’s report revealed that two-thirds of survey respondents had been victims of cybercrime in their lifetimes.

ASD needs community assistance to understand the cyber threat landscape. Australians are encouraged to report cyber security incidents and cybercrime to ReportCyber . ReportCyber is the Australian Government’s online cybercrime reporting tool coordinated by ASD and developed as a national initiative with state and territory police. ReportCyber may link Australians to other Australian Government entities for further support.

Cybercrime in 2022–23

The number of extortion-related cyber security incidents ASD responded to increased by around 8 per cent compared to last financial year.

Over 90 per cent of these incidents involved ransomware or other forms of restriction to systems, files or accounts.

ASD responded to 79 cyber security incidents involving DoS and DDoS , which is more than double the 29 incidents reported to ASD last financial year.

Cybercrime types

Cybercrime reports by state and territory

Australia’s more populous states continue to report more cybercrime. Queensland and Victoria report disproportionately higher rates of cybercrime relative to their populations. However, the highest average reported losses were by victims in New South Wales (around $32,000 per cybercrime report where a financial loss occurred) and the Australian Capital Territory (around $29,000).

Figure 4: Breakdown of cybercrime reports by jurisdiction for FY 2022–23 Note: Approximately one per cent of reports come from anonymous reporters and other Australian territories. Data has been extracted from live datasets of cybercrime and cyber security reports reported to ASD. As such, the statistics and conclusions in this report are based on point-in-time analysis and assessment.

How criminals monetise access

Profit-driven cybercriminals continually seek new ways to maximise payment and minimise their risk, including by changing their tactics and techniques to mask their actions and extract payment from victims. Their targeting is largely opportunistic but can also be aimed at specific entities or individuals.

The professionalisation of the cybercrime industry means cybercriminals have been able to increase the scale and profitability of their activities. For example, initial access brokers sell their services and accesses to other malicious cyber actors who then use techniques, such as ransomware or data-theft extortion, to target victims. The accessibility of criminal marketplaces has also lowered the bar for entry into cybercrime, which has made cybercrime more accessible to a wide range of actors.

To gain initial access, cybercriminals may send multiple malicious links to a broad list of people (known as a phishing campaign), or scan for unpatched and misconfigured systems. Once they compromise a network, they may seek to move laterally through the network to gain access to higher-value systems, information or targets.

Cybercriminals may draw on a number of techniques to extract payment from victims, including employing multiple techniques at once – known as double or multiple extortion. While ransomware is a well-known technique, cybercriminals can monetise access to compromised data or systems in many different ways. They may scam a business out of money or goods, extort victims in return for decrypting data or non‑publication of data, on-sell compromised data or systems access for profit, or exploit compromised data or systems for future use.

Social engineering: how criminals get a foothold

Social engineering is a way in which cybercriminals can gain unauthorised access to systems or data by manipulating a person. They may do this by creating a sense of urgency or desire to help, or by impersonating a trusted source to convince a victim to click on a malicious link or file, or reveal sensitive information through other means – such as over the phone.

Phishing is one of the most common and effective techniques used by cybercriminals to gain unauthorised access to a computer system or network, and this activity may be indiscriminate or targeted. Once a victim engages with the malicious link or file, they may be prompted to provide personal details, or malware may run on their device to covertly retrieve this information. Cybercriminals may then use this information to steal money or goods, or leverage this information to access other accounts and systems of higher value.

Australians are becoming more aware of techniques dependent on social engineering, like phishing, but more can be done to build resilience:

think twice before clicking on links from unsolicited correspondence
verify the legitimacy of suspicious messages with the source via their official website or verified contact information, particularly if it is a request to transfer money or supply sensitive information. Visit the entity’s website directly, rather than via links in emails, SMS or other messaging services
report unusual activity as quickly as possible to ReportCyber and Scamwatch
educate staff on corporate-focused social engineering tactics and how to identify risk.

Explainer 5: Common cybercriminal techniques

Phishing is an attempt to trick recipients into clicking on malicious links or attachments to harvest sensitive information, like login details or bank account details, or to facilitate other malicious activity. Spear phishing is more targeted and tailored: cybercriminals may research victims using social media and the internet to craft convincing messages designed to lure specific victims.

Ransomware is a type of extortion that uses malware for data or system encryption. Cybercriminals encrypt data or a system and request payment in return for decryption keys. Ransomware-as-a-Service (RaaS) is a business model between ransomware operators and ransomware buyers known as ‘affiliates’. Affiliates pay a fee to RaaS operators to use their ransomware, which can enable affiliates with little technical knowledge to deploy ransomware attacks.

Data-theft extortion does not require data encryption, but cybercriminals will use extortion tactics such as threatening to expose sensitive data to extract payment. The added threat of reputational damage is intended to pressure a victim into complying with the malicious cyber actor’s demands.

Data theft and on-sale is when data is extracted for use by a cybercriminal for the purpose of on-selling the data (such as personal information, logins or passwords) for further criminal activity, including fraud and financial theft. Some malware known as an ‘infostealer’ can do this job for the cybercriminal.

Business email compromise (BEC) is a form of email fraud. Cybercriminals target organisations and try to scam them out of money or goods by attempting to trick employees into revealing important business information, often by impersonating trusted senders. BEC can also involve a cybercriminal gaining access to a business email address and then sending out spear phishing emails to clients and customers for information or payment.

Denial-of-service (DoS) is designed to disrupt or degrade online services, such as a website. Cybercriminals may direct a large volume of unwanted traffic to consume the victim network’s bandwidth, which limits or prevents legitimate users from accessing the website.

Ransomware is a destructive cybercrime

Ransomware remains the most destructive cybercrime threat in 2022–23 to Australian entities. ASD recorded 118 ransomware incidents – around 10 per cent of all cyber security incidents.

A quarter of the ransomware reports also involved confirmed data exfiltration, also known as ‘double extortion’, where the actor extorts the victim for both data decryption and the non-publication of data. Other ransomware actors claimed to have exfiltrated data, but it is difficult to validate these claims until data exfiltration is confirmed or the legitimacy of leaked data is confirmed.

Ransomware is deliberatively disruptive, and places pressure on victims by encrypting and denying access to files. A ransom, usually in the form of cryptocurrency, is then demanded to restore access. This can inhibit entities, particularly those that rely on computer systems to operate and undertake core business functions.

Customers may also be impacted if they rely on the goods or services from that entity, or if their data is impacted. For example, in January 2023, cybercriminals reportedly compromised the postal service in the UK, encrypting files and disrupting international shipments for weeks. In other instances, ransomware incidents have had cascading impacts, sparking panic buying, fuel shortages, and medical procedure cancellations.

ASD advises against paying ransoms. Payment following a cybercrime incident does not guarantee that the cybercriminals have not already exfiltrated data for on-sale and future extortion.

ASD’s incident management capabilities provide technical incident response advice and assistance to Australian organisations. Further information can be found in the How the ASD's ACSC Can Help During a Cyber Security Incident guide.

Case study 7: Ransomware in Australia

In late 2022, an Australian education institution was impacted by the Royal ransomware, which is likely associated with Russian-speaking cybercrime actors. Royal ransomware restricts access to corporate files and systems through encryption. Notably, it uses a technique called ‘callback phishing’, which tricks a victim into returning a phone call or opening an email attachment that persuades them to install malicious remote access software.

When the institution detected the ransomware, it shut down some of its IT systems to stop the spread, which resulted in limited service disruption. An investigation revealed that a limited amount of personal information of both students and staff was compromised. The institution notified affected individuals and reminded them to remain vigilant for suspicious emails or communication. The institution also advised all students and staff to reset their passwords and introduced an additional verification process for remote users.

An ICT manager from the institution said downtime from the incident was minimal due to an effective business continuity plan and access to regular backups, which were unaffected by encryption. After the incident, the institution began moving toward more secure data storage methods.

The ICT manager said the incident highlighted how ubiquitous data is in an enterprise environment. ‘There were no crown jewels affected, so to speak. Important data was spread across the network. This incident taught us some lessons in relation to account management, and the regular review and archival of data’.

In January 2023, ASD published to cyber.gov.au the Royal Ransomware Profile , which describes its tactics, techniques and procedures and outlines mitigations. The ransomware profile was informed by cyber threat intelligence that the education institution shared with ASD.

Sectors impacted by ransomware-related cyber security incidents

The professional, scientific and technical services sector reported ransomware-related cyber security incidents most frequently to ReportCyber in 2022–23, followed by the retail trade sector, then the manufacturing sector. These 3 sectors accounted for over 40 per cent of reported ransomware-related cyber security incidents.

Professional, scientific and technical services 17.4%, Retail trade 16.3%, Manufacturing 9.8% and 2 more

Table 5: Top 5 sectors reporting ransomware-related incidents in FY 2022–23 (ReportCyber data)

Entities should consider how a ransomware incident could impact their business and their customers. To help prevent a ransomware attack, it is important to secure devices by turning on multi-factor authentication (MFA), implementing access controls, performing and testing frequent backups, regularly updating devices, and disabling Microsoft Office macros. It is also equally important to practice incident response plans to minimise the impact in the event of a successful ransomware incident.

Business email compromise is lucrative

BEC is an effective and lucrative technique that exploits trust in business processes and relationships for financial gain. Cybercriminals can compromise the genuine email account of a trusted sender, or impersonate a trusted sender, to solicit sensitive information, money or goods from businesses partners, customers or employees.

For example, a cybercriminal may gain access to the email account of a business and send an invoice with new bank account details to a customer of that business. The customer pays the invoice using the fraudulent bank account details provided by the cybercriminal, which is often thousands of dollars. A compromised business may only detect BEC once a customer has paid cybercriminals.

In 2022–23, the total self-reported BEC losses to ReportCyber was almost $80 million. There were over 2,000 reports made to law enforcement through ReportCyber of BEC that led to a financial loss. On average, the financial loss from each BEC incident was over $39,000.

Before replying to requests seeking money or personal information, look out for changes such as a new point-of-contact, email address or bank details. Simple things like calling an existing contact or the trusted sender to verify a request for money or change of payment details can help to prevent BEC.

Explainer 6: Business email compromise advice

Organisations should implement clear policies and procedures for workers to verify and validate requests for payment and sensitive information. Additionally:

Register additional domain names to prevent typo-squatting – cybercriminals may create misleading domain names based on common typographic errors of a website, hoping its customers do not notice. Further information on Domain Name System Security for Domain Owners is available at cyber.gov.au.
Set up email authentication protocols business domains – this helps prevent email spoofing attacks so that cybercriminals cannot wear a ‘digital mask’ pretending to be legitimate.

ASD has published the Preventing Business Email Compromise guide to help Australian organisations understand and prevent BEC.

Case study 8: Scams in Australia

In April 2023, the Australian Competition and Consumer Commission (ACCC) released its Targeting Scams report . The report, which compiles data reported to the ACCC’s Scamwatch, ReportCyber, the Australian Financial Crimes Exchange, IDCARE and other government agencies, provides insight into the scams that impacted Australians in 2022. The report also outlines some of the activities by government, law enforcement, the private sector and community to disrupt and prevent scams.

The Targeting Scams report revealed Australians lost over $3 billion to scams in 2022. This is an 80 per cent increase on total losses recorded in 2021.

Investment scams were the highest loss category ($1.5 billion), followed by remote access scams ($229 million) and payment redirection scams ($224 million).

The most reported contact method used by scammers was text message; however, scam phone calls accounted for the highest reported losses. The second highest reported losses were from social media scams.

Older Australians lost more money to scams than other age groups with those aged 65 and over losing $120.7 million, an increase of 47.4 per cent from 2021. First Nations Australians, Australians with disability, and Australians from culturally and linguistically diverse communities each experienced increased losses to scams when compared with data from 2021.

On 1 July 2023, the Government launched the National Anti-Scam Centre. The Anti-Scam Centre will expand on the work of the ACCC’s Scamwatch service and bring together experts from government agencies, the private sector, law enforcement, and consumer groups to make Australia a harder target for scammers.

Hacktivists are using cyberattacks to further their causes

Hacktivism is used to describe a person or group who uses malicious cyber activity to further social or political causes, rather than for financial gain.

These malicious cyber actors, which include issue-motivated groups, are typically less capable, less organised, and less resourced than other types of malicious cyber actors. That said, even rudimentary disruptive activity – such as website defacement, hijacking of official social media accounts, leaking information, or DoS – can cause significant harm, reputational damage, and operational impacts to targeted entities.

Like cybercriminals, hacktivists may leverage malicious tools and services online to gain new capabilities and improve their ability to degrade or disrupt services for their cause.

Case study 9: Australian critical infrastructure targeted by issue-motivated DDoS

In March 2023, ASD became aware of reports of issue-motivated groups (hacktivists) targeting Australian organisations. Open source reporting linked the targeting of over 70 organisations to religiously motivated hacktivists.

The malicious activity commenced on 18 March with the defacement of, and/or DDoS against, the websites and other internet-facing services of small-to-medium businesses. This progressed to DDoS activity targeting the websites of Australian critical infrastructure entities, with multiple hacktivist groups announcing support for the campaign and publishing ‘target lists’ across a variety of platforms.

ASD received several incident reports from organisations experiencing hacktivist activity, including critical infrastructure providers. However, there was no impact on critical infrastructure operations, as only public-facing websites were affected. ASD provided advice and support to organisations, including by identifying IP addresses related to the attacks. ASD also shared indicators of compromise with its Network Partners.

In addition to ASD support, critical infrastructure providers worked closely with commercial incident-response providers and their in-house incident-response teams. One critical infrastructure provider identified through open source research that a second DDoS attack was being planned against their servers.

To prevent this attack, administrators enabled geo-blocking – where traffic from specific geolocations known to be used by the malicious cyber actor were blocked – to limit malicious traffic. This simple tactic helped the organisation avoid a second attack. As a result, the organisation did not suffer from any additional downtime.

ASD urges organisations to report all incidents – even those with minimal impact on operations – to enhance national situational awareness, especially of coordinated malicious activity. Your report to ASD could help prevent or defend against an attack on other Australian networks.

Denial-of-service operations are designed to disrupt

DoS attacks disrupt or degrade online services such as websites and email, and are another tactic used by cybercriminals and hacktivists. This technique causes access or service disruption to the victim, sometimes to pressure them into payment or to highlight a cause.

In these attacks, an online service is overwhelmed by so many illegitimate requests that it loses capacity to serve real users. DoS can also be achieved by hijacking an online service to redirect legitimate users to other services controlled by malicious cyber actors. In some instances, DDoS attacks can use huge numbers of ‘zombie’ computers or bots (hijacked by malware), to direct large volumes of unwanted network traffic to a web service.

ASD recorded 79 DoS and DDoS cyber security incidents in 2022–23, with service availability partly or wholly denied for the victim in 62 of those incidents. The remainder of the incidents had no impact on the victim. Entities who maintained situational awareness of DoS threats and proactively implemented mitigations were reportedly less impacted by subsequent DoS.

Although entities cannot avoid being targeted, they can implement measures to prepare for and reduce the impact of a DoS attack. This includes using DDoS protection services and exercising incident response and business continuity plans.

Defence against cybercrime

Both individuals and organisations can take simple steps to help build their cyber security. Many of these steps can often prevent initial access by cybercriminals.

enable multi-factor authentication (MFA) for online services when available
use long unique passphrases for every account if MFA is not available, particularly for services like email and banking (password managers can assist with such activities)
sign up for ASD’s free Alert Service
review the cyber security posture of remote workers including their use of communication, collaboration and business productivity software
implement relevant guidance from ASD’s Essential Eight Maturity Model , Strategies to Mitigate Cyber Security Incidents and Information Security Manual

ASD has published a range of guides at cyber.gov.au to support Australians and Australian organisations in building their cyber resilience, including how to defend against ransomware attacks, and how to detect socially engineered messages, phishing emails and texts.

Chapter 5: Cyber enabled data breaches

During FY 2022–23, ASD received an increase in data breach reports as millions of Australians had their information compromised through significant data breaches.
Malicious cyber actors stole data by using valid account credentials or by exploiting internet-facing applications.
Sensitive data should be deleted or de-identified when it is no longer needed or required. Organisational policies and processes should consider how to protect gathered and generated data.

Data ubiquity

Data is valuable to malicious cyber actors as data and data flows underpin almost every modern technology and digital service. During 2022–23, millions of Australians had their private information compromised through significant data breaches, and some Australians were exposed to multiple breaches.

A data breach occurs when information is shared with, or is accessed by, an unauthorised person or third party. Isolation and remediation of the breach could cost millions of dollars. The complete recovery cost is hard to quantify, but could include losses due to productivity, legal action and reputational damage. An entity’s customers or staff could experience harm from a data breach if their private information is used by criminals for cyber or other fraud or scams, including identity theft. Protecting data, particularly sensitive personal information, is vital for the safety of the community, the prosperity of business, and the nation’s security.

Explainer 7: Vital data

Organisations should consider what data is vital to their operations, and individuals should consider what data might affect their privacy.

Data can take many forms such as personal information. Personal information includes a broad range of information, or an opinion, that could identify an individual. It can encompass things such as an individual’s name, date of birth, drivers licence or passport details, phone number, home address, health records, credit information, mobile device location history, and voiceprint and facial recognition details.

Other forms of data could include sensitive financial information, corporate emails, intellectual property and research, or strategic business plans. Information associated with network telemetry and endpoint security information, or machine learning models, also generate potentially useful information which can be exploited by malicious cyber actors.

Data breach incidents in Australia

During 2022–23, many data breaches reported to ASD involved cybercriminals stealing customer personal information from organisations to support extortion activities. Organisations should be aware that a data breach could be a precursor to the destruction or encryption of data.

Of the cyber security incidents recorded by ASD during 2022–23, 150 were data breaches, making up around 13 per cent of all incidents. Compared to 2021–22, this is up from 81 data breaches or 7 per cent of all incidents. Data breaches were the third most common incident type in 2022–23, behind compromised infrastructure (15.2 per cent) and compromised credentials (18.8 per cent).

Phishing, a tactic whereby a user is induced to open a malicious email attachment or to visit a compromised website, was commonly used to steal credentials. Malicious cyber actors also obtained credentials from unrelated cyberattacks and breaches. ASD’s incident data showed an extensive network compromise almost always occurred when a malicious cyber actor successfully accessed privileged accounts.

In 2022–23, ASD responded to a number of data breaches that involved common characteristics and intrusion chains. Broadly, these incidents demonstrated either:

opportunistic intrusions involving a malicious actor exploiting a single internet-facing application or service which contained data. Actors typically used a ‘smash and grab’ technique to steal data directly from this single initial access vector
complex intrusions involving a malicious actor demonstrating a wider variety of techniques after initial access as they escalated privileges, and moved laterally seeking data to exploit. These intrusions resulted in more extensive network compromise. Generally, incidents where malicious actors successfully compromised privileged accounts also resulted in more complex intrusions and extensive incidents.

Diving deeper into data breaches

ASD conducted a detailed analysis of data breach incidents between 1 November 2021 and 30 October 2022. Analysis revealed the average amount of data reported to have been exfiltrated during a breach was around 120 gigabytes, with the highest reported amount being around 870 gigabytes. Table 6 outlines the top information types exposed during a breach.

Contact information 32%, Identity information 18%, Financial details 14%, commercial sensitive 10% and 4 more.

Table 6: Types of information stolen in data breaches Note: some incidents included the breach of multiple types of information.

Different types of information may carry different risks. For example, health information is likely to be more sensitive than contact information and will require greater protection. Table 6 indicates contact information was breached most frequently, likely because this type of data is widely collected and has increased exposure.

During the same analysis period, 41 per cent of data breaches involved malicious cyber actors exploiting valid accounts and credentials to access cloud services, local systems, or entire networks. Malicious cyber actors commonly used brute-force attacks to take advantage of simple and re-used passwords to access accounts, or used phishing to obtain credentials.

Around 34 per cent of data breaches involved exploitation of internet-facing applications. Common vulnerabilities and exposures (CVEs) were often exploited, and so was human misconfiguration of devices like unsecured application programming interfaces, or common bugs and flaws in software; for example, insecure direct object references.

To help Australian organisations, the ASD has published the Preventing Web Application Access Control Abuse advisory.

Figure 5 : Anatomy of a data breach

To steal data from an organisation, malicious cyber actors will commonly exploit online services and internet-facing devices, or penetrate a network’s perimeter using stolen or easily guessed credentials. Once inside a network, malicious actors will often attempt to escalate their privileges, move laterally across a network to find data to steal and/or other systems to exploit, and then attempt to exfiltrate data back through the network perimeter.

Stolen data for nefarious use

Different malicious cyber actors have differing motivations for stealing data. For example, cybercriminals may use stolen data, particularly personal information, as a basis for identity theft or to conduct phishing campaigns for financial gain. State actors are also interested in personal information, among other data types, although this is more likely for espionage purposes rather than financial gain. Irrespective of motivation, the impacts of data breaches on victims are actor agnostic – Australians can be exposed to harm and organisations can experience losses.

Data stolen by cybercriminals typically ends up on the dark web marketplaces where it can be shared, bought, and sold by other malicious cyber actors. For example, stolen credentials may end up with initial access brokers who specialise in dealing stolen usernames and passwords. Malicious cyber actors can also piece together seemingly innocuous information like an email address, a date of birth, or a phone number to target someone for spear phishing, fraud, or to leverage that person to gain other privileged accesses and information.

Once exposed, some data can be used in perpetuity for future crime, particularly in cases of identity theft, blackmail, or extortion. A victim’s real name and home address can be difficult to change, unlike stolen credentials which are easily updated.

ASD has also received reports of cyber security incidents in which threat actors claimed to have exfiltrated data; however, subsequent investigations have not identified evidence of exfiltration. While a threat actor’s assertion of data exfiltration may be an attempt to elevate urgency or pressure affected entities, it remains important to thoroughly investigate evidence to support or counter the claim.

Case study 10: Operation GUARDIAN

On 28 September 2022, the Australian Federal Police’s Joint Policing Cybercrime Coordination Centre (JPC3) commenced Operation GUARDIAN to coordinate efforts to protect those at higher risk of financial fraud and identity theft as a result of the Optus data breach.

Since the Optus incident, Operation GUARDIAN has expanded to include the Medibank, MyDeal, Latitude, and the Go-Anywhere data breaches. Some breaches have resulted in the exposure of personal information and sensitive data of Australians.

The purpose of Operation GUARDIAN is to monitor, disrupt and prosecute any person misusing personal information exposed as a result of data breaches. It aims to deter criminals from using data for malicious purposes and to educate the public.

Operation GUARDIAN works with the public and private sectors to search the internet and known criminal online sites to identify exposed personal information and those who are attempting to buy or sell it.

Case study 11: Awareness and impact of data breaches in the Australian community

According to the Office of the Australian Information Commissioner’s Australian Community Attitudes to Privacy Survey (ACAPS) 2023 , three-quarters (74 per cent) of Australians believe that data breaches are one of the biggest privacy risks they face today, and a quarter (27 per cent) said it is the single biggest risk to privacy in 2023.

Almost half (47 per cent) of Australians said they had been told by an organisation that their information was involved in a data breach in the prior year, and a similar proportion (51 per cent) know someone who was affected by a breach.

Three-quarters (76 per cent) of those whose data was involved in a breach said they experienced harm as a result. More than half (52 per cent) reported an increase in scams or spam texts or emails. There were 3 in 10 (29 per cent) who said they had to replace key identity documents, such as drivers licences or passports. Around 1 in 10 experienced significant issues such as emotional or psychological harm (12 per cent), financial or credit fraud (11 per cent) or identity theft (10 per cent).

Nearly half (47 per cent) of Australians said they would close their account or stop using a product or service provided by an organisation that experienced a data breach. However, most Australians are willing to remain with a breached organisation provided that organisation promptly takes action, such as quickly putting steps in place to prevent customers experiencing further harm from the breach (62 per cent) and making improvements to their security practices (61 per cent). Only 12 per cent of Australians said there is nothing an organisation could do that would influence them to stay after a data breach.

There are a range of ways organisations can protect personal information. A quarter (26 per cent) of Australians believe the most important step is for organisations to collect only the information necessary to provide the product or service. Australians view the second most important thing organisations can do is take proactive steps to protect the information they hold (24 per cent).

The OAIC commissioned Lonergan Research to undertake ACAPS 2023. The survey was conducted in March 2023 with a nationally representative sample of 1,916 unique respondents aged 18 and older. To read the full report visit oaic.gov.au/acaps .

Mitigating data breaches

Implementing ASD’s Essential Eight, and the Open Web Application Security Project (OWASP) Top Ten Proactive Controls will help protect data by minimising the risks to systems and networks, online services and internet-facing devices. At least fortnightly, organisations should use an automated method to scan for security vulnerabilities and apply timely patches or mitigations to minimise risks. Other effective controls to help mitigate data breaches include:

deploy multi-factor authentication (MFA) to mitigate stolen credential abuse
enforce strong passphrase policy to secure accounts
block internet-facing services that are not authorised to be internet-facing
immediately decommission unnecessary systems and services
configure server applications to run as a separate account with the minimum privileges to mitigate account abuse
mandate user training to recognise phishing or social engineering attempts.

Encryption can further protect data that is stored or in transit between systems. For example, sensitive data about former customers that must be legally retained should be encrypted and stored offline, inaccessible to the internet. Data communicated between database servers and web servers, especially over the internet, are susceptible to compromise and should be encrypted. Further guidance about how organisations can protect data is contained within ASD’s Information Security Manual .

The most cyber resilient organisations have a well-thought-out and exercised cyber incident response plan that includes a data breach response plan or playbook. A robust plan will help organisations respond to a data breach, rapidly notify relevant organisations and individuals to minimise the risk of harm, restore business operations, comply with relevant obligations, and reduce the costs and potential reputational damage that may result from a breach.

Organisations should include a strategy for communicating with customers in their cyber incident response plan, and consider how to protect customers from, and assist with, the consequences of a breach. For example, organisations can inform their customers whether or not hyperlinks will be used in their communications after a breach – or at all – to help them avoid falling prey to phishing attempts.

ASD has published guidance on cyber.gov.au, like the Guidelines for Database Systems to help organisations enhance database security.

Chapter 6: Cyber resilience

Cyber resilience is helping to ensure an entity is resistant to cyber threats. For enterprise, this includes organisation-wide cyber risk management and consideration of third-party risks, such as vendors, service providers, and new technologies.
Artificial intelligence (AI) has great benefits to organisations but also poses security challenges; a risk-based approach to using AI within ICT environments as per other services is recommended.
Invest in prevention, response and recovery to reduce the impact of a compromise and build the resilience of Australian systems.
Practice good cyber hygiene at work and at home. Enable multi-factor authentication (MFA), use unique passphrases, enable automatic updates, regularly back up important data, and report suspicious cyber activity.
Cooperation on a national scale is one of Australia’s greatest advantages against malicious cyber activities. Keep up to date at cyber.gov.au, and engage with ASD’s Cyber Security Partnership Program to help build the nation’s collective cyber resilience.

Digital supply chains increase the attack surface

Most entities have some component of their ICT outsourced to a third party, such as hardware supply, web and data hosting, and software-as-a-service or other enterprise resource planning tools.

According to the Australian Bureau of Statistics’ Characteristics of Australian Business data, during 2021–22, around 85 per cent of Australian businesses used ICT, and 59 per cent used cloud technology. These measures have been trending up year-on-year.

During 2022–23, ASD published a number of alerts warning Australians about vulnerabilities relating to products commonly found in ICT supply chains, like Citrix Gateway and Application Delivery Controller devices. During March 2023, ASD published an alert describing a supply chain compromise affecting multiple versions of the 3CX DesktopApp – a popular voice-over-IP application.

While an entity can outsource ICT functions to access specialist skills, increase efficiency, and lower costs, it must still manage and be accountable for cyber security risk. ICT supply chain expansion can increase the attack surface, particularly as there may be varying levels of cyber security maturity among both customers and suppliers.

A malicious cyber actor can compromise numerous victims at scale by targeting a single upstream or third‑party supplier. An ICT supply chain attack comprises 2 attacks: an initial attack on a supplier, and a subsequent attack on its customers. For example, a managed service provider (MSP) might have privileged network access to hundreds of customers or hold huge amounts of sensitive data. After compromising an MSP, a malicious cyber actor could then exploit the MSP’s privileged network accesses, or steal sensitive data to extort its customers directly. This highlights that, while an entity might have leading-edge cyber defences, its security posture will only be as strong as its weakest link, which may be in its ICT supply chain.

To conduct an ICT supply chain attack, malicious cyber actors will commonly abuse misconfigurations in devices and the trust between supplier services and customer networks, conduct phishing attacks, and exploit common vulnerabilities and exposures (CVEs). Figure 6 outlines some of the common adversary goals and techniques associated with ICT supply chain attacks.

Defeating ICT supply chain threats requires effort from both customers and suppliers. The most effective measures combine both business and technical controls conducted at the earliest stage of ICT procurement or development. While a downstream customer may have no influence over their supplier’s security posture, they can improve their own cyber security to help mitigate risks. Suppliers should prioritise the secure-by-design and secure-by-default principles to improve their own product security and therefore their customers’ security.

Customers should clearly state cyber security expectations upfront as part of any contract, such as requiring that a supplier meet particular cyber security standards. Entities should appraise their suppliers of their risk tolerances, and might want to ask how the supplier will demonstrate good security practices, justify their product’s accesses and privileges, and guarantee genuine product delivery. Entities should also consider whether their supplier may be subject to foreign control or interference.

Figure 6 : ICT supply chain threats

Australian organisations face many cyber threats, including from the ICT supply chain. Malicious cyber actors who target upstream suppliers, such as by compromising a cloud host, may be able to impact downstream customers by exploiting the trust between that supplier and its customers. An attacker could then conduct data theft and extortion activities, or other attacks like denial-of-service. An organisation’s cyber security posture is only as strong as its weakest link, which could be an entity in its ICT supply chain.

Mitigating ICT supply chain threats

Organisations can boost their ICT supply chain defences in many ways, including by implementing ASD’s Essential Eight. The most effective technical controls to mitigate risks combine both mitigation and detection techniques, and are supported by a positive organisation-wide cyber secure culture. Some controls for both customers and suppliers include:

deploy MFA to mitigate stolen credential abuse
regularly scan for vulnerabilities and update software to minimise risks from vulnerabilities
segment networks and enforce account management to isolate critical systems
correctly configure software to minimise security risks
use network and endpoint detection systems to identify malicious traffic and files
monitor logon and network logs to detect unusual activity

To help Australian organisations, ASD has published guidance, available at cyber.gov.au such as Identifying Cyber Supply Chain Risks , Cyber Supply Chain Risk Management , Guidelines for Procurement and Outsourcing , and Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default .

Secure-by-design and secure-by-default products

Secure-by-design products are those where the security of the customer is a core business goal, not just a technical feature, and start with that goal in mind before development. Secure-by-default products require little to no configuration changes out of the box to ensure security features are enabled.

Together, these approaches move much of the burden of staying secure to the manufacturers, which reduces the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues at the user end.

Entities are encouraged to prioritise secure-by-design and secure-by-default products in procurement processes, and collaborate with industry peers and manufacturers to help improve upcoming security initiatives in products. Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default , offers further advice to software manufacturers and customers.

Artificial intelligence cyber security challenges

In early 2023, AI tools were among the fastest growing consumer applications globally. Broadly, AI is a collection of methods and tools that enable machines to perform tasks that would ordinarily require human intelligence. AI tools are increasingly being used to augment human activities like sorting large data sets, automating routine tasks, and assisting visual design work.

Machine learning (ML) is a sub-discipline of AI encompassing models that use feedback mechanisms to update model behaviour. ML models are typically used to make classifications and predictions, and to uncover patterns or insights in large data sets that may be impossible for a human to spot.

Over the last 3 years, the practical applications for AI have expanded, the costs have come down, and AI tools are more accessible than ever. Australians already interact frequently with AI, as AI drives internet searching, shopping recommendations, satellite navigation, and can aid complex activities like logistics management, medical diagnosis, and cyber security. AI tools can be used to provide human-like customer responses for help desks or call centres, and can help predict upcoming maintenance for industrial equipment.

While AI has benefited the economy and society, it has also created new challenges and data security risks. As AI becomes increasingly integrated into business environments and ICT infrastructures, additional and potentially unforeseen risks could be introduced. And, like any tool, AI can be misused either inadvertently or deliberately.

In 2022, a medical research collaboration for a pharmaceutical company trained an AI model using ML techniques to catalogue thousands of molecules for therapeutic use while discarding toxic molecules. While the researchers were able to catalogue many beneficial molecules, the researchers also wanted to know how AI could be misused. So they changed the AI model to find toxic rather than safe molecules. Using open source data, their AI model generated over 40,000 potentially lethal molecules in less than 6 hours.

Security researchers have also shown how data sets used for ML can be attacked and ‘poisoned’ with anomalous data to produce misleading outputs. In 2016, Microsoft abruptly ended testing of a chatbot after a subset of its users deliberately provided data containing misinformation and abusive material, resulting in offensive text being produced by the chatbot.

Malicious cyber actors could also use AI tools to augment their activities. For example, a cybercriminal may be able to produce low effort, high quality material for phishing attacks. AI could also be used to create fraudulent deepfake content like voice and video clips, or to create malware. Security researchers have demonstrated with existing technologies that malicious actors could use AI to help orchestrate cyber intrusions.

AI tools may also challenge the protection of sensitive information. For example, AI tools that produce or summarise text may not guarantee data privacy if it is fed sensitive or proprietary information. Additionally, using sensitive information for AI models and ML may contravene privacy laws, policies, or rules in some instances.

As online adversaries can use AI tools, so too can system defenders. AI can sort through large volumes of logs or telemetry data to look for malicious behaviour, identify malware, detect and block exploitation attempts, or derive intelligence insights. AI can also help triage information and automate security tasks, so humans can focus on other problems.

Entities wanting to adopt AI tools should treat them with the same care as any other ICT service, use a risk-based approach to procurement, and consider:

if the AI tool is secure-by-design and secure-by-default, including its ICT supply chain
if there are inaccuracies in the AI tool’s model or bias in its algorithms
how the AI tool will be protected from misuse and interference (including foreign)
how the AI tool will affect the entity’s privacy and data protection obligations
how the AI tool will support, rather than outsource, human decision-making
who is accountable for oversight or if something goes wrong with the AI tool.

Explainer 8: Ethical AI at ASD

In early 2023, ASD published the Ethical AI in ASD statement, which outlines ASD’s framework of ethical principles governing AI usage. This includes:

lawful and appropriate use of AI consistent with the legislation, policies, processes and frameworks that govern ASD’s functions and protect the privacy of Australian citizens
enabling human decision-making, allowing our workforce and customers to make informed decisions based on AI system outputs, and to maintain trust in AI systems
reliable and secure AI, ensuring that technologies continue to meet their intended purpose and remain protected from external interference
accurate and fair AI mitigating against unintended bias
accountable, transparent and explainable AI allowing human oversight and control, with clear accountabilities enacted for all stages of the AI development lifecycle, facilitating appropriate and proportionate operations.

Ensuring remote work cyber security

Many organisations rapidly adopted new remote work solutions to support business continuity as a result of the COVID-19 pandemic. The number of Australian companies advertising remote work post-pandemic continues to grow, and it is clear that remote work will be an ongoing feature of many organisations and an expectation of many employees.

Some hastily implemented remote working solutions may not have fully considered cyber security implications. For example, bring-your-own-device policies are popular with organisations, but could introduce additional information management risks to corporate networks if not appropriately managed.

During 2022–23, ASD recorded extensive corporate network breaches that stemmed from employees conducting work from compromised personal devices. In 2022, US company LastPass suffered a data breach due to credentials being stolen via keylogger malware installed on the home computer of one of its employees.

Remote work often relies on employees using their own devices like home computers and internet routers, which usually have limited security features and less secure default settings when compared to enterprise products used in corporate environments. Internal corporate networks could be exposed to the internet directly via a remote employee’s home router, if that home router is misconfigured. Adding to the risks, employees may not regularly update their personal devices or use anti malware software, may access dubious websites or use illegal software, or may have failed to change the default credentials of their devices.

Malicious cyber actors are known to compromise common small-home-office products and internet-of-things devices to steal sensitive information, target corporate networks, or to enslave them into botnets for distributed-denial-of-service (DDoS) attacks.

Organisations should consider how cyber security mitigations for remote solutions are implemented, maintained, and audited. Organisations should also verify that policies are in place to ensure staff know how to securely use systems, and to ensure compliance with legal obligations like the protection of sensitive data.

ASD has published a number of guides at cyber.gov.au including G uidelines for Enterprise Mobility , Remote Working and Secure Mobilit y and Risk Management of Enterprise Mobility (including Bring Your Own Device) .

Explainer 9: Working from home and cybercrime

The Australian Institute of Criminology’s Cybercrime in Australia 2023 report examined whether working from home was a risk factor for cybercrime victimisation. Small-to-medium business owners who transitioned to working from home due to public health measures associated with the COVID-19 pandemic were 1.4 times as likely to be a victim of identity crime and misuse, 1.2 times as likely to be a victim of malware attacks and 1.3 times as likely to be a victim of fraud and scams.

There are various reasons that moving to remote working may have increased the likelihood of cybercrime victims. For a business working remotely, home internet connections may be less secure, devices may no longer be protected by corporate security controls or routine maintenance, and there may be a tendency to store or share sensitive work information on unsecure personal devices.

Cyber security through partnerships

The speed with which cyber threats spread and evolve means that no single entity can effectively defend against all threats in isolation. Cooperation on a national scale is one of Australia’s greatest advantages against malicious cyber activity.

It is vital cyber security incidents are reported to ASD to help build a national cyber threat intelligence picture, which better supports Australian organisations and individuals through informed guidance and mitigation advice. There are many other ways in which Australian organisations can engage with ASD.

ASD’s Cyber Security Partnership Program enables Australian entities to engage with ASD and fellow partners, drawing on collective understanding, experience, skills and capability to lift cyber resilience across the Australian economy. ASD’s Cyber Security Partnership Program is delivered through ASD’s state offices located around Australia.

An ASD Network Partnership is available to organisations with responsibility for the security of a network or networks (either their own or on behalf of customers) as well as academic, research and not-for-profit institutions with an active interest and expertise in cyber security. An ASD Business Partnership is available to those with a valid Australian Business Number. Individuals and families can sign up to the ASD Home Partner Program.

By strengthening our ties with agencies like ASD and broader cyber security partners within the transport and logistics sector, the Toll Group is proud to contribute to building resilient supply chain capability in Australia and around the world. ASD’s partnership, training, and participation in industry forums have been of tremendous value in promoting strong cyber security practices and cooperation across government and critical services, which our teams continue to benefit from. – Toll Group

The National Exercise Program (NEP) helps critical infrastructure and government organisations validate and strengthen Australia’s nationwide cyber security arrangements. The program uses exercises and other readiness activities that target strategic decision-making, operational and technical capabilities, strategic engagement and communications.

The Critical Infrastructure Uplift Program (CI-UP) assists Australian critical infrastructure organisations to improve their resilience against cyberattacks, with a focus on critical infrastructure assets and operational technology environments. As an intelligence-driven program, CI-UP focuses on improving the cyber security of critical infrastructure in a range of areas, including:

enhancing visibility of malicious cyber activity and awareness of vulnerabilities
enhancing the ability to contain and respond to an incident
furthering culture and cyber maturity.

The Cyber Threat Intelligence Sharing Platform (CTIS) shares indicators-of-compromise in real‑time, within a growing community of Australian government and industry partners. CTIS also supports community partners to share their threat intelligence. Co-designed with industry, CTIS alerts security operations centre analysts to threats targeting Australian organisations.

AARNet has been engaged with the CTIS project from its inception and has seen firsthand the value of industry and government partnerships for threat intelligence sharing. By sharing information, the breadth and depth of our visibility of unwanted cyber attention is much greater. – AARnet

The Australian Protective Domain Name System (AUPDNS) is an opt-in security service available to all federal, state and territory government entities to protect infrastructure from known malicious activity. Information from AUPDNS directly assists ASD’s mission to build a national cyber threat picture, which in turn is shared with ASD partners, including individuals, businesses, academia, not-for-profits, and government entities.

The Cyber Hygiene Improvement Programs (CHIPs) track and monitor the cyber security posture of the internet-facing assets of entities at all levels of government. CHIPs also conducts High-priority Operational Tasking (HOT) CHIPs scans when potential cyber threats emerge, such as newly disclosed vulnerabilities. CHIPs builds visibility of security vulnerabilities across governments and provides notifications to system owners.

Figure 7: ASD’s program highlights

Through ASD’s Cyber Security Partnership Program, Australian organisations can draw on the collective understanding, experience and capability of the community to lift Australia’s cyber resilience. ASD Network Partners bring their insights and technical expertise to the community to collaborate on shared threats and opportunities.

Explainer 10: Incident response to stay ahead of adversaries

There is an actor behind every cyber security incident, and each actor will have different intent and capability. For example, state actors are usually focused on long-term goals in opposition to Australia’s national interests, whereas cybercriminals are generally focused on short-term financial gain. Additionally, the techniques different actors use will vary due to their risk appetites for being detected. For example, cybercriminal actions are often ‘loud and public’, as opposed to state actors whose intent is to usually remain undetected for long periods.

Customising the incident response method ensures the best outcome for impacted organisations. For example, during a cyber security incident, ASD can provide immediate incident response advice and assistance to support impacted Australian organisations. ASD can also work closely with commercial incident response partners in support of an incident.

If the incident is likely the result of a state actor, ASD may offer a more detailed approach such as a comprehensive digital forensic technical investigation to ensure comprehensive remediation.

Public communications on an incident may also differ. An immediate public statement may be required in some incidents. However, there is a need to balance public statements with remediation efforts – particularly when a state actor may be involved. If a state actor is responsible, a public statement could cause the actor to ‘lay low’, impacting a defender’s ability to detect the actor – including tradecraft or accesses that may help them to remain on an organisation’s network.

ASD’s tailored approach to incident response is consistent with industry best-practice, and highlights the importance of public–private partnerships to stay ahead of Australia’s cyber adversaries.

ASD’s ACSC Incident Response

ASD’s incident management capabilities provide tailored incident response advice and guidance to Australians impacted by a cyber security incident. ASD is not a law enforcement agency or regulator; however we work closely with these agencies if needed.

Report a cybercrime or cyber security incident

Report at cyber.gov.au/report or call the 24/7 Australian Cyber Security Hotline on 1300 CYBER1 ( 1300 292 371 ).

Cybercrime reports are automatically referred directly to the relevant state or territory law enforcement agency.

Cyber security incidents

All cyber security incidents should be reported to ReportCyber. An incident does not have to be a confirmed compromise to be reported and could include:

denial-of-service (DoS)
scanning and reconnaissance
unauthorised access to network or device
data exposure, theft or leak
malicious code/malware
phishing/spear phishing
any other irregular cyber activity that causes concern.

For ASD to help you effectively, we may request:

indicators of compromise
memory dumps
disk information
network traffic captures.

How ASD can help

ASD will provide you with immediate advice and assistance such as:

tailored information on how to contain and remediate an incident
advisory products to assist you with your incident response
linking you with other Australian Government entities that may further support your response such as the Australian Federal Police, or Department of Home Affairs through the National Cyber Security Coordinator and the Cyber Security Response Coordination Unit
we may also link you to other government partners like IDCare, ScamWatch, or the e-Safety Commissioner.

How your reporting matters

ASD uses information from your report to build our understanding of the cyber threat environment. This understanding assists with the development of new and updated advice, capabilities, techniques and products to better prevent and respond to evolving cyber threats. Some of these products include:

advisories published on ASD’s Partnership Portal
alerts published on cyber.gov.au
quarterly Trends and Insights reports
the ASD's Cyber Threat Report.

Your confidentiality is paramount

ASD does not share any information provided by you without your express consent. Only information about the incident is captured when you report.

Figure 8: ASD’s support to Australians

During 2022–23, ASD monitored cyber threats across the globe 24 hours a day, 365 days a year, to alert Australians to cyber threats, provide advice, and assist with incident response. ASD’s ACSC is a hub for private and public sector collaboration and information-sharing on cyber security, to prevent and combat threats and minimise harm to Australians.

ASD’s advice and assistance is for the whole economy, including critical infrastructure and systems of national significance, federal, state and local governments, small and medium businesses, academia, not-for-profit organisations and the Australian community.

Cyber resilience for all Australians

The average Australian household has well over a dozen internet-connected devices and this number is growing. The explosion of remote and hybrid work has also seen corporate networks extend into Australian homes. While growing digitisation and virtualisation of services may have improved consumer convenience and boosted business productivity over the last 3 years, it has also increased the cyber risks for Australians.

Every Australian should practice basic cyber security hygiene to help protect themselves from online threats. The most effective cyber defences are also some of the easiest to use and fastest to setup. The top things Australians can do are:

At cyber.gov.au, ASD has published a range of simple how-to guides for all Australians, including children and seniors, that explain how individuals and families can improve their home cyber security.

Australians are encouraged to report cyber security incidents and cybercrime to ReportCyber , or by calling the Australian Cyber Security Hotline on 1300 CYBER1 ( 1300 292 371 ). The hotline is available 24 hours a day, 7 days a week.

Act Now, Stay Secure

ASD provides tailored cyber security guidance to protect Australia against evolving cyber threats. The Act Now, Stay Secure cyber security awareness-raising campaign identified key cyber threats to individuals and small-to-medium businesses, and highlighted ASD advice and tools to help improve the audience’s cyber security posture. Over 2022–23, the campaign:

reached a potential audience of more than 490,000 Australians and achieved over 11,500 engagements, such as likes, shares, and comments through social media
was amplified by 170 stakeholders across government, industry, non-profit sectors, and peak body associations, who shared campaign content to their channels
attracted over 30,000 visitors to the cyber.gov.au website, resulting in nearly 73,000 page views of campaign content and cyber security guidance
bolstered content delivered at 15 tailored events by ASD state offices.

Monthly cyber security themes were developed to promote planned or new ASD guidance, tools and products to enhance the cyber posture of Australian individuals and small-to-medium businesses. The themes for 2022–23 were:

REDSPICE is the most significant single investment in ASD’s history and will equip ASD to ensure that Australia is best prepared to respond to the strategic environment. Commencing on 1 July 2022, ASD scaled existing services and introduced new intelligence and cyber capabilities to enhance Australia’s cyber defences.

To help achieve this, in FY 2022–23, ASD opened new facilities in Brisbane and Melbourne, and received over 26,000 job applications across Canberra, Melbourne, Brisbane and Perth. ASD also:

undertook innovative first-of-type ‘cyber hunt’ activities on the most critical government and critical infrastructure networks
engaged over 175 new customers onto the Cyber Threat Intelligence Sharing platform to improve machine-speed cyber threat intelligence sharing across government and industry
deployed over 25,000 new host-based sensors to customer networks to build increased visibility of emerging threats to Australia’s most critical systems
established a secure design and architecture team to provide advice to major government information and communications technology projects
expanded ASD’s national incident response footprint and 24/7 defence operations capability, including additional upgrades for the Australian Cyber Security Hotline (1300 CYBER 1) and ReportCyber, and a new incident response team in Melbourne
improved the resilience of critical infrastructure through a number of uplift activities to increase cyber security maturity across Australian industry.

About the contributors

ASD manages or uses a number of unique datasets to produce tailored advice and assistance for Australian organisations and individuals. Not all cybercrimes lead to cyber security incidents, and the statistics in this report are from 2 distinct datasets: cybercrimes reported to law enforcement through ReportCyber, and cyber security incidents responded to by ASD. Data has been extracted from live datasets of cybercrime and cyber security reports reported to ASD. As such, the statistics and conclusions in this report are based on point-in-time analysis and assessment.

Cybercrime and cyber security incidents reported to ASD may not reflect all cyber threats and trends in Australia’s cyber security environment.

ASD encourages the reporting of cyber security incidents and cybercrimes to inform ASD advice and assistance to vulnerable entities, and enhance situational awareness of the national cyber threat environment.

Defining cybercrimes

In Australia, the term ‘cybercrime’ is used to describe both:

Cyber dependent crimes, such as computer intrusions and DoS attacks, directed at computers or other ICTs.
Cyber enabled crimes, such as online fraud, identity theft and the distribution of child exploitation material, which can increase in their scale and/or reach through the use of computers or other forms of ICTs.

The ASD glossary provides definitions for terms used in this report and other ASD publications and can be viewed at: https://www.cyber.gov.au/learn-basics/view-resources/glossary .

Thanks for your feedback!

COMMENTS

Artificial intelligence for cybersecurity: Literature review and future
Artificial intelligence (AI) is a powerful technology that helps cybersecurity teams automate repetitive tasks, accelerate threat detection and response, and improve the accuracy of their actions to strengthen the security posture against various security issues and cyberattacks. ... Specific cybersecurity use case of primary study for AI ...
AI in cybersecurity an introduction and case studies
An introduction to AI in cybersecurity with real-world case studies in a Fortune 500 organization and a government agency. Despite all the recent advances in artificial intelligence and machine learning (AI/ML) applied to a vast array of application areas and use cases, success in AI in cybersecurity remains elusive.
Artificial Intelligence (AI) Cybersecurity
AI-powered risk analysis can produce incident summaries for high-fidelity alerts and automate incident responses, accelerating alert investigations and triage by an average of 55%. 1 The AI technology also helps identify vulnerabilities and defend against cybercriminals and cyber crime. AI models can help balance security with user experience ...
Artificial intelligence in cyber security: research advances ...
In recent times, there have been attempts to leverage artificial intelligence (AI) techniques in a broad range of cyber security applications. Therefore, this paper surveys the existing literature (comprising 54 papers mainly published between 2016 and 2020) on the applications of AI in user access authentication, network situation awareness, dangerous behavior monitoring, and abnormal traffic ...
The Role of Machine Learning in Cybersecurity
Skip 1INTRODUCTION Section 1 INTRODUCTION. With the rising complexity of modern information systems and the resulting ever increasing flow of big data, the benefits of Artificial Intelligence (AI) are now widely recognized. Specifically, Machine Learning (ML) methods [] are already deployed to solve diverse real world tasks—especially with the advent of deep learning [].
Role of Artificial Intelligence (AI) in Cybersecurity
AI in cybersecurity reinforces cyber threat intelligence, enabling security professionals to: Search for characteristics of cyberattacks. Strengthen their defenses. Analyze data—such as fingerprints, typing styles, and voice patterns—to authenticate users. Discover clues as to the identity of specific cyberattackers.
Top Three Use Cases for AI in Cybersecurity
Artificial intelligence systems can help detect zero-day malware, ... 49% of executives think artificial intelligence is the best tool to counter nation-state cyber attacks. ... "Endpoint security is an excellent case study," said Steve Carter, co-founder and CEO at Nucleus Security. ...
Roles and Challenges of AI-Based Cybersecurity: A Case Study
After designing a matrix to analyze the case study, the study concludes nine important roles for AI-based cybersecurity distributed over the three phases. Three roles are in the prevention phase ...
The Role of Artificial Intelligence in Cybersecurity
In this series, we introduce emerging technologies that will accelerate enterprise transformation in 2021. This second entry discusses the growing importance of artificial intelligence (AI) within the cyber realm. In case you missed it, the first briefing on machine learning operations (MLOps) is here.
Investigating the applications of artificial intelligence in cyber security
Artificial Intelligence (AI) provides instant insights to pierce through the noise of thousands of daily security alerts. The recent literature focuses on AI's application to cyber security but lacks visual analysis of AI applications. Structural changes have been observed in cyber security since the emergence of AI. This study promotes the development of theory about AI in cyber security ...
Cybersecurity Deep: Approaches, Attacks Dataset, and Comparative Study
The case study defines DL techniques for cybersecurity attack detection systems. ... Deep Learning (DL) describes a family of artificial intelligence (AI) derived from artificial neural networks (ANN) (Sarker et al. Citation 2020). However, ... We show a broad summary of cyber security applications from deep learning approaches. In this study ...
Cybersecurity and AI: The challenges and opportunities
As Artificial Intelligence (AI) advances rapidly, so does its potential to be used in cybercrime. This problem is particularly acute as the world faces a 3.4 million-person shortage of cybersecurity professionals. AI can also be a powerful tool to combat cyber threats — but it must be harnessed responsibly and securely.
Insights Into the Use Cases of AI in Cybersecurity 2023
In Aberdeen's recent study on The State of AI in 2023, we found that all three of the traditional use cases for AI in cybersecurity are prevalent:. Pattern recognition: illustrative examples include filtering out noise, minimizing false positives, and freeing up cybersecurity analysts to work on the most relevant threats.; Process automation: illustrative examples include analyzing and ...
Artificial Intelligence in Cybersecurity: Use Cases & Future
December 26, 2022. In recent years, artificial intelligence (AI) has become essential in cyber security. As the threat environment has evolved, so has the need for AI services and cyber security solutions to help organizations defend against new and increasingly sophisticated attacks. Cybersecurity is a complex and ever-changing field, and AI ...
AI in Cyber Security: Top 6 Use Cases
Use Сases of Artificial Intelligence in Cyber Security. According to Forbes, 76% of enterprises have already prioritized AI and machine learning in their IT budgets, indicating the widespread recognition of AI's value. Here are some key advantages of integrating AI into cybersecurity: Use Case 1: Threat Detection and Prevention
Current trends in AI and ML for cybersecurity: A state-of-the-art survey
Display full size. The results of this survey suggest that the integration of artificial intelligence (AI) and machine learning (ML) into cybersecurity systems is a promising direction for future research and development. However, it is also important to address the ethical and legal implications of these technologies.
(PDF) Enhancing cybersecurity: The power of artificial intelligence in
The ever-evolving cyber threats that target IoT networks and devices have made AI a powerful tool in the fight against them [35]. One of the significant benefits of AI in IoT cybersecurity is the ...
AI
The primary objective of this topical collection is to bring forward thorough, in-depth, and well-focused developments of artificial intelligence technologies and their applications in cyber security domain, to propose new approaches, and to present applications of innovative approaches in real facilities.
Artificial Intelligence in Cybersecurity
The Future of AI in Cybersecurity. AI-use in cybersecurity systems can still be termed as nascent at the moment. Businesses need to ensure that their systems are being trained with inputs from cybersecurity experts which will make the software better at identifying true cyber attacks with far more accuracy than traditional cybersecurity systems.
Machine learning in CyberSecurity
Machine learning is an application of artificial intelligence (AI) that provides systems the ability to automatically learn and improve from experience without being explicitly programmed. Machine ...
Study of Artificial Intelligence in Cyber Security and The ...
AI models need specialized network safety guards and assurance innovations to counteract hostile AI, ensure AI security, and safeguard cooperative learning. We examine the intersection between AI and digital security based on these two vantage points. Today, artificial intelligence is a commonplace occurrence.
Review Study of the Impact of Artificial Intelligence on Cyber Security
Data breaches, identity theft, and data espionage are all consequences of cyber-attacks, which harm millions of individuals and organizations. Due to a lack of cybersecurity personnel with up-to-date data, as result, new security concerns develop as technology improves. Human interaction is just insufficient for attack analysis and suitable reaction; similarly, the support of senior experts ...
What should an AI ethics governance framework look like?
Here's a review of the threat intelligence types underpinning that report.Cyber criminals are shifting focusIncreased chatter in illicit markets and dark web forums is a sign of interest.
2024 Cisco Cybersecurity Readiness Index
Despite this, only 3% of organizations are assessed as having a Mature stage of cybersecurity readiness in 2024. Additionally, 71% of organizations fall in the two least prepared categories. The Cybersecurity Readiness Index provides a comprehensive view of what organizations need to tackle, in order to address the security challenges of the modern world. We found that the evolving threat ...
ASD Cyber Threat Report 2022-2023
Through case studies, the report demonstrates the persistence and tenacity of these cyber actors. It shows that these adversaries constantly test vulnerabilities in Australia's cyber ecosystem and employ a range of techniques to evade Australia's cyber defences. ... Artificial intelligence cyber security challenges. In early 2023, AI tools ...