5 Minutes With
What AI Vulnerabilities Do Security Leaders Tend To Overlook?

Artificial intelligence (AI) has grown increasingly prevalent in cybersecurity headlines. Whether framed as a useful technology or a sophisticated adversary, the industry is almost always talking about it — but is something about AI security being overlooked?
Here, Security magazine talks with John Watters, CEO and Managing Partner at iCOUNTER, about managing the risks associated with AI adversaries.
Security: Tell us about your background and career.
Watters: Since we’re talking cybersecurity, let’s start with iDEFENSE. I bought the company in 2002 as an investor rather than an operator, then subsequently became CEO. As the first commercial cyber threat intelligence vendor, we established the first global zero-day acquisition program and created the ‘Responsible Disclosure’ process driving software companies to accelerate their patch creation and rollout schedule. This was groundbreaking and the initiation of the bug bounty world we live in today. We sold the business to Verisign in 2005 when I retired the first time.
In 2007, I founded iSIGHT Partners and took cyber threat intelligence to the next level, opening global research centers and constructing the foundation of the cyber intelligence industry today. We enumerated and tracked global adversaries by objective, their associated Tactics, Techniques, and Procedures (TTPs), and the machine-readable Indicators of Compromise (IOCs) that our customers could correlate against their security alerts. Customers use these correlated alerts to drive patch prioritization, configuration, detection rule development/deployment, and to initiate hunting for the associated threats across their company. After we were acquired by FireEye, merged with Mandiant, and ultimately became part of Google in 2022, our intelligence collection and analysis continued to expand, creating a world-class cyber intelligence business documenting almost every visible threat in the world.
My work helping pioneer the cyber intelligence industry was done, as it was my belief that what we built at iSIGHT/Mandiant/Google could never be replicated. After retiring, I continued to invest in cyber security companies — one being Apollo.
Then, the world changed almost overnight as industry embraced AI like never before and we set out on creating efficiency in every walk of life, from search to coding to financial analysis. Adversaries always embrace innovation at a pace well in advance of defenders and the AI surge is no different. The world has seen just the tip of the iceberg in terms of adversary innovation through their use of AI for impersonation, advanced phishing spears, etc. What the world has not seen is what we have seen at Apollo for the past 5 years — the rapid acceleration of AI-enabled adversaries to select targets, conduct reconnaissance to define security gaps, and build highly customized attack methods to exploit those security gaps.
As I sat on the Boards of different companies, and served as a venture partner at a couple of venture capital firms, it became clear to me that the most dramatic shift in the cyber threat landscape was happening right in front of my eyes — and the unique intelligence capability at Apollo had anticipated this change and built a robust intelligence collection capability over the past five years specifically focused on this problem. It was time to get back in the game and support the industry in this new era of AI-enabled adversaries, which will reshape the entire cybersecurity landscape and materially reduce the effectiveness of traditional cyber intelligence. That’s why we’ve launched iCOUNTER.
Outside of my role in the cybersecurity industry, I’m also the founder, director and President of the STAIRS Program, a non-profit organization supporting inner-city education, since 2000.
Security: AI has increased the speed and sophistication of cyberattacks. In today’s cyber threat landscape, how can organizations remain protected?
Watters: Today, AI-enabled attackers of all types are rapidly shifting their focus and targeting specific companies, leveraging AI capabilities to dramatically reduce the time and cost of selecting and conducting reconnaissance to profile a target. Once attackers fully understand a target’s environment, including its security controls and specific gaps, they leverage AI to create ‘zero-day TTPs.’ As I mentioned before in terms of why I’m getting back in the game, traditional cyber intelligence is increasingly becoming marginalized in an AI-enabled adversary threat environment.
Why?
Today’s cyber intelligence relies on adversary reuse of TTPs and IOCs by actor groups, which will rapidly become obsolete. Let me explain. The ‘Anti-virus’ industry determined that if you discovered a new virus, you could build an ‘Anti-virus’ signature to counter further infection for the next customer. Then, what happened? Adversaries used polymorphic viruses and defenders were protecting against a virus that would never be used again. Then customers began to extend their perimeter and find the infrastructure that the malware/viruses were launched from. Here comes Fast Flux, leveraging rapidly changing infrastructure to obfuscate malicious activity. Then, with respect to malware, the industry created rules to prevent infection from malware that was used against it — you can imagine what happens next. By 2015, 80% of all malware we saw at FireEye was seen for the first time; i.e., polymorphic malware.
Now, as the threat intelligence industry continuously documents and alerts on every new actor/TTP/IOC used in the world, adversaries are beginning to leverage AI to generate ‘Zero Day TTPs.’ At the Museum of Modern Art, they have an AI-powered art installation called “Unsupervised.” They fed over 200 years of art into an LLM that now generates a brand new piece of art every 30 seconds.
Are you seeing a trend?
Adversaries can simply tune a large LLM with every TTP ever used before in order to create Zero Day TTPs that have never been seen before. Meanwhile, traditional cyber intelligence providers report on what has been seen before. You can see the trend that has been in place for more than 20 years in the cybersecurity industry. Except this one is here to stay, and this trend is accelerating at an extremely alarming rate.
Security: What vulnerabilities do security leaders tend to overlook when securing against advanced cyber threats?
Watters: AI is enabling the creation of zero day TTPs so the actual attack methodology and tools are brand new and precision built to compromise a specific target company. In this scenario, the intelligence on what’s been seen before goes out the window and an increasing number of victims become “Patient Zero”. More on that later. Defending against this reality will require a new approach from defenders and a very agile intelligence capability to support them.
Zero-day TTPs present a new challenge for cyber and fraud defenders by circumventing their existing controls. The threat intelligence frontier has shifted from humans vs. humans to machines vs. humans. Ten years from now, the battle will be fought with machines vs. machines. Zero-day TTPs make every cyber defender what I referenced earlier as Patient Zero in an age when they’re conditioned to protect against what’s been seen by others.
Today, there are very few “Patient Zeros” as almost every attack that you see has been seen before. In a very short period of time — say five years — almost every attack will be seen for the first time.
Security: How should organizations prepare for the next five years of AI-enhanced cyber threats?
Watters: Traditional security approaches of updating defenses to combat general threat tactics are no longer sufficient to protect sensitive information and systems. To effectively defend against AI-driven rapid developments in targeted attacks, organizations need more than mere actionable intelligence — they need AI-powered analysis of attack innovations and insights into their own specific weaknesses that can be exploited by external parties.
Security: Is there anything else you’d like to add on the topic that we haven’t covered?
Watters: Adversarial innovation is at an all-time high today and we plan to match their speed. Our own use of AI is what fuels our capability to act with speed and precision to enable our customers to enhance their counter-threat capabilities to divert, deflect and defend against a new breed of adversaries. It will take quite some time for traditional cyber intelligence companies to shift their operating model, providing iCOUNTER with a substantial competitive advantage.