
Hackbots biggest cloud security risk, slashing attack times to minutes

With cyber criminals using automated tools to steal data in minutes, organisations must focus on runtime protection and automated responses to combat the rising threat from AI and misconfigured cloud assets

Bots and automated tools have become the biggest security risk in the cloud, with cyber criminals taking the lead in applying automated decision-making to steal credentials, move funds and carry out other malicious activities.

That was according to Sergej Epp, chief information security officer at Sysdig, who noted that while few threats are completely automated at this stage and mostly attack misconfigurations, they are slowly being developed to deliver more advanced attacks, such as installing cryptominers or moving laterally between systems.

This automation has led to a dramatic reduction in attacker dwell times, which are typically measured in days. In contrast, an automated attack has been known to exfiltrate data within five minutes, said Epp.

He predicted that attacks would become increasingly automated, with existing “hackbots” improving as they are updated to use newer large language models. This creates a challenge – cyber security specialists know what needs to be done to protect their organisations, but the question is whether they can take the necessary actions quickly enough.

Epp believes there will also be a long tail of attacks against “companies under the cyber poverty line” that lack the resources to take adequate defensive measures.

He said the necessary steps parallel the evolution of endpoint security measures, starting with the creation of an inventory of all cloud assets and the identification of any misconfigurations, of which there will likely be plenty.

The next step is to prioritise and fix these issues. However, since daily scans are not enough to meet real-time threats, this process of asset inventory and vulnerability identification must be repeated constantly. Finally, organisations should adopt a cloud detection and response system to identify and react to abnormal activity.
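The inventory, identify and prioritise loop described above can be sketched in a few lines. This is an added example, not code from Sysdig or the article: the inventory is constructed sample data shaped like Kubernetes pod specs, and the weights and the `internet_facing` field are illustrative assumptions.

```python
# INVENTORY is constructed sample data shaped like Kubernetes pod specs.
INVENTORY = [
    {"name": "payments-api", "internet_facing": True, "spec": {
        "containers": [{"name": "app", "securityContext": {"privileged": True}}]}},
    {"name": "batch-report", "internet_facing": False, "spec": {
        "hostPID": True,
        "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "job", "securityContext": {
            "runAsNonRoot": True, "allowPrivilegeEscalation": False}}]}},
    {"name": "static-site", "internet_facing": True, "spec": {
        "containers": [{"name": "web", "securityContext": {
            "runAsNonRoot": True, "allowPrivilegeEscalation": False}}]}},
]

# Weights are illustrative assumptions, not a published scoring scheme.
WEIGHTS = {"privileged": 10, "hostPath": 8, "hostPID": 6, "hostNetwork": 6,
           "allowPrivilegeEscalation": 4, "mayRunAsRoot": 3}

def findings(spec):
    """Return sorted misconfiguration labels for one pod spec (container-level checks only)."""
    found = {f for f in ("hostPID", "hostNetwork") if spec.get(f)}
    if any("hostPath" in v for v in spec.get("volumes", [])):
        found.add("hostPath")
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.add("privileged")
        # An unset allowPrivilegeEscalation behaves as true, so treat it as a finding.
        if sc.get("allowPrivilegeEscalation", True):
            found.add("allowPrivilegeEscalation")
        if not sc.get("runAsNonRoot"):
            found.add("mayRunAsRoot")
    return sorted(found)

def prioritise(inventory):
    """Score every asset and return (score, name, findings) tuples, worst first."""
    ranked = []
    for asset in inventory:
        found = findings(asset["spec"])
        if not found:
            continue  # nothing to fix on this asset
        score = sum(WEIGHTS[f] for f in found)
        if asset.get("internet_facing"):
            score *= 2  # assumption: exposed assets are fixed first
        ranked.append((score, asset["name"], found))
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    print(*prioritise(INVENTORY), sep="\n")
```

Because the article notes that daily scans are too slow, a check like this would run on every inventory change rather than on a schedule.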

Pressure to adopt AI

The problem is compounded by business pressure to quickly adopt AI, but Epp said most people get AI security wrong because they focus on the models, when it’s about the infrastructure.

He noted that with over 1.8 million models in Hugging Face’s library, organisations cannot simply trust them, as traditional scanning does not work on opaque models. In addition, there is currently no technical solution to prompt injection attacks, and firewalls are ineffective as the network traffic associated with AI is probabilistic rather than deterministic.

Epp warned that these attacks are not limited to situations where an attacker has direct access to a chatbot. A malicious prompt could be concealed within a shared document or a PDF invoice that is uploaded for processing.

The solution, he said, is to treat AI workloads like any other cloud workload by applying best practices for runtime security.

Fundamental principles such as assuming a breach has taken place, zero trust and defence-in-depth still apply, but they must be augmented with a runtime security agent in every container to detect improper settings or activities, such as application programming interfaces with excessive privileges or attempts to move outside the container.

Although security operations centres have the necessary data, the challenge lies in getting the right subset of that data to the right agents to enable the correct actions. Obstacles include talent shortages and the time needed to develop the required software.


The ephemeral nature of the cloud, where 60% of containers run for less than a minute, makes automation essential. Collecting security data from these containers is not easy, and Epp said it is probably impractical to store more than 20% of the available data.

The critical question is which 20% to collect. Sysdig’s approach, according to Epp, is to take a top-down view. He conceded this is not easy but said the company’s extensive Kubernetes background makes it possible, noting that founder and chief technology officer Loris Degioanni created the open-source container security tool Falco, on which the Sysdig platform is built.

While most security operations still rely on people to analyse data and take action, Epp said the Sysdig Sage AI analyst translates data into real-time recommendations. He positioned the company as leading the journey to autonomous cloud security, though he acknowledged that a fully autonomous system requires a high degree of trust that it will not break anything.

This reveals a key asymmetry. For cyber criminals, the cost of an AI-triggered mistake is low – it might reveal their presence or simply mean they have to try again. For defenders, however, mistakes can be costly in both financial and reputational terms. Unintentionally taking down a major online bank or retailer, for example, would make headlines and lose business.

“We need to speed up the adoption of security controls,” said Epp. “To go fast in business, we need to go fast in security as well.”
