
AI in cyberdefense: Learning from threat actors' playbooks

At the Gartner Cybersecurity and Risk Management Summit 2026, security professionals learned how to use AI to counter the AI-fueled cyberattacks directed against them.

When Sun Tzu said, "To know your enemy, you must become your enemy," he never could have imagined how his wisdom would be applied to AI 2,500 years later.

During his session at the Gartner Cybersecurity and Risk Management Summit 2026, Gartner analyst Leigh McMullen agreed with Sun Tzu, in that threat actors have much to teach defenders about using AI. In just a few years, nefarious hackers have harnessed the technology to launch cyberattacks at stunning speed and scale. Yet security professionals can be just as successful using similar techniques. "The [offensive AI] processes are not necessarily particularly exquisite, elaborate or all that involved and actually present us with an opportunity to create the mirror of them in defense," he said.

McMullen identified four key areas where threat actors are using AI to augment and improve their capabilities, and explained how defenders can use similar methods to counter threat activity and mitigate risk.

1. Upscaling

Threat actors complement their existing skill sets with AI to execute cyberattacks more rapidly, creatively and evasively than ever before. The technology benefits attackers of all levels -- those with basic skills use AI to craft more potent attacks, while advanced threat actors use it to move faster and mount more complex operations.

McMullen said defenders should also expand their abilities by putting AI to work. He said the AI models that defenders train will be more adept at identifying threats, containing intrusions and protecting systems.

2. Target selection

Threat actors who conduct phishing and deepfake operations frequently use AI to research both those whom they intend to impersonate and their victims. For example, an attacker might train an AI agent to scour the web and learn the personal details and communication style of an authority figure, enabling the attacker to effectively mimic that authority figure.

Criminals aren't the only ones who can benefit from this highly targeted, AI-assisted research. Security professionals should deploy AI agents both to learn what information about their own organization is available to potential attackers and to unearth facts about those same threat actors.

McMullen recommended setting up retrieval-augmented generation (RAG) pipelines, which improve large language model output by grounding responses in specific external data rather than in the model's training set alone. For example, he suggested building custom threat intelligence feeds that continuously monitor for PII breaches involving key executives and for other potential targeting vectors. RSS feeds, AI-generated scripts, web crawlers, ISAC feeds and CVE feeds are all tools at the security professional's disposal, and the same pipeline can be pointed outward by directing AI research agents at known threat actor groups.
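The retrieval half of such a pipeline, as an added example that is not from the article or from McMullen's session: it parses an RSS 2.0 feed, keeps only the items that name a watchlisted executive, ranks them by how many targeting-related terms they contain, and assembles the numbered-source prompt that an LLM would answer from. The feed content, the executive names, the company and the targeting-term list are all constructed for the example; no model is called, so the grounding step can be inspected offline.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample feed: fictional company, executives and incidents.
SAMPLE_FEED = """<rss version="2.0"><channel>
<item><title>Credential dump lists execs of Example Corp</title>
<link>https://feed.example/1</link>
<description>Forum post exposes home addresses and phone numbers for Jane Doe, CFO of Example Corp.</description></item>
<item><title>New CVE in widely used VPN appliance</title>
<link>https://feed.example/2</link>
<description>Unauthenticated RCE affecting VPN gateways; exploitation observed in the wild.</description></item>
<item><title>Conference keynote announced</title>
<link>https://feed.example/3</link>
<description>John Roe, CEO of Example Corp, will keynote a supply chain summit next month.</description></item>
<item><title>Recipe of the week</title>
<link>https://feed.example/4</link>
<description>A quick weeknight pasta.</description></item>
</channel></rss>"""

# Constructed watchlist: the people whose exposure we care about.
WATCHLIST = {"Jane Doe": "CFO", "John Roe": "CEO"}

# Constructed terms that signal impersonation or targeting material (assumption).
TARGETING_TERMS = ["credential", "breach", "dump", "leak", "phone", "address",
                   "travel", "keynote", "conference"]


@dataclass
class FeedItem:
    title: str
    link: str
    description: str


@dataclass
class Hit:
    item: FeedItem
    executives: list
    score: int


def parse_feed(xml_text: str) -> list:
    """Parse the <item> elements of an RSS 2.0 document into FeedItems."""
    root = ET.fromstring(xml_text)
    return [
        FeedItem(
            title=(node.findtext("title") or "").strip(),
            link=(node.findtext("link") or "").strip(),
            description=(node.findtext("description") or "").strip(),
        )
        for node in root.iter("item")
    ]


def retrieve(items, watchlist, targeting_terms) -> list:
    """Keep items naming a watchlisted executive; rank by targeting-term density."""
    hits = []
    for item in items:
        text = f"{item.title} {item.description}".lower()
        named = [name for name in watchlist if name.lower() in text]
        if not named:
            continue  # not about our people: never ground the model on it
        term_hits = sum(1 for t in targeting_terms
                        if re.search(rf"\b{re.escape(t)}", text))
        hits.append(Hit(item, named, 5 * len(named) + term_hits))
    hits.sort(key=lambda h: h.score, reverse=True)
    return hits


def build_prompt(question: str, hits, k: int = 2) -> str:
    """Assemble the grounded prompt: numbered sources first, then the question."""
    lines = ["Answer using only the numbered sources below. Cite sources by number."]
    for i, h in enumerate(hits[:k], 1):
        lines.append(f"[{i}] {h.item.title} ({h.item.link}): {h.item.description}")
    lines.append(f"Question: {question}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = retrieve(parse_feed(SAMPLE_FEED), WATCHLIST, TARGETING_TERMS)
    print(build_prompt("Which executives have had PII exposed recently?", found))
```

The filter on executive names runs before any scoring, so an unrelated but term-heavy item (the VPN CVE above) never reaches the prompt; that is the property that keeps a RAG answer about "our executives" from being padded with whatever the feed happened to contain.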

3. Attack obfuscation

Attack obfuscation is becoming increasingly common, McMullen said. "This is threat actors using AI to hide their modus operandi for attacking."

Defenders can use similar techniques to mislead attackers, he said. For instance, he suggested that security professionals generate synthetic data with AI to keep threat actors busy, then monitor their activity to learn the attackers' tactics, techniques and procedures (TTPs). Authentic-looking honeypots, test ranges, look-alike tools, fake websites, bogus vulnerabilities and dead-end backdoors can all send attackers on wild-goose chases while revealing valuable information about them to security staff.
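One small instance of deception with the telemetry that makes it worthwhile, as an added example that is not from the article or from McMullen's session: a decoy access key is minted with a fixed marker, planted in a bait credentials file, and then any attempt to use it is picked out of an authentication log. The key layout (20 characters starting with "AKIA", mimicking the AWS access key ID shape), the log line format and the log lines themselves are constructed for the example.

```python
import re
import secrets
import string

# Assumption: a fixed marker inside the key ID so a decoy can never be confused
# with a real credential at detection time. Real AWS access key IDs are 20 chars.
DECOY_MARKER = "DECOY"


def mint_decoy(label: str) -> dict:
    """Synthesize a plausible-looking but unusable key pair and label where it is planted."""
    tail = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(11))
    return {
        "label": label,
        "key_id": "AKIA" + DECOY_MARKER + tail,  # 4 + 5 + 11 = 20 characters
        "secret": secrets.token_urlsafe(30),
    }


def render_bait_config(decoys: list) -> str:
    """Emit an INI-style credentials file of the kind an intruder expects to find."""
    chunks = [
        f"[{d['label']}]\naws_access_key_id = {d['key_id']}\n"
        f"aws_secret_access_key = {d['secret']}\n"
        for d in decoys
    ]
    return "\n".join(chunks)


# Constructed log format: "<timestamp> <source ip> auth key_id=<id> result=<word>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+auth key_id=(?P<key>\S+)\s+result=(?P<result>\w+)"
)


def detect_decoy_use(log_lines, decoys) -> list:
    """One alert per line presenting a decoy key, regardless of whether auth succeeded."""
    lookup = {d["key_id"]: d["label"] for d in decoys}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["key"] in lookup:
            alerts.append({"ts": m["ts"], "src": m["src"],
                           "decoy": lookup[m["key"]], "result": m["result"]})
    return alerts


def sample_log(decoy_key_id: str) -> list:
    """Constructed auth log: two legitimate events, one decoy attempt, one junk line."""
    return [
        "2026-06-10T09:14:02Z 10.0.0.5 auth key_id=AKIAREALKEY000000001 result=ok",
        f"2026-06-10T09:20:41Z 203.0.113.7 auth key_id={decoy_key_id} result=denied",
        "2026-06-10T09:21:00Z 10.0.0.5 auth key_id=AKIAREALKEY000000001 result=ok",
        "garbage line that should be ignored",
    ]


if __name__ == "__main__":
    decoy = mint_decoy("backup-service")
    print(render_bait_config([decoy]))
    for alert in detect_decoy_use(sample_log(decoy["key_id"]), [decoy]):
        print("DECOY USED:", alert)
```

Because no legitimate process ever holds the decoy, any log line carrying it is a high-fidelity signal, and the source address, timestamp and outcome recorded in the alert are exactly the attacker telemetry the passage describes collecting. A decoy that is planted but not matched against logs yields none of it.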

4. Automating tasks

Attackers often use AI to perform tedious tasks, McMullen said. For example, they use it to carry out living-off-the-land techniques, maintain persistence, automate kill chains and handle other cumbersome steps.

Security teams, too, can delegate many of the less glamorous aspects of cybersecurity defense and risk mitigation to AI agents, he said. Tracking threat actors, offensive testing, security simulations and call center governance can be handled by AI, so security leaders can dedicate more time to innovation and business outcomes.

While threat actors have proven AI's offensive potential, defenders also have the blueprint to level the playing field. By upscaling capabilities, sharpening target intelligence, deploying deception at scale and automating the mundane, security teams can transform from reactive guardians into proactive adversaries. The best defense might just be understanding how attackers think, adopting their playbook and turning it against them.

Richard Livingston is an editor with Informa TechTarget's SearchSecurity site, covering cybersecurity news, trends and analysis.
