Augmenting Offensive Security Operations with AI

Transcript

1. Augmenting Offensive Security Operations with AI Daniel C. Marques, MSc.,

   CISSP

2. DISCLAIMER The views and opinions expressed in this talk are

   my own and do not necessarily represent those of my employer. These slides are provided for educational purposes only and are not to be relied upon as professional advice.

3. Daniel C. Marques @0xc0da

4. None

5. Vulnerability Analysis Breach & Attack Simulation Penetration Testing Red/Purple Teaming

   Offensive Operations Programs These pillars have different goals and serve various purposes.

6. TYPICAL. CHALLENGES Time consuming Quickly expanding attack surface Tools lack

   context and produce too much false- positives

7. Scalability, flexibility, context-aware actions

8. Systematically approach your tasks, workflows, and systems icons designed by

   freepik Identify workflows Breakdown tasks Organize tools & data sources Note expected outcomes

9. Leverage LLM capabilities in areas where they are more effective

   Summarization to generate reports Domain-specific problem solving Reasoning to help with planning

10. SIMPLIFIED TEST WORKFLOW Test Recon Report Fix Validate OK! Close

    LLM LLM LLM
11. None

12. https://www.usenix.org/conference/usenixsecurity24/presentation/deng https://www.mdpi.com/1424-8220/24/21/6878 POTENTIAL ISSUES Long-term memory loss Lack of focus

    or diving too deep Hallucinations and inaccuracy LLMs are not the ultimate solution and results may vary.

13. “(…) The quality of a model’s response depends on the

    following aspects (outside of the model’s generation setting): The instructions for how the model should behave; the context the model can use to respond to the query; and the model itself.” - Chip Huyen, AI Engineering

14. https://www.anthropic.com/engineering/effective-context-engineering-for-ai-agents “(…) One of the most common failure modes we

    see is bloated tool sets (…) curating a minimal viable set of tools for the agent can also lead to more reliable maintenance and pruning of context over long interactions.”

15. Recon Report Infrastructure Deployment App Scanning Exploitation Orchestrator Data sources

    Specialized Agents

16. Recon agent Objective: Continuous target identification Recon Methodology Tools Data

    collection Data sources Eyewitness Shodan Decision making Analysis and classification Storage Context

17. Collect TTPs Interpret commands Create test cases Execute test cases

    Collect telemetry Generate report You can transform your workflows to continuously execute repetitive tasks
18. None

19. Test cases Instructions

20. COMPLEX WORKFLOW

21. Footnotes and Sources ⭐⭐⭐ DELETE IF NOT NEEDED ⭐⭐⭐

22. Different triggers may allow you to test continuously and interactively

    Runs every 24 hours Ad hoc runs

23. Do test runs to test and use the results to

    improve the output First attempt Test run Reviewer

24. PEOPLE IN THE LOOP WILL DRIVE QUALITY

25. 10 files 6/10 worked immediately 3 files 1/3 worked immediately

26. IDEAS WORTH SPREADING Do not blindly trust input and output

    Somebody might be watching These models are tools, not the holy grail

27. Context matters; don’t overlook it. 01 02 03 You may

    still need to perform some cleanup work. Consider your OPSEC and jailbreaking effort Key Takeaways

28. Thank You! Check my LinkedIn for slides and demos.

29. Credits • Androids and building blocks - AI-generated with human

    touch-up • Icons designed by freepik • Men looking at the code on the board - Photo by Mikhail Nilov - https://www.pexels.com/photo/men-looking-at-the-code-on-the-board- 7988747/