Are criminals already using AI throughout the Cyber Kill Chain?

The use of AI throughout the Cyber Kill Chain increases the ability of malicious actors to launch cyberattacks against companies
Millions of professionals and companies utilize artificial intelligence systems in their daily operations. AI is enabling companies to automate a wide range of actions that previously required time and effort.
No one can deny the advantages in terms of productivity and profitability that Artificial Intelligence brings, including in areas such as cybersecurity.
However, the security risks associated with AI cannot be ignored, nor can the potential for harmful use of this technology to launch attacks against organizations.
Just as millions of professionals use AI systems to improve their productivity, malicious actors use these same technologies as a weapon to take their attacks one step further. The challenge for companies is clear: AI amplifies the scale, speed, and sophistication of cybercrime.
In fact, cybersecurity experts are already warning about the use of AI throughout the Cyber Kill Chain, that is, in the life cycle of a cyberattack.
How can companies and cybersecurity experts tackle the challenge posed by the use of AI throughout the Cyber Kill Chain?
1. The 7 phases of the Cyber Kill Chain
The Cyber Kill Chain is a framework developed by Lockheed Martin, one of the world’s largest defense contractors, to facilitate the investigation, prevention, and management of security incidents.
Thus, through the Cyber Kill Chain, cybersecurity experts can systematize the actions and phases of attacks. This is similar to the MITRE ATT&CK framework, which facilitates the understanding and analysis of the techniques, tactics, and procedures of hostile actors.
What do we mean when we say that criminals are using AI throughout the Cyber Kill Chain? They are taking advantage of this technology when implementing all phases of an attack:
- Reconnaissance.
- Weaponization.
- Delivery (distribution).
- Exploitation.
- Installation.
- Command and control.
- Actions on objectives.
In fact, some researchers have confirmed the use of AI solutions to conduct reconnaissance on victims, escalate privileges within corporate systems, hide the presence of malware, or steal data.
Furthermore, research in forums on the Dark Web has shown that threat actors are interested in using AI throughout the Cyber Kill Chain, from gathering intelligence on victims to the ability to persist undetected, to creating texts and resources to carry out fraud or create deepfakes.
2. AI has revolutionized the world of fraud
In recent times, there has been an increase in alerts about fraud using Artificial Intelligence.
Malicious actors are using generative AI systems to write convincing messages in any language or create audio, image, and video deepfakes to impersonate individuals and companies and deceive their victims.
If the person responsible for the company’s financial management receives a video call from the CEO ordering them to make a transfer… Why would they distrust the veracity of the order?
People are increasingly distrustful of the emails, text messages, and calls they receive. This poses a problem for actors who use social engineering techniques to commit digital fraud against citizens or attack companies and public administrations.
However, the use of AI to create extraordinarily realistic deepfakes makes it difficult for citizens, professionals, and entrepreneurs to detect that they are victims of fraud.
In fact, the use of AI throughout the Cyber Kill Chain means that it is not only used in the distribution phase, but that this technology can also be used to gather all the information available about the victim on the internet and create a precise profile of them. To what end? To make the fraud extraordinarily accurate and the chances of success very high.

3. Malware developed with AI
At the end of 2024, Japan convicted a citizen, for the first time, of developing ransomware through the malicious use of generative AI. A few months earlier, a campaign of attacks against German industries had been detected in which a dropper was used whose code had been generated using Artificial Intelligence.
These and other events have confirmed the warning issued by the UK’s cybersecurity agency, the National Cyber Security Centre (NCSC). The NCSC has noted that AI will have a significant impact on the effectiveness of cyber operations, particularly in the rise of ransomware attacks.
In fact, OpenAI, the company behind ChatGPT, the world’s most famous generative AI, has acknowledged that it has dismantled dozens of operations in which criminals abused this AI to develop malware, evade detection by organizations’ security systems, or commit fraud.
Using AI to develop malware is a further step in leveraging AI throughout the Cyber Kill Chain, making it a key player in the weaponization phase.
4. The emergence of malware that uses AI to carry out attacks
Malicious actors will not be content with writing malware using AI systems and will go further in the use of AI throughout the Cyber Kill Chain.
To give a recent example, this summer Ukraine’s CERT announced that an advanced persistent threat group linked to Russia (APT28) had used LameHug malware to attack Ukrainian public agencies. What is the key element in this case? LameHug uses a large language model (LLM) to generate real-time commands that are executed on compromised Windows systems with the aim of stealing data.
This is why cybersecurity experts are warning about the use of AI throughout the Cyber Kill Chain and not just in its early stages.
Similarly, in August, the proof of concept for the PromptLock ransomware was discovered. It is based on AI, specifically an open-weight model from OpenAI.
The ransomware would be capable of generating scripts in real time to perform actions such as analyzing the infected system’s files or encrypting and exfiltrating data (which would be the last phase of the Cyber Kill Chain).
In both cases, the malware interacts with the AI through an API.
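Because the malware described above reaches the model through an API, that traffic is something defenders can hunt for. The following is an added example, not code from the article or from any vendor: it flags processes outside an approved list that contact LLM API hosts and raises the severity when the same process starts a shell shortly afterwards. The host names, process names, event fields, and sample events are constructed assumptions.

```python
import json

# Assumptions (placeholders, not indicators from the article): hosts treated as
# LLM inference APIs, and the processes sanctioned to call them.
LLM_API_HOSTS = {"api.llm-provider.example", "inference.llm-hub.example"}
APPROVED_PROCESSES = {"chrome.exe", "msedge.exe", "approved-assistant.exe"}
# A shell started by the calling process soon after the API call suggests that
# model output is being executed as commands.
SHELLS = {"cmd.exe", "powershell.exe"}
WINDOW_SECONDS = 60

# Constructed sample telemetry (one JSON event per line), not real logs.
SAMPLE_EVENTS = """
{"ts": 1000, "host": "ws-01", "type": "net", "process": "chrome.exe", "dest": "api.llm-provider.example"}
{"ts": 2000, "host": "ws-07", "type": "net", "process": "invoice_viewer.exe", "dest": "inference.llm-hub.example"}
{"ts": 2005, "host": "ws-07", "type": "proc", "process": "cmd.exe", "parent": "invoice_viewer.exe", "cmdline": "cmd.exe /c <generated command>"}
{"ts": 3000, "host": "ws-12", "type": "net", "process": "updater.exe", "dest": "api.llm-provider.example"}
{"ts": 3010, "host": "ws-12", "type": "proc", "process": "powershell.exe", "parent": "explorer.exe", "cmdline": "powershell.exe"}
{"ts": 4000, "host": "ws-03", "type": "net", "process": "python.exe", "dest": "packages.example"}
"""

def hunt(raw):
    """Return one finding per LLM API request made by an unsanctioned process."""
    events = sorted((json.loads(l) for l in raw.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    for e in events:
        if e["type"] != "net" or e["dest"] not in LLM_API_HOSTS:
            continue
        if e["process"].lower() in APPROVED_PROCESSES:
            continue
        # Shells launched by the same process on the same host within the window.
        spawned = [c["cmdline"] for c in events
                   if c["type"] == "proc" and c["host"] == e["host"]
                   and c["parent"] == e["process"]
                   and c["process"].lower() in SHELLS
                   and 0 <= c["ts"] - e["ts"] <= WINDOW_SECONDS]
        findings.append({"host": e["host"], "process": e["process"],
                         "dest": e["dest"], "spawned": spawned,
                         "severity": "high" if spawned else "medium"})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

In practice the host list and the approved-process list come from the organization's own egress baseline, and the same correlation can be expressed as a query in the SIEM or EDR that holds the telemetry.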

5. What does the use of AI throughout the Cyber Kill Chain entail?
What we have just outlined shows that the use of AI throughout the Cyber Kill Chain can make the threat landscape faced by companies and public administrations more complex and challenging:
- Malicious actors without extensive knowledge or resources can launch highly sophisticated targeted attacks.
- The use of AI throughout the Cyber Kill Chain can accelerate the development of attacks. This means that very little time elapses between the reconnaissance phase and the achievement of objectives, making it more difficult to detect and respond to a security incident in its early stages.
- Malicious operations carried out with AI can adapt more quickly to the defensive measures deployed by organizations. This means that companies must invest more in cybersecurity, and the experts in charge of defending them must continually innovate to stay ahead of malicious actors.
In short, the use of AI throughout the Cyber Kill Chain will compel companies and public administrations to enhance their security strategies to prevent highly complex attacks that can cause significant economic, operational, reputational, and legal damage.
6. How can companies deal with the use of AI throughout the Cyber Kill Chain?
Faced with the use of AI throughout the Cyber Kill Chain, companies must invest in advanced cybersecurity services:
- Threat Hunting. Proactive investigation of threats using AI throughout the Cyber Kill Chain is critical. Threat Hunters are able to detect advanced threats, analyze the latest techniques and tactics of malicious actors, and implement a proactive approach, assuming compromise scenarios, to anticipate attackers and detect incidents even before a security event has occurred.
- Red Team. Along with Threat Hunting services, it is essential to have Red Team services. In fact, the two feed off and enrich each other. The intelligence generated by Threat Hunters on malicious actors and their TTPs enriches Red Team exercises, as it allows for the design and execution of 100% realistic scenarios. In turn, the work carried out by the Red Team accelerates the continuous learning process of Threat Hunters and allows them to be at the forefront of issues such as the use of AI throughout the Cyber Kill Chain.
- Incident response. With the increase in malicious operations and the greater capacity to launch sophisticated and rapid attacks, it is critical to have a proactive incident response service. Why? Every second counts. If thorough preparation has been done and action can be taken as soon as the incident is detected, the chances of limiting its impact and expelling hostile actors with maximum diligence increase.
The relationship between AI and cybersecurity is already proving beneficial, for example, in the development of UEBA systems that are capable of identifying suspicious behavior and events through data analysis.
However, we must also bear in mind that applying AI across the entire Cyber Kill Chain is one of the major challenges we will face in the coming years. That is why it is essential to redouble our efforts in cybersecurity and help defensive teams to deploy innovative solutions continuously.