In the aftermath of Black Hat USA, Ariana Lynn, Principal Analyst at The Fast Mode spoke to Dan Woods, Global Head of Bot and Risk Management at F5. Dan explores F5’s participation at the event, key security trends and new threats posed by artificial intelligence (AI).
Ariana: How was this year’s Black Hat? Can you share F5’s highlights at the event?
Dan: As a cybersecurity professional, Black Hat USA is one of the events I most look forward to attending - both for the chance to meet with customers, and to walk the show floor and see what vendors are saying. It’s a good opportunity to see what’s on the minds of industry practitioners, as well as what cybersecurity marketing departments think will resonate most with them.
So what did the landscape look like this year in Las Vegas? More than ever, it was about bots and generative AI, and how attackers are finding new and different ways to deploy them.
Ariana: What were some of the key takeaways for the security industry?
Dan:
AI and Bot-Driven Fraud is Personal - This isn’t purely a technical issue for those of us in the trenches. The big, earthshaking threats posed by bots and AI tend to dominate the headlines: toppling governments, sabotaging pipelines and electrical grids, and other major attacks of that nature. These are obviously real concerns, but they are rare. What’s much more common are the attacks that aren’t reported. I’m thinking of the individuals who lose their savings due to phishing and fraud, and the suffering that follows. People who are living paycheck to paycheck can lose access to healthcare, their homes, their families, and even their lives.
Who’s Most at Risk? - The elderly remain a prime target for phishing and fraud, but increasingly so are young people. More than 80% of monthly active users in virtual environments are under 18, and there’s significant potential for bots to conduct social engineering on them. As Sam Altman of OpenAI has said, children will soon have more AI friends than human friends. This should scare us. Criminals can do tremendous harm by using bots to infiltrate people’s lives at a vulnerable age - whether they are children, or seniors.
AI is Great at Social Engineering - Maybe the biggest use case for AI as a tool for cybercrime is making social engineering attacks more effective. Using AI technology, one bad actor can socially engineer millions of people - and they have the power to be very persuasive. We already see this with phishing emails that lack the typical signs recipients use to spot phishing: spelling, punctuation, and grammar mistakes. Today, most email and phone fraud is done in impoverished countries by people whose first language isn’t English. Using tools like ChatGPT eliminates human error, resulting in fraudulent email messages with perfect spelling and grammar. We can expect the same with phone fraud and even video chat, as deepfakes become more convincing and easier to create.
AI Can Hear You Typing - In a recent study, researchers found that an AI tool was able to decipher text by listening to audio of a person tapping on a laptop keyboard. The AI could make out what words were being typed with 95% accuracy when the sounds were recorded with a nearby smartphone. When trained on keystrokes recorded using Zoom, the AI achieved 93% accuracy. The results indicate that side channel attacks via off-the-shelf equipment and algorithms are practical - though it's arguably simpler to use social engineering to trick someone into giving you their password. However, in a world where a smartphone with a microphone or some other remotely-activated listening device (such as Amazon Echo) could be nearby and active, we should keep this use of AI on our radar.
When Bots are Your Biggest Customer - What company wouldn’t want to see their product sell out on the first day? However, while the executives are clinking champagne glasses in the boardrooms their customers are seething - because those eagerly anticipated items were sold to bots and then resold online at a huge markup.
This is a major problem in online retail, from concert tickets to limited edition sneakers. We saw this recently at F5, where I work: sneaker bots were disrupting the launches of new products from PUMA North America, disappointing customers and taking the site down for hours at a time. We helped them mitigate the attacks and enable a better experience for their loyal fans, enabling the launch of several high-demand shoes without automated traffic degrading site performance.
Us vs. Them - As we’ve seen in recent election cycles and ticket buying fiascos, bots continue to disrupt how organizations approach their online customer experience, presence, and security strategy. What started as a tool to support the early days of the internet has morphed into an epidemic of misinformation, fraud, and fake online traffic. Solutions and education to help mitigate AI and bot-driven attacks were everywhere at Black Hat USA this year. The question is, were attendees paying attention? We’ll find out when we come back next year.
Dan Woods is the Global Head of Bot and Risk Management at F5. Prior to F5, Dan spent more than 20 years with local, state, and federal law enforcement and intelligence organizations including the FBI and the CIA. After earning his BSE in computer systems engineering, Dan joined the CIA as a cyber operations officer. Dan then joined the FBI as a special agent where he investigated cyber terrorism and other cyber-enabled crimes. Dan finished his career in public service as the assistant chief agent for the state attorney general in Arizona. After leaving government service, Dan joined Silicon Valley start-up Shape Security. Dan joined F5 when F5 acquired Shape Security in Jan 2020.
