Episode 147
Listen to this episode on
Episode Transcript
Speaker 1 00:02
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:11
Welcome to CyberSound. I’m your host, Jason Pufahl, today joined by the principal of our pen testing practice, Dylan Marquis. Dylan, thanks.
Dylan Marquis 0:22
Yeah, thanks for having me.
Jason Pufahl 00:24
So I feel like it’s podcast after podcast nowadays talking about sort of AI, but certainly it’s kind of top of mind. And it’s the thing that we keep getting asked about, just in general, how are you using it from a work and efficiency standpoint, but just as often, it’s, well, what risks does it pose? And to date, I think a lot of t…
Speaker 1 00:02
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:11
Welcome to CyberSound. I’m your host, Jason Pufahl, today joined by the principal of our pen testing practice, Dylan Marquis. Dylan, thanks.
Dylan Marquis 0:22
Yeah, thanks for having me.
Jason Pufahl 00:24
So I feel like it’s podcast after podcast nowadays talking about sort of AI, but certainly it’s kind of top of mind. And it’s the thing that we keep getting asked about, just in general, how are you using it from a work and efficiency standpoint, but just as often, it’s, well, what risks does it pose? And to date, I think a lot of the conversations have been much more around to the data privacy and data protections. But now all of a sudden, maybe not quite all of a sudden, because three months, six months seems like an eternity in this space today. But we’ve got, AI has capabilities, cloud in particular is one of them where it can do essentially sourcing the vulnerabilities at just like a traditional sort of bug hunter. And so I think we’re starting to see a change there where less technical people, maybe even you might even argue non-technical people can start to do vulnerability hunting for undisclosed vulnerabilities to make it easier to deploy ransomware and make it easier to compromise potential threats. So I kind of really wanted to dig into that a little bit today. And I know with you really thinking, pen testing, kind of all of the time, this is near and dear to your heart. So kind of open it up a little bit, if you could spend a minute on Mythos and kind of what some of these risks are today.
Dylan Marquis 01:58
Sure. So, I mean, Mythos is a new kind of Frontier model from Anthropic that’s gained a lot of kind of notoriety in the past, say three or four weeks. And so, I mean, mainly, it’s closed to the general public. It’s only available to large, let’s say large companies that currently work with Anthropic. And what it’s really purported to be really good at is identifying bugs in code and then writing exploits against it. And it’s found some, there was some presentations around it. And it’s found some very interesting things, some very old bugs that have existed in some popular software for, I mean, even decades. So some security researchers, particularly one that works with Anthropic, Nicholas Carlini, spoke about the potential for, you know, sort of exponential growth in current models. And also along with it, the exponential growth of identifying zero days. So there is certainly like an interesting, let’s say, thought experiment to be had, an interesting discussion to be had around what happens if all of a sudden these models start to become a vector for introducing the zero days to the security environment. And what does that look like? And how do we combat it? And how does the relationship or the balance between attackers and defenders start to change? So it certainly is an interesting question. And I think it’s kind of posed a lot of interesting discussions and certainly a lot of hot takes.
There’s a lot of strong discussion around whether it’s hype or whether, you know, fears are founded and how much so. So, you know, certainly something I think would be interesting to dive into today.
Jason Pufahl 03:44
So you segueed a little bit into that talk. And, you know, I think Mythos is one component, but he actually wasn’t using it, right? He wasn’t really demonstrating Mythos. He was using tools that are available to everybody in Claude, right? The Claude Code platform.
Dylan Marquis 04:03
Yeah, yeah, he was looking at Claude Code and Opus 4.6. I believe.
Jason Pufahl 04:07
Yeah, I think that’s what.
Dylan Marquis 04:08
You know, is currently widely available and now they’re on 4.7. But definitely, I think the kind of exponential, super linear growth they’re seeing in identifying bugs is interesting. And I don’t want to overstate it because there’s a lot of back and forth with security researchers. Some of these bugs are found by, you know, limited open source models that anyone can download right now. It is an interesting discussion to have about the capabilities of Frontier models versus open-source models. But I think the main takeaway that I got from Nicholas’s talk was, which is particularly good, was that this is an ever-growing problem and it’s not going to go away, regardless of Mythos or the next big LLM advancement. It’s something that I think security practitioners have kind of been calling attention to for the past few years. And he was really bringing it to a head. And I think now it’s gaining kind of the media publicity and along with it, some hype from Anthropic and other things that, you know, are good for Anthropic, but not necessarily ring perfectly true with the rest of the community.
Jason Pufahl 05:17
Yeah, and I mean, that’s the difficulty right now with a lot of the AI in general is wading through, you know, facts versus, you know, promises or fiction. And, you know, so with Mythos, that was a kind of a contained, it’s essentially a contained system where, you know, it’s not openly available. It’s got some constraints on it. It demonstrates potentially some of its capabilities, but it’s not widely, it’s not like widely available. And, you know, what its success, like if you can spend a second on like what, you know, what was the big success that sort of generated all the buzz around it?
Dylan Marquis 05:57
That’s still not fully known. There’s certainly been a few consortiums or research kind of research groups that have done some research against it. It definitely is an advancement in terms of creating these exploits and finding bugs in code. But I’m not sure that there’s, you know, a sort of single smoking gun that says that this is definitively, it might be the next step, but not that it’s a massive jump in capability.
Jason Pufahl 06:28
And so then the Claude Code piece, with a little creativity seems pretty able to replicate you know, the skills of a, you know, I’ll say a reasonably good programmer, right? I mean, it really, as long as you prompt it properly, it goes and finds libraries, it develops code, it runs, it runs for you, right? It’s really capable.
Dylan Marquis 06:56
Yeah, absolutely.
Jason Pufahl 06:57
So I’m curious how much you’re using, like how effective do you find it?
Your background, you’re a good programmer, you know, so knowing what you can do, how do you leverage Claude Code to help you maybe day-to-day in some of the pen testing that you might be doing or just in general, if you need to do, you know, kind of write a module for something?
Dylan Marquis 07:19
So we absolutely use it for development tasks. It’s been extremely helpful. I have used it to varying degrees and more so recently as it becomes more capable.
But I think it’s absolutely useful tool if it’s like an account not using a calculator these days. I think it’s kind of mandatory piece of kit for every developer. Granted, some developers may leverage AI tooling more than others, but I think it really is extremely helpful to, you know, start out projects to work through and push through a lot of features that can be, you know, gleaned by an AI and quickly written.
They’re being able to do larger and larger projects as time goes on. So, you know, in general tasking. So I would say that it becomes more useful every day. But, you know, and we use it pretty heavily for a lot of little projects and some of our larger ones. So it is extremely helpful in terms of coding and then in terms of actually offensive tooling and things that we use. We are interested in kind of mimicking the capabilities of Threat Actors.
Our whole job is simulating that. So it is important that we are using it to some extent. We like to use it for additional coverage to check into things and get a broader picture of environment to kind of raise things that we might kind of not otherwise surface, kind of understand vulnerabilities in the environment a little bit better. But we don’t, it’s not, we’re not doing fully automated pen tests. We still like to have, and I’ll say it’s the same thing with the coding as well. Keeping a human in the loop is important for us.
I know that there are a lot of researchers that are saying, you know, more and more that that’s becoming less of a, that’s becoming less of a thing. However, I disagree, at least for the purposes that I’m currently employing them at. I think that having a security engineer trained operator is helpful to point them in the right direction to kind of gain some, you know, perspective and kind of allow them to do their best work. So, but we use them for wide ranging tasks. However, we don’t ever really lean on them. It’s more of just another tool for our toolbox.
Jason Pufahl 09:31
So, you know, mostly because I’m curious, can I ask how good is the code typically? Like, do you find that once it’s produced, you really need to do kind of a bunch of editing to fix it or to clean up mistakes maybe that it made, or maybe to make it a little bit more effective, or is it generally once you iterate through what you needed to do, it produces it kind of right the first time?
Dylan Marquis 09:57
It all depends. Definitely shorter projects are, you know, I’ve seen some pretty clean code when there’s a very specific intent, or when it’s contained, or even when you can provide examples, which is the more information it has, the better it performs.. But I mean, I’ll fall back on it depends. Some larger projects, it can kind of misunderstand. I’ll definitely say it helps to have a code development design background to kind of lead it into, you know, specific things that it should do, give it ideas, and kind of dictate more how it’s writing. But I’ve seen it write fantastic code. I’ve seen it write, you know, kind of mediocre code, and sometimes even bad code. So, it’s all depends on the skill of the operator, and, you know, and the kind of task it’s given. So, it does have to be kind of fed things. But again, getting better and better each day. So, you know, each day we’re excited to see kind of the next model that comes out, and what it’s capable of doing. And so far, I would say good results. You know, fairly secure code, and for the most part, and definitely effective. It does get some small projects written pretty quick, and gives us capabilities that we might not otherwise have. So, it is a helpful tool.
Jason Pufahl 11:20
Yeah, I mean, it’s kind of the fundamental challenge of AI, not to segue too much, but that’s, you know, in my opinion, the fundamental challenge, which is, you know. I’ve developed small projects with it, and I don’t have a programming background. And so, I’m in a spot where I feel like, well, it does what I need it to do. I have no idea if the code, particularly if the code is secure, if it’s well written. And in a way, you know, for the smaller things that I’ve done, I don’t care that much. But it’s that, you know, it’s that problem with AI, where you, in some ways, if you don’t have the background in the space that you’re kind of, you’re working in, you just have to blindly trust it’s doing what it’s supposed to be doing.
Dylan Marquis 11:56
Yep, and that may add to the problem we’re talking about before. It’s sort of the exploits is that we have, now, I’m sure you aren’t pushing your code into production, where it can be picked up by the internet, but I’m sure others are. And so, that becomes a kind of compounding problem, too, and kind of increases the problem, you know, the attack surface, generally, for companies and for individuals as well.
Jason Pufahl 12:24
Right. You know, honestly, I found the process of developing something kind of interesting, because it produces, and then it ultimately doesn’t do exactly what you want. So, you have to say, hey, can you do this, make this change, or you modify it this way? And it’s always so, like, cooperative. Oh, yeah, I totally see where I missed doing that thing. I’m going to do this, and then I’m going to implement it, and you’re going to see the end result. And at the end, you’re like, well, I didn’t still quite get there. But it’s such a pleasant interaction all the time, and it’s so agreeable that you don’t mind working with it.
Dylan Marquis 13:00
They are very cooperative.
Jason Pufahl 13:03
So, I’m interested. Vulnerability, sort of vulnerability identification, is probably going to get faster, especially as professionals start to utilize these tools more. And then, potentially, threat actors look for things and don’t disclose those vulnerabilities. And you see this on a day-in, day-out basis. My gut instinct is the defensive position for folks who are in the space, working for companies, is get a good vulnerability management program in place. It seems like, I think we’re 160 podcasts deep, I feel like we’ve mentioned vulnerability management for the last five years. And yet, it’s still sort of the same, still one of the same main fundamental things that we tell people to do. So, one, I’m curious, do you agree with the statement that vulnerability management practices sort of remain really important? And is there a change in that?
Dylan Marquis 14:05
I would definitely agree. I mean, that’s just one of those solid pieces of security or foundational pieces of security guidance. But I think the discussion we had earlier with the exponential, potential exponential growth or super linear growth of AI, ability for AI to perform tasks, potentially identifying large numbers of zero-day vulnerabilities, I think that it just becomes that much more important. So, having a solid, the ability to mitigate these vulnerabilities as they arise is extremely important from automation or even just internal processes and practicing those processes to make sure that you can’t, like, if you’re an organization, you can identify a zero-day comes in on a piece of equipment that you have, that you can roll that out, that you can test and ensure that mitigations are in place and verify. And then, follow up with whatever, augment documentation and kind of all the standard things that you’d see in DR playbooks or other types of disaster playbooks.
There should be a playbook for a zero-day vulnerability coming up.
Jason Pufahl 15:12
Yeah. So, I think that’s a useful way to frame it because you’re advocating less, although I know you think it’s important to do traditional vulnerability scanning, but really what you’re saying is when something’s identified and there’s probably risk now that more zero-days sort of get published, that you’re in a position to quickly sort of address those, right? That you’ve got the infrastructure in place to quickly address them.
Dylan Marquis 15:38
Absolutely. And I mean, you’re right. Ensuring that you’re capable of auditing is also extremely important. So, vulnerability assessment, attack surface management, those all become much more important because you want to be able to identify it and whether you’re vulnerable in the first place and confirm that, and then also to audit after the fact to ensure that it’s mitigated. Yeah.
Jason Pufahl 15:59
So, maybe the last thing I want to close on is, do you mind spending a second on Glasswing? Because I think that feels a little bit more now like the traditional big companies rallying around a problem, right?
Dylan Marquis 16:16
Yeah. I mean, that’s exactly what it is. So, just to kind of give a quick overview on what Glasswing is, it’s essentially the project to, as you mentioned, Jason, like identify vulnerabilities in large pieces of software that everyone’s using.
A lot of the companies involved are like Palo Alto, Microsoft. Actually, I’m not sure about Microsoft.
Jason Pufahl 16:37
Yeah. I think AWS, Amazon for sure.
Dylan Marquis 16:41
Yeah. So, it’s a way to help identify supply chain, potential exploits, exploitation in the supply chain or vulnerabilities in the supply chain that might be exploited by zero-day exploits being developed. It kind of gives them to be on the leading edge of identifying that before a threat actor does. I think it’s a good idea. Absolutely. I think it’s certainly important that someone is kind of sounding the rally cry here because it is that’s kind of been staring us in the face, security practitioners in the face for a long time. And I don’t think it’s gotten much attention. So, it is good that something like Project Glasswing is bringing that attention to the space. That said, it’s Anthropic behind it. So, they definitely have some vested interest in making it a big deal. So, I would say that I think it’s a really good initiative. I think that things like this need to exist and should continue to grow and evolve. It’s unfortunate that’s currently only open to trillion dollar companies, but hopefully that will expand out as things mature. I mean, there’s always a period of growing pains and understanding the problem space that needs to occur before everyone can kind of lump in and really provide lots of security research and an entire ecosystem that will likely have to kind of pop up to support this.
Jason Pufahl 18:14
Yeah. And you’re right. There’s a lot of positive publicity in the narrative around the responsible use of AI and in making sure that we’ve got protections around it in spite of the fast growth. And of course, there’s almost the AI arms race in a way, right?
Dylan Marquis 18:34
And it’s not to say it’s not worth doing. It’s just to say that you always have to take everything with a measure, kind of make sure that your understanding and generated fear from this is proportionate to what is likely. And what’s likely is that there’s a lot of hype going around. The end result that we see in a few months may not be as shocking and as disruptive as it’s currently being outlined to be.
Jason Pufahl 19:12
Yeah, that’s fair. But I guess at the end of this, we make the recommendation all the time that people have good vulnerability management practices in place. That doesn’t change, regardless of whether there’s a seismic shift in the threats that come out as a result of AI, or if they remain sort of the same, we still see zero days all the time. We still see companies that actually can’t remediate them expeditiously because they’re not prepared. That preparedness is always important.
Dylan Marquis 19:45
Yeah. The fundamentals are the fundamentals for a reason. So I mean, really drilling that in and vulnerability management practice is one of those fundamentals. It helps you prepare for what might come in the future. And AI is just accelerating what is possible. So, again, emphasis on the fundamentals is my personal take on it. It’s what I recommend to everyone.
Jason Pufahl 20:11
Fair enough. All right. Well, as always, we kind of kept this within time today, so I’m happy about that. But I appreciate everybody who listened. And I certainly hope that you got a couple of takeaways from this and found some general value. So thanks for listening, and Dylan, thanks for joining.
Dylan Marquis 20:28
Thank you.
Speaker 1 20:30
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant, stay resilient. This has been CyberSound.
