Winning Against AI-Based Attacks Requires a Combined Defensive Approach
The Rise of Offensive AI
In recent years, the landscape of cybersecurity has been dramatically transformed by the advent and evolution of artificial intelligence (AI). Adversaries have mastered the use of offensive AI to innovate attack strategies that are increasingly sophisticated and difficult to detect. Recent reports from Google’s Threat Intelligence Group have highlighted how adversaries are now leveraging Large Language Models (LLMs) not only to conceal code but also to generate malicious scripts on the fly, allowing malware to evolve in real time and evade traditional defenses.
- November 2025: Anthropic unveiled what it termed the “first known AI-orchestrated cyber espionage campaign.” This operation integrated AI throughout all stages of an attack, from initial access to exfiltration. Notably, these tasks were predominantly executed autonomously by the AI itself.
- Another recent trend involved click-fraud-related attacks utilizing steganography techniques to conceal malware within image files. These malicious software payloads trick users into deploying them on their devices.
- Adversaries have also found ingenious ways to circumvent advanced security measures such as anti-virus (AV) systems. They do so by combining social engineering tactics, intermediary attack strategies, and SIM swapping methods. For example, a threat actor called Octo Tempest managed to disable various security products and automatically delete email notifications from victims.
Sophisticated Attack Tactics
One of the more notorious variants observed in 2023 was used in Microsoft’s Volt Typhoon campaign. This operation was carried out by Chinese state-sponsored actors who employed “living off the land” (LoTL) techniques to evade endpoint detection. They accessed unmanaged network edge devices, such as SOHO routers and IoT hardware.
In April 2024, a group known as Blockade Spider launched ransomware attacks through compromised systems found within the enterprise networks. They masked their activities by routing malicious traffic from a cable modem in Texas rather than directly from China.
New Challenges Posed by Remote Work
The increasing prevalence of remote work has introduced new vulnerabilities into cybersecurity landscapes. The reliance on Virtual Private Networks (VPNs) to support these environments poses both opportunities for exploitation and challenges for defenders. Without adequate visibility, compromised endpoints can propagate malicious payloads within the corporate network unnoticed by traditional security solutions.
Additionally, attackers now exploit unmanaged devices found in the periphery of networks—such as routers, printers, or IoT equipment—and leverage their vulnerabilities to gain initial access points. Sophisticated adversaries are adept at blending different domains to maximize their reach and maintain cover during attacks.
The Need for a Combined Defensive Approach
Given these evolving attack vectors, it has become evident that traditional Endpoint Detection and Response (EDR) systems alone cannot effectively counteract the capabilities of sophisticated AI-based threats. A combined defensive strategy encompassing Network Detection and Response (NDR) alongside EDR is thus essential. Network Detection and Response platforms excel at monitoring network environments for anomalies indicative of potential breaches, whereas EDR systems focus on detecting malicious activity happening within individual endpoints.
When deployed in tandem, these tools offer a more comprehensive view of security threats.
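One way to act on the combined view described above, as an added example that is not part of the original article or of any vendor's product: it cross-references flow records of the kind an NDR sensor produces with an EDR agent inventory to surface internal hosts that carry no agent yet reach managed endpoints on remote-administration ports. The inventory, flow records, internal address range and port set are all constructed assumptions.

```python
import ipaddress

# Constructed sample data (not from the article).
# Hypothetical EDR inventory export: hosts that report an agent.
EDR_MANAGED = {"10.0.1.10", "10.0.1.11", "10.0.2.20"}

# Constructed NDR flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 443),     # managed -> managed
    ("10.0.9.50", "10.0.1.10", 445),     # unmanaged -> managed, SMB
    ("10.0.9.50", "10.0.1.11", 3389),    # unmanaged -> managed, RDP
    ("10.0.9.50", "10.0.2.20", 445),     # unmanaged -> managed, SMB
    ("10.0.9.77", "203.0.113.5", 443),   # unmanaged -> internet only
    ("10.0.1.11", "198.51.100.7", 443),  # managed -> internet
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
ADMIN_PORTS = {22, 135, 445, 3389, 5985}       # assumed remote-admin ports


def edr_blind_spots(flows, managed):
    """Map each internal source without an EDR agent to the managed hosts
    it contacted on remote-administration ports (possibly none)."""
    seen = {}
    for src, dst, port in flows:
        if src in managed or ipaddress.ip_address(src) not in INTERNAL:
            continue  # the endpoint agent already covers it, or it is external
        targets = seen.setdefault(src, set())  # record every unmanaged talker
        if dst in managed and port in ADMIN_PORTS:
            targets.add(dst)
    return {src: sorted(dsts) for src, dsts in seen.items()}


def triage(flows, managed, min_targets=2):
    """Unmanaged hosts that fan out to min_targets or more managed endpoints."""
    spots = edr_blind_spots(flows, managed)
    return sorted(s for s, dsts in spots.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src, dsts in edr_blind_spots(FLOWS, EDR_MANAGED).items():
        print(src, "->", dsts or "no admin-port contact with managed hosts")
    print("review first:", triage(FLOWS, EDR_MANAGED))
```

Neither data source yields this result alone: the EDR inventory has no record of the unmanaged hosts, and the flow records do not say which hosts lack an agent.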
The Future of Defense
Advancements in AI are not solely confined to offensive capabilities; they also present new challenges for defenders. As AI becomes increasingly integrated into various cybersecurity functions and attack methods evolve, the importance of a coordinated defense strategy has never been clearer. For example, Corelight’s Open NDR Platform leverages multi-layered detection approaches including behavioral and anomaly detections.
This platform can identify novel attacks that exploit vulnerabilities in legacy security solutions.