Security Operations in the Age of Artificial Intelligence

RHC Editorial Team: 1 November 2025 09:30

By Vicki Vinci, SOC Architect – International at Fortinet

The most significant technological trend of recent years is undoubtedly the advent of Artificial Intelligence, especially its generative component (GenAI). Putting aside for the moment considerations about its market adoption, it’s undeniable that this evolution has brought about a series of very significant changes in the security world.

Let’s analyze some of the use cases on which the security industry and the community have focused most of their attention:

  1. How AI is used by attackers
  2. AI in the activities of those who must defend
  3. How GenAI solutions can be attacked
  4. Ways to protect LLM engines

Starting from the first example, there is no doubt that the possibility of using GenAI tools has greatly facilitated the attackers’ task on many fronts:

  • The ease of creating malicious code capable of bypassing the traditional defenses implemented by organizations
  • Support for improving phishing campaigns, with increasingly refined texts and faithful replicas of the messages and portals users actually use
  • The integration of native LLM functionality into attack campaigns, automating and optimizing the kill-chain phases from Reconnaissance and Weaponization through Installation and Command and Control (C2) to Actions on Objectives

At the same time, those whose mission is defense are supported by solutions capable of:

  • Accelerate triage while also increasing its depth of detail
  • Produce SecOps components (playbooks, connectors, etc.) in a simplified manner, moving steadily toward codeless development
  • Implement specific automated recognition, containment and remediation activities through agentic AI solutions

For this set of options to be implemented, one of the key elements is the availability of an LLM engine (whether public or private), which inevitably becomes the target of potential attacks. The availability, integrity, and confidentiality of content are jeopardized both individually and jointly, depending on the methodologies used.

In this regard, the modus operandi we most frequently see threat actors adopt are:

  • Volumetric and qualitative attacks on the computing resources serving the LLM (DDoS)
  • Prompt injection to introduce biases that cause the LLM engine to hallucinate, or mass-query activity to extract the information it contains
  • “Traditional” attacks targeting the infrastructure components involved in providing the service (network, compute, application layer)
  • Unauthorized access to private LLM engines via compromised credentials or improperly secured network access

Ultimately, the cybersecurity industry has stepped up to contribute to the defense of this increasingly crucial component of our digital economy. Mapped against the types of attacks listed above, the solutions driving the market are:

  • GSLB, WAF and CNAPP solutions
  • Deep inspection products that decouple the user session from access to the LLM engine’s front-end component, together with DLP and monitoring tools
  • Firewalling and API protection tools
  • Unified SASE, ZTNA, MFA, and network segregation

In each of these use cases, the introduction of Artificial Intelligence tools has radically changed the quality level as well as the timeframes associated with the various phases of the attack. While human intervention was previously still a key component in some stages, today many of these activities can be delegated to machines that can both accelerate and parallelize tasks, shortening their timeframes and multiplying their volumes.

Given these premises, it becomes mandatory to provide Blue Teams with tools that can counter the new attack methods, matching them in both speed and volume. The ultimate goal is to give analysts the most detailed information possible, minimizing the time needed to analyze and decide on countermeasures when these haven’t already been applied automatically.

As attackers increasingly leverage technology (in addition to social engineering techniques) to elevate their operations to the scale of “machine time,” defenders must also adopt strategies and tools that allow them to respond within the same timescale. Minimizing dwell time will increasingly make the difference between a successful attack and excellent response and containment capabilities.

For further information on this case, please visit the dedicated page.
