PRESENTED BY
Cyber AI Chronicle
By Simon Ganiere · 24th November 2024
Welcome back!
Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.
Table of Contents
What I learned this week
TL;DR
Staying ahead of vulnerabilities, especially zero-days, is a race against time—one most organizations struggle to win. This week, I dive into how AI can transform vulnerability management, helping you identify and prioritize threats faster than ever. Discover a practical, agentic workflow that automates tracking and contextualizing vulnerabilities from the CISA KEV list, complete with actionable insights to reduce response times.» READ MORE
The geopolitics of AI are still running at full speed. In its latest report, the U.S.-China Economic and Security Review Commission (USCC) has raised concerns about China's advancements in Artificial General Intelligence (AGI). This includes a recommendation for a National AGI initiative, akin to the Manhattan Project, to accelerate US development of AGI technologies. The US has already implemented export restrictions of high-end AI chips to China over the past two years. Chinese companies seem to be bypassing those restrictions using cloud providers. The nomination of Howard Lutnick, a known China hawk, as the Commerce Secretary by president-elect Donald Trump is most probably going to spice up the situation.
Microsoft has announced a slew of AI products during Microsoft Ignite 2024, include a voice cloner, an AI dev platform called Azure AI Foundry, Copilot Actions, etc. You can find a summary from Microsoft here. Gemini now has memory as well (but you need to be a paid subscriber). Perplexity launches a feature that offers e-commerce recommendations, as well as the ability to place an order without navigating to a retailer’s website.
Meanwhile the cyber security world is true to itself…and surprise surprise we have a new round of zero days targeting edge devices with this week Palo Alto Networks as the start of the show. Rest assured Fortinet was not far behind with the exploitation of an unresolved security flaw in Fortinet’s FortiClient for Windows.
Leveraging AI to Identify Zero-Day and Actively Exploited Vulnerabilities
If you work in cybersecurity, you’ve probably faced the frustrating, almost paradoxical challenge of keeping up with vulnerabilities. Just when you think you’ve patched one, three more appear—often faster than your team can act. Sound familiar?
This is part two of our mini-series on vulnerability management. In part one, we laid the groundwork, highlighting why traditional approaches struggle to keep up with today’s threat landscape. Here, we’ll take it further by exploring how AI can provide real-time context on zero-day and actively exploited vulnerabilities, helping you move faster and smarter. Part three will dive into the vendor landscape, showing how AI-powered tools are transforming vulnerability management and helping you make informed choices.
Imagine this: a zero-day vulnerability is discovered on Monday, and by Thursday, it’s being actively exploited across thousands of systems globally. For most organizations, the gap between discovery and response is far too wide. Let’s explore a practical solution: an agentic workflow I’ve built to tackle one of the biggest challenges in vulnerability management—tracking and contextualizing vulnerabilities from sources like the CISA Known Exploited Vulnerabilities (KEV) list. With AI, we’ll automate this process to provide actionable insights faster than ever.
The Reality: Why Zero-Day Vulnerabilities Are Your Biggest Headache
Vulnerabilities, especially zero-days, aren’t just technical nuisances; they’re significant business risks. In 2023, over 70% of vulnerabilities tracked by Mandiant were zero-days actively exploited before patches were even available. This means threats often arrive before you even know they exist.
The time-to-exploit for critical vulnerabilities has shrunk to just days. Attackers are moving faster than ever, leaving manual processes and periodic scans in the dust. To respond effectively, you need real-time intelligence—and that’s where AI steps in.
Moving From Data to Insight: The Role of AI
Traditional vulnerability management often feels like drinking from a firehose. Sources like the CISA KEV list provide invaluable data but only tell part of the story. The real challenge lies in answering key questions:
Which vulnerabilities are actively being exploited?
What’s the broader context, including threat actors and known exploits?
While manual research can provide these insights, it’s time-consuming. Automating this process with AI saves time and gives you a strong starting point. Here’s an example of what an enriched output might look like:
Here’s an example of what your enriched output might look like:
Figure 1: Example of output (executed on the 18th Nov)
Let’s break down how you can generate this kind of output using an agentic workflow.
The Workflow: AI-Powered Vulnerability Contextualization
This workflow automates two key tasks: extracting vulnerability data and enriching it with actionable insights. Here’s how it works:
Step 1: Extract Vulnerabilities From the CISA KEV List
The CISA KEV list is a goldmine of information, but manually sifting through it is time-intensive. Instead, we use a script to pull the latest entries automatically. Here’s the code:
def get_KEV(days):
url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
cutoff_date = datetime.now() - timedelta(days=days)
response = requests.get(url)
kev_data = response.json()
recent_vulnerabilities = [
vuln for vuln in kev_data['vulnerabilities']
if datetime.strptime(vuln['dateAdded'], '%Y-%m-%d') >= cutoff_date
]
return recent_vulnerabilitiesThis script fetches the latest vulnerability data and structures it for analysis, giving you a clean list of CVEs with descriptions and dates.
Step 2: Enrich Data With AI-Driven Context
With the raw data in hand, the next step is to enrich it using AI. This involves two agents working collaboratively:
Researcher Agent: Gathers detailed information on each CVE, including descriptions, impacts, and known exploits.
Analyst Agent: Synthesizes this data into concise, actionable reports.
Here’s how the agents and their tasks are defined:
def create_researcher():
return Agent(
role='Cybersecurity Researcher',
goal='Find detailed information about recent CVEs such as description, impact, affected systems, known exploits, mitigation and threat actor.',
backstory="You are an experienced cybersecurity researcher focusing on understanding the impact and potential exploits of CVEs. You have a significant experience in analyzing CVEs and have a knack for understanding the potential exploits and impact of these vulnerabilities. ",
tools=[search_tool],
model=MODEL_NAME,
verbose=False
)
def create_analyst():
return Agent(
role='Cybersecurity Analyst',
goal='Analyze and summarize CVE information',
backstory="You are a skilled cybersecurity analyst capable of synthesizing complex information.",
model=MODEL_NAME,
verbose=False
)
def create_research_task(cve):
return Task(
description=f"Research the CVE {cve['cveID']} and find detailed information about its impact, affected systems, and any known exploits.",
agent=create_researcher(),
expected_output="A detailed report on the CVE including its description, impact, affected systems, known exploits, mitigation, threat actor and references (link to articles)."
)
def create_analysis_task(cve):
return Task(
description=f"Analyze the information gathered about CVE {cve['cveID']} and create a concise summary including key points and recommendations.",
agent=create_analyst(),
expected_output="""A concise summary of the CVE with key points and recommendations. The structure of the report has to be the following:
- Title (e.g. CVE-2024-38856: Apache OFBiz Incorrect Authorization Vulnerability)
- Description (e.g. couple of sentences to describe the CVE)
- Impact (e.g. couple of sentences to describe the impact)
- Affected Systems (e.g. list of system / application implicated)
- Known Exploits (e.g. couple of sentences to describe what the exploitation of the vulnerabilites)
- Mitigation (e.g. list of key mitigations but avoid basic recommentation like password change, awareness and training, etc.)
- Threat Actor (e.g. description of the threat actor if it known. If the threat actor is not known just say it)
- Resources (e.g. link to various articles and links)
. You output only html where the section title are in bold formatted text. do note add any things like ### or ** or :"""
)Streamlining the Process With a Web Interface
To make this workflow user-friendly, I wrapped it in a simple web interface. The interface allows users to input CVEs and view enriched reports directly. Here’s a snapshot of the interface:
Figure 2: Example of web interface
Why This Matters: Real-Time Prioritization
This workflow transforms vulnerability management from a reactive process into a proactive, intelligence-driven strategy. By combining structured data from the CISA KEV list with AI-driven enrichment, you can:
Prioritize effectively: Focus on vulnerabilities actively being exploited.
Act faster: Reduce time-to-response with automated analysis.
Make better decisions: Align mitigation efforts with real-world threat context.
What’s Next?
This workflow is just the beginning. In part three of this series, we’ll explore the AI-powered tools transforming the vulnerability management space. From automated scanning to real-time patching, we’ll cover how to evaluate these solutions for your organization’s needs.
Ready to take the first step? Implement this workflow and share your experiences!
SPONSORED BY
Learn how to make AI work for you
AI won’t take your job, but a person using AI might. That’s why 1,000,000+ professionals read The Rundown AI – the free newsletter that keeps you updated on the latest AI news and teaches you how to use it in just 5 minutes a day.
Worth a full read
Anton’s Alert Fatigue: The Study
Key Takeaway
Alert fatigue's persistence indicates a deeper systemic issue in cybersecurity operations.
Integration and automation are crucial for managing increasing alert volumes in SOCs.
The fear of missing real threats drives up false positive rates, complicating detection.
Effective alert management requires diagnosing the root causes of alert fatigue.
Enrichment and automation enhance alert quality, reducing analyst workload.
Human fatigue in SOCs can be alleviated by delegating more cognitive tasks to AI.
Cross-industry insights, such as those from SREs, can enhance SOC efficiency.
Federated alerting improves triage by routing alerts to the appropriate personnel.
SOAR and AI offer potential solutions but require proper implementation and tuning.
Sharing insights and solutions can collectively improve cybersecurity alert management.
Homeland Security: Framework for the Safe and Secure Deployment of AI in Critical Infrastructure
Key Takeaway
AI deployment in critical infrastructure requires robust safety, transparency, and collaboration.
The Framework emphasizes a multistakeholder approach to secure AI's potential.
AI's role in infrastructure presents both opportunities and security challenges.
Critical infrastructure's reliance on AI necessitates strong cybersecurity measures.
Collaboration between public and private sectors is key to responsible AI use.
AI's transformative potential must be balanced with ethical and security considerations.
Civil society's involvement ensures AI systems reflect community values.
The Framework aims to align AI development with human-centric values.
Protecting civil rights is central to equitable AI deployment.
Proactive measures are vital to harness AI benefits and mitigate risks.
Research Paper
Understanding the Efficacy of Phishing Training in Practice
Summary: The study finds that current phishing training methods offer limited practical value in reducing phishing risks.
Published: May 2025
Authors: Grant Ho, Ariana Mirian, Elisa Luo, Khang Tong, Euyhyun Lee, Lin Liu, Christopher A. Longhurst, Christian Dameff, Stefan Savage, Geoffrey M. Voelker
Organizations: UC San Diego, University of Chicago, UC San Diego Health
Findings:
No significant correlation between annual training completion and reduced phishing simulation failures.
Embedded phishing training shows only a small reduction in failure rates.
Most users spend minimal time on training materials, leading to low engagement.
Interactive training shows some improvement, but overall effect is small.
Final Score: Grade: B, Explanation: The study is rigorous and empirical but limited by data accessibility and modest novelty
Wisdom of the week
Unlike the brain, the stomach alerts you when it’s empty
Contact
Let me know if you have any feedback or any topics you want me to cover. You can ping me on LinkedIn or on Twitter/X. I’ll do my best to reply promptly!
Thanks! see you next week! Simon