The AI Security Institute (AISI) has issued a strong recommendation for organizations to reinforce their focus on foundational cybersecurity practices. This comes in light of the recent evaluation of Anthropic’s latest artificial intelligence model, known as Claude Mythos Preview.
Last week, Claude Mythos Preview attracted significant media attention when Anthropic announced that it had successfully identified thousands of zero-day vulnerabilities dating back many years. This revelation suggested that the model could uncover previously unseen weaknesses within systems, raising alarms among cybersecurity professionals.
In response to this groundbreaking achievement, Anthropic launched Project Glasswing. This initiative allows participating technology vendors to leverage the capabilities of Mythos Preview for the purpose of identifying and addressing these vulnerabilities. Despite assurances from Anthropic that the model would not be made publicly available, there remains a palpable anxiety regarding the possibility that it may eventually fall into the hands of malicious actors.
The AISI’s evaluation of Mythos Preview indicates that the model represents a significant advancement over earlier frontier models in an environment where cyber capabilities continue to evolve rapidly. In a detailed statement, the institute revealed that during controlled assessments, Mythos Preview was able to autonomously execute multi-stage attacks on vulnerable networks, discovering and exploiting weaknesses without human intervention—a task that would typically take cybersecurity professionals many hours.
The institute constructed a 32-step corporate network attack simulation to assess the model’s effectiveness. This simulation encompassed a wide range of activities, from the preliminary stages of reconnaissance to the complete takeover of the network. While Mythos Preview managed to solve the simulation in three out of ten attempts, it successfully completed an average of 22 out of the 32 steps across all attempts. The AISI noted, however, that better performance might be achievable with enhanced computational resources.
Despite these encouraging results, the AISI introduced important cautions. The organization pointed out that the environment used for testing differed significantly from actual operational settings. “Mythos Preview’s success on one cyber range indicates its capability to autonomously attack small, vulnerable enterprise systems where network access has been gained,” the institute explained. However, testing ranges usually lack features typically found in real-world scenarios, such as active defenses and defensive tools, as well as repercussions for actions that would usually trigger security alerts.
As a result, the AISI expressed uncertainty about whether Mythos Preview would be effective against well-defended systems. The organization intends to address these gaps by simulating more secure environments in future evaluations, incorporating endpoint detection and real-time incident response capabilities.
While these developments unfold, the AISI strongly encourages cybersecurity teams to bolster their fundamental protections. The institute emphasized that its testing indicates that Mythos Preview can effectively exploit systems exhibiting weak security postures, a trend likely to continue as more AI models are developed with similar capabilities. As part of its conclusion, the AISI underscored the significance of adhering to foundational cybersecurity practices. This includes regularly applying security updates, maintaining robust access controls, implementing sound security configurations, and ensuring comprehensive logging of system activities.
Additionally, the AISI suggests that organizations explore the integration of AI technologies to drive significant enhancements in defensive strategies. In a joint blog published alongside the National Cyber Security Centre (NCSC) on March 30, the AISI elaborated on how AI can revolutionize cybersecurity. Specific advantages highlighted included:
– The reduction of the attack surface through rapid system scans, identifying misconfigurations and vulnerabilities, assessing exploitability, and delineating complex attack paths.
– The improvement of threat detection and investigation processes via the triaging of alerts, analysis of diverse log patterns, and the generation of concise summary reports for security analysts.
– The automation of response actions to cybersecurity incidents, which includes blocking unauthorized traffic, quarantining suspicious processes, and revoking user access promptly.
In summary, the ongoing developments in AI, particularly with models like Mythos Preview, bring both opportunities and challenges to the cybersecurity landscape. The urgency placed by the AISI on revisiting and reinforcing cybersecurity basics, as well as the potential for AI to enhance defenses, underscores the need for proactive measures in an increasingly complex threat environment. Organizations are thus encouraged to remain vigilant and adaptable in their cybersecurity strategies to better safeguard against emerging vulnerabilities.