Neural Codec Language Models and the SOC

Frank Clark
Hunter Strategy
Jun 13, 2023

“Yes, won't that be grand -- the computers will start thinking, and people will stop.”
- Dr. Walter Gibbs, TRON


In the rush to accept, condemn, or question the use of artificial intelligence, the usual pundits have stepped up to have their say. The positions range from people who are for the use of it, to those against the use of it in any form, to those who are simply afraid and hiding in their basements with their transistor radios, biofuel generators, and homemade EMP weapons. While there is a place for all in our glorious future, the classic truth of the matter remains: any new technology will quickly and decidedly be adapted for use in crime.

Recently we watched Ethical Hacker Rachel Tobac use an array of tools to clone a person’s voice and use that voice to request PII by way of a phone call [1]. With common tricks like caller ID spoofing combined with AI voice cloning and good old-fashioned social engineering in play, the target never knew what hit them. Shortly after, the panic hit the streets and ended up in my lap at the door of the Hunter Strategy SOC.

In these enlightened days we are all highly aware of the daily, if not hourly, attacks against both people and businesses for valuable information. From cold call leads to fraudulent activity, it’s rare to find a person who has not met Nigerian royalty, had a frank discussion about their car warranty, or been asked to buy some gift cards as a favor to a coworker. Because of this, I adapted my security briefing for all Hunter employees to include how to easily spot these scams. With the advent of AI-based voice cloning I not only had to once again rewrite my classic briefing, but I also had to create new policy and procedure for the Hunter SOC.

The SOC is a unique target because it has a multi-layered attack surface. It is open twenty-four hours a day, relies on voice & data communication for operational instructions, employs people on different shifts during the day, and despite the best policy and procedures, often runs out of coffee. To this we can add that the SOC is often the entry point for people starting out in their information security career. They have stepped through the looking glass onto the front lines of defense. Many of them still use the word ‘cyber’ unironically. Given this, how should you proceed to secure your SOC from well-planned and well-executed attacks? First, let’s have a quick but non-exhaustive look at the attack surface of the SOC:

- Vulnerable to phone and email attacks

- Vulnerable to social engineering attacks

- Vulnerable to management unavailability

- Vulnerable to inexperience and lack of company knowledge

- Vulnerable at unusual times and dates (late nights, holidays)

With good planning and preparation from the CISO to the SOC manager to the SOC lead, the SOC analysts are in most cases well protected and prepared for attacks that focus on these vulnerabilities, but where does this stand with the advent of AI voice cloning? Let’s explore!

- Education

Any SOC analyst worth their caffeine will know deep down in their hearts that the odds of the CEO of the company asking them to run off to Walmart to buy fifty gift cards, hand over a password, or give out the gate code are pretty much zero. This is true regardless of where the request comes from. It could be an email, phone call or voicemail. Voicemail is included as a newer technique of social engineering. Calls are placed so that they go directly to voicemail, or otherwise take advantage of the phone system to bypass any chance of a person answering, and leave a voicemail message with a number to call or other nefarious instructions. To counter this, a SOC analyst has the following training:

A SOC analyst is trained and confident to make decisions concerning sensitive requests and understands that they will never “get in trouble” for asking for verification. They are protecting both the company and the client.

A SOC analyst has the proper reference materials and training to understand both the company and the client calling tree and who is authoritative for the request at hand. This is an integral part of the client runbook.

A SOC analyst has the proper training to understand what makes a sensitive request and when a request requires extra scrutiny and management notification before execution.

A SOC analyst is trained and tested on a regular schedule on the most up-to-date policy and procedure governing methods of attack in both the technical arena and the social engineering arena. This includes unannounced drills where attacks are made by authorized security personnel to ensure that policy and procedure are followed.

- Policy and procedure

Because the SOC is a sensitive location that can effect change on both a technical and business continuity level, there are policy & procedures in place to ensure that any actions taken are understood and authorized as well as to detect attempts to social engineer the SOC. Also,

This includes but is not limited to the following:

A phone tree and management available on call 24/7. When in doubt a SOC analyst can reach out with a phone call to get management approval prior to taking an action they feel is questionable.

Procedures to identify management or client management individuals that rely on pre-established authentication methods and do not rely on weak or vulnerable systems such as caller ID or “Don’t you know who I am?!” intimidation attacks. This includes one or more of the following methods in combination:

Callbacks: When a call comes into the SOC with a sensitive request, the SOC analyst will take down the information of the requestor then terminate the call. Next, they ensure that the caller is authorized to make the request, then, utilizing the established call tree, call the requestor back to verify their request.

One Time Pad: When a call comes into the SOC with a sensitive request, the SOC analyst will utilize a one-time pad authentication system in which predetermined key words or phrases are stored securely in the SOC and which authorized individuals will have in their possession. Once used, the word or phrase is stricken from the one-time pad and not reused. The one-time pads can also be issued on a regular basis (monthly, biannually, etc.). Historically one-time pads are extremely difficult to defeat with technology and are only vulnerable to physical attacks such as theft.
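The callback and one-time phrase checks described above, combined into a single decision function. This is an added example, not Hunter Strategy's procedure or code; the call tree entries, phone numbers, phrases, and function names are constructed for illustration.

```python
import hmac

# Constructed call tree: requester -> (number on file, request types they may authorize)
CALL_TREE = {
    "ciso": ("+1-555-0100", {"password_reset", "firewall_change"}),
    "client_it_lead": ("+1-555-0142", {"password_reset"}),
}

def _norm(phrase: str) -> bytes:
    # Spoken phrases are compared case- and spacing-insensitively
    return " ".join(phrase.lower().split()).encode()

class PhrasePad:
    """One-time phrases issued to one requester; each is struck when used."""

    def __init__(self, phrases):
        self.unused = [_norm(p) for p in phrases]

    def redeem(self, spoken: str) -> bool:
        candidate = _norm(spoken)
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(candidate, stored):
                del self.unused[i]  # strike it so a replayed phrase fails
                return True
        return False

def verify_sensitive_request(requester, request_type, caller_id, spoken_phrase, pads):
    """Return (approved, reason, callback_number).

    spoken_phrase is what the requester says once the analyst has hung up and
    called back the number on file. caller_id is accepted only so it can be
    logged; it never affects the decision.
    """
    entry = CALL_TREE.get(requester)
    if entry is None:
        return (False, "requester not in call tree", None)
    number_on_file, may_authorize = entry
    if request_type not in may_authorize:
        return (False, "requester not authoritative for this request", None)
    pad = pads.get(requester)
    if pad is None or not pad.redeem(spoken_phrase):
        return (False, "phrase missing, wrong or already used", number_on_file)
    return (True, "verified on callback", number_on_file)
```

A spoofed caller ID that matches the number on file changes nothing here: the callback goes to the call tree entry, and a phrase overheard on an earlier call fails because it has already been struck.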

Even with all of these in place and more, the question becomes: how does a SOC analyst prepare for the advent of AI-based attacks against the safety and security of the SOC? Even the best AI-based attack methods are vulnerable to specific scrutiny:

- Listen to the voice carefully. Does the voice use the proper inflection on words in a sentence? Do the words seem choppy or spliced together? As part of training, present the “My voice is my passport verify me” scene from the movie Sneakers as an example [2]. Was there a distinct ‘beep’ at the beginning of the call? Are there unusually long pauses, or do you hear phrases like “can you repeat that?” or “I’m sorry I didn’t catch that” repeated far too often? These and other indicators can alert a savvy analyst to a robotic caller.

- Does the request make sense? Among the most common mistakes in a verbal attack are grammatical errors or confusion of past, present, and future tenses. Other mistakes include identifying the caller as being from non-existent government entities like “The United States of America Collections Department”, or the “Internal Tax Revenue Department” (yes, I have personally heard these!).

- Don’t be afraid to apply a Turing test. Say something out of scope of the conversation or unexpected to test the caller and see how they respond. My personal favorite is to use the phrase from Monty Python’s Flying Circus “My Hovercraft is full of eels.” A robotic system, no matter how well programmed, will be ill equipped to address that statement!

- Check your SOC shift logs. Have there been other calls or attempts like this in the near past? Remember one of the first rules of SOC operations is “Document, document, document.” Share the information of the call with the rest of the SOC across all shifts to ensure that everyone is on the same page and attack campaigns can be easily identified.
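One way to turn the shift-log check into something every shift can run, shown as an added example that is not part of the original article. The log fields, entries, and the seven-day window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed shift-log entries:
# (timestamp, shift, claimed identity, callback number given, request)
SHIFT_LOG = [
    ("2023-06-01T02:14", "night", "CEO", "+1-555-0199", "gate code"),
    ("2023-06-01T14:40", "day", "client IT lead", "+1-555-0142", "password reset"),
    ("2023-06-02T23:05", "night", "CFO", "+1-555-0199", "gift cards"),
    ("2023-06-03T09:30", "day", "CEO", "+1-555-0177", "password reset"),
    ("2023-06-20T03:00", "night", "CEO", "+1-555-0188", "gate code"),
]

def find_campaigns(log, window=timedelta(days=7), min_calls=2):
    """Flag calls that share a claimed identity or a callback number within `window`."""
    by_key = defaultdict(list)
    for ts, shift, identity, number, request in log:
        when = datetime.fromisoformat(ts)
        by_key[("identity", identity)].append((when, shift, request))
        by_key[("number", number)].append((when, shift, request))

    campaigns = {}
    for key, calls in by_key.items():
        calls.sort()
        best = []
        # Sliding window: find the largest cluster of calls starting at any call
        for i, (start, _, _) in enumerate(calls):
            run = [c for c in calls[i:] if c[0] - start <= window]
            if len(run) > len(best):
                best = run
        if len(best) >= min_calls:
            campaigns[key] = {
                "calls": len(best),
                "shifts": sorted({c[1] for c in best}),  # shifts that saw the calls
            }
    return campaigns
```

On the sample log this flags the repeated "CEO" calls that landed on different shifts and the callback number reused under two different claimed identities, which no single analyst would have seen as a pattern.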

While the advent of AI-based attacks is a new tool in the toolbox of the adversary, a well-trained, savvy, and supported SOC analyst will tilt the odds in favor of the attack failing. This, combined with a defense-in-depth security program, will give your SOC, your business, and your clients an edge in an extremely competitive world and an internet that still resembles the American wild west stories of old.

Like the motto of the Hunter Strategy SOC reminds us about internet attacks, “Non Si Sed Quando”, or “Not if, but when.”

Frank Clark is a security engineer with Hunter Strategy, a disciple of Ray Semko & his D.I.C.E. briefings and an alumnus of The Dorsai Embassy charitable organization. His experience in security operations includes stock market trading floors, DOD, DOE and NNSA facilities over a 25 year career still in progress.

[1] https://twitter.com/RachelTobac/status/1660432071003881474

[2] https://www.youtube.com/watch?v=n5GzlOpf3KA
