Analysis: From myth to vulnopocalypse and what really needs to be done now

Contents

Anthropic's Mythos and the comments and analyses surrounding this (non-)release are dominating the security scene – and rightly so: we are currently in the midst of a singularity that IT security has not seen in the past 10 years. However, this also produces hype that distracts from the actually important things. Not least because Anthropic has decided to use the whole thing primarily as a PR booster for its interests. That's why I want to take a step back and soberly analyze what the problem we are facing actually is – and what follows from it for the steps now necessary.

First of all, the issue is not Anthropic's Mythos. Other LLMs could also have found the security vulnerabilities uncovered by Mythos; Anthropic's current lead is not relevant given the emerging development. Nor is it that attackers suddenly have new, never-before-seen capabilities that we are powerless against. Our issue is this: LLMs now have the ability to independently find real security vulnerabilities in software. However, they cannot (yet?) fix them themselves, and even if they could, these fixes would not have reached the user anytime soon. In other words, finding and exploiting security vulnerabilities can be fully automated and scaled up on an industrial scale. Fixing these vulnerabilities, on the other hand, still requires a lot of human involvement and will therefore proceed significantly slower for the foreseeable future.

The impending “Vulnocalypse”

And all of this will get much, much worse, very quickly. Existing bug-fixing capacities are already being pushed to saturation, while the ability to find new bugs will continue to increase for the foreseeable future. Because this is currently still in a very early phase. This immediately leads to the conclusion that a time is coming when AIs will find many more bugs than can be fixed. Every system that is accessible to attackers will be vulnerable; it will be attacked, and there will be an unprecedented number of security incidents. How long this phase will last and what comes after, I will discuss later. What is important now is what can already be derived from it. The most important thing:

The situation is acute, and anyone responsible for IT security should act immediately and prepare for it.

This can no longer be talked away, and “waiting and seeing” will lead to foreseeable disasters. The measures now urgently required fall into the following areas:

• Accelerating update/patch cycles
• Reducing the attack surface
• Improving resilience and defense in depth
• Preparing for the worst-case scenario – or rather, the worst-case scenarios, because there won't be just one
• Preparing for re-commissioning after an incident

Yes, exactly – this is nothing new. All of this could have been recommended exactly the same way six months ago – and in fact, I did. This is partly because AIs have not yet uncovered any novel vulnerabilities. Whether this will remain the case is another exciting question that I'll save for later. But everything that Mythos & Co. currently finds could have been discovered by a human six months ago. Only the probability for each individual finding was so low that we could somehow muddle through with many compromises. With this in mind, we have accumulated a large amount of security debt over many years. And it is now due. That is, in the next six to twelve months – to give a concrete figure. And it will be very bitter.

The overdue reorientation

Therefore, it is now high time to prepare for it. That is, to re-evaluate the measures listed above from this perspective and to place them on the agenda for the coming months with high priority. The hype surrounding Mythos can even help here. Even management may have heard about the emerging AI vulnerability storm and the need to prepare for Mythos. This provides starting points for submitting your proposals for reevaluating IT security.

These will almost inevitably also demand the use of AI, because only with its support can the necessary speed be achieved in the implementation and processing of new processes. But much can also be done entirely or largely without AI. And that is not less important – quite the opposite. Because how to robustly integrate AI into the update/patch cycle, for example, is not yet really clear. We can currently only hope that the IT security industry, together with AI companies and software developers, will find and provide practical solutions. This is where Anthropic's Glasswing, OpenAI's Aardvark, and countless innovative projects from AI startups like AISLE and ZeroPath come into play.

The role of AI

But even more important now are the classic security basics that we have neglected for far too long. For measures such as segmentation, least privilege, MFA, or monitoring with deception, and so on, there are already proven concepts and guidelines. Therefore, I would prioritize such solid security foundations even higher and implement them more quickly than future-oriented, truly AI-driven processes.

Despite all the Cassandra calls, I see the role of AI in IT security as more positive in the long term. Because it's not like we currently have a well-functioning overall concept – quite the opposite. It has been creaking and failing at all corners and ends for years. In the long term, I hope that we will reach a state where defenders benefit more from the capabilities of LLMs than attackers. Because fixing bugs ultimately scales better than exploiting them with real-world exploits. And that makes it realistic for software and the IT built on it to become largely secure and resilient. But we are talking about a time horizon of several years – and a long way, with many unknowns and numerous possibilities to go completely wrong. In other words, “The situation is hopeless but not serious.”

This analysis was originally written by Jürgen Schmidt for the exclusive newsletter of heise security PRO, where he analyzes the IT security world for corporate security managers every week:

(ju)