The Dark Side of AI: Hacking with AI and Exploiting AI Security Flaws

are you seeing a rise of AI used in attacks what's  happening in the real world not like what's in the   movies but you know what are you seeing and  is AI actually being used for offensive for   hacking etc? The data is out there I I've seen  recently with slack like using customer data   even if you're paying to you know train the AI  uh they didn't even ask for permission they just   used it so from a privacy point of view AI bit  of wild west it feels like from a cyber security   point of view it seems really worrying any hope?  There's hope there's absolutely hope whenever   it comes to security a lot of security-minded  organizations are trying to figure out what is   going to be the guidance for not only today but 3  months from now 6 months from now a year from now   and so [Music] Hey everyone it's David Bombal  coming to you from Cisco live with a very very   special guest Omar welcome. Thank you so much for having  me here. Great to have you here you're very very   well known in the industry I believe 27 books at  the last count right? Yes sir I used them to raise   my monitors so they're perfect for that. I don't  believe that for a moment you've written books on   all kinds of topics perhaps you can give us like  a quick overview of some of the books that you've   really enjoyed writing or that are very popular  that people have given you feedback on but I mean   27 and you're writing new books as well I believe.  Yes sir it's it's it's not overnight I'm sure all   right it's been been at Cisco for 25 years and I  started to contribute to some books before that   it's a wide spectrum from certification books  to books that are now used in University and a   few related to how emerging Technologies like  AI is impacting pretty much everything cyber   security, networking, programming and so on. So I  know some of the books that you've written like  

uh PenTest+ you've also done Cyber Ops for Cisco  and you've done some CCIE security books as well   right? Yes sir the uh CCIE the exam that  you're required to pass in order to get your CCNP   yeah and CCIE yeah. And more recently another  AI cyber security book is that correct? Yes sir   actually I just published two uh about the same  time, one was with a very good colleague of mine   from the Oxford University his Miss Pitar yeah and  um that one is around securing AI implementations   a little bit more from a high level as a m  fact I'm working on one that is a little bit   more in depth right and my joke in those books  is that by the time that I press the first key   they become obsolete that technology is changing  but it gives you a blueprint yeah of how to look   into uh how AI is impacting the Technologies,  what are the tools that are necessary for you   to make sure that you're securing AI correctly  and also how to use AI for security right so you   have the two dimensions of using AI for security  but also securing AI. What I do for Cisco mostly   is a little bit of both but also looking into  the security of the AI implementations across   the whole portfolio. I need to a because I think  a lot of people will be interested in this are   you seeing a rise of AI used in attacks because  I mean the one that we always know is deep fakes   or you know videos with uh Tom Cruz or you know  things like that but perhaps you can show you   know tell us what's happening in the real world  not like what's in the movies but you know what   are you seeing and is AI actually being used for  offensive for hacking etc? The short answer is yes,   yep the longer answer is is beyond the fakes is  beyond the traditional social engineering attacks   right that's what I call more of the attacks  of the 2023, 2022 interesting um the new waves   that people are seeing nowadays is different  officiation techniques okay and where attackers   and if if you think about AI is abstracting  a lot for people, so the way that you program   the way that you interact with the computer is  changing. So nowadays you have non-technical  

people that can use you know libraries like  LangChain, Llama index and lot of obstruction into   the things that you don't have to have a PhD in  data science to then use AI for something that   something can be to create a new phone, creating your exploit, create a new occlusion technique look for   vulnerabilities the perfect example of that that  is beyond research last year to to catch the eye   of my organization I did a workshop and I cloned  the 12,000 security advisories at the time in   GitHub and then what is in the security advisory  well a link potentially to a GitHub pull request   yeah what is in a pull request? A commit. What is  in a commit? A diff. What is in a diff the   code that was vulnerable yeah and the code that  of course you know it has the fix if I put that   into a model and say hey tell me what are the best  ways for me to create an exploit of course if you   ask ChatGPT is going to block you yeah there's a whole  bunch of on sensor models that you can send that   out so of course for my demonstration I uh I was  showing you know how in some cases you know will   hallucinate it will give you some very generic  cross-site scripting you know always just script text   but in some other ones you know opens your eyes  and then you can ask of course what are the CWEs   the Common Weakness Enumerators the root cause of  the vulnerability Y and explain it to a developer   so they can do not commit the mistake or you  can actually do that to another model so make   it better which is a different conversation but  you know I digitize my voice so you know it will   be a little bit real so the de fake was there  fast forward a couple of months now I'm seeing   you know very early indicators of and I will not  say early indicators we're definitely seeing some   um evidence that attackers actually using these  techniques of course to create exploits yeah and   especially in third party software in open source  yeah that's the reason of you know the big push   for supply fly chain security and you know the  whole Asom uh you know movement and and so on   so so yeah you know it's it's a combination  of many different areas and where attackers   are leveraging the ease of use of the technology  and also combining the different techniques for   another example is reconnaissance I was going to  ask you about that yeah open source intelligence   right forget about active reconnaissance just  open source intelligence getting information   from certificate transparency or from H shown  or from you know social media and so on if I   vectorize that information so in other words  you know create beddings on different things   that I can gather from uh different places put  into a vector database like like ChromaDB, Pinecone PGVector the whole bunch of them right and  then create you know agents with you know prom   templates and agents with line chain or Llama  index and so on now I have an army of people   doing reconnaissance for me and profiling   in an individual or a company while I sleep yeah   that's a significant difference of what we're  seeing nowadays of not only the potential but   you know of course the the capabilities of of  these newer technologies to accelerate attacks.   So that's is that escalating you seeing more and  more of those kind of attacks. It will continue   to escalate yeah it's unfortunately that that's  the we also have to think about how we reinvent   literally reinvent incd response yeah for some of  these a lot of the the techniques will be the same   right but a lot of them will be different and I'll  give you a couple of examples that be great one   is remediation yeah what is remediation of a model  is it pull in the plug yeah right uh you don't put   the plug in BGP right you bring down the internet  but as you become um reliant and and you rely on   this technology the remediation will be a little  bit different yeah but then the other one is for   Y in an AI model forensics will be a little bit  different right and there's a lot of metrics for   accuracy for bias and and and so on for security  not a lot of them exist so if I'm an attacker and   I manipulate weights and so on there may be things  that we're missing from a forensic capability so   that's an area of research the other one is  a really big one is reproducibility yeah if I   get a prompt and I give it to a model to your rag  implementation and so on it may be that with the   same prompt with the same context of the data you  may get different results yeah right so whenever   somebody comes to you and say hey investigate  this new vulnerability cross ey request fery   service ey request fery n or SQL injection  you typically have a set of instructions of   click here put this payload you know basically the  recipe of an exploit for this new implementation   even if you give that prescriptive thing and  the same prompt you may get different results   and if an attacker is manipulating things  behind the scenes it can do a lot of ausc   on the actual attacks against the AI system  itself yeah are you finding that attackers   are using their own open source AIS they're  also using like ones that they can just pay   for that are available H there's an assumption  that it's going to be used in both right yep um   I cannot sugarcoat it right I mean that just  the Dual nature of Technology yeah if I use   uh CLA or GPT y or Mistral an attacker is  probably using it faster better than you   know cheaper um it is it is reality yeah and then  also the definition of an attacker right criminals   to scam people versus nation state yeah against  the critical infrastructure yeah the other thing   is AI comparing the models inference and and so  on and all these systems that we're putting now   together they're becoming critical infrastructure  yeah it's like um you know back in the day we we   looked at the security of routing and networking  and and we still do right I mean that that's you   have to worry about that plus plus yeah so um  you looked at you know bgb for example we just   talking about it right so how to secure these  implementations and make sure that there's no   route manipulation attacks now you have to  think about the critical infrastructures   inference coming from a specific model whether  it's chat GPT your you so the attacks against that   infrastructure while they use you know the same  technology to attack you y that's something that   we also have to figure out you know as a industry  right but going back to your question related to   them using a specific models yes if you ask CH GPT  to create an exploit they have really good guard   rails right to prevent that you can bypass that  with prompt injection you know and even indirect   prompt injection attacks you know embedding  some prompts in a PDF for example a lot of them   White Rabbit Neo is a perfect example and I  know there's a company now but it's an open   source model is uncensor and there's plenty of  them out there that people are fine-tuning and   then taking you know those guard rails out or  not putting any guard rails to then be able to   create an exploit to them be able to actually do  you know x y and z y if that is somebody like me   right she or ethical hackers imagine the very  res sourceful attackers you know the ones that   actually a lot of money and infrastru so for  sure you know that that's that's an area of   concern yes so we've got AI being used to attack  but obviously AI is being used to protect but I'm   just thinking about opportunities for everyone  who's watching we definitely don't want any of   the people watching to become black hat we want to  steer them on the right path so there are a lot of   opportunities right to help companies secure AI  absolutely so can perhaps you can talk about that   there are tons of opportunities in there so one  thing that I always recomend commend is go beyond   the model okay it's not securing just the model  and even regulation I'm not going to go into the   regulation technical but in the in the technical  aspect of it a lot of people are focusing in the   models you know uh model theft attacks which we  have to pay attention to but now as we try to   build systems that then are using multiple models  yeah we're introducing a lot of security you know   deficiencies that's a good way to put it it is yes  that are security 101 yeah for example if you're   familiar with retrieval augmented generation  everybody's talking about this right you use your   data your sensitive documents you use an embedding  model you know something like C here or open eyes   you know embedding models and there's plenty of  them out there you're converting your data your   text your you know PDFs Etc into numbers basically  put them into a vector database that embedding   model in some cases they're licking information  at of the corporation exactly and then people are   putting guard rails just into the inference model  right the other one is as every company every   sector is asking their people how can we use AI y  to accelerate the things that we have yeah whether   it's security collaboration Etc and a lot of  people are experimenting yeah and as I mentioned   these things are getting abstracted in the way  that even non-technical people are playing with   that that they have never thought about access  control yep list privilege yep and so on there   are other areas of focus on where now that we're  moving to an agent based era y right so using more   agents instead of chatbots and co-pilots how can  we determine what is the required privilege to an   agent because pretty much everything is running  as a roote nowadays yeah and um that is pair to a   human or to an application yeah because these are  now Emeral entities that are going to spun up you   know based on specific criteria and it's not only  about rag prod using a tool getting data from an   API and so on and then they will disappear right  and you have the your personas so that's another   area that we should focus on how do we have the  appropriate Access Control mechanisms how we   have the the basic oneone L privilege applied to  these systems plus the more sophisticated attacks   you know how can we detect if a weights in a model  has been manipulated and the bigger one is supply   chain security right if you look at huging face  if you're not familiar with huging face tell us   biggest platform think about like the GitHub y  of models yeah and hog face is the one that is   is being mentioned the most yeah there are others  right tensor flow has one and so on but definitely   huging phas if you look at huging phas early  this year I'm not talking about you know you   know the way back machine that you can go back  so if you go back and use the way back machine   and look at huging face in the beginning of the  year was probably something about 300,000 models   I haven't checked today but definitely last week  as I was giving a presentation about it it was   650,000 plus right wow so if you look at it you  know amazing I love it technolog is moving so   fast and and so on in some cases it's scary but uh  always uh optimistic of Technology a lot of those   models actually the majority of them have used  very insecure framework like pickle right and   you saw you know couple of months ago 100 models  being taken down from hugging face because real   life attackers manipulate them so now imagine if  you're a software developer I found out about you   know a specific model because of a research paper  oh I want to try this it's in hogging pH yeah oh   there's a new version because this person says  that it's you know better examples Etc I grab   it I put that into my infrastructure Y and what  I can actually do so that supply chain security   is really tough of mind right and even even if  you look at inventory that's a bigger one most   companies don't have a good way to do inventory of  their implementations yeah and U even so I sit on   the board of Oasis is a standards organization  I'm the chair of this thing called the common   security advisory framework U we use machine rual  of security advisories and try to modernize the   way that we do you know vulnerability management  so on and um a lot of the conversations in there   is how can we secure this supply chain right with  ass bombs you know software build materials get a   good inventory if you look at AI models luckily  now there's a lot of progress in there but a few   months ago I'm not talking about years months ago  we didn't even have a good way to even capture the   inventory of a model and people may think well  it's the same as an sbom because it's software   uh you have you know ESP bones for quite some  time spdx is a um a standard for that another   one is Cyclone DX from OAS so you have a good way  to inventory uh the list of ingredients that make   up software in an AI model it's a little bit  different it's beyond that you have to worry   about the sbom but you also have to worry about  the training environment that the model was uh   trained on yep also if that is manipulated or  it's not approved by a company that's another   thing that you want to worry about the one  is what is the data AI is not AI without   data that you use to train or fine tune or rag  you know there's always the three elements you   train from scratch super expensive you know  only a few companies you know like Cisco and   you know and the the rest you know are doing  that fine-tuning a little bit more accessible   still requires expertise and and infrastructure  and raging yeah and um so looking not only the   model but the whole system again what is the  data what is the purpose of the implementation   what is the training environment and then all the  auxiliary libraries like L chain and so on that's   part of the traditional esom so spdx in the Linux  Foundation they just released they're about to   release 3.0 that includes and profile for uh AI  bombs right and um I work with a company called   manifest yep that uh we we looked at you know  they they they're pretty well known in the s bomb   and we looked at you know what are the minimum  requirements that you should have in inventory   and then we also fed that back to spdx and Linux  foundation and also OAS to Cyclone DX so now um   within weeks you're actually going to see these  uh standards now supporting at least a good way   to have an inventory of U of AI implementations  yeah sounds like a bit of a wild west right it is   Wild West yeah it is it's it's worrying because I  think it's you mean we you we've been in this game   for a while the um it's this everyone wants to go  to the cloud now everyone wants Ai and everyone's   jumping on this and that's a that's a really good  observation many many many people have asked me   is this just Cloud again yeah right uh or even is  the cloud dead because it's expensive you know I'm   not going to go into that but but is this another  Cloud do I have to worry about from security from   another Cloud the your answer is no okay what  one of the big differences of this technology   is that everybody is now becoming accessible to  everybody yeah like you said non-technical people   non-technical people I I'll give you an example  this is kind of behind the scenes Cisco and so I   sit in an organization called security and Trust  we are pretty large organization so you have the   product security inent response team I Bel I used  to belong to that team CER the traditional inent   response team within the company yeah then we  have The Insider threat team a very big offensive   security team that we're tasking to find zero  day vulnerabilities in Cisco products and yeah   and services and other uh entities and this is not  Talos this is be Beyond Talos yeah and then um and   a whole bunch of other you know forens six teams  Etc it's a pretty big organization about close to   a th000 people Y and um within there kind of like  my carrot was I want to do an ation challenge this   is last year and everybody has to play with AI  y whether you're at pm at intern you know and   so on I made a little competition right and even  though we have a function that is dedicated you   know for AI security and everything but I want it  for everybody to truly understand and think about   how this technology can impact everything that  we do yeah from doing forensics analysis into a   machine to do an evaluation evaluation we call  it evaluation but like a pen test or red team   you know and how we augment that to programming  how we can create better tools and so on a lot   of people they open my eyes I was joking that  if I have three teams it would be amazing and   we had 27 teams you know 70 people participating  Etc and what I was seeing is that non-technical   people they were not afraid y to using these  Technologies watching a video follow through   putting l chain you know in a way and ask asking  the questions that we all should have been asking   10 years ago what embeding model should I use  it's like oh wow we don't have a strategy for   that let me actually you know assign people to  that most Vector databases don't even support   encryption right crazy so it's my fact I was even  talking here about how to secure Vector databases   I just published a paper about it but again Vector  databases is a newer type of databas is not new   uh basically whenever you convert texts or images  into numbers you put them a store that you can do   similarity searches yeah many methods on that and  then you have retrieval you know that's does the   word retrieval augmented Generation Y retrial  method reranking techniques Etc that you get   the data provide some context and you reduce the  likelihood of hallucinations yeah very attractive   for many people yeah if I vectorize again from  certificate transparency information in ENT to   my security policies examples of vulnerabilities  and so on I can then accelerate provide better   support to an engineer that is either programming  or fixing a vulnerability yeah these are other   examples you know or potentially even do a pull  request automatically plenty of use cases and a   lot of these non technical people were putting  into the asking the questions and the main value   at and the benefit was for the security people  you know for us yeah to and again these are also   security folks but you know non technical roles  asking these questions that again should have   been asked 10 years ago in the industry y not at  Cisco y right the whole industry um so it's very   fascinating on how this of course is impacting  you know many different areas around technology   and um you know Healthcare and so on and how we  should look at securing those implementations as   well I mean to me it looks really Bleak like  wild waste the data is out there I I've seen   recently with slack like using customer data  even if you're paying to you know train the AI   uh they they didn't even ask for permission they  just used it so from a privacy point of view AI   bit of wild west it feels like from a cybercity  point of view it seems really woring any hope   there's hope there's absolutely hope um there are  a lot of organizations across the industry that   are asking the same questions good whenever  I've been blessed in my career that if I'm   fixing a vulnerability again using the bgp example  because top of my head for some reason sometimes   I have been on the phone more with juniper yeah  than even Cisco trying to figure out the the how   to solve it yeah and then give the information to  Cisco and then do a coordination of vulnerability   you know disclosure and so on you know for many  years now I'm seeing the same whenever it comes   to security a lot of security-minded organizations  are trying to figure out what is going to be the   guidance for not only today but three months from  now six months from now a year from now and so   on a lot of that guidance unfortunately has been  more around regulations and so on but we're moving   outside of that right that we're trying to see  how these new best practices or the assisting best   practices apply to these Technologies and creating  Frameworks about it so um I'm blessed to be part   of the board of Oasis and uh with anthropic  Microsoft Nvidia Intel IBM of course Cisco uh mic   oft we're all creating a Consortium for securing  AI right and of course we're collaborating with   nist with uh other agencies like cisa the NSA and  so on and we're we're putting a lot of guidance   in the industry but how to operationalize that  guidance and create sample reference architectures   and so on one of the original contributions  is Google's the open siif it's a open secure   AI framework change the name for the coalition  because it got uh donated to Oasis or the IPR   got transitioned and that's the foundation we kind  of rebooting that right modernizing even though it   was created a few months ago right and you may  think that oh my god modernizing of something   that yeah but is is creating a framework on how  fast we can create this guidance as technology   evolves yeah right and then examples of that give  you the the the perfect example right now what is   an AI vulnerability yeah all right what is an AI  security vulnerability yeah in many cases you're   saying okay so if a prompt injection is one for  sure you know easy yeah H but prompt injection   if you think about me chatting with a chat bot and  saying that Omar is ugly does this blah blah blah   who's the victim of that the person that is doing  yeah the so is that a true vulnerability or not   yeah but what if I have a far World co-pilot yep  or you know an HR system that I can give a resume   you know that's a typical example you give a rume  with an indirect prompt injection so a prompt   within the PDF with white funds that the human  cannot read but the machine can read and then do   some action or a firewall co-pilot that then I can  inject some type of configuration or ofus skate   a configuration and then manipulate the system  right that absolutely is a an AI vulnerability but   there's a lot of talks about an AI vulnerability  or security vulnerability versus bias ethics and   and we're also trying to get those taxonomies  out of the way uh so everybody will be somewhat   in the same page Y and then truly understand how  we should address all of them right we definitely   should address them but what security teams should  be prioritizing what your AI governance and legal   teams should be prioritizing and working together  really more closely than ever and it's not because   of regulations and everything else but it's  because of the whole AI governance within   the organization I'm talking about inventory right  really knowing what your people are using where it   goes you know what technology goes into products  into the applications that you have whether again   you're a Cisco of the world or um anthropics of  the world or Health Care System right so so that's   the the scope of the charter of that organization  that's great from an industry point of view right   I'm really glad to hear that but let's bring  it back to the individual yeah if I want to   ride this wave I always recommend everyone rides  the new wave and AI is that Wave It's the hype it   feels like in many cases at the moment what's your  advice if I'm a young person or I want to get into   this field what would you advise people to do yeah  so one thing even outside of AI whenever people   ask me hey kind how can I get started in ethical  hacking always my guidance was to space yourself   technolog is moving fast yeah fast forward until  now technolog is moving a lot faster y don't get   overwhelmed right uh think about what are again  the non technical people asking questions that   the really hardcore technical people should have  asked 10 years ago y right so look how this is   affecting the work that you do what are the things  yes the way that we can communicate with computers   and the we use computers will change the way that  we program computers now it's been augmented it   will also will change but how that technology you  know you you have to always have some fundamental   knowledge of how this works yeah the human in the  loop is crucial nowadays yeah and yes there's some   technical works that will evolve right I'll  give you a good example many people whenever   they start in cyber security they start in a  security Operation Center in a sock yeah right   the immediate or the the question that I get all  the time immediately whenever I talk to the young   folks and so on should I even go to that yeah  am I going to get replaced if I go into that and   the short answer is no right hey it is evolving so  tier one analyst and again I'm going to give you a   real life example not by the book tier one analyst  right now in my organization is working with a   Jupiter no and of course this plong of the world  and everything else but you know you're going to   get augmented and we have been doing this before  the CHP era and so on with traditional machine   learning and and uh what you're seeing is that  the level of a tier one is becoming a tier two   yeah because uh also the way that you learn is  accelerating faster yeah the way that I learn   now is is significantly different than before yeah  and also has to adopt augment you know having your   tutors Etc but looking into how can you de develop  a program in place that you don't get burned out   right again Technologies you know will continue to  change but it's somewhat actionable to look at the   preium right on how AI is solving some of those  problems a lot of people actually trying to get   AI and find the problem to in of looking at the  we do need a lot of people technical people that   really can spot the fod versus reality yeah that  can also be augmented you know with AI start uh go   beyond the model go beyond chpt try to understand  you know how this technology can interact with   other systems what are vector databases where  how dimensionality of data uh works you know so   for an AI model to actually do something right um  and then of course you know um if you're going to   ethical hacking how somebody can manipulate this  yeah if you're going more into instant response   how can I use the technology or an attacker can  use that to ofus skate you know these Technologies   and then how how do I do forensics better faster  and and so on and unfortunately it's going to be   using AI right yeah this augmenting using AI  especially in this concept I don't know if you   have heard of constitutional AI right tesc so  constitutional AI was a concept anthropic you   know had probably two and a half years ago and  he basically using AI to monitor AI right uh   after they introduced that um a lot of people  thought about okay this is good of looking at   a model observing a model can I use AI to observe  the rest of the system right and uh the answer is   yes and of course you know Cisco has technology  and that like modific and and so on but looking   like if you're getting started looking on how the  techniques of doing instant response monitoring   how um things that AI potentially have gaps that  will never ever ever you will always have to have   some type of human in the loop yeah you know  as people are developing programs I will I will   definitely you know encourage you your newcomers  because it's very very overwhelming to look at   those areas right and then of course you still  have to have the foundations networking was not   going to go away you know as a matter of fact it's  going to evolve but the technology will continue   to to start with the fundamentals in there even  programming is a very hot topic of is it going   to get replaced and so on if you are not familiar  with the underlying technology on how even AI may   be constructing something who's going to defend  who's going to be able to do forensics who's going   to be able to actually do truly instant responds  after something is manipulated right so I don't   think that you know security and programmers and  everything is that is definitely change and look   into the way that how technology changes and how  those roles but the fundamentals always are going   to be there right so do you is it still the same  as in the past go and do uh CCNA or network plus   can you perhaps give us like just a sort of like  a a road map if you've got like just I'm starting   at zero like what would I do if I started today  cuz I want to jump in this wave right I don't   want to like everyone I don't want to like spend  10 years getting to a certain level I want to try   and do the quick way like the I would say the hack  hack hack the way so have you got like sort of a a   road map that I can follow yeah yeah absolutely so  typically it all depends on the role right is so   broad let's but let's focus on red teaming perhaps  or like hacking I like that I like that so if you   are thinking about ethical hacking definitely you  have to have a foundation of networking yep do   you have to pass a CCNA to actually go in there  probably not yeah but CCNA will definitely give   a blueprint yeah and for me what certifications  do uh in many cases is is create a blueprint and   push me that I have some achievement that I can  say okay you know this is something that I'm now   can I apply yeah most companies you are evolving  into like requiring a specific certification and   so on but at least that gives you a a really good  blueprint yeah so of course you know in the case   of networking CCNA you know is is the de facto uh  other ones you know related to ethical hacking uh   a lot of people try to jump from like C8 to OSP  yeah you know pays yourself probably something   like pentest plus yeah to get you the the whole  methodology of hacking yeah and in some cases even   the non-technical aspects of the ethical hacking  in real world you have to deal with scope and uh   you know the things that will keep you out of jail  and in business right so those certifications will   actually provide you that and then you know from  there you pace yourself to the ocps of the world   and there so many of them as a matter of fact um I  have a repository we can make it available that we   have tons and tons of certifications and and what  I um always say is that look at the blueprints of   the certification they're free you don't have to  actually pay you know if a blueprint is asking   the same concept two or three times that's  something that you have to prioritize yeah for   sure yeah right so that's a fundamental outside  of networking even though programing is going to   change you have to have some of a foundation on  how applications actually are created yeah even   if it's augmented by a python the typical you know  even for data science python how I got started and   this is all a little bit of a personal story  great I didn't get started with the AI thing   because of the CH GP er um a few years ago a good  friend of mine is no longer a Cisco we wanted to   uh do automated trading like literally we wanted  you know but here we are I'm still here so I was   not that successful in doing right which I'm glad  about myself so but I I I went to a program you   know two-year program with Harvard but it was  a mini competition we looked at the blueprints   of things you know of course there was no  certification just of machine learning at the time   but we're looking at what are the fundamentals  that I need yeah at the time was R everybody was   programming in R and looking at to how we can do  back preparation and and how we can do a little   bit more again all predictive you know models and  um and then apis with like interactive brokers   Etc right so that pushed me to then look at the  fundamentals not of how you know machine learning   was actually revolutionizing things what are the  things that I need to know from a programming   perspective right that is applied to that use  case right in that case it was automated trading   again that was many years ago a lot of that still  applies here right whether is generative Ai and   and so on and now of course python libraries make  it so much easier but I would say go and try to   figure out what are those libraries doing behind  the scenes yeah and especially if you want to go   into security especially if you want to go into  ethical hacker and especially if you want to mimic   what a real attacker is actually doing y right  looking at the limitations of the technology and   also the power of the technology yeah right uh  but I I think that that will be my guidance to   people that are getting started is there a AI  cyber security type SE or is it do I read your   book that that you've published what cuz that's  the piece that seems to be missing right CU we   talk about the basics but how do I do the AI cyber  piece you will see a flow of you know uh training   and uh certifications being as matter of fact  Cisco just announced an AI uh certification uh for   security currently as of today again may change  tomorrow they're not that many right but what   you're seeing is that assisting certifications and  assisting programs whether it's for inant response   for non-technical things like Risk um management  and governance and so on they're starting to   incorporate AI into it so how to use um even a  GPT a very basic me GPT for accelerating uh the   threat hunting and then getting information from  the M attack framework for example and what you're   seeing the certifications evolving the some of  the assistant certifications evolving to include   those topics so it is inevitable that they will  become domains yeah within a certification and   task for somebody to then probably be augmented  by Ai and then knowing what you know lanen can   do or or the library of the 2025 right yeah  because it's going to continue to evolve so   you're going to see yes new certifications current  certifications evolving and even the way that we   do training right even though we're talking about  books and everything else in the way that I learn   I use books for blueprints yeah and then since  information is changing so fast I create my own   scripts to actually get papers get of course AI  to summarize the papers if it's related to cyber   security I get a you know very basic alert you  should read this on the Saturday because it's   very overwhelm and this changes so fast and then  you know you create that type of framework on   okay yes this is new research but the areas of  security are the same exactly what we were just   talking about earlier a lot of security oneone  things that are being omitted because people are   experimenting so um yeah cyber security I I will  not say that it's going to get obsolete it's going   to get more complicated it's probably going to  be more demand for cyber security than than the   opposite Omar unfortunately they're chasing us  we got to end I could keep you here for hours   thanks so much absolutely really appreciate it  so for everyone who's watching please connect   I'll put Omar's links below if you've got any  questions put them in the comments below hopefully   we'll get you back for more more interviews  absolutely thanks so much thank you [Music]

2024-07-23 15:16

Other news