Real Impact of Claude Mythos ft. Dr. Byrd x Aniket | Ep 9

Great Learning 22.05.2026 198 views 8 likes

Video description
AI models are rapidly evolving from mere productivity tools to serious cybersecurity challenges. Discover how advanced LLMs are reshaping both offensive and defensive security strategies today. This video breaks down the complex reality of using advanced artificial intelligence models, such as those from Anthropic and OpenAI, in modern cybersecurity. The discussion explores how these powerful tools can automate penetration testing and identify system flaws, while simultaneously giving threat actors unprecedented capabilities. By understanding this dual-edged nature, technology professionals can better prepare for the next generation of cyber threats. Technology leaders, IT professionals, and security analysts will find critical insights into adapting their current frameworks to handle emerging AI risks. It addresses the growing concern of defending enterprise infrastructure when both attackers and defenders have access to highly sophisticated language models. Implementing robust policies and adhering to established cybersecurity frameworks are essential steps for protecting critical data across all sectors. The conversation covers the foundational aspects of aligning new AI capabilities with traditional asset management and risk mitigation strategies. Key concepts include leveraging the NIST Cyber AI profile, managing vulnerabilities within shared cloud environments, and establishing strict governance to prevent shadow AI usage. Continuous learning and proactive vendor management are emphasized as the most effective ways to reduce an organization's overall attack surface. 
Learn more with the full course: https://online.lifelonglearning.jhu.edu/jhu-cybersecurity-certificate-program?utm_source=youtube&utm_medium=link-in-description&utm_campaign=cyber-podcast-episode-9

Chapters:
00:00 Intro
00:26 The Shift in AI from Opportunity to Threat
01:08 Understanding AI's Role in Vulnerabilities
03:09 Advanced LLMs and Ecosystem Risks
04:08 The NIST Cyber AI Profile
04:59 AI for Security Testing and Penetration
06:24 AI Models as Cybersecurity Deterrents
07:56 Defending Critical Infrastructure
09:02 AI in the Hands of Threat Actors
09:54 Responsible Development and Guardrails
11:38 Key Takeaways for Cybersecurity Learners
14:21 AI Policy and Governance Fundamentals

#Cybersecurity #ArtificialIntelligence #AITrends

Table of contents (12 segments)

Intro

— Hello and welcome to another episode of the cybersecurity podcast. This is Aniket Ambekar and I have Dr. Byrd with me. Dr. Byrd, welcome to another episode.

The Shift in AI from Opportunity to Threat

Hey Aniket. Hey everyone. Thanks for joining us for another episode talking about technology. I'm always excited to join you Aniket. Hey, awesome. So this time we are going to talk about the talk of the town, the Mythos, Claude Mythos, the model that really changed the way people have been looking at AI as an opportunity to now looking at it like a serious threat. It all began just a few weeks ago and uh once people learned about its capabilities, then they have been quite curious about it. Dr. Byrd, what is this Mythos and why is it so mysterious?

Understanding AI's Role in Vulnerabilities

Yep. Aniket, that's a great question. When we start conversations, I like to level set with people and talk about the state of technology and even the state of AI. And I ground that conversation with a basic foundation of technology, people, and business. So when we think about technology, remember these are the tools, the machines, the system. They can be tangible, our devices, our smartphones, our tablets, and they can be intangible. Our software, our hardware, our platforms. Yes. — People are the interaction, the doers of the work. And business is about the advantage, using technology to gain advantage. Now when it comes to the LLMs and in particular Mythos, we have been having conversations around vulnerabilities and vulnerability exploitation. And vulnerabilities are the flaws and weaknesses in technology and security systems that, you know, allow for the criminals to, you know, exploit. And that's really the in a nutshell. And what we've been having conversations around is that, "Hey, if you're running software, hardware that's end-of-life, you know, vulnerable software that threat actors can access and deploy an exploit, then, you know, you have a challenge." And what that's really speaking to is the foundation of our cyber programs. Yes. Asset categorization, asset management, whether that be people, servers, devices, our networks. Making sure that we're implying and employing those best practices to understand the technology, work with our vendors, do the appropriate scanning, and implement the patching and patch management, the remediation of the vulnerability. Absolutely. But, despite doing all this, how is it that this new Mythos, what is this Mythos all about?

Advanced LLMs and Ecosystem Risks

Well, again, you know, Mythos is an LLM that has these advanced capabilities to identify vulnerabilities within technology. So, Anthropic, as we've discussed, has been utilized in the government in different various asset aspects. — Yeah. And it has these capabilities, you know, from offensive and defensive cyber perspective. Right. In addition to the, you know, having the government application, it has commercial applications as well. Right. — So, whether it's Mythos or OpenAI or DeepSeek, you know, these LLMs are becoming more advanced and sophisticated, and they have the ability to detect and identify vulnerabilities within the ecosystem. And true. You know, it is onerous on us as tech, you know, professionals, whether it's cyber or CIOs or CISOs, to understand, you know, how to mitigate these risks.

The NIST Cyber AI Profile

And I often tell, you know, people to couch and organize your organization into the foundational frameworks that really make sense, so you aren't overwhelmed by the newest technological advancements or challenges from the offensive or defensive side. We ground ourselves through the cybersecurity framework, where we understand what our organizations are doing to protect, detect, respond, and ultimately govern security risks and controls. And uh the NIST has a new cyber AI profile that talks about secure, defend, and thwarting, preventing cyber attacks. And that really couches into the conversations that we started around technology, business, and people, right? And it addresses all of those neatly. Any thoughts, Aniket?

AI for Security Testing and Penetration

Yeah, I think the same model or this entire all of these models, this entire problem, can be looked at it from two different perspectives. One perspective is from the users, the companies that are purchasing the tokens for these and then deploying them in the organizations. And they are using it uh for a variety of purposes, like security testing. Uh people used to spend two to three weeks performing a penetration test. Yes. Identifying vulnerabilities, and people have had jobs that specialize in this. But now, because uh a model like Mythos has got so many capabilities from a technology perspective, being in a also the ability to find or build exploits to exploit that vulnerability that it has found. Which means from a user perspective, they are going to get a lot of benefits. From the provider's perspective, that's a different angle altogether. Nowadays, as Claude came up with this model, there are a lot of other providers as well who have been saying, "Hey, we have something similar, but we just did not get it out yet because we thought it might not be too safe." And now that Mythos is out and there is this entire Project Glasswing around it, other providers are also launching similar things.

AI Models as Cybersecurity Deterrents

So, is it possible to say that in the future we can see AI or AI models that are being seen as a deterrent? That, "Hey, you can't really attack this company. We know they've got this kind of a model that's already going on over there." Yeah, I think that's an interesting idea and I think you can see a technology definitely as a deterrent. You know, as these large corporations, the tech providers, you know, all have these capabilities on the offensive and defensive side, it often drives capitalism, you know? Uh from our standpoint, from the users, from the customer, the client standpoint, you know, we have to make sure that we are taking the appropriate actions to secure what we can. Whether that's in the platform where we have this shared environment, right, with our cloud providers and things of that nature, or our on-prem uh providers, right, our on-prem ecosystem. Which has, you know, our really responsibility to manage and mitigate the vulnerabilities from that standpoint. So, there's a lot of different facets and perspectives on how your network, your enterprise, your organization is architected, whether you're in the cloud, right, on platform kind of shared responsibility model, or on-prem. And what's really unique that the Project Glasswing brings to light is, you know, we have the 16 sectors of the critical infrastructure, whether that's the oil and gas, whether that's transportation, the airline companies, the bus companies, and everyone doesn't

Defending Critical Infrastructure

have the same robust technology cyber team to defend. — Yeah. Right. — Right. So, the challenge becomes how do the smaller shops, right, the smaller organizations, the small transportation companies or the hospitals or the clinics that rely on technology to provide services, products, goods. How do they defend themselves? And that's why the notion of patch management and understanding what's in the ecosystem, what's in your enterprise, and having that relationship with vendors to say, "Hey, I can patch and mitigate, you know, what I have in place." That's a great starting point. That's true. Because I talked about two perspectives earlier, and you emphasized on that just now, that using these the companies should connect this with their existing cybersecurity framework. Don't think about this as an alien problem that we don't know how to solve. — Exactly. — It's just another cybersecurity problem, and we solve it the same way we have been solving problems so many years until now. Exactly. Now, there's a third

AI in the Hands of Threat Actors

angle as well, because the tool access is as much as it is or it could be with the defenders. It can also be with the offenders, the hackers, the dark web forums, or even the even the criminal gangs that have been or the organized cyber crime units that have been performing a lot of ransomware activities. If you if one of them gets access to something like a Mythos, the amount of ransomware attacks that we would see in a year is simply going to shoot up. And that's the potential risk. And that also brings me to another point as in what about responsible development? If the companies know that this kind of functionality is way too enhanced, can't they put some guardrails around it?

Responsible Development and Guardrails

Yeah, I think so. You know, there's so many facets. Every angle we look at, there's multiple facets. So, if you're talking about from a software development company, if I'm a startup company and I want to produce a new application, a web service, I can certainly use, you know, the AI tools, whether it's, you know, Mythos, whether Well, Mythos in particular is not, you know, available, right, for public dissemination. But if I'm using, you know, any of the OpenAI platforms, what have you, I can use that to scan my code to reduce the attack surface. If there are gaps and vulnerabilities into dependencies and libraries that create vulnerabilities, I can hopefully mitigate that on the front end. From the tech provider's standpoint, you know, sure, it is onus on them, the large companies, to put guardrails in place. And you start to see that in some of the social media applications and things of that nature, the algorithms that are there to protect, you know, young people, to protect seniors from things that are just disinformation, false truths and things like that is also generated from these LLMs. There's so many different facets and perspectives that we could, you know, pivot, have a discussion, and there's offensive and defensive and responsibilities from each angle, each, you know, viewpoint. That's right. And so, from a learner perspective, imagine one of our learners who is doing the cybersecurity program from Johns Hopkins University, they're looking at this podcast. What are What should be their key takeaways when it comes to a threat emerging as Claude Mythos?

Key Takeaways for Cybersecurity Learners

Mythos? Uh well, I would tell them to ground themselves in the foundation of our course material. Understanding your landscape. What is your technology ecosystem? And that's asset management. It's founded in this conversation that I started around people, technology, right? And the organization. Once you get a handle on those things, basic cyber hygiene, when you're onboarding technology, what does that look like? Are you having conversations with your tech providers to understand who's responsible for you know, the management, what that cycle looks like, patch management, that interaction, controlling data, access controls, resetting default passwords, credentials. Those are the cyber hygiene things that we've talked about throughout the course as Aniket articulated. And that's what we can do to reduce the attack surface from the Mythos perspective. Asset management is also important. And then understanding how technology works, you know, is so important as well. So, you know, that's a lot happening, but you know, understanding and being inquisitive around technology, doing the continual reading and learning is how we all stay abreast in this changing dynamic landscape. That's right. There is one addition that I would like to make to this list, Dr. Byrd, and I completely agree with you. Starting with asset management, knowing what you protect and how are you protecting it, and putting that risk management perspective on top of that, that's going to give you a really good visibility and make security more predictable. Yes. Now, that additional point that I wanted to mention was imagine uh like Okay, let me rephrase that. Before the pandemic, everybody assumed that a pandemic is a really distant possibility. We are not going to experience that. But, that changed overnight. This Claude Mythos is also a similar threat, which earlier people had not really considered to be probable.
But, now that we have seen one model capable of some extreme things, one or other every company who's doing a risk assessment from an AI perspective, they should look at this possibility. What if tomorrow, let's say, ChatGPT or OpenAI has a different model that has some extreme capability? How are we going to perform the risk assessment against that? What kind of policies or what kind of procedures can we have to protect your crown jewels against an intrusive AI model? Would you agree?

AI Policy and Governance Fundamentals

Yep, I agree 100% and you said something that was really critical we don't talk about enough, but policies, right? Yeah. — Policies are the foundation for good governance, right? Yes. — For good management in any organization. Yeah. — Governance and policies set the rules and regulations so you don't have the shadow AI existing because you know that your security teams, your security, your CIO, your technology teams are evaluating technology from a data protection, from a security protection standpoint before things are onboarded, right? Yes. — So, you Yes. just don't have, you know, individuals within the organization that may have good intent Mhm. uploading, downloading software that's unapproved, uh losing, you know, access to uh you know, sensitive information, proprietary information within your organization. Absolutely. Yeah. All right. So, Dr. Byrd, um today we discussed a lot of points about Mythos being a deterrent. We talked about organizations sticking to the foundational aspects like the cybersecurity framework and continuing to use that as the primary tool to deal with any situation or any incidents that may happen in the future. Any closing notes before we finish or end this episode? Hey, remember to stay active with your learning and interaction with your tech providers to understand what the new capabilities are and have fun with it. You know, as Aniket articulated, this tech landscape is constantly changing and that's what is exciting about technology and cybersecurity. Yep. And as Dr. Byrd mentioned, keep learning and keep practicing. Keep your eye on the network. Keep an eye on what's happening in the news. So, read the cybersecurity news every day and you're going to learn immensely. Thank you so much, Dr. Byrd, for joining us for another episode on cybersecurity and we would all meet everyone in the next episode of the great cyber podcast. Thank you so much. This is Aniket Ambekar signing off. Hey, thank you, Aniket. Thank you, everyone.
Thank you all. Bye.
