Mythos Implications

Mohammed Faruq

2 min read
Share
Mythos Implications
Screw AI. More Nature.

I was asked to look into the implications of Mythos Preview. I wrote this about 2-3 weeks ago and procrastinated publishing it. Yesterday, Fable 5 and Mythos 5 were released so it might change anything/everything I’ve written (hopefully unlikely). I’m going to publish this anyway and update this post retrospectively. I still think this is all valid to some extent.

What is Mythos?

Mythos Preview is a general purpose LLM by Anthropic. They claim it is especially strong in finding software vulnerabilities with thousands of “high severity” or Zero Days already found across many OS’, software and code bases. It is claimed that the model is a step forward in security research and is able to do the following:

  • Identify vulnerabilities
  • Exploit chain construction to exploit said vulnerabilities
  • Proof generation of exploitable vulnerabilities

In their release blog post, Anthropic claim Mythos found all sorts of vulnerabilities, old and new, with exploits. Some of these were found by non experts using the model without human intervention.

What does this mean for Cyber Security?

Naturally, the question for Cyber Security Teams is what does this mean for Cyber Defenders? Are we now at a huge disadvantage to attackers? How should we respond to Mythos and other similar LLMs?

There are some things we should note:

  • Many security researchers have commented that some of the vulnerabilities found and talked about the most by Anthropic are almost never exploitable. Why would anthropic highlight those so much?
  • Researchers who have used the model have also commented that the systems they have tested the model on themselves have a range of security protection levels. E.g. weak security posture with security tooling found in most enterprise systems absent. This highlights the need for basic security principles to be applied in the first place e.g. defence in depth, logging, regular updates etc.
  • Yes, there is clearly a step forward in vulnerability-finding capabilities by AI models, but in the vulnerabilities found by Mythos Preview, the Zero days and Exploits are not new in technique. This means that existing mitigating defences would still be sufficient.
  • The speed and volume of vulnerabilities found is clearly higher than previous models. However, exploit developers are able to exploit vulnerabilities within a day even before AI.
  • Is the answer to patch faster? Patching without testing often introduces more problems than solving them. If you skip or rush testing, you are likely to introduce more vulnerabities/bugs.

How should I respond and adapt?

  • Clearly, there is a need to sharpen our focus on Vulnerability Management as a Cyber Security Function. Our day to day priorities should reflect this.
  • SME resources are needed. We need real people looking into this stuff. Validating, contextualizing, making judgements.
  • Ensure Security principles are being applied
    • Defence in depth
    • Identifying critical systems
    • Comprehensive logging
    • Regular security updates
    • Robust Access controls
  • Application Control should be part of any Cyber Security programme, if it's not already. This will allow monitoring and control of what runs on the estate, mitigating the risks of Shadow IT and unauthorized tooling introducing security holes.
  • Move away from end-of-life software, ASAP.
  • Automate identification and remediation of vulnerabilities where possible.
  • Automate Vulnerability management workflows e.g. ticketing, reporting.
  • Review patching cycles and identify where improvements can be made, SAFELY, I repeat, safely without breaking things.
  • and more stuff.

Read more