BRSL Weekly Brief
Your weekly brief on current events from the Berkeley Risk and Security Lab.
Mythos, AI, and Behind the Scenes of Cyber Sabotage and fast16
On today's episode, BRSL Senior Research Scholar Dr. Sarah Shoker talks with Gabriel Bernadett-Shapiro, Distinguished AI Research Scientist at SentinelOne, about AI, Mythos, and understanding cyber sabotage.
Welcome to the Berkeley Risk and Security Lab's podcast, The BRSL Weekly Brief, where we bring you the latest information on current events from our lab experts. Today, we're going to be talking about Mythos and how AI is changing the cybersecurity landscape. I'm the Communications Manager, Vivian Bossieux-Skinner, here with BRSL senior research scholar Sarah Shoker and Gabriel Bernadett-Shapiro, distinguished AI research scientist at Sentinel Labs. Welcome to the podcast. Could you both start off by introducing yourself and your work in this area?
Sarah Shoker: Thanks so much for having me again, Vivian. So, I think you did the intro actually pretty well, but maybe to add a little bit of color, I focus mostly on AI and conventional military applications with a special interest in human-AI interaction, which means I am not a cybersecurity expert. So, I'm very glad, glad that Gabe is joining us today.
Gabriel Bernadett-Shapiro: Yeah, hi, I'm Gabriel Bernadett-Shapiro, researcher at Sentinel Labs, and you know, for the past couple years, been focused on cyber risks, model capabilities, and kind of like how we think about the landscape now, that kind of seems to be changing underneath us.
Vivian Bossieux-Skinner: Can we talk a little bit about what Mythos is, and kind of set the scene for the context of today's conversation? Why it's important to talk about right now.
Sarah Shoker: Yes, so Mythos is Anthropic's latest model, and what's notable about Mythos is that, unlike most of the frontier models that we've seen in the past few years, Mythos has not actually been publicly released. It has been released on a limited basis to a consortium of cybersecurity firms under the moniker of Project Glasswing, and the rationale behind this limited release is that it is, according to Anthropic, a very capable model, and could potentially alter the cybersecurity landscape as we understand it, and so this limited release allows this consortium of companies to essentially play catch up, patch certain vulnerabilities without enabling malicious actors, but I don't know, Gabe, if you want to add on to that.
Gabriel Bernadett-Shapiro: Yeah, I think I think it's really interesting that we finally have a model that the labs decided not to release. You know, we've heard for years that these things are getting more capable and more dangerous, and you know, oh, they're they're so dangerous that we really feel weird about releasing this one, but we're going to release it anyways, because we want to, you know, hit our release deadlines, and you know, this one really stands out because you know Anthropic is kind of putting a line in the sand and saying, hey, like, we, we really think that this is a dangerous capability. We don't want everybody to have it immediately, you know, which is exactly what you, which you just said. I think the for practitioners in this space, getting getting access to these models, and then being able to see how they stack up, not just in relationship to the previous generation, but also in relationship to the models and the harnesses that they've been developing, so you know there's there's folks who have said that the the Mythos model is is good, but it's it's equivalent to having, you know, the Opus 4.6 I think, and and a really good harness, or you know, additional context, or you know, GPT 5.5 and additional context, so the, you know, the capabilities are kind of jagged on the frontier. We don't, we don't really know exactly, exactly where they match up.
Sarah Shoker: Yeah, for our listeners, actually, I think it might be useful to explain what jagged capabilities actually mean for those who aren't super, super enmeshed in this space, basically, if I, you know, if I can summarize it, it's that they are not as capable equally across all domains. So, when we say that Mythos is uniquely capable, as it relates, you know, as it relates to cybersecurity tasks, that does not mean that it would be capable, I don't know, and say, like, financial, financial tasks, though. I just read today, in fact, that the financial domain is the, is the next domain that Anthropic intends to tackle. So, we'll see what happens there. But, yeah, Mythos is uniquely capable in cybersecurity.
Gabriel Bernadett-Shapiro: Well, you know, the crazy thing about the domain specificity, too, is even within that domain, you know, you're tackling something like vulnerability research, right? So, Mythos is saying, hey, like, we can like find and exploit vulnerabilities in static code, they're reading the code, they're saying, okay, looks like there's a bug here, maybe it's exploitable, let's dig into it, and then they find the bug, and they're able to validate it, but even within that just zoomed in capability, there's still a lot of jaggedness. You still see, like, oh, it's finding some bugs but not others, it's good at this class of bug but not this class of bug, and you know when we make these kind of like, like these labs come out with these like big the, these big swings, and you know, we're all rooting for them. We're all like, yeah, like we want you to take big swings, but at the same time, the interpretation of that is sometimes like, oh, this model is capable of hacking everything, and it's like, all right, let's put that into context, right? It's capable of finding vulnerabilities, that is one niche area of a huge discipline that encompasses all of cybersecurity, and so we just have to like take a step back as practitioners sometimes and put that into perspective to say, okay, like this is really cool, this is so useful and helpful, but it really is just one piece of the puzzle, and vuln finding is fairly niche too, so it's it's interesting to see that this is a place not just where Anthropic is focused, but where all of these labs are pushing towards.
Sarah Shoker: Yeah, I'm curious, actually, in terms of you mentioned it's an, it's a niche area in cybersecurity practice. I was just curious, how you know, if at all, has the release of Mythos altered your day to day? Are you thinking about your job a little bit differently? Are your colleagues thinking about their job a little bit differently? What has practically changed in organizations?
Gabriel Bernadett-Shapiro: That's a great question. The every the thing is, is like we're watching software, like the concept of software development shift under our feet, so in the security space we're looking at that, and we're like, oh, okay, this is all changing really quickly, and then we see these like individual tasks that we might have that we might previously have been like, oh, that's pretty hard hill to climb right there, like I asked a specialist to come in and do that, and suddenly you're like, that's actually a model capability, that's an API call away, so the way that I think industry has been broadly thinking about this is create trying to identify what are the evaluations they can run the same way a lab might run evaluations to determine model capability, each individual organization is going to run an evaluation to say, okay, well, how good is the model at this thing that we do? And, like, okay, it kind of sucks at this, but it's really good at this thing. So, they're like, okay, well, that is now just API calls, and we'll spend tokens on that, and we'll silverline humans for this. So, their day to day, people are shifting their workload from these kind of like mundane tasks that they might otherwise have been caught up in, or just have to do, because it requires some form of human decision making or cognition, where now they're just like, no, no, no, no, we batch those and send them off, and then we wait for them to come back, and in the morning we just kind of hit the ground running. The one thing I will say, though, is even with those processes, and I think this is kind of like the promise that AI is yet to fulfill. Nobody is working less now, everybody's work is much faster, and there's much more of it. So, yeah, we get a huge bump in capabilities from some of these models, but it's not like we all have more free time, I was promised some more free time, I believe.
Sarah Shoker: Well, I think this is sort of the, this is the historical, I think this follows the historical trend of techno technological innovation, right? It does not actually, well, it creates space, but that space is filled with more work, right? So that has, I think, typically when we, when we've fought for shorter work weeks or the weekend, that has resulted from political processes not necessarily as an automatic consequence of a new technology being introduced into the workspace, per se, I don't think our salvation is going to be in a product, it's going to be in political process, and you know, democratic input is that's my, that's my hot take, I'm pro democracy, I say, I say bravely.
Gabriel Bernadett-Shapiro: Yeah, I, for one I'm rooting for the AI overlords, you know.
Vivian Bossieux-Skinner: How much concern is there around, because you're mentioning that these models are becoming more and more capable? Is there a lot of concern in industry about that, or is it kind of more like thinking of it as a tool?
Gabriel Bernadett-Shapiro: Yeah, I think there is legitimate concern, you know. People see, I think more from a business perspective than from people saying, like, oh my god, everything is hackable now. The thing that people need to realize is we are adversaries are drowning in access. They always have been. They like that's not the bottleneck for them. So when a new model comes out that promises to be able to find more vulns in software, that's not necessarily a huge uplift for adversaries, like they already have a bunch of vulns in software, they already have those capabilities, they're there, the what people have been reacting to, I think, in the market, and just like in the industry in general, is that they see these, these jobs and these positions and these things that they're, they're good at, suddenly change to be like, oh, like an AI model does that, it does it better than, like, it wrote a better YARA rule than I could write, like, no, and they don't, you know, that people have this like negative reaction, and that's then it's scary, it's scary to see something that comes along and it's like, well, 70% of the value that this company was providing is suddenly being scooped up, and I think that's where you see this uncertainty, and people, you know, vague posting on LinkedIn or X to be like, oh, who knows what's going to happen, oh God, but I think in general, if you talk to developers and people who are kind of in these companies implementing this, they'll, they'll take a look at it, and they'll say, oh, you know, like, okay, this saves us time here, we can, like, let's do the cost benefit analysis and implement it, if not, and they'll move on to the next thing, so they're the folks, I guess, who are doing the implementation are not scared, but the people who are like looking at a business unit and being like, well, how viable is this in the future? Those people are, you know, reacting to something that's very real.
Sarah Shoker: Can I ask, because I know this is a step away from AI, but can you say more about Fast 16? Because now that we have you here, I mean, that discovery is actually, it's just fascinating, and I bet people want to hear, you know, our listeners probably want to hear more about it from someone who was involved in the research directly.
Gabriel Bernadett-Shapiro: Oh man, yeah. Well, I should... I want to caveat this by saying that the man did the research. Vitaly Kamluk is genius, and we would not have this without him. So, he really, he's the one that you know discovered, did all the main major discoveries here, and my role was to kind of follow behind Vitaly and see whether AI found the same things that he found, and where that stuff, which was very instructive, and we got a lot of uplift from that, but yeah, Fast 16 is a remarkable case. Okay, so before Stuxnet, you know, one of the earliest known cyber sabotage campaigns, we had Fast 16, and Fast 16 comes out of the Shadow Brokers leaks. There was a file in there called Territorial Dispute in and this is this was a major source of intelligence that was leaked, and a lot of people kind of skipped over it, went straight to the hacking tools that got leaked, but Territorial Dispute is interesting because it was a list of basically implants that if, if you were on a system and you infect that system, and you saw anything on that list, you need to just take your toys and go home, right? Just get off that, get off that box, because you were in somebody else's territory, and you didn't want to, you know, you didn't want to cross streams or get in in the way of their operation or anything, and so this was just a list of all of basically all of these Five Eyes hacking tools, and one of them was called Fast 16, and there was a little note next to it that said nothing to see here, carry on, which is like catnip to any reverse engineer, and so we, you know, for years we had no idea what this was, we got our hands on a sample, and we started the reverse engineering, and what we found was that this thing looked like a rootkit, and so we're like, okay, boring rootkit, espionage, you know, whatever, just going to steal some information.
Okay, 20 years ago, probably not that interesting, but Vitaly was like, no, you know what, there's like some other stuff in here that's pretty interesting, there, there's like a Lua component, which was, you know, is a way of extending, you know, native C code, so it's like, okay, they were doing something that's a little bit special here, let's dig in, let's figure out what that was, and what he found was that there was a this thing did a very small patching update to a very specific targeted software, and the patching, the patching update just changed in a very subtle way how floating point calculations were done within this software, so you can imagine you're in a lab and you're trying to develop, let's say, you know, a bridge or a dam or a nuclear weapon, and you're using this simulation software to run your calculations over and over and over again across many different machines in the lab, and the whole point is like, you want to check your work here, and then we'll be like, okay, Sarah, like, what did you get? Did you get something else? Okay, we'll compare our results, and then see what happened. So, what this, what Fast 16 did was, when it infected the lab, it spread as a network worm, infected every single machine, and then whatever I was calculating over here would be messed up, whatever Sarah is calculating over there would also be messed up, and we wouldn't know how that it was wrong, right? We'd be using this software to be like, yeah, like calculate this, calculate the stress in three different directions on, you know, this bridge that we're building, or whatever, and it would be like, oh yeah, it looks okay, great, but then you know when we go to build that, whatever it is, it's built on the basis of incorrect calculation, so now, like, we can't trust our work, we can't trust our work in that lab, we can't trust our work anywhere in a scientific environment where this has been deployed, and so that's what makes Fast 16 so remarkable.
It is a very sneaky sabotage operation, large scale, infected entire lab, you know. Stick to that subnet, so we're not escaping off the open internet, but like, just stay there and throw off those calculations, and so you know, you can think about, like, where this thing would be deployed, and you start to think, like, oh, okay, this is, like, a pretty... this is like one of the first cyber weapons we've ever found, and already they're thinking about, like, yeah, let's just, like, nudge these math calculations. It's really remarkable stuff.
Sarah Shoker: That's fascinating. You mentioned that you were trying to determine if AI could potentially, I guess, you had a human benchmark in the form of your colleague, and and you wanted to see if AI could potentially track or repeat the same, you know, perform at the same capability as your colleague. Are you allowed to say what you found there? Or...
Gabriel Bernadett-Shapiro: Yeah, I can talk about some of our findings for that, so we, we, because, like, you know, this isn't in any, this isn't any data set that's like got hoovered up by, you know, one of the big AI labs, it certainly wasn't analyzed before, so we're fairly confident this is a great eval for us, because we can be like, yeah, like, great, let's see how it actually does. We put it in, we gave it all the same tools that Vitaly would have, and we're basically just watching it like step by step as it tries to solve this problem, and we're realizing pretty quickly that it's just going down rabbit holes, it's not performing the analysis quite correctly, and then we see a few runs where we're like, oh, it like it almost got there, like it can't, it couldn't figure out how to extract this like Lua VM from within the software, because it was just like, I don't know, I don't know how to do this, but it got pretty far, we're like, oh, okay, this is bearing some fruit, like, what, like the implications, of course, being that now we can look inside some black box applications and say, well, what does this software do, right? What does, like, what does this like, does it do anything that, like, looks like it's doing, like, looks like malware? There's some issues that arise with that. Right, decompiler is basically like fighting entropy as, like, a physical concept, so you, you end up being like, how do we put, we put entropy back into this software program, and we had some, some tricks for that, that were relying on the models, and yeah, we're like making progress on that, I guess, but it's not there yet. It certainly isn't as good as a human analyst.
Sarah Shoker: For those of us who don't understand, which is definitely not me, I 100% understood every single thing you just said. There, can you maybe explain what you mean by trying to put entropy back in the ball in the box?
Gabriel Bernadett-Shapiro: Kind of, yeah. So, when, when we decompile software, we see this like high-level pseudocode that's that's generated by, like, you know, basically like Binary Ninja or IDA Pro, and this pseudocode is a representation of the the assembly that we can read, but it's not the actual code that somebody has written, right? It's just like, it's like this is what we think it is, you know, based on our understanding of another coding language that's a little bit machine, machine language. Now, the the problem with that is, you know, like, look at, like, a security scanning product that's on the market today that uses an LLM. They all read the code that you're writing, so they see it before it goes to the compiler, which means, like, they'll be able to find bugs in it, because they're like, "Yeah, I can read all this code, and I know a lot about written code," but going backwards is much harder, you know. There might be like references that are missing, or like symbols that are wrong, or something's something's a character when it should be something else, and you're like, okay, like that's that's not right. The benefit of having LLMs now, though, is that we can apply, you know, typically this would be an analyst job to like look at the pseudocode, look at the assembly, and be like, this doesn't look quite right. That's a very tedious, that's very tedious work. Now we have an LLM, we just send the LLM after it, and we're like, yeah, like, let's like, what's the like, should this be renamed or not? So, yeah, it's a completely different approach.
Vivian Bossieux-Skinner: Well, thank you so much for joining us. And this was a really interesting follow-up to our previous conversations about AI, and we hope to have you back on the podcast sometime to talk more about this interesting topic of cybersecurity.
Gabriel Bernadett-Shapiro: Anytime.