CERT-In issues a blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure

The Indian Computer Emergency Response Team (“CERT-In”) has issued a detailed Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure. The blueprint has been developed by CERT-In to support organisations in strengthening resilience against AI-enabled cyber threats. The blueprint provides a structured and implementation-oriented framework covering:

  • Governance and accountability mechanisms
  • Exposure reduction strategies
  • Technical defensive controls
  • AI-aware security operations
  • Vulnerability and exposure management
  • Supply-chain security
  • Incident response and cyber resilience
  • Continuous security validation
  • Workforce preparedness and operational readiness 

Further, organisations have been advised to implement the following recommendations in a risk-informed manner based on operational criticality, technology dependencies, and threat conditions:

  1. Organisations must adopt AI-enabled, adaptive, intelligence-driven, continuously validated, and resilience-oriented cybersecurity practices to reduce exposure to AI-assisted cyber threats. Traditional perimeter-centric and periodic compliance-driven security approaches remain necessary but may not be sufficient against rapidly evolving AI-enabled adversarial activity. (For details, please refer to point no. 5 of the attached Blueprint.)
  2. Organisations must have effective defences against AI-assisted cyber threats, which require strong governance, defined accountability, continuous risk assessment, and organisational preparedness. (For details, please refer to point no. 6 of the attached Blueprint.)
  3. Organisations must implement layered, risk-based, and continuously validated technical controls to reduce exposure to AI-assisted cyber threats. Controls should prioritise protection of internet-facing systems, critical business applications, identities, cloud environments, APIs, sensitive data, AI-enabled systems, and operational infrastructure. The technical control areas should be implemented based on organisational risk exposure and operational criticality. (For details, please refer to point no. 7 of the attached Blueprint.)
  4. Organisations must strengthen security operations and monitoring capabilities to detect, analyse, and respond to AI-assisted cyber threats. Traditional static and signature-based approaches may be insufficient against rapidly evolving AI-enabled attack techniques involving automation, behavioural evasion, impersonation, and large-scale exploitation. (For details, please refer to point no. 8 of the attached Blueprint.)
  5. Security operations must support continuous visibility, intelligence-driven detection, rapid response, proactive threat hunting, and coordinated incident analysis across enterprise, cloud, AI, identity, application, and operational technology environments. (For details, please refer to point no. 8 of the attached Blueprint.)
  6. Organisations must adopt continuous, risk-based vulnerability and patch management practices to reduce exploitable exposure arising from vulnerabilities, misconfigurations, insecure APIs, exposed services, weak identities, cloud exposure, and third-party dependencies. (For details, please refer to point no. 9 of the attached Blueprint.)
  7. Organisations should establish incident response and cyber resilience capabilities to rapidly detect, contain, investigate, respond to, and recover from cyber incidents. (For details, please refer to point no. 10 of the attached Blueprint.)
  8. Organisations are encouraged to participate in technical exercises, cyber drills, simulations, and table-top exercises conducted by CERT-In from time to time to strengthen cyber resilience, incident coordination, and response preparedness.
  9. Entities must ensure timely reporting of cyber incidents to CERT-In in accordance with the directions issued by CERT-In from time to time, including reporting of cyber incidents within 6 hours. Organisations should establish continuous and risk-based security validation mechanisms to assess the effectiveness of cybersecurity controls, monitoring capabilities, incident response readiness, and operational resilience against evolving AI-assisted cyber threats.
  10. Organisations should conduct Red Teaming & cybersecurity audits, security assessments, adversarial simulations, and resilience validation exercises to assess effectiveness of implemented controls and operational preparedness. Where applicable, such assessments may be conducted through CERT-In empaneled Information Security Auditing Organisations in alignment with the Comprehensive Cyber Security Audit Policy Guidelines and other relevant guidelines issued by CERT-In from time to time.

 Source: Indian Computer Emergency Response Team

https://lexplosion.in/

Lexplosion Solutions Private Limited is a pioneering Indian Legal-Tech company that provides legal risk and compliance management solutions through cloud-based software and expert services.