WootCloud Blog

AI/ML Series: The Current State of AI/ML in Cybersecurity

This is part 2 of a 5-part series covering the situation, challenges and opportunities to address the sharp increase in cyberattacks due to IoT, 5G, and remote life using AI/ML. Check out part 1 covering how Machine Learning helps customers power True Zero Trust Device security at scale.

The goal of the series is to give those using AI/ML or learning about it an understanding of where modern AI/ML can help scale security efforts to protect organizations against Malware, Advanced Persistent Threats (APTs), Ransomware and more.

The Current Situation

AI/ML has generally been used for good purposes with powerful results that advance organizations and nations. Increasingly, however, AI/ML has been weaponized and used for nefarious purposes.

Cybercriminals have also employed AI/ML to assist with the scale and effectiveness of their social engineering, ransomware, and cyberattacks. AI/ML is being trained to spot patterns in behavior, to convince people that a video, phone call or email is legitimate, and then to persuade them to compromise networks and hand over sensitive data – all automatically.

On the good side of security, AI/ML and security engineers have augmented security products and practices to fight these increasingly sophisticated attacks, with the better products and solutions addressing issues at moments of compromise.

Typical AI/ML Security Applications

Here are a few of the more typical use cases where AI/ML has been implemented in organizations to fight cyberattacks, ransomware, APTs and more. This can be used as a resource or self-assessment for your team and organization.

Network threat analysis 

Here is a simple illustration of how intelligent, behavior-based anomaly detection can reveal network threats and attack attempts pre-infiltration. These can be people, bots, malware or some combination.

Intrusions and backdoor attempts usually create anomalous behavior against baselines, whether by unknown users and devices and/or by known users and devices at unusual times, from unusual geos, or with unusual behavior.

Fine-grained controls coupled with intelligent risk profiling offered by modern systems can detect behavioral anomalies indicative of attack, alert the SOC, and instruct network infrastructure to prevent traffic to the outside entity or entities involved.

Malware detection 

While malware has been around since the beginning of the web and networks, it has continually evolved to circumvent the latest firewall, EPP, and perimeter defenses. Thus, modern systems also need to detect and remediate ever-evolving malware and its persistence inside a network.

First, once attackers are inside the network, they can blend in by using legitimate credentials and applications. If organizations are just looking for known exploits, they won’t be able to find these attackers lurking in their network.

Second, many organizations focus their efforts on preventing malware and intrusions at the network perimeter. While this is essential, they may inadvertently turn a blind eye to threats inside their networks. They do not monitor for behavioral anomalies indicative of internal reconnaissance, lateral movement, or data exfiltration.

And lastly, security teams are overwhelmed by a huge volume of alerts, with some organizations reporting receiving a million alerts a day. Organizations often build crude correlation rules to find threats. Organizations need something better.

Once an attacker gains access, they must perform a certain number of steps to achieve their goal, which is typically to access and steal, manipulate or destroy data. Rarely will an attacker “land” on the device with the desired data or be the sole resource to carry out their objective.

So the malware and/or attacker must perform many different actions, including probing the network, stealing or cracking credentials, accessing sensitive servers or applications, and locating and exfiltrating data. 


Similarly, post-intrusion exfiltration must be understood and addressed. Your systems need to detect large data transfers from (multiple) devices sent to outside/unknown entities and instruct your network infrastructure to drop traffic to those destinations.
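The check described above can be sketched as follows. This is an added example, not WootCloud code: it baselines each device's usual destinations and transfer sizes, then flags large transfers to destinations the device has never used and ranks those destinations by how many devices are involved. The device names, the documentation-range addresses, the flow-summary format and the `k` multiplier are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow summaries: (device, destination, bytes_out).
BASELINE = [
    ("cam-01", "203.0.113.10", 1_200_000), ("cam-01", "203.0.113.10", 1_350_000),
    ("cam-01", "203.0.113.10", 1_100_000), ("cam-01", "203.0.113.10", 1_280_000),
    ("hvac-02", "198.51.100.7", 40_000), ("hvac-02", "198.51.100.7", 55_000),
    ("hvac-02", "198.51.100.7", 47_000), ("hvac-02", "198.51.100.7", 51_000),
]
CURRENT = [
    ("cam-01", "203.0.113.10", 1_300_000),   # normal upload to a known peer
    ("cam-01", "192.0.2.66", 900_000_000),   # large transfer to an unseen peer
    ("hvac-02", "192.0.2.66", 750_000_000),  # second device, same unseen peer
    ("hvac-02", "192.0.2.99", 30_000),       # unseen peer, but small volume
]

def build_profiles(flows):
    """Per-device baseline: known destinations and per-flow byte volumes."""
    profiles = defaultdict(lambda: {"dests": set(), "volumes": []})
    for device, dest, nbytes in flows:
        profiles[device]["dests"].add(dest)
        profiles[device]["volumes"].append(nbytes)
    return profiles

def threshold(volumes, k=6.0):
    """Robust upper bound: median + k * MAD (scaled to approximate a std dev)."""
    med = median(volumes)
    mad = median(abs(v - med) for v in volumes)
    return med + k * 1.4826 * max(mad, 1.0)

def detect_exfil(profiles, flows):
    """Return {destination: sorted devices} for large transfers to unseen peers."""
    totals = defaultdict(int)
    for device, dest, nbytes in flows:
        totals[(device, dest)] += nbytes
    hits = defaultdict(set)
    for (device, dest), nbytes in totals.items():
        prof = profiles.get(device)
        if prof is None:  # device with no baseline: flag any outbound flow
            hits[dest].add(device)
        elif dest not in prof["dests"] and nbytes > threshold(prof["volumes"]):
            hits[dest].add(device)
    return {dest: sorted(devs) for dest, devs in hits.items()}

def block_list(hits, min_devices=1):
    """Destinations to hand to enforcement, most affected devices first."""
    ranked = sorted(hits, key=lambda d: (-len(hits[d]), d))
    return [d for d in ranked if len(hits[d]) >= min_devices]
```

Using the median and MAD rather than mean and standard deviation keeps one unusually large baseline transfer from inflating the threshold and hiding later anomalies.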

Security team augmentation

The example behaviors above are signals you can use to detect and remediate behavioral anomalies indicative of attack at moments of compromise. Obviously, unknown users in the network can be blocked, as can access from unknown geos and/or at odd times of day. More sophisticated systems can, importantly, assess requests for access to sensitive data based on users' roles and/or departments and block them accordingly. At worst, proactive security measures such as these require employees logging on while traveling and/or at odd hours to reauth.

Closer to home, literally at home these days, known users with compromised credentials can pose significant threats to organizations. A salesperson spending some time in customer files is perfectly acceptable, but downloading all customer data is less so, and accessing company revenue data is unacceptable and should require reauth. The same goes for Marketing people accessing R&D info. R&D staff accessing customer data is OK, revenue data less so.

It quickly becomes untenable to protect an organization with manual security policies at this level. Likewise, training AI/ML to trigger and enforce network access controls in broad strokes, say against an entire team or department in response to an incident, would be ineffective, not to mention less than user-friendly. Modern, intelligent tools need to be able to see all devices and activity, baseline and profile behavior to identify anomalies indicative of attack or compromise, then remediate those threats at an individual device level at the moments of compromise.

AI-based threat mitigation

Traditional systems fail to combat AI/ML driven attacks given their speed, variants, and sophistication. “Fighting AI/ML fire with AI/ML fire” is fairly commonplace in today’s security vendor and solution landscape.

The fuel to fight these fires is data, specifically training data to teach the AI/ML engine what is right or wrong depending on the objectives. 

  • Data theft – As data is the oxygen that breathes life into AI/ML systems, the theft of corporate data, university research, R&D IP and more has been on the rise to fuel these systems. This has been happening in a variety of ways: increasingly by manipulating AI/ML programs to feed data out of the system, as well as by traditional breach and exfiltration, as we have been covering in this and past posts.
  • Sabotage – Beyond manipulating the target system's AI/ML programs to access or steal data is the chance attackers may poison or sabotage it to introduce, 
  • Recreating data – Reverse engineering the AI/ML system to recreate similar (or better) data for themselves also is possible.
  • Poor design – Harder to manage, particularly when organizations are new to AI/ML or less trusting, poor design can hamper efforts to drive an evolution towards an intelligent IT and/or security system.

WootCloud helps address all of the above with customers feeding data across use cases, industry verticals, and attack scenarios as checks and balances for other customers of ours.

With AI/ML design and development expertise working on this platform in production for over 4 years, and years of customer proof points on threat detection and remediation in press and case studies, we at WootCloud are confident our platform offers leading AI/ML technology to protect against what’s attacking us now and what will attack us next.

Self Assessment

How do you compare in these critical security categories?

Forrester Research, November, 2019.


Tying together the current situation where good guys have created fairly savvy AI/ML use cases for network threat, staff augmentation, malware detection and more, we also see the bad guys are using AI/ML-powered apps to circumvent security to access IT ops and applications.

Even if you rank pretty highly in the self-assessment in security triage, we reiterate the need these days for an intelligent, AI/ML-driven, flexible platform that ties into your tools, with the ability to detect and react in real time at moments of compromise.

To learn more in a zero touch, no obligation Demo or POC, please contact us.

Contributing Authors:

Andreas Stenzel
