Humans are creatures of habit. Threat actors love that aspect of people and literally bank on it, deploying Machine Learning (ML) and AI to detect and attack our vulnerabilities.
Cyber defenders are deploying ML and AI to fight back against cybercriminals.
The battle is raging, and one side is gaining ground.
Data, AI and ML
In an exclusive interview, Hussam Sidani, Symantec’s Regional Manager, explains that at the centre of AI and ML is data.
“AI analyses Data while ML learns from Data. Symantec, a 7-year-old industry, has been gathering threat logs and malware analysis into a big data lake, now the largest civilian intelligence network,” Sidani starts.
“We use intelligent capabilities to move this industry from being reactive to being proactive. We need to jump in before the smoke comes out, to understand patterns of active threats and pre-empt.”
How do ML and AI work?
Let’s say you wake up at 9 am, proceed to check your social media links, and post some info using your phone or laptop. This data is gathered by ML, stored somewhere and learnt.
In comes AI which analyses your data patterns and begins to ‘predict’ how you would react in a new scenario.
“AI requires data to learn but can predict things without having data. It’s a machine making a decision,” adds Sidani.
Malware such as ransomware is normally code that is written, amended and adjusted into what are called variances.
“There are hundreds of different variances for every malware, but the majority of source codes remain the same. So ML understands that this piece of attack software, while never before seen on the internet, still has, for example, 40%-50% of the original source code, so we flag it as risk,” explains Sidani.
He continues: “When a malware is injected into a Word document and a user opens it, we could see different types of behaviour and we need to map them to what other malware attacks do and flag them as a threat and quarantine them immediately. These are the techniques we are injecting into all of our technologies.”
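The code-overlap idea Sidani describes can be sketched as a similarity check. This is an added example, not Symantec's method: it measures what share of a known family's token shingles reappear in a new sample and flags it at 40%, the lower bound quoted above. The family names, samples and shingle length are constructed assumptions.

```python
# Added illustration: token-shingle containment against known malware families.
# Every sample below is constructed pseudo-code, not real malware.

K = 3             # shingle length in tokens (assumption)
THRESHOLD = 0.40  # lower bound of the "40%-50%" overlap quoted in the article

def shingles(source, k=K):
    """Return the set of k-token windows in a source listing."""
    tokens = source.split()
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def containment(known, candidate):
    """Fraction of the known sample's shingles that reappear in the candidate."""
    known_set = shingles(known)
    if not known_set:
        return 0.0
    return len(known_set & shingles(candidate)) / len(known_set)

def classify(candidate, families, threshold=THRESHOLD):
    """Return (closest family, score, flagged) for a never-before-seen sample."""
    best_family, best_score = None, 0.0
    for name, source in families.items():
        score = containment(source, candidate)
        if score > best_score:
            best_family, best_score = name, score
    return best_family, best_score, best_score >= threshold

# Hypothetical family names with constructed token streams.
KNOWN_FAMILIES = {
    "family_a": "open file read key encrypt block write file delete shadow send key",
    "family_b": "hook keyboard buffer keys compress log upload log clear buffer",
}
# A variant: new prologue and epilogue wrapped around the unchanged core.
NEW_VARIANT = ("sleep random open file read key encrypt block write temp "
               "rename ext beacon home")
BENIGN = "open file read config parse json render window close file"

if __name__ == "__main__":
    for label, sample in (("variant", NEW_VARIANT), ("benign", BENIGN)):
        print(label, classify(sample, KNOWN_FAMILIES))
```

The benign sample shares one shingle with family_a, which shows why the threshold matters: some overlap with ordinary code is expected.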
New malware types
“How can you prevent a Zero-Day malware?” asks Sidani.
A Zero-Day is a previously unknown computer virus/malware for which specific antivirus software signatures are not yet available.
“For Zero-Days, we sandbox or isolate the threats, then detonate the infected files, open them and observe their behaviour while the files are quarantined to prevent spreading the virus to other files,” says Sidani.
The latest malware is called Living off the Land (LotL). Attackers who use LotL tactics use trusted off-the-shelf and preinstalled system tools to carry out their work. It might not be obvious, but there are more than 100 Windows system tools that can be used by cyber attackers for nefarious purposes.
“Threat actors and cybercriminals are basically using everyday Excel, PDF, or Word documents to inject malicious code into them. This is where the complexity comes in,” said Sidani.
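Because LotL relies on trusted tools, the tool name alone is not a signal; the process ancestry is. The following added example (not from the article or any vendor) walks constructed process-creation events and flags PowerShell or PsExec, the two tools the article names, when a document application sits anywhere in the parent chain. The event format, paths and process names are assumptions.

```python
import ntpath

# Process names for the document apps and tools the article mentions (assumed).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
LOTL_TOOLS = {"powershell.exe", "psexec.exe"}

# Constructed events, one per line: host|pid|parent pid|image path
SAMPLE_EVENTS = r"""
ws-01|100|1|C:\Windows\explorer.exe
ws-01|200|100|C:\Program Files\Office\WINWORD.EXE
ws-01|300|200|C:\Windows\System32\cmd.exe
ws-01|400|300|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ws-02|100|1|C:\Windows\explorer.exe
ws-02|500|100|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ws-03|100|1|C:\Windows\explorer.exe
ws-03|600|100|C:\Program Files\Office\EXCEL.EXE
ws-03|700|600|C:\Tools\PsExec.exe
"""

def parse_events(text):
    """Index events by (host, pid) so ancestry can be walked per host."""
    table = {}
    for line in text.strip().splitlines():
        host, pid, ppid, image = line.split("|")
        table[(host, int(pid))] = (int(ppid), ntpath.basename(image).lower())
    return table

def document_ancestor(table, host, pid):
    """Walk up the parent chain; return the first document app found, if any."""
    seen = set()
    while (host, pid) in table and pid not in seen:
        seen.add(pid)  # guards against loops caused by reused pids
        ppid, image = table[(host, pid)]
        if image in DOCUMENT_APPS:
            return image
        pid = ppid
    return None

def detect_lotl(table):
    """Flag system tools whose process ancestry includes a document app."""
    alerts = []
    for (host, pid), (ppid, image) in sorted(table.items()):
        if image in LOTL_TOOLS:
            origin = document_ancestor(table, host, ppid)
            if origin:
                alerts.append((host, image, origin))
    return alerts

ALERTS = detect_lotl(parse_events(SAMPLE_EVENTS))
```

On ws-02 the same PowerShell binary is launched from the desktop shell and is not flagged, while on ws-01 it is caught even though cmd.exe sits between it and Word.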
Detecting and pre-empting cyber attacks
By bringing detection, response capabilities and automation into cybersecurity, companies like Consensys open strange-acting files that try to activate privileges on client machines, quarantine the user, and force them to re-authenticate while the companies clean the files in the background.
“Cybersecurity has boomed in the last 10 years. If you want to combat an AI type of attack, the only way is to use ML defences. You cannot use humans,” announces Sidani.
“We believe there will be a huge amount of incidences in any network today. If you are not able to pick up the incidents you will not be able to prevent an attack. You need the same methodology, speed, automation and prediction techniques used by attackers to combat them.”
Sidani explains that attackers are much faster than defenders, mainly because of how humans deal with their social presence, which makes them easy to target and vulnerable.
“We study patterns and what AI is attempting to do and elevate incidents to threats, after we detect them.”
What areas are attackers focused on?
Most attackers are after data.
“With ML I can take your image and if I have the data on you (social or otherwise), I can take this image and the machine will gather all the information about you from it. If I know you like sports, ML will gather info about your friends with similar activities, and everything is automated,” explains Sidani.
ML can impersonate you using natural language protocols (NLPs), learning how you speak and the way you speak, while AI is able to predict what you would say in a specific scenario.
“While the machines do this, humans won’t know the difference,” said Sidani.
Today ML learns how to obtain unauthorized access by predicting user names and passwords from, for instance, your Facebook history, knowing your family members, birthdays, favourite pets and hobbies.
Is it a losing battle?
It is very challenging, and that is why there is such hype around cybersecurity.
“The World Economic Forum describes damage from Cybersecurity as more severe than natural disasters. It needs to be combated. ML and AI capabilities need to be equal between defenders and attackers,” declares Sidani.
“To help further, we hire psychiatrists. We need to understand the motives of attackers and we don’t want to antagonize them. It’s a very complex domain.”
Attackers’ motives range from easy money to sabotage and skimming financial data from bank cards.
Top 3 threats:
- Cryptojacking, an easier way to make money.
- Ransomware, which has decreased on consumers but increased on organizations like big energy companies, banks, etc.
- Zero-days for espionage activities.
The Waterbug espionage group (aka Turla) has continued to attack governments and international organizations over the past eighteen months in a series of campaigns that have featured a rapidly evolving toolset and, in one notable instance, the apparent hijacking of another espionage group’s infrastructure. The group has also followed the current shift towards “living off the land,” making use of PowerShell scripts and PsExec, the most frequently used tools for remote command execution.
Iran has increased its offensive cyberattacks against the U.S. government and critical infrastructure as tensions have grown between the two nations.
It is believed the Iranian government has targeted U.S. government agencies, as well as sectors of the economy, including oil and gas, according to reps of cybersecurity companies CrowdStrike and FireEye.