Machine learning and artificial intelligence (AI) are changing the way cybercriminals and their bots scan for and exploit vulnerabilities in corporate and utility networks, but the same tools can also be used to defend against adapting cyberthreats.
Cybersecurity multinationals Fortinet, Trend Micro and McAfee Labs predict a rise in the use of machine learning and AI methods to create more effective attacks, including against cloud systems, as well as in business process compromise scams, denial of services and ransomware attacks.
Threat actors will leverage machine learning and blockchain technologies to expand their evasion techniques, says Trend Micro research and development centre TrendLabs in its ‘Paradigm Shifts’ 2018 predictions report.
Cyberattackers will use more machine learning to create attacks, experiment with combinations of machine learning and AI, and expand their efforts to discover and disrupt the machine learning models used by defenders, McAfee Labs predicts in its ‘Adversarial machine learning arms race revs up’ November 2017 report.
“During the year, we expect researchers will show that an attack was driven by some form of machine learning. We already see black-box attacks that search for vulnerabili- ties and do not follow any previous model, making them difficult to detect.”
For example, machine learning could help improve the effectiveness of social engineering and make phishing attacks more difficult to identify by harvesting and synthesising more data than a human can.
It can also increase the effectiveness of using weak or stolen credentials on the growing number of connected devices and help attackers scan for vulnerabilities, which will boost the speed of attacks and shorten the time from discovery to exploitation.
Skills & Resources
Skills and resources are the key elements in any cyberattacker’s arsenal. All attacks require a vulnerability in the network – whether in the form of technology or people, TrendLabs reports.
Cyberattackers are expected to analyse machine learning models through a combination of probing from the outside to map the model, reading published research and public domain material and trying to exploit an insider.
“The goal is evasion or poisoning. Once the attackers think they have a reasonable recreation of a model, they will work to get past it, or to damage the model so that either their malware gets through or nothing gets through and the model is worthless.”
However, combined human-machine teams show great potential to swing the advantage back to the defenders, states McAfee Labs.
Machine learning is already making significant contributions to security, helping to detect and correct vulnerabilities, identify suspicious behaviour and contain zero-day attacks. Human-machine teaming is becoming an essential part of cybersecurity, augmenting human judgment and decision- making with machine speed and pattern recognition.
“Combining machine learning, AI and game theory to probe for vulnerabilities in our software and the systems is the next step beyond penetration testing and uses the capacity and unique insights of machines to seek bugs and other exploitable weaknesses.”
Further, because adversaries will attack the models, defenders will respond with layers of models, each operating independently, at the end point such as in the cloud and in the data centre. Each model has access to different inputs and is trained on different data sets, providing overlapping protections, McAfee Labs adds.
Machine learning, however, can only be as good and accurate as the context it gets from its sources.
“We have found that certain ransomware use loaders that certain machine learning solutions are unable to detect because the malware is packaged not to look malicious. This is especially problematic for software that employs pre-execution machine learning, which analyses files without any execution or emulation,” according to the TrendLabs report.
While machine learning helps improve protection, it should not take over security mechanisms and should be considered an additional security layer incorporated into an in-depth defence strategy.
Local information technology security services firm Galix MD Simeon Tassev highlights that South African businesses must put in place tools such as AI and analytics to identify, collect and analyse data quickly and address issues, but they face a cybersecurity skills shortage, in line with global norms.
A lack of awareness or understanding can lead to insufficient security measures or the wrong decisions. Companies need the right skills – whether these are in-house or hired – to cross-check and validate their responses to changing cybersecurity risks and vulnerabilities, he emphasises.
Cybersecurity multinationals forecast the continuing proliferation of ransomware attacks, which will increasingly target industrial and utility systems and industrial Internet of Things (IoT) networks, as well as cloud systems and service providers.
Although the magnitude of ransomware has already grown 35-fold over the last year with ransomworms and other types of attacks, there is more to come. The ransom of commercial services is big business, highlights Fortinet global security strategist Derek Manky.
In 2018, digital extortion will be at the core of most cybercriminals’ business model and will propel them into other schemes that will get their hands on potentially hefty payouts, TrendLabs avers in its report.
Further extortion and fraud attacks can be anticipated in 2018, even as other types of digital extortion become more prevalent.
“Ransomware is evolving and is being deployed with more regularity. While targets, attack groups and tactics may change, there is growing concern that ransomware could easily be combined with nation-state- developed exploits to spread through networks at an alarming rate,” highlights Trend Micro Southern Africa manager Anvee Alderton.
“What we are learning from these attacks is that it is vital to patch any known vulner- abilities the moment a fix is available. Simul- taneously, it is important that we understand how security can be undermined and to research the exploits that are available for popular software.”
One of the biggest challenges to create machine learning models is gathering data that is relevant and representative of the rapidly changing malware environment, adds McAfee Labs.
Further, researchers have already demonstrated the possibilities of using machine learning to monitor traffic and identify possible zero-day exploits and have also proved machine learning models have blind spots that adversaries can probe for exploitation. Cybercriminals will use these same capabilities to find zero-day exploits.
Cybercrime organisations will use more machine learning to modify code based on how and what has been detected by penetration- and detection-testing services – offered by cybercrime organisations – to make their penetration tools less detectable, says Manky.
“Machine learning allows cybercriminals to quickly refine their technology to better circumvent security devices used by the targeted company or government agency. To perform such sophisticated scanning and analysis, however, criminal service providers have had to create computing clusters leveraging hijacked compute resources.”
Coinhive, a recent example, is distributed through browser plug-ins that infect end-user machines and hijack their compute power to mine for virtual currency. This computing botnet process is shortening the time from concept to delivery of new malware that is both more malicious and more difficult to detect and stop.
“Once true AI is integrated into this process, the time between a breach and the time it is detected or protected will be reduced to a matter of milliseconds, rather than the hours or days [as is the case] today,” emphasises Manky.
Cybercriminals will begin to combine AI technologies with multivector attacks to scan for, detect and exploit weaknesses in a cloud provider’s environment, predicts Manky.
FortiGuard Labs recorded 62-million malware detections in one quarter in 2017. Out of these, nearly 17 000 malware variants were detected from over 2 500 different malware families.
“Increased automation of malware will only make this situation more urgent in the coming year,” he says.
Further, cybercriminals will turn to IoT devices to create proxies to obfuscate their location and Web traffic, especially considering that law enforcement usually refers to intellectual property addresses and logs for criminal investigation and postinfection forensics, TrendLabs highlights.
“A large network of anonymised devices, running on default credentials and with virtually no logs, could serve as jumping-off points for cybercriminals to surreptitiously facilitate their activities within the compromised network.”
The next big target for ransomware is likely to be the ransom of commercial services such as cloud service providers. The financial opportunities are clear, as cloud computing is expected to grow to $162-billion by 2020. Cloud services present a huge potential attack surface, adds Manky.
Government entities, critical infrastructure, law enforcement, healthcare and a wide range of industries of all sizes use the cloud. Healthcare and critical infrastructure providers are at greatest risk from the effects of an attack and the advances in cyberattack techniques.
“Most critical infrastructure and operational technology networks are notoriously fragile and originally designed to be air-gapped and isolated. Applying security as an afterthought once a network designed to operate in isolation is connected to the digital world is rarely very effective,” warns Manky.
Because of the high value of these net- works, and the potential for devastating results should they be compromised or knocked offline, critical infrastructure and healthcare providers will need modern cyberdefence.
“The security these systems currently have in place will not be enough. It is imperative that organisations migrate to advanced security systems built around quality intelligence and an integrated security fabric that can see across the distributed network and counter the sophisticated attack systems being developed and deployed by attackers, as well as easily integrate advances in collaboration platforms and AI systems into the fabric,” states Manky.
Tassev concurs and adds that, to partici- pate in the global digital economy, South African businesses must demonstrate their ability to secure their systems and their customers’ data.
“Ensuring access to up-to-date security skills is going to be as important as actively participating in developing security skills in South Africa. This will become increasingly important as AI, virtual reality and other new technologies continue to emerge,” he concludes.