By Cassandra Balentine
Cybersecurity is a major concern for every business across all verticals. Software vulnerabilities and targeted attacks are two major cybersecurity concerns for today’s modern business. The latest solutions in artificial intelligence (AI) and machine learning (ML) are being implemented to aid in preventing cybersecurity attacks and securing software vulnerabilities.
According to market research by Mordor Intelligence, the global cybersecurity market was valued at USD 161.07 billion in 2019, and is expected to reach USD 363.05 billion by 2025, registering a compound annual growth rate of 14.5 percent during the period of 2020 to 2025. The research company says the popularity of the internet of things, bring your own device, artificial intelligence (AI), and machine learning (ML) in cybersecurity is increasing, leading to more vulnerabilities and an ever-growing need to secure networks and devices.
Examples of cybersecurity solutions include identity and access management, threat detection and prevention, security and vulnerability management, DDoS Mitigation, next-generation firewalls, IDS/IPS, security information and event management, email security, endpoint security, and IoT security, according to Mordor Intelligence.
First, let’s discuss the need for cybersecurity. Software vulnerabilities are targeted by bad actors. These cybercriminals also look for human vulnerabilities to gain access to a company’s network.
The volume of cyber-attacks is increasing, as well as the velocity of malware evolution. Overall, attacks are continuously more sophisticated. “Attackers are trying to exploit multiple vulnerabilities and use multiple attack vectors. The biggest weakness is actually not software vulnerability, but the human factor. Attackers take advantage of the fact that there is a limit to the human capability and that many organizations expose critical parts of their network and resources,” says Yaelle Harel, technical product manager, Checkpoint.
According to Stephan Jou, CTO, Interset, a Micro Focus company, if a bad actor is determined enough to penetrate a company to steal data, destroy an individual’s reputation, or simply cause havoc, the result is an attack that leverages many techniques that are extremely subtle and difficult to detect. For example, a determined actor can use spear-phishing to steal an individual’s credentials to impersonate them, exploit software vulnerabilities to enter the network, and/or use social engineering to obtain account access. “All of these techniques, when properly executed, result in activities that can easily fly under the radar amidst a company’s day-to-day activities and escape detection,” he adds.
While human behavior is one weakness of a business’ cyber health, software vulnerabilities still play a major role in the attack chain. Harel says some of the most popular software vulnerabilities exploited include Remote Desktop Protocol (RDP); exploiting RDP is already an established, popular attack vector which could allow cyber criminals to access targeted machines and even install a backdoor for further malicious activities. “This year, a new RDP vulnerability called BlueKeep took the cybersecurity community by storm as it is capable of spreading automatically on unprotected networks, potentially leading to a Wannacryscale attack,” he explains. Another is Oracle Weblogic Server Vulnerabilities, where the various critical remote code execution vulnerabilities that reside in Oracle WebLogic Servers allow an unauthorized attacker to remotely execute arbitrary code and affect numerous applications and web enterprise portals using the servers. Another popular attack strategy is exploiting DoS Vulnerabilities in Linux and FreeBSD – TCP SACK Panic. In this case, a critical set of vulnerabilities was unveiled in 2019 that affected FreeBSD and Linux operating systems. Successful exploitation of one of the vulnerabilities is capable of remotely crashing servers and disrupting communications.
Nadav Maman, CTO, Deep Instinct, points out that in addition to cloud-based vulnerabilities, the use of third-party security companies—like a managed services provider (MSP), managed security service provider, or managed threat detection and response provider. “Ideally, every organization should hire an in house network security team. The reality is most companies need to outsource their cybersecurity efforts.” However, due to their extensive customer base, MSPs are an attractive attack target as attackers can abuse their systems to reach many different organizations in a short period of time. “Attacks against MSPs have escalated within the past several months, with threat actors abusing different MSP providers to spread ransomware. And the increase in attacks abusing MSP software isn’t going unnoticed. So far, reported attacks have all abused MSP tools to drop ransomware, however it is likely the same tools were used to drop other types of malware as well. Several attacks were reported during the past few months and we strongly believe that only a few of them went public,” he warns.
To ensure effective cybersecurity, it is essential to consider how up-to-date your systems are, and how often new users are introduced.
“First, like any enterprise, cyberattackers don’t spend money when they don’t have to. The latest Threat Landscape Report, for example, shows that cybercriminals were more likely to target vulnerabilities from 2007 than they were from 2018/2019—and the same holds true for every year in between. For cyberattackers, there is no reason to develop a new malware tool when organizations seem all too willing to leave the front door unlocked,” says Derek Manky, chief security insights and global threat alliances, Fortinet.
Another strategy is to target as many attack vectors as possible. “For example, in that same Threat Landscape Report, it calls out that criminals are increasingly targeting publicly facing edge services, perhaps in response to organizations over-rotating on training personnel and upgrading their email security gateways to combat phishing. Different attack vector, same outcome. Interestingly, this same strategy undergirds the power of swarm-based attacks, a developing attack strategy I have been talking about for some time. Intelligent swarms of customizable bots, grouped by specific attack function and that can share and learn from each other in real time, could potentially target a network and, by attacking it on all fronts simultaneously, simply overwhelm the network’s ability to defend itself,” shares Manky.
Integrating AI into Cybersecurity
There are several ways that AI can aid in cybersecurity, specifically detecting and identifying threats quickly, as well as determining the type of attack. AI is also used to automate tasks that reduce human touchpoints.
“AI-enabled applications can lead to more automated solutions that can help improve detection, triage alerts, and offset the workload of their human counterparts, allowing security analysts to conduct more higher-level examinations of threats,” says Michelle Cantos, strategic intelligence analyst, FireEye.
Cantos points out that it is important to remember that AI is not a silver bullet for cybersecurity, rather it is a utility. “Overall when we think about AI, we should approach it the way we do with resources like electricity. Dangerous if used incorrectly, but inherently a useful resource that can help us change the world when applied appropriately.”
As the threat landscape continues to evolve rapidly, it now includes increasingly sophisticated, zero-day malware that traditional security approaches can no longer keep pace with. Manky says that as a result, security researchers estimate that the cost of cybercrime will outpace security spend by over 16 times, reaching $2.1 trillion by the end of 2019.
Staying ahead of today’s accelerated cybercrime trends requires adding AI to an organization’s network security strategy. “For example, as an early adopter of AI, Fortinet began developing a self-evolving threat detection system over six years ago. This system leverages a custom-designed artificial neural network (ANN) comprised of billions of nodes, and we have been meticulously training it with new threat data every day since, offering our customers a significant competitive threat intelligence advantage. Our FortiGuard Labs team now uses this advanced AI technology to analyze files and URLs and label them as clean or malicious—at machine speeds and with a high degree of accuracy. And because of those years of careful preparation, the threat intelligence produced by FortiGuard AI has become so fast and reliable that it has now been included as a fundamental cloud-based component of every solution in the Fortinet Security Fabric, and even as an in-line component of the FortiWeb web application firewall,” shares Manky.
In order to beat the challenge of today’s malware sophistication and velocity, Harel says cybersecurity solutions must integrate AI. It should be integrated in many decision points throughout the entire security cycle and IT infrastructure. “AI is mostly useful when huge amounts of continuously updated data need to be processed. Effective cybersecurity AI models will provide a high prevention rate and low false positive rate,” he shares. “It is less costly to prevent an attack than to detect and remediate it after it has breached the network. Therefore, AI is mostly important in cybersecurity for predicting unknown attacks before they happen and preventing them. Well-built, machine-generated logic can update and improve itself automatically, reducing both cost and response time to prevent first seen attacks. AI is also very useful in detecting attacks and responding to them, as quick detection and remediation can prevent the damage.”
There is a lot of hype around AI, but Jou believes there are two cybersecurity areas in particular where AI is proving to be more than just hype.
The first is user behavior and entity analytics (UEBA). UEBA uses a combination of analytical methods, such as unsupervised machine learning and time-series anomaly detection, in order to learn the normal behavior of every user account and every machine in a company, so that it can alert the security team when a user account or a machine behaves abnormally. “This is very useful because when a user’s account is taken over by a hacker, that account will begin to behave differently—for example, it will begin to run different programs or access different servers as the hacker begins an attack. Sometimes these behavioral differences are very subtle, especially if the hacker is sophisticated and intentionally trying to hide their movements. In these cases, UEBA detects these attacks, which would normally be undetectable through traditional means. UEBA is not just about unusual user behaviors, however, as the ‘E’ for entity highlights and has proven very useful to detect when a machine behaves abnormally by accessing the network in a strange way because it has become a command-and-control machine, or when a process changes behavior because of advanced persistent threat takeover,” offers Jou.
The second area is malware detection using ML. Jou says detecting malicious binaries has been done for decades using signature matches based on rules and heuristics defined by human experts. Although this has been reasonably effective, it is difficult to keep up with all the variations of malware that released each year—there’s just too much volume. ML techniques, including the increasingly popular deep learning method, are increasingly important ways to augment the human expert defined detection method with new detection models that are generated by machines. “ML models can study hundreds of thousands of malware examples and exploits and generate amazingly effective and novel models to detect malware, including ‘zero day’ malicious binaries that have never been seen before,” adds Jou.
Maman says AI technologies are advancing and deep learning is proving to be the most effective cybersecuirty solution for threat prevention. He’s increasingly observed the ability to leverage deep learning algorithms to predict and prevent cyber threats. “Deep learning is inspired by the brain’s ability to learn new information and from that knowledge, predict accurate responses. Once a brain learns to identify an object, its ongoing identification becomes second nature. Similarly, we’ve discovered that as the artificial deep neural network brain learns to identify any type of cyber threat, its prediction capabilities become more instinctive. For the enterprise, this has significant implications as it means any kind of malware, known and unknown, are predicted and prevented with unmatched accuracy and speed.”
Cybersecurity is a growing industry, becoming more critical every day. The adoption of AI is certain to advance the effectiveness of cybersecurity solutions in the future. While today AI is primarily used for detection, more opportunity for prevention and response arises.
Harel believes that the velocity of malware evolution, the vast number of devices and technologies that need protection, and a huge amount of data to process all combine to make it impossible for human-created models to give comprehensive, up-to-date protection. “Therefore, we can expect AI to make most decisions across all parts of cybersecurity solutions,” he says.
He also expects to see wider use of unsupervised ML anomaly detection to help predict unknown attacks. “We expect modeling of more complex objects besides files or URLs such as business processes, systems configuration, or entire organizations. We can also expect wide usage of deep learning for security. Further into the future, we can expect to see reinforced learning schemes for both attackers and defenders,” says Harel.
To stay ahead of cyber criminals that continue to evolve, it is important that organizations also advance to defend their networks. “That means adopting an intelligently integrated approach that leverages the power and resources of today’s enterprise,” explains Manky. “AI represents one of our best hopes for being able to get out in front of this issue. The goal is to develop an adaptive immune system for the network similar to the one in the human body. In the body, white blood cells come to the rescue when a problem is detected, acting autonomously to fight infection, while sending information back to the brain for more processing—like marshaling additional resources or remembering to take an antibiotic.”
Manky adds that that as AI progresses from its current form, where it is used primarily to sift through mountains of data to solve a problem, it will be able to function more like a human immune system or neural network. AI will rely on interconnected, regionally deployed learner nodes to collect local data and then share, correlate, and analyze that intelligence in a distributed manner.
AI and ML have come a long way in terms of threat detection. Jou points out that although there have been several detections based on AI/ML in 2019, these have been kept private. “In 2020, at least one company will come forward announcing a detection made by AI/ML, really championing the use of AI and ML for this purpose, amongst others. Similarly, as the use of AI/ML evolves we will see these tools for what they are—new methods to complement industry cyber-defense, and not the magical silver bullets they are currently perceived as. There will be new developments on the academic side as well, we’ll see universities create and publicly launch an undergraduate degree in cybersecurity data science—not just cybersecurity or data science on their own, but specifically the combination of the two disciplines.
Regarding the future of cybersecurity and AI, Maman says Deep Instinct has seen a potential war of algorithms, where good AI will be forced to content with bad AI. “Recently released research has shown that AI has the potential to be used in three different ways—in the business logic of the attack, within the infrastructure framework of an attack, or in an adversarial approach and to undermine AI-based security systems. With the theoretical groundwork already established, the cyber attack landscape is at the precipice of becoming vastly more sophisticated and complex,” he offers. Armed with this powerful technology, hackers can become more robust, and he predicts we will soon be facing attacks that are more devastating in their capability and impact. “The need for a cybersecurity paradigm shift has never been greater.”
Cybersecurity Offense and Defense
Cybercrime is on the rise, and it continues to evolve. It is essential that cybersecurity tools continue to advance as well.
Cyber criminals are smarter and more dangerous than ever before, adopting automated and scripted attacks that increase their speed and scale. “With the volume, velocity, and sophistication of today’s global threat landscape, we must be able to respond in real time at machine speed to effectively counter these aggressive attacks. ML and AI can help in this fight,” concludes Manky.
AI and ML are powerful tools. When integrated with cybersecurity solutions, they can detect, protect, and classify bad actors and cyber-attacks to ensure limited fall out.
Mar2020, Software Magazine