We are currently experiencing the 4th Industrial Revolution (4IR). If adoption of digital technology was the defining feature of the 3rd Industrial Revolution, then interconnection between these technologies, as well as between technologies and humans, is one of the defining factors of the 4th Industrial Revolution. 4IR has us witnessing technology advancement at an unprecedented pace, blurring the lines between the digital and physical worlds – so much so that it has been termed the ‘imagination age’. However, at least as far as cyber security is concerned, this is a double-edged sword, as these very advancements also help cyber threat actors. Cyber-attacks are evolving at a rapid pace, and threat actors have started focusing on Internet of Things (IoT) and Operational Technology (OT) in addition to targeting traditional IT infrastructure.
So, how does one protect themselves from these evolving threats? The answer lies in a blend of experienced analysts and threat detections driven by Artificial Intelligence (AI).
There’s a lot of talk about the use of AI. But the million-dollar question that everyone is asking is – does AI really help in improving my cybersecurity detections?
However, before we start talking about whether AI can solve our problems or not, we need to look at WHAT we want AI to solve for us.
The niche spot for AI to shine in SOC operations
Instead of reinventing the wheel by having AI replace existing technologies, it makes more sense, at least in these initial stages, to augment existing detection mechanisms by utilizing AI to focus on more complex and advanced threats.
The image below helps in visualizing the area where AI can be most effective.
If we categorize threats and threat actors into ‘Knowns’ and ‘Unknowns’ as depicted in the image above, we can see that quadrant 2 is where most of the existing technologies are focused. This quadrant signifies the ‘Known Knowns’, i.e., information is known about both the threats and the threat actors. SIEMs and other rule- and signature-based detection mechanisms are used to address the ‘Unknown Knowns’ in quadrant 1, i.e., the attacks are known but we do not know when and where they will come from. Quadrant 3 addresses ‘Known Unknowns’ via Threat Intelligence, i.e., looking for Indicators of Compromise (IOCs) associated with known threat actors even if there is no prior information about the threats (think zero-day attacks). However, quadrant 4, the ‘Unknown Unknowns’, is a clear gap in existing defense mechanisms. This is the segment where AI can play a pivotal role.
Now that we have established WHAT we want AI to solve for us, we need to determine HOW AI will help in solving said problem, i.e., how do we leverage AI for the ‘Unknown Unknowns’?
Since neither the threats nor the threat actors are known, it is not possible to look for a specific threat or for any IOCs. We have addressed this challenge by creating AI models that aim to identify symptoms associated with threats instead of the attacks themselves. For example, detecting beacon signals or lateral movement, which are symptoms of malware infections.
Isn’t detecting a symptom the same as detecting the attack?
Strictly speaking, no. The symptoms need not always be associated with an attack. Consider the 2 examples we looked at earlier – beacon signals and lateral movement.
Beacon signals could be associated with legitimate browsing traffic – like the live score updates on a sports website. And lateral movement behavior could be due to distribution of updates from a central server.
So, what is the advantage of detecting symptoms instead of attacks?
Most threats have eventual goals like data theft, denial of service (DoS) or using a compromised system to launch further attacks. Since the goals are similar, the symptoms also end up being similar regardless of the type of threat used to realize the goal, i.e., the same symptoms can be associated with multiple types of attacks. Continuing the 2 examples from earlier:
Beacon signals could be associated with malware as well as with periodic exfiltration of chunked data, while lateral movement behavior could be indicative of malware as well as of an insider threat.
Therefore, identifying symptoms instead of specific attacks enables us to detect a wider variety of threats.
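The beacon-signal symptom can be illustrated with a short example (added here; it is not code from Atos's models): it scores how regular the gaps between one host's connections to one destination are, using constructed NetFlow-like records, and deliberately surfaces a legitimate live-score poll alongside a suspicious one, because the symptom is the same and only triage distinguishes them. Host names, addresses and thresholds are all assumed values.

```python
# Added example (not Atos code): scoring periodic outbound connections as a
# "beacon" symptom from NetFlow-like records, without relying on any IOC.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, source host, destination, dest port)
FLOWS = []
for i in range(12):   # constructed: workstation contacts an unknown IP every ~60s
    FLOWS.append((1_700_000_000 + 60 * i + (i % 3 - 1), "ws-17", "203.0.113.9", 443))
for i in range(12):   # constructed: live-score widget polls a sports site every 30s
    FLOWS.append((1_700_000_000 + 30 * i, "ws-22", "scores.example", 443))
FLOWS += [            # constructed: irregular browsing, not a beacon
    (1_700_000_005, "ws-31", "news.example", 443),
    (1_700_000_140, "ws-31", "news.example", 443),
    (1_700_000_151, "ws-31", "news.example", 443),
    (1_700_000_620, "ws-31", "news.example", 443),
]

def beacon_score(timestamps):
    """Return (event count, mean gap, coefficient of variation of the gaps).

    A low coefficient of variation means the gaps between connections are
    nearly constant, which is the beaconing symptom. It says nothing about
    whether the peer is malicious; that is the analyst's job.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), 0.0, float("inf")
    m = mean(gaps)
    return len(ts), m, (pstdev(gaps) / m if m else float("inf"))

def find_beacon_candidates(flows, min_events=8, max_cv=0.15):
    """Group flows by (src, dst, port); return pairs with regular timing."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    candidates = {}
    for pair, ts in by_pair.items():
        n, m, cv = beacon_score(ts)
        if n >= min_events and cv <= max_cv:
            candidates[pair] = round(m, 1)   # mean interval in seconds
    return candidates

if __name__ == "__main__":
    for pair, interval in find_beacon_candidates(FLOWS).items():
        print(f"beacon symptom: {pair} every ~{interval}s (triage decides if benign)")
```

Both the unknown IP and the sports site come out as candidates; an asset database or domain categorisation is what separates the two, exactly the correlation step the case studies below describe.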
Now, getting to how Atos has put these ideas into practice.
We have created AI-powered models for numerous sources including, but not limited to, Firewall, Netflow, Web Proxy, Intrusion Detection Systems (IDS), Web Application Firewalls (WAF) and Active Directory (AD) for detecting complex, advanced threats that cannot be detected by traditional SOC monitoring. There are more than 50 AI-powered models that are constantly working to detect a wide variety of threats across various attack surfaces for our clients, augmenting the efficiency of our threat detection.
These AI-driven threat hunting models have helped detect many threats ranging from account takeovers and lateral movement to data exfiltration and supply chain attacks.
Let’s take a look at a few interesting incidents where AI played a key role.
Case 1: Zero-day exploit – Log4Shell
Log4Shell (CVE-2021-44228) was a zero-day vulnerability in Log4j, a popular Java logging framework, that allowed arbitrary code execution. The exploit was simple to execute and was estimated to affect hundreds of millions of devices. According to Wiz and EY, the vulnerability affected 93% of enterprise cloud environments. (Source: Wikipedia)
Like any zero-day, this vulnerability caught organizations by surprise. What made this worse was the fact that Log4j (the vulnerable component) was present in almost every Java application and was being targeted by various threat groups (e.g., Mirai, Muhstik, Khonsari ransomware, XMRIG miner, Kinsing Cryptominer).
The initial response was centered around certain patterns of text being present in the payload. However, this was a makeshift solution at best. Also, there was no easy, quick way to determine whether a system had already been compromised.
The organization in question was a Fortune 500 enterprise with a vast, complex network, and had deployed most well-known technologies including IDS, EDR etc. for protection.
The AI models for firewall and NetFlow flagged unusual traffic patterns for certain DMZ systems. On investigation, it was identified that the abnormal traffic was exploit traffic associated with the Log4Shell vulnerability. The AI-powered models were already live before the incident and were able to immediately identify the change in traffic patterns as a symptom of a potential threat while having no input about the associated zero-day attack.
The incident was one of the many real-life validations of how AI-powered models could help detect a zero-day attack with no input or changes.
Case 2: IoT malware infection
The adoption of the Internet of Things (IoT) has seen an exponential increase in recent years. Therefore, it needs to be ensured that defense mechanisms consider all aspects, including the security of IoT devices and other connected systems. Cybersecurity is not limited to simply securing traditional IT infrastructure but encompasses securing all devices that are connected to an organization’s network.
This infection was detected by the AI models which monitor network activity. The AI models alerted on anomalous network behavior, indicative of lateral movement, from a particular system. Since network-level logs carry limited information, the alert was correlated with the asset database to pinpoint the identity of the system. Once the system in question was identified, an investigation was launched which resulted in the detection of malware, and the incident response team was deployed to ensure proper measures were taken to respond to the infection.
On the surface this seems like a typical malware infection. However, what was unique in this situation was that the system in question was an ATM – one of the oldest examples of an IoT device. The device was one of hundreds that belong to a financial services company and are spread across more than 450 branches in 6 countries. The organization has multiple security measures in place and has invested in technologies like Intrusion Detection System (IDS), Web Application Firewall (WAF) and Endpoint Detection & Response (EDR). Unfortunately, the infection was not detected by any of these technologies.
This example helps highlight the capability of an AI-model to go beyond traditional IT infrastructure and provide a more comprehensive coverage. It also showcases the ability to find the proverbial needle in a haystack.
Conclusion
The above examples not only highlight the growing complexity of cyber threats but also make it evident that detecting such advanced threats needs detailed analysis rather than a traditional pattern-matching approach. However, humans cannot scale to meet this requirement due to the sheer volume of information that needs to be analyzed and the speed at which it needs to be done.
The ability to process large volumes of information, ‘learn’ and mimic human decision-making makes AI the ideal candidate for augmenting human efforts in detecting a wide variety of threats, including complex attacks that cannot be detected by usual means. Therefore, leveraging AI in the right way can help organizations drive their cybersecurity initiatives forward while improving their overall security posture.