AI has become a key weapon in the fight against cybercrime. However, there is always the matter of separating the hype from the reality around the use of AI. So, how does AI really help in detecting attacks? Let’s look at the five best ways that AI can make a difference in detecting and combatting threats.
1. Lateral Movement
The deeper attacks we see today including the latest supply chain attacks involve attackers moving laterally. One common technique used is known as “live off the land.” It involves gaining additional access using trusted native OS tools like PowerShell and PsExec. In such scenarios, it is almost impossible to detect lateral movement through indicators of compromise (IoCs) or signatures.
AI enables the detection of lateral movement by profiling and creating a baseline on the nature of machine interaction and the use of native OS tools in an organization. Any anomalies against the baseline can trigger a rapid investigation to qualify an actual attack and related response. Such profiling can be done using netflow, VPC Flow, system event logs and UTM/Firewall logs.
2. Data Exfiltration
The traditional approach to prevent data exfiltration is with Data Loss Prevention (DLP) tools. The use of DLP tools that depend on keywords and document fingerprinting for detection have been challenged by new attack techniques that break up documents into micro slices. The documents are then uploaded to the micro blogging sites.
AI can aid the detection of such advanced exfiltration techniques. Using AI, we can profile users based on common features including data size, end destinations, time of the day and day of the week. Any profile deviation would signal data exfiltration by an insider or a cybercrime syndicate who is persisting in the environment.
3. Malware Beaconing
Malware has become the “Swiss army knife” of cybercrime syndicates for all attacks. Despite many solutions for detection, the variants and innovation used in sophisticated attacks makes it extremely difficult to detect malware.
Malware beaconing is a common characteristic of most malware, used to reach back to command and control (C&C) servers. Analyzing proxy data for beaconing patterns has been extremely effective to capture malware traces. Using entropy algorithms to identify certainty of traffic is a technique that enables us to separate out malware data that is less random (low entropy) as compared to normal, random user web traffic (high entropy).
4. Authentication Profiling
Identity is the new perimeter in a hybrid IT world where boundaries are fast disappearing. Ransomware and supply chain attacks extensively exploit authentication weaknesses in the enterprise to take control of identities and continue persistence in an organization. A rule-based Security Information and Event Management (SIEM) approach cannot scale to detect the complex combination of techniques used in the attacks.
Machine learning plays an important role in detecting authentication-based complex attacks by building authentication profiles — including for remote and local access. Common systems that get profiled are O365, AD/ADFS, Terminal Servers, VPN, IAM and SaaS applications. The common features for creating the profile include geographies, time of the day, day of the week and destination systems.
5. DNS Anomalies
DNS has been the arsenal of cyber-crime syndicates for innovative ways to circumvent domain-based controls. Domain generation algorithms (DGA) are commonly used by malware to bypass access controls and connect to C&C servers.
Using machine learning to profile non-resolved domain responses (NXDomain) makes it easier to detect malware in the environment. Attackers also use DNS recursive requests to embed data for exfiltration. In that case, machine learning algorithms can detect an anomalous increase in requests to a specific or a set of name servers, making it easy to detect such exfiltration.
The future of cybersecurity
The use of AI opens the possibility of detecting new attacks, whether they are supply chain attacks or deep malware. The five techniques outlined above are among the best ways to detect and respond to the more sophisticated threats we see today. In addition, AI has a great deal of promise going forward, and has the potential to future-proof us from new attacks long before they become known.
About the authors
Global CTO MDR, Atos
Vinod Vasudevan is currently Global CTO for MDR & Deputy CTO for Cybersecurity services at Atos. He brings more than 20 years of cybersecurity leadership and product innovation. He co-founded Paladion in 2000 and has acted in the role of CTO. During his tenure, he has led technology development and made Paladion an industry leader in managed Detection and Response. He currently holds two U.S. patents in AI & Cybersecurity and has directly serviced global enterprises in the U.S., Europe, and the Asia Pacific. Vinod is a prolific writer and has authored multiple books, articles, and presentations in leading cybersecurity forums. Before co-founding Paladion, Vinod worked with Microsoft and helped drive the adoption of Windows 2000 in the Asia Pacific. He is also a CISSP since 2001.
Interested in next publications?
Register to our newsletter and receive a notification when there are new articles.