Cybersecurity: the top 5 AI use cases for Managed Detection and Response


AI has become a key weapon in the fight against cybercrime. However, there is always the matter of separating the hype from the reality around the use of AI. So, how does AI really help in detecting attacks? Let’s look at the five best ways that AI can make a difference in detecting and combatting threats.


Vinod Vasudevan
Global CTO MDR, Atos

1. Lateral Movement

The deeper attacks we see today, including the latest supply chain attacks, involve attackers moving laterally. One common technique, known as “living off the land”, involves gaining additional access using trusted native OS tools such as PowerShell and PsExec. In such scenarios, it is almost impossible to detect lateral movement through Indicators of Compromise (IoCs) or signatures. AI enables the detection of lateral movement by profiling and baselining how machines interact and how native OS tools are used in an organization. Any anomaly against that baseline can trigger a rapid investigation to qualify an actual attack and the related response. Such profiling can be done using NetFlow, VPC Flow Logs, system event logs and UTM/firewall logs.

2. Data Exfiltration

The traditional approach to preventing data exfiltration relies on Data Loss Prevention (DLP) tools. DLP tools that depend on keywords and document fingerprinting for detection have been challenged by new attack techniques that break documents up into micro slices, which are then uploaded to micro-blogging sites. AI can aid the detection of such advanced exfiltration techniques. Using AI, we can profile users on common features including data size, end destinations, time of day and day of the week. Any deviation from the profile would signal data exfiltration by an insider or by a cybercrime syndicate persisting in the environment.

3. Malware Beaconing

Malware has become the “Swiss army knife” of cybercrime syndicates for all attacks. Despite many solutions for detection, the variations and innovations used in sophisticated attacks make it extremely difficult to detect malware.

Malware beaconing is a common characteristic of most malware, used to reach back to command and control (C&C) servers. Analyzing proxy data for beaconing patterns has proven extremely effective at capturing malware traces. Entropy measures score how predictable a traffic stream is, which lets us separate out malware traffic that is less random (low entropy) from normal user web traffic, which is more random (high entropy).
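As an added illustration (not code from the Atos post), one way to apply an entropy measure to proxy data for beaconing: it assumes a constructed proxy log of timestamp, client and destination, buckets the gaps between requests on a log scale, and treats a near-zero entropy of those gaps as a beacon candidate. The thresholds are assumptions to tune against real traffic.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample proxy log lines "<timestamp> <client_ip> <destination_host>" (not real traffic):
# 10.0.0.5 polls one host every 60 s like a beacon; 10.0.0.7 browses at irregular, human-like times.
PROXY_LOG = """\
2024-01-01T10:00:00 10.0.0.5 beacon.example.test
2024-01-01T10:01:00 10.0.0.5 beacon.example.test
2024-01-01T10:02:00 10.0.0.5 beacon.example.test
2024-01-01T10:03:00 10.0.0.5 beacon.example.test
2024-01-01T10:04:00 10.0.0.5 beacon.example.test
2024-01-01T10:00:00 10.0.0.7 news.example.test
2024-01-01T10:00:07 10.0.0.7 news.example.test
2024-01-01T10:01:30 10.0.0.7 news.example.test
2024-01-01T10:04:02 10.0.0.7 news.example.test
2024-01-01T10:09:45 10.0.0.7 news.example.test
"""

def parse_log(text):
    """Group request timestamps per (client, destination) pair, sorted in time."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, client, host = line.split()
        pairs[(client, host)].append(datetime.fromisoformat(ts))
    return {pair: sorted(stamps) for pair, stamps in pairs.items()}

def interval_entropy(timestamps):
    """Shannon entropy (bits) of the inter-request gaps. Gaps are bucketed on a
    log2 scale so small jitter shares a bucket and only genuine variety counts."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if not gaps:
        return None
    buckets = Counter(round(math.log2(gap + 1)) for gap in gaps)
    n = len(gaps)
    return -sum(c / n * math.log2(c / n) for c in buckets.values())

def find_beacons(text, max_entropy=1.0, min_requests=5):
    """Return (client, host) pairs whose request timing is too regular to be human browsing."""
    flagged = []
    for pair, stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        entropy = interval_entropy(stamps)
        if entropy is not None and entropy <= max_entropy:
            flagged.append(pair)
    return flagged
```

Jittered beacons spread across neighbouring buckets, so in practice the entropy threshold is set from a baseline of known-good clients rather than fixed at 1.0.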

4. Authentication Profiling

Identity is the new perimeter in a hybrid IT world where boundaries are fast disappearing. Ransomware and supply chain attacks extensively exploit authentication weaknesses in the enterprise to take control of identities and continue persistence in an organization. A rule-based Security Information and Event Management (SIEM) approach cannot scale to detect the complex combination of techniques used in the attacks.

Machine learning plays an important role in detecting complex authentication-based attacks by building authentication profiles — including for remote and local access. Common systems that get profiled are O365, AD/ADFS, Terminal Servers, VPN, IAM and SaaS applications. The common features for creating the profile include geographies, time of day, day of the week and destination systems.

5. DNS Anomalies

Domain Name System (DNS) attacks have been added to the arsenal of cybercrime syndicates as innovative ways to circumvent domain-based controls. Domain generation algorithms (DGAs) are commonly used by malware to bypass access controls and connect to C&C servers.

Using machine learning to profile non-resolved domain responses (NXDOMAIN) makes it easier to detect malware in the environment. Attackers also use recursive DNS requests to embed data for exfiltration. In that case, machine learning algorithms can detect an anomalous increase in requests to a specific name server or set of name servers, making such exfiltration easy to detect.
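An added example (not from the original post) of the NXDOMAIN profiling described above, run over a constructed resolver log: each client gets a profile of how many of its lookups fail, the fleet median failure ratio serves as the baseline, and a client with many distinct failing names well above that baseline is flagged. The margin and minimum counts are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed DNS resolver log lines "<client_ip> <queried_name> <rcode>" (not real data):
# one client makes a burst of random-looking lookups that all fail, as DGA malware does.
DNS_LOG = """\
10.0.0.5 intranet.example.test NOERROR
10.0.0.5 mail.example.test NOERROR
10.0.0.5 typo.exmaple.test NXDOMAIN
10.0.0.6 intranet.example.test NOERROR
10.0.0.6 news.example.test NOERROR
10.0.0.6 cdn.example.test NOERROR
10.0.0.9 kq3xw7zpl2.example.test NXDOMAIN
10.0.0.9 m9vbt0slqa.example.test NXDOMAIN
10.0.0.9 zr4hd8cwn1.example.test NXDOMAIN
10.0.0.9 p0lsk2vgh5.example.test NXDOMAIN
10.0.0.9 intranet.example.test NOERROR
"""

def nxdomain_profile(text):
    """Per client: (total queries, distinct names answered NXDOMAIN, NXDOMAIN ratio)."""
    totals, failed = defaultdict(int), defaultdict(set)
    for line in text.splitlines():
        client, name, rcode = line.split()
        totals[client] += 1
        if rcode == "NXDOMAIN":
            failed[client].add(name)
    return {c: (totals[c], len(failed[c]), len(failed[c]) / totals[c]) for c in totals}

def flag_nxdomain_anomalies(text, ratio_margin=0.3, min_failures=3):
    """Flag clients whose NXDOMAIN ratio sits well above the fleet baseline (median ratio).
    A typo or two is normal; many distinct failing names from one host is not."""
    profile = nxdomain_profile(text)
    baseline = statistics.median(p[2] for p in profile.values())
    return sorted(c for c, (_, nx, ratio) in profile.items()
                  if nx >= min_failures and ratio >= baseline + ratio_margin)
```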

