Post Published On: February 5, 2019
“I’m a Data Scientist”. Fundamental to the field of Artificial Intelligence, Data Scientists are skilled at developing or applying mathematical tools to examine troves of data and extract meaningful insights, insights that in today’s data-driven economy spell the difference between competitive edge and a fall from grace. A job that barely existed five years ago, the Data Scientist today represents the skill set that recruiters worldwide are working hardest to acquire. LinkedIn’s 2018 Emerging Jobs Report bears this out: hiring for AI skills grew by 190% between 2015 and 2017. This ascent is indicative of a broader and predictably inevitable trend, the incursion of AI into industries around the world.
From the highly tailored recommendations of Netflix and the facial recognition systems built by Google and Facebook, to Tesla’s Autopilot driver-assistance system, which recognizes and responds to a growing range of road conditions, AI is everywhere, whether as an integral engine, a rudimentary implementation or at least an honorary mention.
Cyber Security is no exception. Beyond the competitive edge it offers, AI played a founding role in the evolution of new cyber defense tactics, including User and Entity Behavior Analytics (UEBA), Endpoint Detection and Response (EDR) and intelligent SOCs. However, the twist in the tale lies at the other end of the line. It is not only Cyber Security teams that have been investigating AI. Cyber criminals aren’t far behind, and those with a strong enough motive, deep technical know-how and financial backing are adopting AI to bolster their attacks.
AI in Cyber Defense
AI Powered SOC
Artificial Intelligence is transforming and augmenting SOC capabilities across several domains. The first is Threat Intelligence. By tracking cybercriminal activity, much of it on Dark Web forums, AI tools build profiles of Threat Actors. Actions and outcomes linked to these profiles are collated over time, patterns are uncovered, and the result is Threat Intelligence data. This data is then fed to the various cyber defense platforms in the environment to update their risk and controls posture. Fortinet, for instance, has developed an AI-based platform called the Self-Evolving Detection System (SEDS), which autonomously collects and classifies Threat Intelligence data and feeds it across the Fortinet suite of security solutions.
The second domain concerns the traditional operational inefficiencies that plague SOCs, the most pronounced of which is the False Positive Syndrome. Alert volumes are enormous: in a 2018 Imperva survey, more than a quarter of respondents reported that their organizations receive over one million security alerts a day. Naturally, SOC managers “tune” detections towards lower volumes, typically by raising severity thresholds or disabling noisy rules, which also improves attackers’ odds of slipping through. The answer lies in contextual filtering of alerts by AI. Contextual filtering weighs a variety of parameters that are not apparent from the raw alert, such as the criticality of the affected asset, the risk profile of the user involved and whether the remote address matches known threat intelligence, and prioritizes alerts for analysis on that basis. The McAfee Investigator platform is a major step in this direction. Investigator collects and classifies alerts, related evidence and threat intelligence gathered on a suspected attack and presents it to the SOC analyst in a usable format.
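To make the difference between severity-only tuning and contextual prioritization concrete, here is an added example (not McAfee Investigator code, nor any vendor’s). It scores a handful of constructed alerts against constructed context tables (asset criticality, user risk, a threat-intel IOC list); the field names, weights and sample values are all assumptions chosen for illustration.

```python
"""Contextual alert prioritisation over constructed sample alerts.

Added example, not the McAfee Investigator implementation: scoring
weights, field names and the sample alerts are assumptions.
"""
from dataclasses import dataclass

# Constructed context tables that a SOC would normally pull from a CMDB,
# an identity store and a threat-intel feed (all values are made up;
# the IPs are RFC 5737 TEST-NET addresses).
ASSET_CRITICALITY = {"dc01": 1.0, "fileserver02": 0.7, "kiosk-lobby": 0.1}
USER_RISK = {"svc_backup": 0.8, "jsmith": 0.3, "guest": 0.1}
THREAT_INTEL_IOCS = {"203.0.113.45", "198.51.100.7"}


@dataclass
class Alert:
    alert_id: str
    host: str
    user: str
    remote_ip: str
    base_severity: float  # 0.0 - 1.0 as emitted by the detection tool
    description: str


# Constructed alerts. A2 is the interesting one: low raw severity, but it
# involves the domain controller, a privileged service account and an
# address on the threat-intel list.
SAMPLE_ALERTS = [
    Alert("A1", "kiosk-lobby", "guest", "192.0.2.10", 0.9, "Port scan from internal host"),
    Alert("A2", "dc01", "svc_backup", "203.0.113.45", 0.3, "Logon outside usual hours"),
    Alert("A3", "fileserver02", "jsmith", "192.0.2.20", 0.5, "Large outbound transfer"),
    Alert("A4", "kiosk-lobby", "guest", "192.0.2.11", 0.2, "Failed logon"),
]


def contextual_score(alert: Alert) -> float:
    """Weighted combination of raw severity and business context.

    The weights are assumed for illustration; a production platform would
    learn or tune them. They sum to 1.0, so the score stays in 0.0 - 1.0.
    Unknown hosts and users get a neutral 0.5 rather than being ignored.
    """
    asset = ASSET_CRITICALITY.get(alert.host, 0.5)
    user = USER_RISK.get(alert.user, 0.5)
    ioc = 1.0 if alert.remote_ip in THREAT_INTEL_IOCS else 0.0
    score = 0.30 * alert.base_severity + 0.30 * asset + 0.15 * user + 0.25 * ioc
    return round(score, 3)


def prioritise(alerts, top_n=2):
    """Return (alert_id, score) pairs, highest contextual score first."""
    ranked = sorted(
        ((a.alert_id, contextual_score(a)) for a in alerts),
        key=lambda pair: pair[1],
        reverse=True,
    )
    return ranked[:top_n]


def severity_only_cutoff(alerts, threshold=0.5):
    """The 'tune it down' approach: keep only alerts at or above a raw severity."""
    return [a.alert_id for a in alerts if a.base_severity >= threshold]


if __name__ == "__main__":
    print("severity-only queue:", severity_only_cutoff(SAMPLE_ALERTS))
    print("contextual queue:   ", prioritise(SAMPLE_ALERTS, top_n=4))
```

With these inputs the severity-only cutoff keeps A1 and A3 and silently drops A2, the alert that actually touches a known-bad address on the domain controller; the contextual ranking puts A2 first. The point is not the specific weights but that context the raw alert does not carry decides which alerts deserve an analyst’s time.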
The third domain is Cyber Forensics. AI is lending invaluable assistance to investigators by optimizing the entire evidence gathering and analysis process. McAfee Investigator achieves this with its “investigative guidebooks”. These machine learning engines are built to mimic the human thinking process. They consider multiple hypotheses and present evidence in a human-readable format for analysis.
User and Entity Behaviour Analytics addresses insider threats, and Machine Learning lies at its heart. Gartner has estimated global end-user spending on UEBA at up to $352m by 2020. UEBA solutions monitor employees’ behavior over time and “learn” a baseline for each user and entity. In this way, UEBA also addresses the “False Positive Syndrome” described earlier, since every alert it raises carries the context of how far the observed behavior departs from that baseline.
Forcepoint is helping organizations implement scalable and highly efficient UEBA solutions. Forcepoint UEBA is capable of ingesting and analyzing relevant data from multiple sources, structured as well as unstructured, such as users’ emails, chats, voice, SMS, files accessed, device logs and so on. Over time, a profile of “normal” or “expected” behavior is developed for each user. Deviations from that norm are reviewed and flagged as potential indicators of compromise. One practical caveat: the baseline is only as good as the period it was learned from, so an attacker already active during the learning window becomes part of “normal”, and the baseline must be re-evaluated when a user’s role changes.
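The core mechanism of baseline-and-deviation is simple enough to show end to end. The following is an added example, not Forcepoint’s engine or any vendor’s code: it learns a per-user baseline (typical outbound volume and the hours a user is normally active) from a constructed week of events, then scores new events against it. The log format, the sample events and the z-score threshold are assumptions.

```python
"""Per-user behavioural baselining with z-score anomaly detection.

Added example; not Forcepoint's UEBA engine. The log format, the
constructed events and the threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed training events: ISO timestamp, user, bytes sent outbound.
TRAINING_LINES = """
2019-01-07T09:12:00 jsmith 120000
2019-01-08T09:05:00 jsmith 135000
2019-01-09T09:30:00 jsmith 110000
2019-01-10T08:58:00 jsmith 128000
2019-01-11T09:15:00 jsmith 122000
2019-01-07T14:00:00 mlee 40000
2019-01-08T13:45:00 mlee 38000
2019-01-09T14:10:00 mlee 42000
"""

# Constructed events from the following week to score against the baseline.
NEW_LINES = """
2019-01-14T09:10:00 jsmith 125000
2019-01-14T02:40:00 jsmith 900000
2019-01-14T14:05:00 mlee 41000
2019-01-14T10:00:00 newhire 5000
"""


def parse(lines):
    """Turn the whitespace-separated log format into (datetime, user, bytes) tuples."""
    events = []
    for line in lines.strip().splitlines():
        ts, user, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, int(nbytes)))
    return events


def build_baselines(events):
    """Per user: mean and population stdev of bytes, plus the set of hours seen."""
    by_user = defaultdict(list)
    for ts, user, nbytes in events:
        by_user[user].append((ts.hour, nbytes))
    baselines = {}
    for user, observations in by_user.items():
        volumes = [b for _, b in observations]
        baselines[user] = {
            "hours": {h for h, _ in observations},
            "mean": mean(volumes),
            "stdev": pstdev(volumes),
        }
    return baselines


def score_event(baseline, ts, nbytes, z_threshold=3.0):
    """Return the list of reasons an event deviates from the user's baseline."""
    reasons = []
    stdev = baseline["stdev"] or 1.0  # flat baseline: avoid division by zero
    z = (nbytes - baseline["mean"]) / stdev
    if z > z_threshold:
        reasons.append(f"volume z-score {z:.1f}")
    if ts.hour not in baseline["hours"]:
        reasons.append(f"unseen hour {ts.hour:02d}")
    return reasons


def detect(training_lines, new_lines):
    """Learn baselines from training_lines, then flag deviating events in new_lines."""
    baselines = build_baselines(parse(training_lines))
    flagged = []
    for ts, user, nbytes in parse(new_lines):
        baseline = baselines.get(user)
        if baseline is None:
            # No history at all is itself worth an analyst's attention.
            flagged.append((user, ts.isoformat(), ["no baseline for user"]))
            continue
        reasons = score_event(baseline, ts, nbytes)
        if reasons:
            flagged.append((user, ts.isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    for user, when, reasons in detect(TRAINING_LINES, NEW_LINES):
        print(f"{when} {user}: {', '.join(reasons)}")
```

Running it flags jsmith’s 02:40 transfer on two counts (volume far outside the learned distribution, and an hour never seen before) and flags newhire for having no history, while the routine events pass untouched. Five days of history is far too little for a production baseline and a population stdev over a handful of points is crude, which is exactly why the caveat above about the learning window matters.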
Endpoint Detection and Response is a multi-pronged approach to threat management focused on endpoint devices. EDR exploits AI for malware detection. Suspect files are analyzed statically before execution and dynamically in terms of post-execution behavior by ML models trained on massive datasets of malware samples. For instance, Bitdefender states that GravityZone Ultra utilizes more than 75,000 distinct machine learning models to detect malware before it executes.
MalwareGuard, from FireEye, is a machine learning model that analyzes files statically to determine whether they exhibit characteristics of malware. FireEye has integrated MalwareGuard into its Network and Email Security offerings, where it complements the dynamic analysis engines already present on those platforms (files are executed in a controlled environment and their behavior is vetted). The pairing matters: a packed or encrypted sample can hide most of its static features, so static and dynamic verdicts are stronger together than either alone.
Sophos’ Intercept X EDR solution builds on neural networks to detect and protect against malware. Neural networks are an implementation of deep learning (a subset of machine learning), consisting of nodes organized across multiple layers and communicating with each other, loosely modelled on the neurons of a human brain. Sophos states that in under 20 milliseconds Intercept X extracts millions of features from a file and determines whether it is malicious or benign.
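What “static features” means in practice, and why a packed sample looks different from a benign one, can be shown in a few lines. This is an added example, not MalwareGuard, GravityZone or Intercept X code: it extracts a handful of classic static features (byte entropy, printable-string density, suspicious imported-API names) from two constructed byte blobs and combines them with hand-set weights. Real engines learn millions of features from large corpora; the feature set, the weights and the samples here are assumptions chosen to illustrate the idea.

```python
"""Static feature extraction for pre-execution malware triage.

Added example; not FireEye MalwareGuard, Bitdefender GravityZone or
Sophos Intercept X code. The features, the hand-set weights and the two
sample byte blobs are assumptions made for illustration.
"""
import hashlib
import math
import re

# API names whose presence in a small import set is typical of loaders
# and injectors (an assumed, deliberately short list).
SUSPICIOUS_API_NAMES = {
    b"VirtualAlloc", b"WriteProcessMemory", b"CreateRemoteThread", b"IsDebuggerPresent",
}


def pseudo_random_bytes(n, seed=b"example-seed"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed "benign" sample: an MZ header followed by lots of readable text.
BENIGN_SAMPLE = b"MZ" + (
    b"This program cannot be run in DOS mode.\r\n"
    b"Copyright (c) Example Corp. All rights reserved.\r\n"
    b"Usage: tool.exe [options] <input-file>\r\n"
    b"  --verbose   print progress information\r\n"
    b"  --output    write results to the given path\r\n"
) * 40

# Constructed "packed" sample: MZ header, an opaque high-entropy blob, and
# the tiny import set a typical unpacking stub needs.
PACKED_SAMPLE = (
    b"MZ" + pseudo_random_bytes(8192)
    + b"\x00VirtualAlloc\x00WriteProcessMemory\x00CreateRemoteThread\x00"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def static_features(data: bytes) -> dict:
    """Features a static engine can compute without ever executing the file."""
    strings = re.findall(rb"[\x20-\x7e]{8,}", data)  # printable runs of 8+ bytes
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "string_density": round(len(strings) / max(len(data), 1) * 1000, 3),  # per KB
        "has_mz": data[:2] == b"MZ",
        "suspicious_apis": sum(1 for s in strings if s in SUSPICIOUS_API_NAMES),
    }


def suspicion_score(features: dict) -> float:
    """Hand-weighted combination of the features; weights are assumptions."""
    score = 0.0
    if features["entropy"] > 7.0:          # packed or encrypted payload
        score += 0.4
    if features["string_density"] < 2.0:   # almost no readable strings
        score += 0.2
    score += min(features["suspicious_apis"], 3) * 0.1
    return round(min(score, 1.0), 2)


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("packed", PACKED_SAMPLE)):
        feats = static_features(sample)
        print(name, feats, "->", suspicion_score(feats))
```

The benign sample has entropy in the range of ordinary text and dozens of readable strings per kilobyte; the packed one has entropy near the 8-bit ceiling, almost no strings, and exactly the three API names an injector needs. The weakness is equally visible: an attacker who pads the payload with decoy text and resolves APIs by hash instead of by name drives all three features back towards “benign”, which is why the vendors above pair static models with dynamic execution.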
AI in Cyber Crime
Criminals, understandably, also want a piece of the pie, and the same data-crunching and process-optimizing benefits of AI are leveraged for nefarious purposes. In a ZeroFox study presented at Black Hat USA 2016, a tool called SNAP_R was trained to scrape Twitter profiles and post targeted, personalized messages carrying phishing links. Its click-through rate was comparable to that of a human operator crafting messages by hand, but it produced targeted posts several times faster, which is the real threat: spear-phishing quality at mass-phishing scale.
Phishing remains one of the prime carriers of choice for cybercriminals, providing them with a direct conduit into the heart of organizations’ infrastructures. Cofense is helping organizations combat phishing of all forms through a collective security approach encompassing simulated phishing (Cofense PhishMe), phishing incident reporting (Cofense Reporter), incident response and analysis (Cofense Triage), threat intelligence (Cofense Intelligence) and computer-based training (Cofense CBFree).
Machine learning also simplifies the previously labor-intensive doctoring of people’s words and actions into fake videos. Popularly called Deepfakes, these AI applications can generate a facial model from photographs of one person and map it onto video of another person making a speech, for instance. Understandably, politicians could be targeted by fake videos, threatening national security and potentially world peace.
The implications of Artificial Intelligence are taking shape across every sphere, and the field is here to stay. In the world of data protection, AI can be a double-edged sword, as both warring parties, Cyber Defense and Cyber Crime, start to adopt it. Game on.
Article Written by Praveen Joseph Vackayil – Cyber Security Consultant and Trainer