AI and machine learning techniques are said to hold great promise in security, enabling organisations to operate an IT predictive security stance and automate reactive measures when needed. Is this perception accurate, or is the importance of automation gravely overestimated?
Whether or not your organisation suffers a cyber attack has long been considered a case of ‘when, not if’, with cyber attacks having a huge impact on organisations. In 2018, 2.8 billion consumer data records were exposed in 342 breaches, ranging from credential stuffing to ransomware, at an estimated cost of more than $654bn. In 2019, this had increased to an exposure of 4.1 billion records. While the use of artificial intelligence (AI) and machine learning as a primary offensive tool in cyber attacks is not yet mainstream, its use and capabilities are growing and becoming more sophisticated. In time, cyber criminals will, inevitably, take advantage of AI, and such a move will increase threats to digital security and increase the volume and sophistication of cyber attacks. AI provides multiple opportunities for cyber attacks – from the mundane, such as increasing the speed and volume of attacks, to the sophisticated, such as making attribution and detection harder, impersonating trusted users and deep fakes.
Seymour and Tully’s SNAP_R (Social Media Automated Phishing and Reconnaissance) provides an example of a simple but elegant AI-based attack. AI’s ability to analyse large amounts of data at pace means many of these attacks are likely to be uniquely tailored to a specific organisation. These kinds of highly sophisticated cyber attacks, executed by professional criminal networks leveraging AI and machine learning, will enable attacks to be mounted at a speed and thoroughness that will overwhelm an organisation’s IT security capabilities. However, AI can also be part of the solution by fighting fire with fire. In 2016, the Defense Advanced Research Projects Agency (Darpa), of the US Department of Defense, held a Cyber Grand Challenge – the world’s first all-machine (no human intervention allowed) cyber hacking tournament. This was a competition to create automatic defensive systems capable of reasoning about flaws, formulating patches and deploying them on a network in real time. Using this type of combative AI as a part of cyber defence will become more commonplace. One approach to enhance defences might be to use behaviour-based analytics, deploying the unparalleled pattern-matching capability of machine learning.
Assuming the appropriate data access consents are in place, the abundance of user behaviour data available from streaming, devices and traditional IT infrastructure, gives organisations a sophisticated picture of people’s behaviour. This includes being able to determine what device they use at a particular time (e.g. iPad at 10pm), what activity do they typically do at that time (e.g. processing emails at 10pm), who are they interacting with (e.g. no video calls at 10pm), what data do they typically access (e.g. no shared drive access at 10pm). This can be built, maintained and updated in real-time by a well-trained machine learning system. Any detected deviations from the normal pattern will be analysed and trigger an alert that could lead to cyber defence mechanisms being deployed. The use of behavioural data is a long-standing practice in traditional SIEM systems; however, AI technology takes it to a different level. There is no need to craft pre-operation rules on choosing the right behavioural data or even slicing the time and task patterns to fit a particular threat. The machine learning algorithms will do that for you. The solution could also take in data points from peripheral behavioural activity to provide robust evidence of an emerging threat pattern.
For example, a top-tier global bank is using neural networks to predict whether connections to the outside world are legitimate or fake. A fake connection will attempt a connection via snoopware on the infected device or a link to a drive-by-download site. These are typically launched using sophisticated botnets, such as banking trojan cyber attacks. The neural network has been trained by the bank using LSTM (long short-term memory) architecture to examine the URL or domain name used to open the connection to determine its legitimacy. The bank trained the algorithms on more than 270,000 phishing URLs, and the detection rate was in excess of 90%, higher than traditional cyber security systems for new types of attacks, such as the botnet detection. Be under no illusion, offensive-AI is an issue that all organisations must be prepared to deal with sooner rather than later. The time to review your approach and capabilities is now – before you are forced to do it retrospectively. A successful strategy needs to develop and deploy not only technical capabilities, but change cultural processes and governance to deal with the new approaches that AI will bring to an organisation.
Lee Howells is an AI and automation expert and Yannis Kalfoglou an AI and blockchain expert at PA Consulting.