How criminals use Artificial Intelligence and Machine Learning
It has become common practice for attackers to use Artificial Intelligence (AI) and Machine Learning (ML) to link tools together so that they can be run in parallel when conducting an attack.
Attackers use AI and ML to take the results from one tool and then allow the other tools to "learn" about the finding and use it against other systems. As an example, if a one tool finds a password, that tool can feed the information to another tool or bot that may conduct the exploitation of one or many systems using the discovered password.
AI and ML allows for an attacker to program a toolset or bot to act like a "real" attacker. As an example, the tool or bot may launch a phishing attack against an organization and then take the results of the phishing tool and conduct other types of attacks just as a human would.
Attackers are building toolsets and bots that use AI and ML techniques to evade detection and blocking the methods already in place within most organizations. Many of these tools (typically open source) can be easily obtained from the Internet. This gives anyone the ability to run the tools against target organizations.
In an article in Wired President Obama expressed his concerns about AI-enabled bots attacking nuclear weapon silos and causing a launch. This intimates that the threat of AI and ML enhanced attacks are a major concern even at the highest level of government.
Advice and Recommendations
- Use defense in depth mechanisms to defend against automated/AI-based attacks. As an example, consider using more than one anti-virus product to protect your systems, one on desktops, one on servers, and one at the Mail Transfer Agent (MTA). This improves your chances of detecting the attack.
- Utilize Security Information and Event Management (SIEM) to evaluate log data from systems and protection mechanisms. As an example, capture data from firewalls, Intrusion Detection/Prevention (IDS/IPS), and from workstations and servers. Look for anomalous behavior such as systems trying to connect to other systems that normally would not have anything to do with each other.
- Ensure that all systems require users to use strong passwords comprised of alpha, numeric, and special characters. Put polices in place that require the users of these systems, including administrators, to change their passwords at least every 90 days.
- Train your employees on a regular basis on what to do when they notice anomalous events on their computers (mouse pointer moving with no user interaction, etc.).
- Shut down unnecessary services on all systems. As an example, if you have a file server running a web server but that web server is never used, shut it down to reduce the attack surface of the host. Tools and bots using AI/ML will hunt for systems with exploitable services first so that they can be used as pivot points to attack other systems on the network.
- Stay abreast of new threats to ensure that the protection mechanisms you have in place still provide the level of security that you are expecting.
- Conduct ongoing vulnerability scanning and penetration testing to discover weaknesses in your computing infrastructure that may be exploited by a bot or other tool that seeks out and exploits vulnerabilities.
As the Chief Information Officer of Digital Defense, Tom DeSot is charged with developing and maintaining relationships with key industry and market regulators; functioning as the "face of DDI" through public speaking initiatives, identifying key integration and service partnerships, and serving as the prime regulatory compliance resource for external and internal contacts. Tom also serves as the company’s internal auditor on security-related matters.