3 attacks you'd miss without AI


There has been a lot of hype around AI, to the point where some people are simply tuning it out. I think this is a mistake. While there are limits to what AI can do, there are also sophisticated attacks that we would miss without it.

The need for AI is driven by three fundamental yet significant changes in the enterprise computing environment.

  • Sophisticated Threats: Adversaries obfuscate their attacks, create polymorphic delivery vehicles, and use automation to increase the volume of attacks.
  • Complex IT Environments: Migrating workloads to the cloud, an exploding IoT population, and BYOD has expanded the attack surface and rendered obsolete traditional perimeter security approaches.
  • Talent Shortage: Most security teams are understaffed. By 2021 there are expected to be more than 3.5 million unfilled security jobs worldwide.

Taking all of these factors together leads me to believe that AI is not only a viable solution, but it may be the only solution.

One of the challenges when it comes to discussing artificial intelligence is that when someone says "AI", many people think there is just one type. The reality is that AI is a broad field -- including expert systems, unsupervised and supervised machine learning (ML), and deep learning -- and each type is particularly well suited to different tasks.

Now let’s explore three particularly nasty attacks that we all would have missed if it weren’t for AI.


Emotet

Emotet is a modular banking Trojan. It's polymorphic, meaning each copy looks different, so a signature or hash that matched yesterday's sample will not match today's. It's like Agent Smith in the Matrix -- endlessly replicating itself, with each copy slightly different. And it's self-obfuscating to avoid detection.

To illustrate what AI does to detect Emotet, recall the ancient Indian parable of the six blind men and the elephant. Each feels a different part and concludes it is something completely different -- a rope, a tree, a saber, and so on. Of course, all of them are wrong. Only by combining their experiences can they understand what an elephant is.

To detect Emotet, you need a combination of supervised ML that can piece together seemingly unrelated behaviors, each an individual element of the attack, and an expert system that has been programmed to know what an attack like Emotet looks like. The AI system detects the individual elements, but it also sees them in the context of what it knows an elephant -- an attack -- looks like.
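As an added illustration of that "combine the blind men's reports" step (this is example code written for this page, not Lastline's detection logic), here is a small expert-system layer: a handful of hand-written rules, each describing one stage of an Emotet-style delivery chain, scored together per process tree. The rule names, weights, threshold and every telemetry record are constructed for the example.

```python
"""Piecing together weak behavioural signals, expert-system style.

Added example, not Lastline's code or any product logic. Each rule
describes one stage of an Emotet-style delivery chain (an Office
application spawning a script host, an encoded PowerShell command, the
script host reaching the network, a binary dropped and run from a
user-writable path, that binary calling out). No single rule is
conclusive; the verdict comes from several landing on the same process
tree inside a short window. All telemetry below is constructed.
"""
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed endpoint telemetry: (ts_seconds, host, pid, ppid, image, event, detail)
EVENTS = [
    (0,   "ws01", 400, 1,   "explorer.exe",   "start", ""),
    (10,  "ws01", 520, 400, "winword.exe",    "start", "invoice_2019.doc"),
    (25,  "ws01", 610, 520, "powershell.exe", "start", "-nop -w hidden -enc SQBFAFgAIAAoAE4A"),
    (27,  "ws01", 610, 520, "powershell.exe", "net",   "http://198.51.100.7/x.php"),
    (30,  "ws01", 610, 520, "powershell.exe", "write", "c:\\users\\bob\\appdata\\local\\temp\\ab12.exe"),
    (31,  "ws01", 700, 610, "ab12.exe",       "start", "c:\\users\\bob\\appdata\\local\\temp\\ab12.exe"),
    (90,  "ws01", 700, 610, "ab12.exe",       "net",   "203.0.113.9:8080"),
    (150, "ws01", 700, 610, "ab12.exe",       "net",   "203.0.113.9:8080"),
    # An administrator on another host: PowerShell plus a download, but no Office parent.
    (40,  "ws02", 800, 1,   "powershell.exe", "start", "Get-ChildItem"),
    (45,  "ws02", 800, 1,   "powershell.exe", "net",   "https://updates.example.net/list"),
]


def build_process_table(events):
    """Map (host, pid) -> (ppid, image); the first record for a pid wins."""
    table = {}
    for _, host, pid, ppid, image, _, _ in events:
        table.setdefault((host, pid), (ppid, image))
    return table


def chain_root(table, host, pid):
    """Walk parent links up to the process just below the shell (or the
    topmost ancestor we have telemetry for), so one user's unrelated
    activity is not merged into a single chain."""
    cur = pid
    while True:
        ppid = table.get((host, cur), (None, None))[0]
        parent = table.get((host, ppid))
        if parent is None or parent[1] == "explorer.exe":
            return cur
        cur = ppid


def rules(table, ev):
    """Expert-system rules: each returns (signal_name, weight) for one event."""
    _, host, _, ppid, image, event, detail = ev
    img, d = image.lower(), detail.lower()
    parent = table.get((host, ppid), (None, ""))[1].lower()
    hits = []
    if event == "start" and img in SCRIPT_HOSTS and parent in OFFICE:
        hits.append(("office_spawns_script_host", 3))
    if event == "start" and img == "powershell.exe" and ("-enc" in d or "hidden" in d):
        hits.append(("encoded_powershell", 2))
    if event == "net" and img in SCRIPT_HOSTS:
        hits.append(("script_host_network", 1))
    if event == "write" and d.endswith(".exe") and d.startswith(USER_WRITABLE):
        hits.append(("binary_dropped_user_path", 2))
    if event == "start" and d.startswith(USER_WRITABLE):
        hits.append(("exec_from_user_path", 2))
    if event == "net" and img not in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
        hits.append(("dropped_binary_calls_out", 2))
    return hits


def correlate(events, window=600):
    """Group signals by process chain; return {(host, root_pid): (score, signals)}.
    Signals are de-duplicated per chain so repeated beacons do not inflate the score."""
    table = build_process_table(events)
    chains = defaultdict(dict)
    first_seen = {}
    for ev in sorted(events):
        ts, host, pid = ev[0], ev[1], ev[2]
        key = (host, chain_root(table, host, pid))
        first_seen.setdefault(key, ts)
        if ts - first_seen[key] > window:
            continue  # outside the correlation window
        for name, weight in rules(table, ev):
            chains[key][name] = weight
    return {key: (sum(h.values()), sorted(h)) for key, h in chains.items()}


def alerts(events, window=600, threshold=6):
    """Chains whose combined signal weight crosses the alert threshold."""
    return {k: v for k, v in correlate(events, window).items() if v[0] >= threshold}


if __name__ == "__main__":
    for (host, root), (score, hit) in correlate(EVENTS).items():
        print(host, root, score, hit)
```

The administrator's PowerShell on ws02 trips one low-weight rule and stays well under the threshold; the Word-launched chain on ws01 trips six distinct rules and alerts. Each rule on its own would be an unacceptable source of false positives, which is the point of the elephant parable.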

Loki Bot

This credential-stealing Trojan is perhaps best known for turning up on Android devices: in March 2017 it was found preinstalled on handsets, inserted somewhere in the supply chain before the devices ever reached their users. Who can detect that?

Well, AI can. But to detect Loki Bot you need both supervised and unsupervised ML.

Think of a particle collider, where we smash particles into each other and look for the spray pattern that reveals their constituent parts. What we see are the telltale signs of known constituents. This is what supervised ML is trained to detect.

Sometimes, however, little particles spin off as well. Those are the anomalies: the undiscovered things that weren't supposed to be there, so the supervised ML was never taught to look for them. This is what unsupervised ML sees -- the anomalies.

Applied to security, it starts with breaking a file into its elemental parts, including code segments reused from prior attacks and the behaviors it was engineered to exhibit.

Supervised ML recognizes telltale malicious behaviors based on prior training on how malware operates. For instance, it can detect a code segment, an elemental part, that is identical to one found in a known malicious object.

The unsupervised ML detects the other anomalies. Command-and-control traffic, for example, blends in because outbound connections happen all the time; what unsupervised ML can do is flag command-and-control traffic that is anomalous compared with what is typical for that host or network. This is the particle, the quark, spinning off into space.

Each type of AI -- supervised and unsupervised ML -- sees different things, and when combined, it becomes clear that the file is malicious, such as Loki Bot. It's not enough to do one or the other. You need to do both.
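As an added example of the unsupervised half of that pairing (written for this page; not Lastline's code or any product's algorithm), here is a baseline comparison that needs no labels and no list of known-bad addresses. For every source/destination pair it measures how regular the gaps between connections are, then flags pairs that are far more regular than the typical pair on the same network. The hosts, destinations, timestamps and the 0.25 ratio are all constructed assumptions.

```python
"""Unsupervised beacon spotting: what is unusual compared to the baseline.

Added example, not Lastline's code. No training data and no known-bad
list: for each (source, destination) pair we compute the coefficient of
variation (stdev / mean) of the inter-arrival times and flag pairs whose
traffic is much more regular than the median pair. All flow records are
constructed; 203.0.113.0/24 is documentation address space.
"""
import statistics
from collections import defaultdict


def _expand(src, dst, start, gaps):
    """Turn a start time and a list of gaps into (ts, src, dst) flow records."""
    ts, out = start, [(start, src, dst)]
    for gap in gaps:
        ts += gap
        out.append((ts, src, dst))
    return out


FLOWS = (
    # Malware beacon: roughly every 60 seconds with a little jitter.
    _expand("ws01", "203.0.113.9:8080", 1000,
            [60, 61, 59, 60, 60, 61, 59, 60, 60, 60, 61, 59, 60, 60])
    # Legitimate but perfectly periodic: a time-sync client.
    + _expand("ws04", "ntp.example.net:123", 500, [1024] * 10)
    # Human-driven traffic: bursty, irregular gaps.
    + _expand("ws02", "www.example.com:443", 30, [3, 45, 2, 180, 6, 400, 20, 9, 350, 5, 60, 15])
    + _expand("ws02", "cdn.example.net:443", 31, [12, 1, 300, 4, 90, 7, 500, 30, 2, 150, 8, 40])
    + _expand("ws03", "mail.example.net:443", 75, [25, 600, 3, 5, 120, 18, 2, 250, 9, 70, 4, 900])
    + _expand("ws03", "www.example.com:443", 90, [1, 2, 1, 3, 800, 5, 1, 2, 200, 4, 1, 6])
)


def interval_cv(times):
    """Coefficient of variation of the gaps between sorted timestamps.
    0.0 means a perfect clock; human browsing is typically well above 1."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return statistics.stdev(gaps) / mean if mean else 0.0


def profile(flows, min_conns=8):
    """{(src, dst): (connection_count, cv)} for pairs with enough samples."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    return {pair: (len(ts), interval_cv(sorted(ts)))
            for pair, ts in by_pair.items() if len(ts) >= min_conns}


def anomalies(flows, ratio=0.25):
    """Pairs whose regularity is below `ratio` times the typical (median) pair."""
    prof = profile(flows)
    typical = statistics.median(cv for _, cv in prof.values())
    return {pair: cv for pair, (_, cv) in prof.items() if cv < ratio * typical}


if __name__ == "__main__":
    for pair, cv in anomalies(FLOWS).items():
        print(f"{pair[0]} -> {pair[1]}: cv={cv:.3f}")
```

Note what comes out: both the beacon and the NTP client are flagged, because unsupervised ML finds what is unusual, not what is malicious. That is exactly why the article pairs it with the supervised side (a match against known-bad code or infrastructure) before calling the file malicious.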


DMSniff

DMSniff installs onto point-of-sale devices. It has affected a lot of retailers and restaurants, including Buca di Beppo and Planet Hollywood. Most interesting, I think, is that it went undiscovered for four years, during which time some two million credit card numbers were reported stolen. Detecting it requires both deep learning and supervised machine learning.

To understand this one, think of the TV show "Cold Case". For many unsolved cases there are DNA samples collected at the crime scene, but too often the search comes back with zero hits against the database of known DNA samples.

Then something interesting happened: consumer DNA kits such as 23andMe, and the genealogy databases people upload their results to. There are now millions more DNA profiles against which investigators can compare crime-scene DNA. I may not get a 100 percent match, but based on DNA similarity I can identify with a high degree of confidence a specific relative of the criminal, which is enough to solve the cold case.

In this metaphor, the DNA components represent code reuse, which you see all the time in the hacker world: attackers routinely share routines they know are effective. In the case of DMSniff, an AI system could see the obfuscated command-and-control traffic, the beaconing, and from it work out where the stolen credit card data is being staged and where it is being sent.

Also detected in DMSniff are domain generation for its command-and-control infrastructure and low-bandwidth data exfiltration. I know both are bad behaviors. I use deep learning to combine all of these DNA strands and make a determination. I don't have an exact match, but I have enough to determine with a high degree of confidence that this activity is related to DMSniff.
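The code-reuse idea in the DNA metaphor above, and the "elemental part identical to a known malicious object" check from the Loki Bot section, come down to the same mechanism, so here is one added example covering both (written for this page; not Lastline's, Flashpoint's or any vendor's code). An exact hash lookup returns nothing for a sample nobody has seen; comparing overlapping n-grams of the sample against routines kept from known families still finds the shared code, and the containment score serves as the confidence. The family names, the "routines" (readable pseudo-disassembly text standing in for bytes or opcodes), the n-gram length and the 0.5 threshold are all constructed assumptions, not real malware code.

```python
"""Partial-match attribution by code reuse: the 'relative's DNA' idea.

Added example, not Lastline's code. A hash lookup needs an exact match.
Containment of a known routine's n-grams in the sample finds a reused
routine even when everything around it differs. All routine text below
is constructed pseudo-disassembly; real systems work on bytes or opcodes.
"""
import hashlib

N = 6  # n-gram length over the routine text (constructed choice)

# Constructed 'library' of routines seen in earlier samples, per family.
SCRAPE = ("push ebp;mov ebp,esp;sub esp,0x40;call VirtualQueryEx;cmp eax,0;je done;"
          "call ReadProcessMemory;lea esi,[ebp-0x40];call scan_track2;")
DGA = ("mov ecx,seed;imul ecx,0x41c64e6d;add ecx,0x3039;and ecx,0xff;"
       "mov al,[alphabet+ecx];stosb;loop gen;")
BENIGN = ("push ebx;push esi;push edi;call GetTickCount;mov esi,eax;push 0x3e8;"
          "call Sleep;pop edi;pop esi;pop ebx;ret;")

LIBRARY = {"dmsniff_like": [SCRAPE, DGA], "benign_updater": [BENIGN]}
# Exact-match database: hashes of whole samples seen before (constructed).
KNOWN_HASHES = {hashlib.sha256((SCRAPE + DGA).encode()).hexdigest(): "dmsniff_like"}

# A constructed new variant: junk added, stack frame size changed, routines reused.
NEW_VARIANT = ("nop;nop;xor edx,edx;" + SCRAPE.replace("0x40", "0x80")
               + "mov edi,0x1f;" + DGA + "jmp start;")


def ngrams(text, n=N):
    """Set of all overlapping length-n substrings."""
    return {text[i:i + n] for i in range(len(text) - n + 1)}


def containment(routine, sample_grams, n=N):
    """Fraction of the routine's n-grams that appear anywhere in the sample.
    Containment (not Jaccard) is used because the sample may carry a lot of
    code the routine knows nothing about."""
    seg = ngrams(routine, n)
    return len(seg & sample_grams) / len(seg)


def exact_lookup(sample):
    """The cold-case step one: an exact hash hit, or None."""
    return KNOWN_HASHES.get(hashlib.sha256(sample.encode()).hexdigest())


def attribute(sample, threshold=0.5):
    """Score every family by the share of its known routines found in the sample."""
    sample_grams = ngrams(sample)
    scores, per_routine = {}, {}
    for family, routines in LIBRARY.items():
        family_grams = set().union(*(ngrams(r) for r in routines))
        scores[family] = len(family_grams & sample_grams) / len(family_grams)
        per_routine[family] = [round(containment(r, sample_grams), 2) for r in routines]
    best = max(scores, key=scores.get)
    return {
        "exact": exact_lookup(sample),
        "scores": scores,
        "routines": per_routine,
        "family": best if scores[best] >= threshold else None,
    }


if __name__ == "__main__":
    print(attribute(NEW_VARIANT))
```

For the variant above the exact lookup misses, yet well over 80 percent of the family's n-grams are present, and the per-routine breakdown shows which shared routine (the memory scraper, the domain generator) carried the match. The benign updater's routines score near zero, so a shared function prologue alone does not produce a relative. The threshold is the analyst's confidence dial; the score, not a binary hit, is what gets combined with the other behaviors.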

In conclusion, despite all of the hype and misperceptions about AI, I think it is exactly what we need. Just keep in mind that not all AI is the same: different types of AI suit different types of data and different objectives for what the software is looking for.


John DiLullo is CEO at Lastline and has nearly 30 years of demonstrated success in enterprise security, networking, cloud, and AI, plus go-to-market expertise spanning sales, marketing, customer success, technical support, and operations. His career includes extensive time domestically and abroad with market leaders such as Cisco Systems, Avaya, SonicWall, and Aruba Networks serving customers large and small through traditional and emerging channels.

© 1998-2019 BetaNews, Inc. All Rights Reserved.