For owners of sensitive data, their users and the companies that store it, the “Threat Landscape” has changed: the old perception that locking your doors is protection enough has given way to wanting the secret service, with the most modern weapons and technology they bring to the party, backed up by the best intelligence agencies from across the globe.
Current threats range from old but effective techniques such as phishing emails to state-sponsored attacks and everything in between. For example, WhatsApp was hacked to spy on Indian activists and lawyers; who could have done it? Trojans are another. Then there is the weaponization of cloud resources to attack on-premises assets. The days of hacking for status are behind us. Nowadays, the main motivator behind cyberattacks is some sort of financial gain.
One of the most challenging aspects of defending your systems against cybercriminals is recognizing when those systems are being used for some sort of criminal activity in the first place—especially when they are part of a botnet. A botnet is a network of compromised devices that are controlled by an attacker without the knowledge of their owners. Botnets are not new. As a matter of fact, a research study “Why Botnets persist” from Internet Policy Research Initiative by MIT stated that “As early as 2007, experts believed that approximately 16–25% of the computers connected to the internet are part of botnets. Today, botnets continue to generate as much as 30% of all internet traffic. Moreover, the FBI estimated in 2014 that 500 million computers are annually infected by botnets, incurring global losses of approximately $110 billion”.
Preventing these attacks, or any other, starts with identifying the attack pattern: how will an attacker enter your system? How and when will they make their attack? There have been numerous scenarios where the attacker enters a system and stays there for months, if not years, just observing and studying your environment before going for an all-out attack. This whole life cycle of an attack is now commonly known as the cyber kill chain.
Put simply, let’s take the approach of recognizing that it’s not enough to prevent a breach. You must adopt an “assume breach” mentality. When you adopt an assume-breach mentality, you gather the people, processes, and technology that will help you find out when a breach occurs as early as possible, discover which breach has occurred, and eject the attacker while limiting the effects of the breach as much as possible.
A big part of this attitude is the intelligence you gather. Your secret service with its hands-on approach (in IT, your firewalls and antivirus) cannot be done away with, but your proactive approach is still intelligence gathering: the chatter, and the willingness to learn from patterns across systems running all over the globe. This is where AI- and ML-driven systems come into play. You have millions, if not billions, of systems, and four patterns:
- Normal system functioning parameters.
- Change in Normal before a system is attacked.
- Change in Normal after a system is attacked.
- Change back to Normal after the threat is identified and removed.
The reason this becomes compelling for AI and ML is that the Normal comes with plenty of environmental factors, and a change in it does not always mean a breach; it could be an ordinary change in system behavior. For this, you really need a huge data set of systems that your ML can learn from. A good example of this is Microsoft Intelligent Security Graph (www.microsoft.com/en-us/security/intelligence). This system has developed a security intelligence service based on security signals received from a multitude of sources, including the Digital Crimes Unit. By analyzing 450 million authentication events per month, 400 billion emails, and more, it gives AI and ML the data points needed to identify and respond to both existing and emerging threats originating from all over the internet.
As data points from systems like the above continue to become available, you will see more learning and more applications built on AI and ML playing the role of securing our sensitive data. Hopefully, AI and ML will one day not only detect the attacks and the attackers, but maybe even attack them back too.
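As an added illustration of the four patterns above (this is example code, not part of the original article or any Microsoft product), the detector below learns “Normal” from a constructed week of hourly failed-login counts, labels a test day as normal, anomalous, or recovered (the change back to Normal), and shows why the baseline must account for environmental factors: a per-hour-of-day baseline leaves the office-hours rise alone, while a single global baseline misreads it as an attack. All telemetry values are constructed.

```python
from statistics import median

# Constructed telemetry (not real data): hourly failed-login counts for a
# week, quiet at night (~5/h) and busy during office hours (~40/h).
TRAIN = [(40 if 9 <= h < 18 else 5) + (d % 3) - 1
         for d in range(7) for h in range(24)]
# Constructed test day with a burst of failures at 02:00-05:59.
DAY = [60 if 2 <= h < 6 else (40 if 9 <= h < 18 else 5) for h in range(24)]


def learn_baseline(train, period=24):
    """Learn 'Normal' per slot of a cycle (period=24: per hour of day;
    period=1: one global slot). Median and MAD are used so that a few
    outliers in the training window do not distort the baseline."""
    slots = {}
    for i, v in enumerate(train):
        slots.setdefault(i % period, []).append(v)
    baseline = {}
    for slot, vals in slots.items():
        m = median(vals)
        mad = median(abs(v - m) for v in vals) or 1.0  # avoid division by zero
        baseline[slot] = (m, mad)
    return baseline


def robust_z(value, m, mad):
    """Modified z-score; 0.6745 scales MAD to a standard deviation."""
    return 0.6745 * (value - m) / mad


def classify(series, baseline, period=24, threshold=3.5):
    """Label each point 'normal', 'anomalous', or 'recovered' (the first
    in-baseline point after an anomalous run, i.e. the change back)."""
    labels, in_anomaly = [], False
    for i, v in enumerate(series):
        m, mad = baseline[i % period]
        if abs(robust_z(v, m, mad)) > threshold:
            labels.append("anomalous")
            in_anomaly = True
        elif in_anomaly:
            labels.append("recovered")
            in_anomaly = False
        else:
            labels.append("normal")
    return labels


if __name__ == "__main__":
    seasonal = classify(DAY, learn_baseline(TRAIN, 24), period=24)
    naive = classify(DAY, learn_baseline(TRAIN, 1), period=1)
    for h in range(24):
        print(f"{h:02d}:00 failures={DAY[h]:3d} seasonal={seasonal[h]:9s} naive={naive[h]}")
```

The seasonal run flags only the night-time burst and marks 06:00 as recovered; the naive run additionally flags every office hour, which is exactly the false alarm a baseline that ignores environmental factors produces.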
Attributed to Dr. Christopher Richard, MD & Chief Cloud Architect, G7 CR Technologies India Pvt Ltd.