The arms race of AI in cybersecurity

Wayne Dorris

With any advancement in technology, you can bet that the criminal fraternity will be quickly examining its potential in supporting their nefarious goals. Whether cyber criminals planning ransomware attacks or the theft of data and financial information, or nation states looking to disrupt the critical infrastructure of adversaries (if not worse), new technology has the potential to add to their armory.

As well-funded as any legitimate business, these organizations can innovate in their use of new technologies – artificial intelligence (AI), machine learning (ML) and deep learning (DL) among them – unencumbered by any national or international regulations or laws, morals or ethical norms. They will simply look at the opportunity these technologies give them to achieve their criminal objectives.

But while new technology will find its way into the hands of criminals and bad actors, it is also available to be used as defense by those organization’s being targeted.

Hidden in plain sight

There’s an overwhelming amount of evidence that bad actors are using artificial intelligence (AI), machine learning (ML) and deep learning (DL) to improve the sophistication of their attacks. While large-scale Distributed Denial of Service (DDoS) attacks often grab the headlines – disabling as they do high-profile websites and online services – remaining undetected for as long as possible is the primary aim of most cybercriminals. In exactly the same way as a house burglar will aim to spend as long as possible undetected – moving from room to room in search of valuables and, if possible, leaving as stealthily as they entered – a cybercriminal will want to penetrate, move around, and exit a network without being detected.

To do this, they aim to look as much as possible like a legitimate user of the network, whether human or a device. And this is where AI machine learning becomes an invaluable new weapon, allowing cybercriminals to learn the network behaviors of people and devices, rapidly develop new malware and phishing strategies, and deploy these at huge scale. The simplest way to access any network is still to somehow compel a legitimate user to click on a link and open the door. And a fake email from the boss which is virtually indistinguishable from the real thing – including in tone and style of language used – can often be the most effective key.

Darktrace is recognized on one of the leading companies globally focused on AI in cybersecurity and, as you’d expect, is also expert in understanding the increasing use of AI by the criminal fraternity. This excellent blog post details the benefits to cybercriminals in using AI through the attack lifecycle, from chatbots engaging employees through fake social media profiles to the use of neural networks to identify the most valuable data for extraction.

The increasing – and dangerous – link between IT and OT

The Darktrace blog post also highlights the objective of lateral movement in the network once access has been gained. This is essential in meeting the cybercriminals’ aims, as the network entry point – which may be an unsecured device in a remote location – is rarely the desired final location. Ultimately, the bad actor will be looking to move towards far more sensitive areas of the network, harvesting user credentials along the way, and particularly those of privileged users such as network administrators which will give them a primary key to network access.

With the world of connected devices and the so-called Internet of Things (IoT) the risks are exploding as the information technology (IT) network becomes more tightly integrated with the operational technology (OT) environment. Put simply, the IT network manages the flow of digital information, the OT manages the operation of physical processes, machinery and physical assets of the business or specific location. For those bad actors whose aim is disruption and destruction rather than theft, access to the OT is essential. It takes no imagination at all to understand the potential damage that could be created through access to the machinery within a power station, oil refinery or hospital.

AI as a tool for defense as well as attack

We’ve spent a good while looking at the potential application of AI and ML by bad actors and cybercriminals, and it paints a fairly chilling picture. However, these same technologies are, of course, available to those aiming to protect networks from penetration and in many ways the advantage is in the hands of the defenders over the attackers.

I caught up with Jeff Cornelius, Executive Vice President at Darktrace, to hear more about the ways that the company is innovating in AI and ML to keep one head ahead of the criminals. Handing the mic over to Jeff…

“First things first, despite the impression you may get from the media, developing artificial intelligence and machine learning isn’t easy! And while we have a powerful adversary in the criminal fraternity and nation states looking to perpetrate cyberattacks, there are a number of aspects in our favor.

“Primary amongst these is that – given the access provided by our customers – we can see the entirety of the network activity which we use to create an understanding of the behavior of every device and user. In contrast, bad actors will only ever be able to rely on a limited view of activity. Every action they take from an initial foothold is a partially blind step into an environment that we understand, and they do not. Ultimately their goals are activities that the business does not normally perform. Our primary objective is to identify and address anomalies in network behavior, a necessarily wide scope since we do not know when or where an adversary might appear or what their specific new methods or goals may be.

“To draw an analogy, someone who studies my daily movements from outside my house will build up a fairly detailed view of my habits: the time I generally leave the house each day, which route I take to work, where I grab my lunch, and so on. They could probably do a decent job of mimicking those parts of my life. But without having a view inside my house, if they tried to mimic my tastes at breakfast, they’d almost certainly make a mistake that would easily be spotted as an anomaly by a close family member. There is usually decent information available on the internet to target an individual with a clever spear-phishing email, but once inside they are sitting at our table.”

Supervised vs unsupervised machine learning

“There’s an important distinction to be made between supervised and unsupervised machine learning. In the former, computers are trained against a set of known data, and constantly refer back to this data to check if the outcome recorded is the expected one. From a cybersecurity perspective, the models for learning are based on known malware. And this is where the real race between criminals and cybersecurity lies: bad actors are using ML to create new versions of malware – we’re seeing an exponential growth in these – and cybersecurity companies are trying to keep pace by writing new models for supervised ML defenses. It’s a bit like a spellcheck trying to keep pace with a world where new words and even languages are being created daily. And it’s becoming increasingly difficult, if not impossible, to keep pace.

“By contrast, instead of relying on knowledge of past threats, unsupervised machine learning algorithms independently classify data and detect compelling patterns. In this context they analyze network data at scale and make billions of probability-based calculations based only on the evidence that they see. From this, they form an understanding of ‘normal’ behaviors across the specific network, pertaining to devices, users, or groups of either entity. They can then detect deviations from this evolving ‘pattern of life’ that may point to a developing threat. This early warning system will allow us to stay a step ahead of the cybercriminals and bad actors.”

The subject of AI and machine learning in cybersecurity is fascinating, and one which even this lengthy blog post cannot do justice! It’s also one that may seem much broader in relevance than simply related to security and surveillance. But of course, network video and audio are as likely to be targeted as much as any network-connected device, so it’s one we take an acute interest in.

More information on Axis and cybersecurity can be found here.