AI Based Threat Intelligence vs. AI Based Cybercrime
July 8, 2019 | 3 minute read
AI Based Threat Intelligence vs. AI Based Cybercrime
Artificial intelligence (AI) and machine learning (ML) are the latest buzzwords surrounding general technology trends that have also made their way into cybersecurity.
Many use the terms interchangeably, but they’re not quite the same thing. ML is a subset of AI that relies on algorithms and large data sets to learn and adjust, whereas AI is able to perform specific tasks similar to, or better than, a human. It can also generate new conclusions without additional data. Often, AI uses ML algorithms, but may often use other methods too.
AI Threat Intelligence
Banks and retailers are investing more money than any other industry into AI and ML capabilities, with each industry expected to spend more than $4 billion this year, according to the International Data Corporation. Banking, in particular, is finding AI capabilities useful for dealing with threat intelligence and prevention systems, fraud analysis, and investigation.
As cyberthreats become more complex and sophisticated, AI and ML provide the necessary efficiency and value to keep pace with the changing cyber landscape. A perfect example of this is ML for virus and malware detection. For decades, antivirus solutions have relied on signature-based detection. Attackers could make small changes to a virus or malware to change the signature to bypass AV tools. Now with ML, algorithms ingest vast data sets of malicious programs to determine what to look for. Rather than specific signatures, ML-based scanners look for characteristics which makes evading detection more difficult.
The current application of AI provides additional analytics horsepower to already existing technologies; AI thus lends to these applications greater effectiveness and value.
- AI-based solutions may function as a stand-alone solution but are tightly integrated with another technology, SOAPA, Security Operations, and Analytics Platform Architecture; in other cases, the technology is applied within an existing application.
- AI prevent DGAs (Domain Generation Algorithms) which are generated with a seed that is shared between malware and an attacker. These DGAs can create many thousands of pseudo-randomly generated domain names which makes standard blacklisting obsolete.
- Incident response and priority are based on AI and ML tailored for the specific needs of an industry vertical. This allows the system to improve itself with more vertical expertise.
Other methods offer an advantage to cybersecurity in leveraging AI and ML. Because cybercriminals can develop sophisticated techniques and are not bound by “rules,” a foundational method of ensuring good can be more effective than searching for bad. AI and ML can improve the current effectiveness of this method of least privileged environments at scale.
AI and Cybercrime
While experts have leveraged AI to improve cybersecurity defenses, no doubt cybercriminals also see the value of AI in developing methods to defeat the latest defense tools. This presents a critical threat to organizations, as these AI-based attacks can be even more difficult to detect, allowing attackers to remain inside a network for months without detection.
Malware network penetrations, for example, will be able to adapt on the fly rendering standard cybersecurity defenses outdated. AI could potentially be used to automate and quickly discover critical software bugs or support social engineering attacks with algorithmic profiling to achieve a higher likelihood that a user will click on a malicious link or file.
The first known AI-based cyber attack occurred in India in 2017. The attack took place inside a corporate network using ML to observe and apply patterns of normal user behavior. The software was difficult to detect as it behaved like a typical user. In this particular case, it was not entirely clear what the goal of the attack was meant to be, but the number of dangerous scenarios was numerous with AI and ML at play.
Cybercriminals are also targeting the retail industry, and these threat actors include organized cybercrime groups and Nation State actors. They are targeting point of sale systems at physical stores, and using payment scraping, credential stuffing, and mobile applications in online attacks. The 2018 Thales Data Threat Report illustrates that retailers aren’t doing enough to prioritize security and cybercriminals are exploiting their weaknesses. According to the report, 50 percent of retailers have experienced a data breach in 2018, putting retail among the most-attacked industries as ranked by the 2018 IBM X-Force Threat Intelligence Index.
Cybercriminals are just now getting started, and more sophisticated AI-based attacks are sure to be quickly on the horizon. Organizations need to be aware of the inevitable reality of widespread cyber attacks that take advantage of AI and ML technologies.
Staying Ahead of the Curve
Cybersecurity solutions from just a few years ago were not designed to combat algorithmic attacks, so it’s critical to find a solution that is capable of adapting to cybercrime techniques that will include AI and ML. An effective solution must keep pace with the changing attack behaviors that may be driven by algorithms that will be changing and self-updating over time.
However, technology is not enough to defend against threat actors. Value from a team of expert analysts, automation, and targeted threat intelligence is needed to provide a comprehensive defense. To stay ahead of the curve, businesses require the following:
- Cyber expert analyst team - including a feedback loop between cyber analysts and the machine, to enable continuous improvement in severity scoring and prioritization.
- Automation - drives the speed of detection and response. With the Argos platform, CyberInt's ratio of automation/manual is 80/20 respectively.
- Targeted threat intelligence - making AI and ML more effective for specific customers without flooding them with data. While AI and ML-based systems may find a threat that is relevant to an industry, it will not be prioritized high if it isn't targeting a specific company.
CyberInt’s Argos™ platform provides Managed Detection and Response (MDR) services to enable B2C companies in the retail, eCommerce and banking industry to protect their customers, employees and business with enhanced capability, securing an organization’s 24/7 managed SOC and with real-time incident response, and mitigation services.
Contact CyberInt for a consultation on a solution for your organization.