AI in cyberattack lifecycle
Network defenders and the cybersecurity industry must move their focus from the network’s edges and endpoints to the network’s interior. Inside the network, IT and security data collection is frequently abundant but underutilised. Rich data can be utilised to build “network normal” behaviour and serve as a foundation for the use of artificial intelligence to surface adversary conduct when anyone acquires illicit access.
Foundation of our cybersecurity vendors
The parameter and endpoint defences are frequently and readily breached by skilled actors. The cybersecurity vendor landscape was built on a foundation of outmoded technologies and methods. These same technologies’ “second,” “third,” or “next” generations make grand claims yet continue to employ the same antiquated and unreliable methods for identifying and thwarting hackers.
The proof is indisputable: business network breaches in 2014 resulted in the compromise of six billion data records; by 2015, there were around 160 cyberattacks every week. With a maximum documented cost of $65 million, these breaches cost an average of $1.9 million per breach.
Since attackers can cause the most damage inside the network and the security team’s capacity to detect and eject them there is now quite restricted. Modern cybersecurity teams must concentrate on detecting and stopping adversary conduct inside the network where adversaries are able to most damage. Using the wealth of internal data can yield incredible security insights when analyzed by artificicial intelligence(AI).
Using AI for internal network observations
Analyzing internal data is always a challenge for network defenders because of its volume and complexity. The data is interrelated in intricate, nuanced ways that a human can’t pick out quickly enough to matter.
But artificial intelligence (AI) provides a few key capabilities that complement and enhance the ability of experienced humans to successfully investigate and thwart cyber attacks and secure networks:
- Specialised models based on a particular environment
In order to highlight and further examine unusual, potentially suspicious actions, AI may rapidly construct and test models to maintain a rolling grasp of what is “normal” in a given environment.
- Link seemingly unrelated occurrences
Behavioral patterns that would be difficult for a human analyst to interpret can be related in ways that AI can recognise. In other words, AI can determine which warnings or alerts from security systems were genuinely relevant to the attack when an attack is happening.
- Processing Power
More data can be processed faster by computers than by people. Which also provides an upper hand in handling the data effectively. Combining the AI with the human expertise of adversary behaviour, more efficient systems for network security can be developed.
How AI fits in securing networks
The number of alternatives for illicit access available to sophisticated players outside the target network and that is only limited by their willingness to expose their capabilities, their availability of time, and their willingness to put up effort.
Once within the target network, attackers look for the metaphorical “high ground” from which to watch internal network activity, gauge the degree of the target’s defensive posture, and collect credentials and other data that will make lateral movement less dangerous and easier. From within network an attacker has a high degree of control and firm understanding of who is responsibel for what. Since the routine activity is monitored and the adverseries can’t leave any footprints and occasionally try to adjust it. But the use of AI to these data sets can highlight attempts at covert behaviour within the network. Security teams spend a lot of time analyzing the data without having a clue whether they are looking at the right place or not. However, it is obvious that all of this data isn’t being used; to efficiently detect and fend off attackers.
AI in cyberattack lifecycle
Observing data movement on the network and mapping it to the stages of the “cyber kill chain,” defenders can catch adversaries who are otherwise taking great care to stay invisible.
Reconassiance phase
This phase is the initial phase of hacking into a network by the attacker. This stage exhibits certain behaviours that will help the defenders to identify and detect the attacks.
- Devices behaving differently than usual
- Data source mapping and breadth-wise exploration (Activity conducted by an adversary differs from activity conducted by a user and can be highlighted in logs).
- Broad search patterns vs. targeted access
These tells would be extremely difficult for human analysts to pick out, and even if they did, it would be hard to discern whether the behaviors were related as part of an adversary campaign or just coincidental. AI with continuous visibility into the relevant data sources could see the tells and understand the relationship between them quickly and with a high degree of confidence and accuracy.
Collection and staging phase
While gathering and staging information can resemble reconnaissance, they are also more likely to involve unusual data flow patterns that can be detected and utilised as additional proof of an assault in progress. This activity may be a sign that an adversary has accessed the network if it coexists with other identified behaviours. AI is best suited to identify these links, whereas humans should still be the only ones to analyse them and choose the best course of action.
Exfiltration phase
Adevrsaries/attackers after gaining access into the network will be looking to exfiltrate the data, for which several methods will be trialed. This may include clandestinely enabling specific services (such as Remote Desktop Protocol) on the staging machines and/or modifying proxy or firewall settings to allow for previously-prohibited protocols (such as FTP). But the movement of data at volume from inside to outside the network is measurable activity that can be detected and categorized.
The braoder point is to watch for the anamolous behaviour across network which includes ports, protocols etc. AI is the only way to do it at a speed and scale that will actually detect intrusions in time to prevent data loss.
Building AI’s on what is normal and marginalize abnormalities in networks
At various organizations volume of the network data is out of scope of the human analysis. Analysists are forced to pick and choose the data and limitting their effectiveness and visibility.
No matter how unusual the environment, AI can use all of the data to create a model of what “normal” looks like in any network, maintain and update this idea of normalcy, and report on connected actions that deviate from the norm. This concept has the potential to be the biggest advancement in cybersecurity in years.
Although most categories of security technology are on the verge of becoming commodities, they will still be necessary. Network defenders stand to benefit greatly from the integration of AI, which will give insight and correlation across all systems, by giving them the advantage over adversaries both now and in the future.