Disruptions Caused by Autonomous Malware Could Have Devastating Implications
Organizations and consumers alike have a growing expectation for instant access to personalized information and services through an increasingly complex array of interconnected devices and networks. It is this demand that is driving the digital transformation of our economy.
Businesses that want to succeed need to stay ahead not only of demand from consumers and employees, but also of the growing criminal element looking to exploit these new opportunities.
The proliferation of online devices accessing personal and financial information, the adoption of virtualized and multi-cloud environments, and the growing connection of everything – from armies of IoT devices and critical infrastructure in cars, homes, offices, and industry, to the rise of smart cities – have combined to create new destructive opportunities for cybercriminals.
Black Hat Automation
Cybercriminals have begun to leverage automation and machine learning in their attack tactics, techniques, and procedures (TTPs). We have already begun to see attacks with automated front ends mining for information and vulnerabilities, combined with artificial intelligence-based (AI) analysis on the back end to correlate the vast amounts of structured and unstructured Big Data they have pilfered. The challenge is that these sorts of data-intensive attack strategies require massive amounts of computing power, which is why cybercriminals are using stolen cloud services and public infrastructure to launch and manage their attack campaigns and refine their malware tools.
Security vendors and researchers already use machine learning and sandbox tools to analyze samples and determine whether or not they are malicious. There is no reason why the same approach can't be used by cybercriminals to automatically map networks, identify targets, determine device or system weaknesses, conduct virtual penetration testing, and then build and launch custom attacks using techniques such as fingerprinting and blueprinting. In fact, we are now seeing the first attempts at automatically generating custom code based on such information in order to strike more effectively at vulnerable targets.
This isn't science fiction. Polymorphic malware has been mutating itself to evade signature-based security controls for years, and the criminal ecosystem can produce more than a million malware variations per day. So far, however, there is very little sophistication or control over the output. Next-generation "morphic malware" will be able to build customized attacks that are not simply variations produced by a static mutation algorithm. Instead, it will employ automation and machine learning to build thousands of customized attacks against a specific target.
Fighting Fire with Fire
One critical response to advancements in malware and cybercriminal technologies is the development of “expert systems.” An expert system is a collection of integrated software and programmed devices that use artificial intelligence techniques to solve complex problems. For example, expert systems currently use databases of knowledge to offer advice, perform medical diagnoses, or make educated decisions about trading on the stock exchange.
The success of expert systems depends on different systems collaborating to solve complex challenges. They need to be able to share critical intelligence and support security architectures that automatically work in concert to root out and stop advanced threats. In addition to integrating multi-cloud and mobile devices under a common security protocol, unsegmented and unsecured networks also need to be actively monitored and secured at digital speeds. This means that isolated security devices will need to be identified and replaced with those designed to operate as part of a more complex, integrated, and automated system.
One of the biggest challenges will be the last mile of security: finding the will and the way to automate critical security hygiene functions, such as inventory management, patching and replacement, hardening systems, and implementing two-factor authentication. The challenge is that complex, multi-cloud ecosystems and hyperconverged networks that span physical and virtual environments make these basic security practices extremely difficult to carry out consistently. It is essential, therefore, that AI and automation begin to fill this gap by replacing basic security functions and day-to-day tasks currently performed by people with integrated expert security systems and automated processes that are able to do such things as:
1. Keep a running inventory of all devices connected to the network, analyze and determine device vulnerabilities, apply patches and updates to devices, flag devices for replacement, and automatically apply a compensating control such as an IPS policy (virtual patching) to protect vulnerable devices until an update or replacement is available. They also need to be able to isolate compromised devices to stop the spread of infection and initiate remediation.
2. Device misconfiguration is another huge problem many organizations face. Expert systems need to be able to automatically review and update security and network devices, monitor their configurations for drift from a known-good baseline, and make appropriate changes as the network environments they operate in continue to shift, all without human intervention.
3. Automated systems also need to be able to rank devices based on levels of trust and indicators of compromise, and dynamically segment traffic, especially traffic coming from the growing number of IoT devices. They need to be able to do this even in the most highly elastic environments, at digital speeds. Automation will soon shrink the gap between offense and defense (time to breach versus time to protect) to a matter of milliseconds rather than the hours or days it takes today, and to counter this evolution successfully, human beings need to get out of the critical path.
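The three items above describe one decision loop: inventory a device, check it for known-vulnerable versions and configuration drift, derive a trust level from that plus any indicators of compromise, and then pick an enforcement action (patch, virtual-patch with an IPS policy, push the baseline config, restrict, or quarantine). The following is an added illustration written for this page, not code from the original article or from any vendor product. The product names, firmware versions, vulnerable-version table, baseline settings, score weights and the 60-point trust threshold are all hypothetical, chosen only to make the example run offline.

```python
"""Hypothetical automated hygiene loop: inventory -> vulnerability check ->
config-drift check -> trust score -> enforcement decision.

All product names, versions and thresholds below are constructed for the
example; they are not real advisories or real vendor policy."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed vulnerable-version table (hypothetical products).
VULNERABLE_VERSIONS: Dict[str, Set[str]] = {
    "ipcam-fw": {"1.2.0", "1.2.1"},   # hypothetical: fixed in 1.3.0
    "plc-fw": {"4.0"},                # hypothetical: no fix shipped yet
}
# Products for which a fixed release is known to exist.
PATCH_AVAILABLE: Dict[str, str] = {"ipcam-fw": "1.3.0"}

# Hardening baseline every device is expected to match (hypothetical settings).
BASELINE_CONFIG: Dict[str, str] = {
    "telnet": "off",
    "default_creds": "no",
    "mgmt_plane": "mgmt-vlan",
}

TRUST_THRESHOLD = 60   # below this a device is moved to a restricted segment


@dataclass
class Device:
    name: str
    product: str
    version: str
    segment: str
    config: Dict[str, str]
    ioc_hits: int = 0   # threat-intel indicators observed from this host


@dataclass
class Decision:
    device: str
    trust: int
    action: str
    target_segment: str


def is_vulnerable(d: Device) -> bool:
    """Inventory check: is the installed version on the known-vulnerable list?"""
    return d.version in VULNERABLE_VERSIONS.get(d.product, set())


def config_drift(d: Device) -> Dict[str, Tuple[str, str]]:
    """Return {setting: (observed, expected)} for every baseline mismatch."""
    return {k: (d.config.get(k, "<unset>"), v)
            for k, v in BASELINE_CONFIG.items() if d.config.get(k) != v}


def trust_score(d: Device) -> int:
    """0..100; a vulnerable version, each drifted setting and each IoC hit
    pull the score down (weights are arbitrary example values)."""
    score = 100
    if is_vulnerable(d):
        score -= 40
    score -= 15 * len(config_drift(d))
    score -= 50 * min(d.ioc_hits, 2)
    return max(score, 0)


def decide(d: Device) -> Decision:
    """Pick one enforcement action; compromise outranks everything else."""
    trust = trust_score(d)
    if d.ioc_hits > 0:
        # Isolate first, remediate second: stop lateral spread.
        return Decision(d.name, trust, "isolate-and-remediate", "quarantine")
    # Dynamic segmentation: low-trust devices move to a restricted segment
    # whatever the remediation action turns out to be.
    segment = "restricted" if trust < TRUST_THRESHOLD else d.segment
    if is_vulnerable(d):
        fix = PATCH_AVAILABLE.get(d.product)
        # No fix yet: virtual-patch with an IPS policy and flag for replacement.
        action = f"patch-to-{fix}" if fix else "apply-ips-policy;flag-for-replacement"
    elif config_drift(d):
        action = "push-baseline-config:" + ",".join(sorted(config_drift(d)))
    else:
        action = "allow"
    return Decision(d.name, trust, action, segment)


def run_inventory(devices: List[Device]) -> Dict[str, Decision]:
    return {d.name: decide(d) for d in devices}


# Constructed sample inventory.
_OK = dict(BASELINE_CONFIG)
SAMPLE_INVENTORY: List[Device] = [
    Device("cam-01", "ipcam-fw", "1.2.1", "iot", _OK),                       # vulnerable, fix exists
    Device("cam-02", "ipcam-fw", "1.3.0", "iot",
           {"telnet": "on", "default_creds": "yes", "mgmt_plane": "mgmt-vlan"}),  # drifted
    Device("plc-07", "plc-fw", "4.0", "ot",
           {"telnet": "off", "default_creds": "no", "mgmt_plane": "prod-vlan"}),  # vulnerable, no fix
    Device("srv-03", "web-srv", "2.4", "dmz", _OK, ioc_hits=3),              # compromised
    Device("cam-03", "ipcam-fw", "1.3.0", "iot", _OK),                       # healthy
]

if __name__ == "__main__":
    for dec in run_inventory(SAMPLE_INVENTORY).values():
        print(dec)
```

The ordering inside decide() is the point: an active indicator of compromise short-circuits everything, a missing patch is handled before configuration drift, and the segment assignment is computed from the trust score independently of which remediation is chosen, so a device that cannot be patched ends up both virtually patched and restricted.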
Over the next couple of years, we will see the attack surface expand through the use of automation and tools that are able to make autonomous or semi-autonomous decisions. Once AI and automation take on a life of their own without human interaction, massive disruptions caused by autonomous malware could have devastating implications and permanently reshape our future.
To meet the speed and volume these changes demand, security will require automating responses, applying intelligence, and developing and refining self-learning so that networks can effectively make autonomous decisions. This will allow us to replace our current accidental network architectures with intentional designs that can not only withstand serious and sustained attacks, but also automatically adapt, now and into the future.