Last updated: 28 June 2019

Cyber criminals are using increasingly sophisticated methods to infiltrate company networks and conceal their attacks. Security specialists are often overstretched by the number and complexity of attacks. They struggle to detect intruders and to implement the correct countermeasures. This article shows how new threat-prevention approaches based on artificial intelligence can support experts and thus provide greater security.


Traditional IT security controls such as firewalls, email gateways and antivirus software are still important components of today's IT security strategy. For several reasons, however, they are no longer enough on their own to protect companies effectively against threats from the internet. The spread of cloud and mobile computing means that the traditional perimeter model of network security no longer holds. If employees access company resources from anywhere and consume applications from the cloud as software as a service (SaaS), the traditional distinction between the ‘outside’ and the ‘inside’ of a company network no longer makes sense. Instead of the network perimeter, it is staff accounts, applications and data themselves that must be protected, regardless of where they are physically located.

Not only have the IT landscapes that require protection grown more complex, but the attacks have also become more diverse, sophisticated and targeted. Botnet and trojan modules sold on the dark web make it possible to assemble new variants quickly, and a freshly compiled or repacked variant carries no signature that a traditional signature-based AV solution could match. According to security provider Symantec’s Internet Security Threat Report 2018, the number of ransomware variants alone increased by 47% in 2017. For a few dollars, attackers can also buy credentials from breached user accounts: more than three billion user accounts were affected by the breach at Yahoo alone, and the transportation network company Uber had to disclose the theft of data on around 57 million users.

Multi-layer defence required

A multi-layer approach that combines traditional defence mechanisms with new techniques is needed to fend off such attacks:

  • Signature-based malware recognition.

    This classic technique is the first line of defence: it detects and removes malware whose signatures are already known. What matters is that the security solution’s signature database draws on as many sources as possible and pushes new signatures to users as quickly as possible. Cloud-based solutions have an advantage here because the database is maintained centrally and every client queries the current version instead of waiting for a local update.

  • Behavioural analysis and heuristics.

    Scanners that monitor the computer for suspicious activity provide another line of defence. If an unknown programme attempts to modify the hosts file or to write to the registry, for example, the monitor raises the alarm and blocks the operation. To recognise hitherto unknown malware, heuristic techniques make predictions based on existing knowledge of how malware is typically built. Both methods have the disadvantage, however, that they frequently produce false alarms. The risk is that users, annoyed by the constant alerts, switch the scanner off altogether.

  • Static code analysis.

    Malware authors often try to disguise their real intentions by hiding malicious code inside apparently useful, or at least seemingly harmless, programmes. To find these code elements, static analysis inspects the programme code directly, without executing it.

  • Sandboxing.

    In this method, suspicious attachments are first opened in an isolated virtual environment, the sandbox, so that malicious behaviour can be observed without harming the recipient’s machine. This can be used to ward off, for example, so-called zero-day attacks, in which criminals exploit weak points that have only recently been discovered and for which no patch yet exists. Sandboxing does, however, slow down the delivery of messages, because the attachments must first be opened and analysed. The sandboxing technology chosen should therefore be highly scalable so that results are delivered promptly even for a high volume of email. In addition, sophisticated malware can recognise when it is running in a virtual environment and in that case remains inactive. Newer sandboxing methods therefore use CPU emulation, which is harder for malware to identify as an analysis environment than a conventional virtual machine.
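As an added example (not the article’s or any vendor’s code), the following Python script shows how the first three layers above fit together in a pipeline for triaging an email attachment: a signature lookup first, then a static scan that inspects the bytes without executing them, and a hand-off to the sandbox only for files the cheaper layers cannot decide. The signature set, the indicator patterns, the entropy threshold and the four samples are all constructed for illustration; a real signature feed and indicator set would be far larger.

```python
import hashlib
import math
import re
from dataclasses import dataclass, field

# Layer 1: signature database. A real product pulls this from a central
# (cloud) feed; here it holds the SHA-256 of one constructed sample (below).
KNOWN_BAD_SHA256 = set()

# Layer 2: static indicators typical of macro droppers, checked without
# executing anything. Constructed for illustration, not a vendor rule set.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"powershell(\.exe)?\s+.*-(enc|encodedcommand)\b", re.I),
    re.compile(rb"WScript\.Shell", re.I),
    re.compile(rb"AutoOpen|Document_Open|Workbook_Open", re.I),
    re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),  # long base64 blob
]
ENTROPY_THRESHOLD = 6.5  # bits per byte; packed or encrypted payloads approach 8.0


def shannon_entropy(data: bytes) -> float:
    """Byte entropy of the blob; high values hint at packing or encryption."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class Verdict:
    action: str              # "block", "sandbox" or "allow"
    layer: str               # which layer made the decision
    indicators: list = field(default_factory=list)


def triage(blob: bytes) -> Verdict:
    """Run the layers in order of cost: hash lookup, static scan, then sandbox."""
    digest = hashlib.sha256(blob).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return Verdict("block", "signature", [digest])

    hits = [p.pattern.decode() for p in SUSPICIOUS_PATTERNS if p.search(blob)]
    entropy = shannon_entropy(blob)
    if entropy > ENTROPY_THRESHOLD:
        hits.append(f"entropy={entropy:.2f}")

    if len(hits) >= 2:      # several independent indicators: block outright
        return Verdict("block", "static", hits)
    if hits:                # a single weak indicator: let the sandbox decide
        return Verdict("sandbox", "static", hits)
    return Verdict("allow", "static", [])


# Constructed samples (not real malware).
KNOWN_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00constructed-known-bad-sample"
KNOWN_BAD_SHA256.add(hashlib.sha256(KNOWN_SAMPLE).hexdigest())
DROPPER_MACRO = (b'Sub AutoOpen()\n'
                 b'  Set sh = CreateObject("WScript.Shell")\n'
                 b'  sh.Run "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"\n'
                 b'End Sub\n')
LONE_MACRO = b'Sub Document_Open()\n  MsgBox "Hello"\nEnd Sub\n'
BENIGN_TEXT = b"Quarterly report: revenue up 4 percent, see attached figures.\n"

if __name__ == "__main__":
    for name, blob in [("known", KNOWN_SAMPLE), ("dropper", DROPPER_MACRO),
                       ("lone macro", LONE_MACRO), ("benign", BENIGN_TEXT)]:
        v = triage(blob)
        print(f"{name:>10}: {v.action:8} ({v.layer}) {v.indicators}")
```

The ordering matters for cost: the hash lookup is almost free, the static scan is cheap, and only the remaining unknowns pay the delivery delay of sandboxing. The static thresholds should stay conservative, because this layer inherits the false-alarm problem described under behavioural analysis.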

Advanced protection from artificial intelligence

Nonetheless, attackers often manage to get past such multi-layered defences by targeting individual employees and gaining their trust. They research the target’s personal environment via social media in order to extract company secrets, or to persuade the target to perform actions such as transferring large sums of money or switching off security controls. The direct takeover of email accounts (account takeover, ATO) is also becoming more common. Using stolen credentials, the attacker hijacks an employee’s mailbox and uses it to send phishing emails. Because internal email is often delivered directly, it does not pass through the email gateway and is therefore not scanned for malware either. The recipient sees a message that genuinely originates from a colleague’s or a superior’s account, assumes it is legitimate and acts on it.

Human security experts find it extremely difficult to counter these risks. They can neither spot suspicious patterns across thousands of messages nor analyse and evaluate the behaviour of every employee in real time. This is exactly where machine learning has an advantage. After a training phase, neural networks can recognise correlations and patterns across millions of data points, however complex the relationships. For training, an AI-based solution should have access to the company’s existing mailbox data so that it can learn the typical communication patterns of individual users. From this analysis it derives parameters with which communication behaviour can be classified. Positions and departments that are particularly exposed to phishing attacks can also be identified.

Thanks to the classifications developed in the learning phase, the deployed AI engine can recognise social engineering attacks in real time by looking for deviations from the learned patterns, for example anomalies in a message’s metadata or content. Suspicious messages are quarantined automatically, and administrators and users are notified. An account takeover can be detected quickly by the same means, because a criminal communicating through a compromised employee account behaves noticeably differently from the account’s legitimate owner.
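As an added example, not the article’s or any vendor’s code, the following Python script sketches the baseline-and-deviation idea behind the ATO and social engineering detection described above in a deliberately simple form: instead of a neural network it builds a per-sender profile (usual recipients, sending hours and submitting client/country) from historical mail metadata and scores new messages by how far they deviate, adding a content check for the pressure language typical of social engineering. The weights, thresholds, addresses and messages are constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class Mail:
    sender: str
    recipients: list
    hour: int      # local hour at which the message was submitted, 0-23
    source: str    # submitting client and country, e.g. "Outlook/DE"
    body: str


@dataclass
class Profile:
    """What 'normal' looks like for one sender, learned from history."""
    total: int = 0
    recipients: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    sources: Counter = field(default_factory=Counter)


def build_profiles(history):
    """Learning phase: aggregate metadata per sender from past mail."""
    profiles = defaultdict(Profile)
    for m in history:
        p = profiles[m.sender]
        p.total += 1
        p.recipients.update(m.recipients)
        p.hours[m.hour] += 1
        p.sources[m.source] += 1
    return profiles


# Hand-set deviation weights (assumption): a new submitting client/country is
# the strongest single sign of a hijacked account, off-hours sending the next.
WEIGHTS = {"new_recipient": 1, "off_hours": 2, "new_source": 3, "urgency": 2}
URGENCY_PHRASES = ("urgent", "wire transfer", "gift card", "do not call")
MIN_HISTORY = 20      # below this, the profile is too thin to judge deviation
QUARANTINE_AT = 4


def score(mail, profile):
    """Detection phase: return (score, reasons) for one message."""
    if profile.total < MIN_HISTORY:
        return 0, ["no baseline yet"]   # nothing to deviate from
    reasons, total = [], 0
    unknown = [r for r in mail.recipients if profile.recipients[r] == 0]
    if unknown:
        total += WEIGHTS["new_recipient"]
        reasons.append(f"first contact with {unknown}")
    if profile.hours[mail.hour] == 0:
        total += WEIGHTS["off_hours"]
        reasons.append(f"never sent at hour {mail.hour:02d}")
    if profile.sources[mail.source] == 0:
        total += WEIGHTS["new_source"]
        reasons.append(f"unknown source {mail.source}")
    found = [p for p in URGENCY_PHRASES if p in mail.body.lower()]
    if found:
        total += WEIGHTS["urgency"]
        reasons.append(f"pressure language {found}")
    return total, reasons


def classify(mail, profiles):
    s, reasons = score(mail, profiles[mail.sender])
    return ("quarantine" if s >= QUARANTINE_AT else "deliver"), s, reasons


# Constructed history: 40 messages from one finance employee, all during
# office hours, from two known clients, to the same two colleagues.
HISTORY = [
    Mail("anna@corp.example",
         ["bob@corp.example"] + (["carol@corp.example"] if i % 2 else []),
         hour=9 + i % 8,
         source="Outlook/DE" if i % 5 else "iOS Mail/DE",
         body="Hi, attached are this week's invoices.")
    for i in range(40)
]
PROFILES = build_profiles(HISTORY)

# Constructed test messages.
NORMAL = Mail("anna@corp.example", ["bob@corp.example"], 10, "Outlook/DE",
              "Hi Bob, invoices attached as usual.")
NEW_CONTACT = Mail("anna@corp.example", ["dave@corp.example"], 11, "Outlook/DE",
                   "Hi Dave, welcome to the team, here is the onboarding doc.")
HIJACKED = Mail("anna@corp.example", ["payments@partner-bank.example"], 3,
                "Webmail/NG",
                "URGENT: process the attached wire transfer today. "
                "In a meeting, do not call.")

if __name__ == "__main__":
    for label, m in [("normal", NORMAL), ("new contact", NEW_CONTACT),
                     ("hijacked", HIJACKED)]:
        print(label, classify(m, PROFILES))
```

A legitimate first contact during office hours from the usual client scores low and is delivered, while a message sent at 3 a.m. from an unfamiliar webmail client to an outside address with wire-transfer pressure language crosses the threshold and is quarantined. A sender with no history gets no score at all: without a baseline there is nothing to deviate from, which is why the article stresses training on the company’s existing mail data. The weights here are hand-set; the learned classifier the article describes derives them from the data.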


Modern IT landscapes are complex and can no longer be adequately protected by traditional perimeter security alone. Companies should therefore rely on multi-layered threat-prevention methods that combine signature-based malware recognition with behavioural analysis, static code scanning and sandboxing. These offer a high level of security, but reach their limits when criminals manipulate employees’ behaviour through targeted attacks and social engineering, or attack from inside the company by taking over accounts. Techniques based on machine learning and artificial intelligence are therefore an important addition to traditional security strategies. Using neural networks, such solutions learn to distinguish normal from suspicious behaviour and to identify particularly exposed people or departments. Anomalies in the metadata or content of an email can be identified just as quickly as an account takeover.