It has been a year for the record books, and Cybersecurity has been the year's topic. I have learned the hard way that Cyberthreats have entered a new realm of technology, and just about everything you thought you knew has gone out the window. It used to be that if you had long and strong passwords, disabled accounts, Antivirus on workstations and servers, web filtering and Malware protection, and kept your systems patched and updated, you were in good shape. If you had Multi-Factor-Authentication, used VPNs, and were in Office 365, you were in great shape. As I learned the hard way, cyber threats and the prevention you need have gone to a whole new level, and it is now a battle of Artificial Intelligence at machine learning speed, which humans could never keep up.
Stealing a line from the Twilight Zone, Image this, if you will, an offensive artificial intelligence virus that can learn a networking environment independently, problem-solve by reaching out to the host, or perform an Internet search to resolve issues. On top of that has developed the knowledge to disable your two-factor authentication so that the administrative console does not report that your two-factor authentication is not working. Then render your Advanced Threat protection software or anti-virus ineffective, yet again, but fool the administrative console into thinking it is reporting. Also, imagine, if you will, what if a virus could take a user that is disabled and placed in an inactive operating unit with no rights to the network, brute force the username and password, and crack that twenty-character alphanumeric unique character password, all without detection? Impossible, you say? Actually, the reality is a surprise they can, and I have seen it in action myself with the use of artificial intelligence by a threat actor. The industry-leading experts couldn't believe it, and all this was done without the detection of other advanced monitoring and prevention systems.
Cybertechnologists are using artificial intelligence to defend the country, our online shopping, and our businesses from threat actors performing ransomware attacks, data mining, identity theft, and several other attack vectors. However, only a small percentage of corporate America focuses on security within their businesses. Corporate America has forgotten or not realized or could be in denial that the threat actors are also heavily investing in using artificial intelligence to launch attacks at speeds we have never seen before. These attacks are more complex and focused than ever. In a report by Security Intelligence, they reported that the emergence of Offensive Artificial Intelligence is coming or is here in my experience and that 88% of the decision-makers in the security industry believe that future attacks will be led by Offensive based Artificial Intelligence. Only about 5% of American companies are prepared for this type of offensive attack, and don’t let the “I’m in the cloud, so I am safe” thoughts cloud your judgment; you aren’t. I’m here to tell you if you have been told that your IT company or IT professional has the golden key, I’m just going to say it; they are lying to you.
A Deloitte study and Security Intelligence published Smart Cyber: How AI can help manage cyber risk? Refers to cyber risk as a spectrum; previous cyber threats and attacks were at the lower end simply because they mimicked human behavior but not our thought processes. Cybercriminals now moving into using full artificial intelligence models are seeing cyber-attacks mimicking human intelligence. Not just mimicking our behavior, repeating it, and anticipating it, but this is real learning intelligence that will learn unsupervised, communicate with other outside resources, including internet searches for problem-solving, and interact directly with humans without their knowledge.
When we talk about Cybersecurity, what are we talking about?
Most people, including technologists, think Cybersecurity is focused on your backend network infrastructure and hardware, which is part of it, but there is more to Cybersecurity than that.
- Critical Infrastructure Security, infrastructure in the IT world, is a tricky word. Still, in Cybersecurity, we are talking about electrical grids, water systems, traffic controls, and hospitals and 911 functions; within your business, we may be talking about accounting systems, hosted systems, remote or mobile workers, and other software.
- Application Security, users, and companies have become app crazy, there is an application for just about everything nowadays, including enterprise applications, locally loaded applications, and then there are SAAS (Software as a Service) applications. All these are prone to hackers, regardless of where or what they are loaded in the “Cloud” or on in-house systems.
- Network Security is your traditional Firewall, servers, routers, switches, permissions on workstations, laptops, and IP phones, anti-virus, web filtering, and email filtering, which are typically what network engineers focus on when they think of Cybersecurity.
- Cloud Security is where all the software solutions (SAAS) and hosting platforms such as Azure, M365, Amazon web services, and Google Cloud are; these solutions are typically paid for hosting and management platforms. However, most of these platforms offer basic security options; the management of security on these platforms remains the customer's responsibility.
- The Internet of Things (IoT) will exceed 530 billion dollars, are Alexa devices, Ring devices, gate openers, video cameras, and the list goes on and on. Many of these devices have found their way into the corporate world. So, they continue to pose new challenges and security risks to corporate networks.
- Securing the human, which is training the human to be security aware, identify spam and malware, and use common sense when using outside or public WIFI, human, continues to be the most significant risk, up to now, with the use of offensive artificial intelligence, which can think and act like a human, the risks are higher now than ever.
Offensive or Attack AI
Offensive or attack AI is one emerging threat you must start thinking about and getting ahead of how you will implement countermeasures for offensive artificial Intelligence. The historical manner of the layered security approach, which is a good baseline for prevention, will not match the emergence of Offensive AI. This doesn't mean abandoning the historical approach because it still has merit. After all, this is just another layer of the attack matrix, primarily launched by companies that focus on developing and coordinating large-scale ransomware attacks and state agencies.
An example of the layered historical approach would be:
- Firewall – This is your front-line defense, it keeps the bad guys at bay, but the threats change; firewalls have to be updated and patched on a routine basis and supported by another defense matrix, don’t rely solely on the Firewall to protect you.
- Enterprise and Server Anti-Malware / Web Filter Device – Barracuda makes an excellent anti-malware and web filtering device to control what and where your users are going on the Internet. However, remember you have many other access points, such as smartphones, tablets, and remote systems, that are vulnerable to attack.
- Anti-Virus and Malware Protections on the Workstations, all workstations, laptops, mobile devices, and cell phones should have anti-virus and malware protection.
- Strong password policies, more than 12 characters alphanumeric with special characters. The INST now says that if you use Two-Factor Authentication, once the user sets the password, you don't have to change it again. Studies show that if users are forced to change their passwords on a routine basis, they progressively get easier to crack, which is why it's better to have a strong password that doesn't change but uses two-factor authentication to verify user identity. However, this is where user education comes into play; if they get a request from your two-factor system that they were not expecting, don’t just approve; something is wrong.
- Email Archiving, I know this doesn't seem like a security thing, but for disgruntled employees, typically, the first thing they do is delete the email. Backups sometimes don't capture all the inbound and outbound traffic that an email archiver would. They are much easier and quicker for administrators to self-administrate and find historical or deleted emails.
- Then there is the standard stuff like automatically locking workstations in 30 minutes of inactivity and moving terminated users to inactive operating units with no rights. Use a VPN for remote access, do not use RDP for remote access. Securing the remote end, home workers need to be as secure at the corporate office.
How to Protect Yourself
How do you protect yourself against threats you don't know about? How do you design a security strategy based on something that is thinking like a human and learning on the fly? These are now the things that companies will start struggling with, and the viruses will continue to be more destructive and aggressive as time passes. What is the lifecycle of an offensive AI virus?
- The first step is Prediction, meaning the virus develops a predictive assumption based on previous data on how the human will act or react to certain conditions. These predictive assumptions can include reviewing keystroke activities, movement of your cell phone or mobile device utilizing GPS logging, the type of applications loaded, and known vulnerabilities within those applications. This is the first step in attack or Offensive AI learning you and your business processes; in most cases, you won’t know this is going on.
- The second phase of the lifecycle of an offensive AI virus is Generation, which is creating content that fits into a targeted distribution model; however, it goes at it with a realism that the human eye has trouble filtering. The generational growth would include intelligent password gatherings, such as screen scraping and dictionary matches. Generational growth would include traffic shaping to avoid filters and anti-virus software detection. The new phishing attacks, called deepfakes, are also part of the Generation growth stage, where the offensive AI will create a fake media event based on the predictive assumptions of the users and then present that to the users to enlist a reaction. This Generational phase is where the AI can interact directly with the end user to gather and create predictive behaviors. What makes them want to sign up for something? What makes them go to new websites? What makes them create accounts?
- The third phase of a lifecycle of an offensive AI virus is the analysis growth stage. This analysis stage is where the AI analyzes or mines data for insights into the normalized operations of a user or network traffic. Some of the analytics the Offensive AI is looking at are the countermeasures that you have in place. Countermeasures include anti-virus, intrusion detection software, end-user permissions, and local permissions to workstations. Knowing what it can and can't load is important because it needs to know how to load program artifacts that allow it to launch an attack once it has grown on your network to understand your topology and defenses. Keep in mind that these Offensive AI viruses can research and learn without human intervention, so they will search for their answers, probing and testing on their own based on the limitations of the countermeasures you have in place to remain undetected.
- The fourth stage is Retrieval, which is once the virus has successfully navigated your system and found what it is looking for, it might simply offload the data or launch a ransomware attack. The Retrieval stage is where you know you have been compromised, and now you are in a recovery phase, assuming that you are in a position of recovery or if you must negotiate with the threat actor.
Pre-Attack Signs
There are other pre-attack signs you need to be aware of that can help determine if you have been compromised before the attack. Many times, if you are going to fall victim to an attack, the threat actors have already penetrated your network, which could have been through an open port on your Firewall, an RDP session, a remote user, customer, or vendor being compromised, end user mistake, and the most popular is email. However, don’t rely on the current security standards to protect you and secure your business. Defensive artificial intelligence must be a part of the thought processes in countering offensive artificial intelligence attacks by identifying virus artifacts and virus behavior before they launch. Some of the other things to watch for and be proactive in blocking are:
- Lateral movement is when a system or network has been compromised; however, the threat actor is now looking for a manner to move around the network to explore the possibility of copying data to a centralized location for offloading. All these actions will leave artifacts that can be tracked, there is always something left behind, but in many cases, unless you are specifically looking for these artifacts, they will go undetected.
- Stopping lateral movement on your network comes in many steps. It starts with ensuring that users don’t have access to things on the network that do not directly relate to their job role. It would be best if you were most restrictive with your user permissions and access.
- Whitelist caution: when you allow free accounts, personal accounts, and websites that are not related to running your business, these could all be avenues to your system being compromised, regardless of the security processes you have in place. In today’s world and with the growing use of Offensive AI, whitelisting or using company networks and resources for personal use should be highly risky. Another key is to limit the country codes you allow users to browse or receive emails from; if you don’t do business in China, block that traffic.
- End-Point Security, traditional Anti-virus is not enough; a new generation of Anti-Virus is on the market, such as Sentinel One, which has lateral movement protections, SMB protections, and the ability to roll back workstations and laptops to last known good configurations. These functions are must-haves in the battle of artificial intelligence.
- Strong Password Management, Multifactor Authentication, and MFA come in many flavors; DUO is one of the leading MFA providers, it will work with Office 365 and Software as a Service (SaaS) programs, and it will protect users working locally or remotely. Passwords should be no less than 12 characters that are alphanumeric with special characters; however, if you are using MFA, once you set these, the industry standard says you don’t need to have routine password changes again.
- SMB attack is difficult to detect and track unless you are specifically looking for that traffic on your network. SMB stands for Server Message Block; it primarily operates on the Application and presentation layers of the network; however, it depends on the TCP/IP layers and NetBIOS layer to operate correctly. SMB allows your workstation to communicate with the server and other network resources; this layer allows you to share documents and connect to a remote machine.
- How do you prevent an SMB attack? The first thing to do is replace SMB1 with SMB 3.1.1 or higher. A firewall with advanced controls like Cisco Firepower can limit outbound SMB destinations, ensuring that end users are not going to known hacker-related sites. Microsoft has implemented the ability to perform UNC hardening, a method to force SMBs to utilize user-based or defined security versus server-defined security measures.
Next Steps
I have covered a lot so far, but the big question is, what can we do to protect ourselves with what we know now? I must admit; that I’ve been struggling with that question myself, it just seems like a daunting task that will never end. It’s not; there is too much money involved with ransomware and other system attacks, it will never end, and it will only continue to become harder to detect and recover. The damage they are willing to do now is just mind-blowing. The fact of the matter is that it is much harder to be in the defensive position than in the offensive position. In the defensive position, you must be able to anticipate what you don’t know is coming, learn quickly, and put countermeasures in place at a moment’s notice. You also must have a complete recovery process in place; if all else fails, included in that recovery process are the funds available to pay the threat actor if required.
With defensive AI, the system you choose does matter; most systems will do a great job of protecting you against known threats. However, to predict human behavior, you must have something that has the logic to analyze and normalize your historical traffic, then apply a process to identify activities that are not within the normalized patterns of your users and company. This type of learning and analysis is typically based on a much higher device level than you find in your historical antivirus software.
2022 has forced me to do a lot of research on artificial intelligence and the different providers out there, and there are so many good ones, so make sure you do your research. However, Winning Technologies has focused on three providers that can cover small and large businesses based on their specific needs and requirements. In no order, Arctic Wolf, Darktrace, and Mantix4 are all leaders in the Cyber Security Artificial Intelligence defensive market for small to large businesses. On the surface, it seems they are all very similar and have similar characteristics. However, based on your company's needs and your current security culture and status, each one of these providers offers a comprehensive solution that will improve your security posture and provide the expertise required for oversite, reporting, prevention, and recovery within your security model.
Having been in the technology business for more than 40 years and having designed over 2000 systems, small and large, performed over 500 technology audits, and managed tens of thousands of users, I thought there wasn’t much I hadn’t seen or been exposed to in my long career. However, the technology around attack artificial intelligence on businesses is an incredible new frontier catching businesses and IT professionals off guard and unprepared. Firewalls, Anti-virus, and other traditional security measures, including multi-Factor, are no match for attack artificial intelligence. It is time for us to evolve and change our thinking about where, who, and what the threats are and that a simple VPN is not enough to protect us any longer. It will take building a culture of security within your business by expanding how we train end users to protect our businesses; all the traditional stuff still applies. Still, the combination and layering of these approaches must be accomplished and expanded, including budgets for security.
By Scott M. Lewis, President / CEO Winning Technologies, Inc.
About the Author: Scott Lewis is the President and CEO of Winning Technologies Group of Companies, including Liberty One Software, Lingo Telcom, and XpressHost LLC. Scott has over 40 years of experience in the technology industry, managing systems as small as a few and as large as thousands of users. Scott is a nationally recognized speaker and author on technology subjects. Scott has worked with thousands of large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed over 2000 thousands of systems for large, medium, and small companies. Winning Technologies aims to work with companies to select, implement, manage, secure and support technology resources. If you are interested in Scott doing Security Awareness Training, Technology Auditing, Winning Technologies MSP services, or learning more about Arctic Wolf, Darktrace, or Mantix4. In that case, you can contact him at www.winningtech.com or call 877-379-8279.
