Like any other shrewd businesspeople, cyber-criminals work with many of the same financial models as the organizations they seek to exploit: reduce risk and exposure while maximizing profitability. Attack techniques are evaluated not only in terms of their effectiveness, but also in terms of the overhead required to develop, modify, and deploy them.
To better defend themselves, organizations are adopting AI and machine learning to automate tedious and time-consuming activities that would otherwise require close human supervision and intervention. The goal is to increase visibility, shorten response time, and accelerate critical security functions such as threat detection and response.
As these newer defensive strategies are implemented, they disrupt the basic economic and ROI models of cyber-criminals. In response, the cyber-criminal community continues to adjust and accelerate its development efforts, following the trends I recently discussed in my Threat Landscape Predictions for 2019.
Four Emerging Security Threats
The evolution of zero-days: The rapidly growing variety and number of vulnerabilities and exploits is likely to be augmented by the ability to produce zero-day exploits quickly and to offer them as a service. Making traditionally rare and highly effective attack vectors such as zero-days more widely available will radically change the types and costs of services available on the dark web.
It will also change how organizations need to approach security, because there is currently no way to anticipate where these zero-days will surface, nor how to defend against them with the isolated, legacy network security tools most organizations have in place today.
Zero-day exploits have so far been expensive, primarily because of the time, effort, and expertise involved in uncovering them. By applying AI and machine learning to the process, such exploits will shift from being extremely rare to becoming a commodity. We have already seen the commoditization of more traditional exploits, and the resulting spike in attacks has already pushed many network security tools to their limits.
Zero-days plus AI: Zero-day vulnerabilities are a favorite of attackers because, by definition, no patch or detection signature exists for them yet. However, as noted above, discovering and exploiting them has so far taken too much time and expertise. This will change as AI and machine learning (ML) are combined with the technique known as “fuzzing” to discover zero-day vulnerabilities, and build exploits for them, more quickly.
Fuzzing feeds a program large volumes of malformed or semi-random input and watches for crashes, hangs, and other misbehavior that point to an exploitable flaw. It has traditionally been a sophisticated technique confined to lab environments, used by professional threat researchers with specialized skills to discover vulnerabilities in hardware and software interfaces and applications.
As a result, using fuzzing to discover zero-day vulnerabilities has traditionally been beyond the reach of most cyber-criminals. As ML models are applied to the process, however, it will become more efficient, and more accessible to attackers.
Fortinet predicts that cyber-criminals will begin to leverage machine learning to develop automated fuzzing programs that accelerate the discovery of zero-day vulnerabilities, leading to an increase in these attacks. Once that capability is in place, we also expect zero-day mining-as-a-service to be offered by the cybercrime economy, a development that will change how organizations need to approach security.
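To make concrete what the fuzzing loop described above actually does, here is a minimal coverage-guided mutation fuzzer in Python. It is an added illustration, not code from the original post or from Fortinet: the `FZ` record format, the `parse_records` parser, the `cov()` instrumentation, the planted missing bounds check and the seed input are all constructed for this example. The same loop is run against the vulnerable parser and against a hardened variant to show that the first yields a reproducer and the second does not.

```python
"""Minimal coverage-guided mutation fuzzer against a toy record parser.
Added example, not Fortinet code: format, parser, instrumentation and the
planted bug are all constructed for this illustration."""
import random

# Coverage sink: the target calls cov() at each branch it reaches, standing in
# for the compiler instrumentation real fuzzers (AFL, libFuzzer) rely on.
coverage = set()


def cov(point):
    coverage.add(point)


MAGIC = b"FZ"          # constructed 2-byte file signature
TABLE_SLOTS = 16       # constructed fixed-size record table


def parse_records(data: bytes, check_bounds: bool = False) -> list:
    """Parse: MAGIC, 1-byte record count, then count x [type][len][payload].
    With check_bounds=False the record type indexes a fixed table without a
    range check, so type >= TABLE_SLOTS raises IndexError, the Python stand-in
    for an out-of-bounds write. check_bounds=True is the hardened version."""
    table = [None] * TABLE_SLOTS
    if len(data) < 3 or data[:2] != MAGIC:
        cov("bad_magic")
        return []
    cov("magic_ok")
    count, pos = data[2], 3
    for _ in range(count):
        if pos + 2 > len(data):
            cov("truncated_header")
            break
        rtype, rlen = data[pos], data[pos + 1]
        pos += 2
        payload = data[pos:pos + rlen]
        if len(payload) < rlen:
            cov("truncated_payload")
            break
        pos += rlen
        if check_bounds and rtype >= TABLE_SLOTS:
            cov("rejected_type")
            break
        cov(("record", rlen // 32))   # coarse bucket keeps the coverage map small
        table[rtype] = payload        # BUG unless check_bounds: rtype never range-checked
    return [p for p in table if p is not None]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, interesting byte, insert, or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([0, 1, 0x7F, 0x80, 0xFF, rng.randrange(256)])
    elif op == 2:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    elif len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def run(target, data):
    """Execute the target once; return (coverage reached, exception or None)."""
    coverage.clear()
    try:
        target(data)
        return set(coverage), None
    except Exception as exc:          # any uncaught exception counts as a crash
        return set(coverage), exc


def fuzz(target, seeds, iterations=5000, seed=1):
    """Coverage-guided loop: mutate a corpus entry, keep it if it reaches new
    coverage, and record the first reproducer for each distinct crash type."""
    rng = random.Random(seed)
    corpus, seen, crashes = list(seeds), set(), {}
    for s in corpus:
        seen |= run(target, s)[0]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        reached, exc = run(target, candidate)
        if exc is not None:
            crashes.setdefault(type(exc).__name__, candidate)
        elif not reached <= seen:
            seen |= reached
            corpus.append(candidate)
    return crashes, corpus


# Constructed valid seed: magic, one record of type 3 with payload b"ab".
SEEDS = [b"FZ\x01\x03\x02ab"]


def hardened(data):
    return parse_records(data, check_bounds=True)


if __name__ == "__main__":
    crashes, corpus = fuzz(parse_records, SEEDS)
    print("vulnerable parser: crash types", list(crashes), "corpus size", len(corpus))
    for name, reproducer in crashes.items():
        print(f"  {name}: {reproducer!r}")
    print("hardened parser: crash types", list(fuzz(hardened, SEEDS)[0]))
```

Two things in this loop are what make fuzzing effective and expensive at scale: the feedback step (an input is only kept if it reaches code the corpus has not reached before, so the campaign walks deeper into the parser instead of wasting cycles on inputs rejected at the magic check) and the triage step (crashes are deduplicated by type, so a human only has to look at one reproducer per distinct failure). Those are the same two steps that the automated, ML-assisted fuzzing predicted above would aim to speed up; the hardened variant shows that a single range check is enough to make this particular campaign come back empty.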
Combined dangers: Combining these threats with previous predictions about organized swarms of autonomous, self-learning bots will take cybercrime to a whole new level. Rather than waiting for a fuzzing-as-a-service provider to discover a requested exploit, combining AI with the distributed processing power and learning potential of swarm-based attacks means that zero-day and other exploits could be discovered and used in real time.
Wild threats: The final threat in the progression will be the development of an AI-based fuzzing solution added to a swarmbot that cyber-criminals could simply launch into the wild unsupervised. The potential havoc and disruption resulting from such an event could be severe.
Ending the Arms Race
These predictions, which intersect technology development patterns with the economic models of cyber-criminals, are the natural result of an ongoing arms race between cyber-criminals and defenders.
At the end of the day, the evolution of cybercrime is really about what is best for business. Professional cybercrime organizations choose targets based on risk/reward and ROI strategies. Because most cyber-criminals follow the path of least resistance, they target the most accessible networks and choose development strategies that combine the greatest potential for profit with the lowest cost to update and maintain.
As cybersecurity strategies become more innovative and effective through the application of AI and ML, criminals will apply the same technologies to adjust their own tools with minimal effort and to reduce the time needed to monitor and manage live exploits.
Rather than engaging in this perpetual arms race, organizations will need to leverage the power of AI and automation to better anticipate threats and combat the economic motivations of cyber-criminals to force them back to the drawing board.
This can only be achieved by combining technology advances with threat information collected through open collaboration between industries, cybersecurity vendors and professionals, and law enforcement. Organizations can then apply behavioral analysis to this data to identify attack patterns, and incorporate that intelligence into an automated system that provides broad protection and visibility across every network segment, from IoT to multi-cloud.
Given the scope of the potential threat in front of us, the only viable recourse for organizations is to integrate AI directly into security solutions to enable a distributed framework of sensors and security solutions that can then work together to analyze behaviors, detect changes, and apply a coordinated response—including dynamically provisioning segmentation and micro-segmentation to keep critical data isolated.