Nowadays, artificial intelligence is something of a de facto standard. One would be hard-pressed to find an industry where AI or machine learning has found no application. AI projects are popping up everywhere -- from law to medicine, farming to the space industry.
Cybersecurity is no exception. As early as 2013, pioneer companies such as Cylance, Darktrace and Wallarm released AI-based cybersecurity products. Since then, the number of security startups using some sort of machine learning has grown year after year. These are cyber threat defenders armed with AI, but what about AI-powered attackers?
It would be foolish to assume that attackers and intruders would forgo such an effective tool as AI to make their exploits better and their attacks more intelligent. This is especially true now that it’s so easy to use so many machine learning technologies out of the box, leveraging open-source frameworks like TensorFlow, Torch or Caffe. Not being an attacker, I can still speculate what these AI-generated exploits might look like, when we can expect them to materialize and how we can protect ourselves from these threats.
We got our first glimpse of what AI-powered attacks would look like from DARPA’s Cyber Grand Challenge -- the world’s first all-machine cyber hacking tournament, which happened two years ago in 2016. That contest proved that it was possible to fully automate practical cybersecurity aspects like exploit generation, attack launch and patch generation processes. We can pinpoint this event as the beginning of the era of fully automated cybersecurity.
To understand how machine learning applies to cyberattacks, we need to understand the attack process a little better by formalizing it. I'll attempt to explain what happens from a technical perspective when we hear about a data breach. All the successful attacks that lead to data breaches can be divided into several stages that attackers must pass through to make the breach happen:
• vulnerability discovery
• exploitation
• post-exploitation (discovery and exploitation of other vulnerabilities inside)
• data theft
This is my own way to simplify the famous kill chain model. Let’s look at what happens at each stage to understand how AI can be applied there.
An attacker has to find some issue inside the system to break it. Primarily, there are two different ways to discover vulnerabilities: 1) check for known issues with known payloads and 2) generate new payloads by fuzzing to discover new issues. The first approach is as simple as following a checklist. The vulnerability tool, in this case, checks all the items one by one. The second one is more interesting. The attack tool tries to provoke unusual behavior, for example by putting unusual data in request fields to cause an abnormal response from the target service. This is where neural networks really shine. Artificial intelligence, trained on already discovered payloads for existing vulnerabilities, can suggest new payloads that have a better probability of discovering new issues.
This vulnerability discovery phase, in fact, looks pretty similar to picking a lock. At this phase, a thief would need to find the right pick from a set of different lockpicks. As I showed earlier, AI tools already can generate new types and variants of these lockpicks automatically.
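The two discovery approaches described above, shown as an added example that is not part of the original article and is meant for testing a handler you own before deployment. The `handle` function, its `LEN:DATA` field format, the checklist and the seed are all constructed for illustration; the mutations are deterministic rather than model-generated.

```python
# Added example: constructed handler and inputs, for testing your own code.
from typing import Iterator

def handle(field: str) -> int:
    """Constructed toy handler for a 'LEN:DATA' request field; returns a status code."""
    head, sep, body = field.partition(":")
    if not sep or not head.isdigit():
        return 400                      # malformed field is rejected cleanly
    declared = int(head)
    # Defect under test: the declared length is trusted, so a body shorter
    # than LEN raises IndexError instead of producing a 400.
    _ = [body[i] for i in range(declared)]
    return 200

def probe(payload: str) -> str:
    """Send one payload and classify the response; an unhandled exception is abnormal."""
    try:
        return "ok" if handle(payload) == 200 else "rejected"
    except Exception as exc:
        return "crash:" + type(exc).__name__

# Approach 1: a fixed checklist of known malformed inputs (constructed).
CHECKLIST = ["", "abc", "-1:abc", "x:abc", ":abc", "3 :abc"]

def checklist_scan() -> dict:
    """Return only the checklist items that produced an abnormal response."""
    return {p: probe(p) for p in CHECKLIST if probe(p).startswith("crash")}

# Approach 2: derive new inputs from a valid seed by deterministic mutation.
def mutate(seed: str, alphabet: str = "09:A") -> Iterator[str]:
    for i in range(len(seed)):
        yield seed[:i] + seed[i + 1:]               # delete one character
        yield seed[:i] + seed[i] + seed[i:]         # duplicate one character
        for ch in alphabet:
            yield seed[:i] + ch + seed[i + 1:]      # overwrite one character

def fuzz_scan(seed: str = "3:abc") -> dict:
    """Return the mutated inputs that produced an abnormal response."""
    return {m: probe(m) for m in mutate(seed) if probe(m).startswith("crash")}

if __name__ == "__main__":
    print("checklist findings:", checklist_scan())
    print("fuzz findings:", sorted(fuzz_scan()))
```

The checklist reports nothing because every listed input is rejected cleanly, while the mutated inputs expose the unchecked length; the fix is to compare the declared length with `len(body)` and return 400 on mismatch.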
At the exploitation phase, attackers apply all their knowledge and experience to gain access or cause another adverse impact by using a previously discovered vulnerability. This process can be automated by simply coding each particular exploit step by step for well-known issues. But what if the vulnerability was discovered for the first time? In this case, an attacker -- whether it be human or machine -- has to find the right way to generate an exploit to penetrate a particular system/application/infrastructure/environment configured in a particular way. AI can help, at this phase, to adapt an exploit for the particular environment faster than a human just because it can generate exploit variants and run them much faster.
In our lockpicking analogy, this phase is similar to opening the door. A thief would apply the proper lockpick the right way to open the door and come inside.
This process is often recursive. After exploiting the first issue and gaining some access because of the exploitation phase, an attacker would go deeper by discovering new issues and, in turn, exploiting them. This happens because any reasonably designed infrastructure is organized into separate isolated layers. By compromising one layer, an attacker will be able to repeat the same discovery -> exploitation -> post exploitation -> data theft phases for the new layer that was not accessible before.
This is the same as a thief in the real world who will find some new locks on safes after they get through the front door.
The paydirt part for attackers is the data-stealing phase of the attack. They find and download some sweet data like user emails and passwords, credit cards, SSNs, etc. Sometimes it's not so easy to steal a lot of data because of the amount and the number of outbound filters installed inside the victim's infrastructure. At the same time, data search and classification are important at this stage as well. And AI is historically good when it comes to searching.
Thieves would find the most valuable things and steal them first -- AI can also help them decide what to steal faster.
AI exploits are not only able to find new ways to discover vulnerabilities, but they can also identify which data is more important to a breach. And sooner rather than later they will be able to generate new ways to exploit these issues, unlike the present-day situation when they are able to speed up a step-by-step attack scenario defined by humans.

https://www.forbes.com/sites/forbestechcouncil/2018/03/22/how-ai-can-be-applied-to-cyberattacks/#709ec20d49e3