Leveraging AI to Reduce the Likelihood of a Cyber Security Attack
February 4, 2020
Before newscasts were overwhelmed by the global pandemic, it was common for a data breach or ransomware story to be featured on national news weekly; breach stories are easy to find, despite the best efforts of the cyber security community. Global spending on cybersecurity products and services exceeds $100B annually and is growing at near-double-digit rates. MIT reports that ransomware alone may have cost the US over $7B in 2019, while the average total cost of a data breach to the victimized organization is nearly $4MM. Clearly, protecting the endless store of electronic information on networks the world over from the legions of cyber criminals working to steal and exploit it is an ongoing challenge that will require the good guys to leverage any and all available technology. So, does AI have a role in this war? The short answer is: absolutely. The longer version requires some quick cyber security background.
Even the general public is aware of high-profile breaches like Equifax, Sony, Target, Yahoo, and, more recently in 2019, Facebook, Marriott, and Capital One. Of late, ransomware attacks have dominated the information security headlines, as Bitcoin has enabled cyber criminals to monetize their successful attacks with impunity. What is less apparent from popular press reports is the means by which bad actors penetrate these companies. In fact, most breaches are the result of one of two general attack techniques: 1) a phishing campaign, or 2) exploitation of a known software vulnerability.
Phishing is an attack technique in which thousands of emails, specifically designed to look like legitimate communications, are sent to the employees of the target organization. A phishing email either includes a link to a website designed to convince the victim to enter personal information or a password, or carries an attachment that, when clicked on, installs malicious software on the victim's computer. The other type of attack leverages software vulnerabilities: flaws that attackers can use to gain access to systems and data. Some software vulnerabilities are difficult to exploit and require significant expertise to take advantage of, while others are relatively simple to leverage for criminal activity. Given the complexity of a typical enterprise network and the number of software products used by a modern business, a network can have hundreds of thousands or even millions of vulnerabilities at any given time. Although, for obvious reasons, companies don’t publicly reveal the number of vulnerabilities on their networks, one recent news article revealed that Minnesota Blue Cross had over 200,000 severe or critical vulnerabilities on its network.
Most breach reports avoid revealing details of the attack, so it can be difficult to know how many breaches result from successful phishing and how many originate with the exploitation of a vulnerability, but respondents to a recent survey by the Ponemon Institute estimated that “60% of breaches in 2019 involved unpatched vulnerabilities.” On the surface, this would seem to be an unacceptable figure resulting from apathy or negligence, when “simply” patching vulnerabilities can close these security gaps and eliminate them as a source of attack. But experienced IT professionals know that patching - essentially installing newer versions of existing software - is not only time-consuming and resource-intensive but, more importantly, risky. Installing new software can break the system on which it runs, or adjacent systems, and even in the best case, business-critical systems must be deliberately taken offline for a period of time to install and test patches. Thus, patching is not the panacea it might appear to be to the uninitiated.
And this is where AI comes in. As we noted earlier, typical enterprise networks can have hundreds of thousands of vulnerabilities at any given time, so the goal of security and IT teams is to prioritize those vulnerabilities so that resource-intensive and risky patching efforts can be focused on the ones that pose the highest risk to the enterprise. Sorting through that many vulnerabilities manually is virtually impossible, especially at scale, but there are a number of ways AI can be deployed to automate the prioritization process.
One key factor in developing a useful prioritized list of vulnerabilities is whether or not the asset housing the vulnerability - e.g. a laptop, connected device, server or router - is unique in some way. Why? Because experienced hackers search for “outlier” assets on a network as prime targets for compromise. The best hackers know that unique assets can often be soft targets, and they are particularly attractive to bad actors in the early stages of an attack. But with thousands of assets on the typical enterprise network, it’s virtually impossible for the average IT analyst to identify outlier assets accurately. Here, AI - specifically machine learning - can be used to filter outlier assets from the thousands on the network. Vulnerabilities on assets identified as outliers are considered higher risk, and therefore higher priority, because those vulnerabilities are more likely to be exploited by experienced hackers drawn to the assets’ uniqueness. Moreover, once a hacker identifies an outlier asset and successfully exploits it, he or she then searches for assets similar to the one just compromised, in an effort to gather as much data and as many credentials as possible while expending the least effort. Thus, identifying these likely targets is a critical element of risk-ranking network vulnerabilities.
Not all assets on an enterprise network are created equal. Some servers or machines are more important to business operations than others: they might house particularly sensitive data or power applications essential to the day-to-day operation of the business. Vulnerabilities on these “business-critical” assets are often considered higher priority. However, manually identifying which assets are more critical than others is challenging. The sheer number of assets on a typical network makes the task difficult at best, and the constantly changing nature of the network and the organization compounds the difficulty. In this case, the patching and other behavior of the IT team can be collected and combined with machine learning to identify, over the course of a week or two, which assets in the organization consistently receive the most attention and are therefore the most likely to be business-critical. These conclusions can be drawn without tedious manual identification.
Another example of how AI can be leveraged to automate vulnerability prioritization is predicting whether or not a new vulnerability is likely to be exploited. New software vulnerabilities are discovered and published daily, and AI researchers have developed techniques to predict whether a newly discovered vulnerability is likely to be used by bad actors to attack networks. Many - in fact, most - vulnerabilities are never used to execute attacks, so knowing which ones are likely to be used and which aren’t is one factor in a meaningful prioritization analysis.
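To make the three factors concrete, here is an added Python example (not code from the article or from any product it alludes to) that combines outlier detection over asset features, business criticality inferred from the IT team's patch activity, and a per-vulnerability exploit likelihood into one risk-ranked list. The asset inventory, patch log lines and exploit probabilities are constructed sample data, the distance-based outlier score and the weighting formula are simple choices made here for illustration, and VULN-A/B/C are placeholder identifiers.

```python
"""Added example (not from the article): risk-rank vulnerabilities by the three factors the text describes."""
from collections import Counter
from math import sqrt

# Constructed asset inventory: host -> (open ports, installed packages, days since reboot).
ASSETS = {
    "ws-01": (3, 410, 12), "ws-02": (3, 405, 9), "ws-03": (4, 412, 15),
    "ws-04": (3, 408, 11), "db-01": (2, 950, 4), "db-02": (2, 940, 6),
    "legacy-scada": (14, 120, 900),  # the one asset unlike any other
}
# Constructed patch-activity log: what the IT team touched over the last few weeks.
PATCH_LOG = """2020-01-14 patched host=db-01 by=ops
2020-01-16 patched host=db-01 by=ops
2020-01-20 patched host=db-02 by=ops
2020-01-21 patched host=db-01 by=ops
2020-01-22 patched host=ws-02 by=helpdesk"""
# Constructed findings: (vuln id, host, CVSS score, exploit likelihood from a hypothetical model).
FINDINGS = [
    ("VULN-A", "ws-01", 9.8, 0.05), ("VULN-A", "legacy-scada", 9.8, 0.05),
    ("VULN-B", "db-01", 7.5, 0.60), ("VULN-C", "ws-03", 5.3, 0.90),
]

def dist(u, v):
    return sqrt(sum((x - y) ** 2 for x, y in zip(u, v)))

def outlier_scores(assets, k=2):
    """Mean distance to the k nearest assets, scaled to [0, 1]; rare profiles score near 1."""
    raw = {a: sum(sorted(dist(assets[a], assets[b]) for b in assets if b != a)[:k]) / k
           for a in assets}
    top = max(raw.values()) or 1.0  # an all-identical inventory would otherwise divide by zero
    return {a: v / top for a, v in raw.items()}

def criticality_scores(log):
    """Share of IT attention each host received, scaled to [0, 1]; unlogged hosts get 0."""
    counts = Counter(line.split("host=")[1].split()[0] for line in log.splitlines())
    top = max(counts.values())
    return {h: c / top for h, c in counts.items()}

def rank(findings, assets, log, w_outlier=1.0, w_critical=1.0):
    """Score = exploit likelihood x severity x (1 + weighted asset factors), highest first."""
    out, crit = outlier_scores(assets), criticality_scores(log)
    ranked = []
    for vid, host, cvss, p_exploit in findings:
        factor = 1 + w_outlier * out[host] + w_critical * crit.get(host, 0.0)
        ranked.append((round(p_exploit * (cvss / 10) * factor, 3), vid, host))
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    for score, vid, host in rank(FINDINGS, ASSETS, PATCH_LOG):
        print(f"{score:6.3f}  {vid:8s} {host}")
```

Note that the same flaw (VULN-A) ranks much higher on the one-of-a-kind SCADA host than on an ordinary workstation, and a medium-severity flaw that is likely to be exploited outranks a critical one that is not.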
These are just three examples of the dozens of factors that modern, AI-driven vulnerability prioritization solutions use to meaningfully prioritize the hundreds of thousands of vulnerabilities on enterprise networks. Without the power of AI, automating vulnerability prioritization would be impossible, and largely futile manual prioritization would be the only alternative, particularly as the number of assets on a network increases. Meaningful prioritization at scale is simply not feasible without AI. As the number of software products, and enterprise reliance on any number of business applications, grows, so too will the number of vulnerabilities. The only way to mitigate this monumental information security risk is to risk-rank all vulnerabilities continuously and to optimize patching efforts so that the most legitimately serious vulnerabilities are addressed first. Leveraging modern AI technology is the only way to accomplish this.