Harnessing AI to Proactively Thwart Threats

By using artificial intelligence to predict how an attacker would carry out their attack, we can deploy defenses and preemptively shut down vulnerable entry points.

Security teams can't protect what they don't know about. But it is not enough to know what is in the organization's environment. Defenders also need to put themselves in an adversary's shoes to understand which systems are likely to be targeted and how an attack would be carried out. Technologies such as attack surface management and attack path modeling give security teams visibility into which assets adversaries can see and how they might gain access.

With attack surface management, organizations continuously discover, classify, and monitor their IT infrastructure. Unlike asset management, which inventories everything the organization owns, attack surface management looks at the infrastructure from outside the organization to determine what is exposed and accessible. Since new assets are always being created and cloud infrastructure can be spun up dynamically, this inventory needs to be updated continuously or the organization will have gaps in its knowledge of its potential entry points, says Pieter Jansen, CEO of Cybersprint, which was acquired by Darktrace in February for $52.3 million (€47.5 million).

Cybersprint's attack surface management platform gives customers their own "hacker's lens" that they can use to determine where an attacker could strike next, Jansen says. Attack surface management goes beyond tracking Internet-accessible systems by considering how the assets are configured, what security controls are in place, and how the various tools and devices are connected.

Someone creating new infrastructure components within the DevOps environment may think they are working within the test environment, but an attacker doesn't care whether it is in testing or production. "It's an ideal way of getting in [to the organization's environment] early and to move to production systems," Jansen says.

Darktrace acquired Cybersprint for its external view of the organization's environment, says Jack Stockdale, CTO of Darktrace. Darktrace's artificial intelligence (AI) technology develops a comprehensive view of the organization's infrastructure, but it is an internal view, he says. Darktrace can see what the organization has within the IT environment (the network, email, cloud assets, and endpoints) as well as operational technology (OT). Bringing Cybersprint's external view into Darktrace's platform makes it possible to find more threats earlier.

"It's essential to put all those different areas into one platform" instead of maintaining individual silos of information, Stockdale says. "Trying to infer what's happening and stop attacks by looking at individual silos — we truly believe that is not the way to go."

A Shift to Proactive AI

Until now, Darktrace's self-learning AI technology has focused on detection and response, which means it is reactive, Stockdale notes. "Essentially, [the AI] sits there and waits for a problem," he says. Teaching the AI about the attacker shifts the balance, since the AI no longer has to wait for an attack before doing something about the organization's security.

This is where attack path modeling comes in.

Security teams are beginning to think about attack path analysis. For the past few years, Verizon's "Data Breach Investigations Report" (DBIR) has devoted a section to analyzing attack paths. Understanding the paths adversaries are likely to take helps security teams identify places they can add more controls or tools to stop the attack.

"Our job as defenders is to lengthen that attack path. Attackers tend to avoid longer attack chains because every additional step is a chance for the defender to prevent, detect, respond to, and recover from the breach," Verizon's researchers wrote.

Attack path modeling uses the existing view of the environment to determine the most likely and most effective paths attackers would take through the organization, Stockdale says. After identifying the key assets and people, as well as the organization's crown jewels, it is possible to use both the internal and external views to identify the likely path the attacker would follow to reach the crown jewels. After analyzing the path, it is possible to run a simulation to see what would happen in the case of an incident.

"What happens if ransomware was detected on a particular laptop or a particular type of compromise started in a particular environment? How will the attacker most likely move through [the] organization to cause the damage or to reach the crown jewels or to sell information?" he asks.

Attack path modeling is more than a red team exercise or a penetration test, Jansen notes, because it allows security teams to identify the most likely steps an attacker would take to compromise the organization. AI shines here because it can go down every path and evaluate every permutation of possible attacker scenarios. Human teams, in contrast, can run only a limited number of exercises.

Once they can see all the potential entry points, security teams can start testing defenses along those particular paths and determine whether additional resources are necessary. Perhaps they discover the four or five most likely routes an attacker could take from a compromised email account or system login. At that point, the team can deploy additional controls or defenses to make those paths infeasible for the attacker.
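The search described in the last few paragraphs, as an added example that is not Darktrace's or Cybersprint's code: a constructed asset graph (hypothetical host and account names) in which each hop carries the number of independent controls an attacker must defeat, a cheapest-path search that ranks the most likely routes from the Internet to the crown jewels, and two ways of lengthening the cheapest path, adding a control to a hop or segmenting it away entirely. The edge list, the costs and the control names are all assumptions made for the example.

```python
"""Attack path modeling on a constructed asset graph (example code).

Nodes are assets or identities. A directed edge src -> dst means an
attacker who controls src can reach dst; its weight is the number of
independent controls that must be defeated on that hop (0 = free hop,
e.g. a shared service account with no segmentation). The cheapest path
from an exposed entry point to the crown jewels is the "most likely"
route; adding controls raises its cost, which is what "lengthening the
attack path" means in practice.
"""
import heapq
from collections import defaultdict

# Constructed sample environment; names and weights are hypothetical.
EDGES = [
    ("internet", "test-web-01", 1),      # exposed dev/test host, weak creds
    ("internet", "vpn-gateway", 3),      # MFA + patched + rate limited
    ("internet", "mail-user-alice", 2),  # phishing: mail filter + awareness
    ("test-web-01", "ci-runner", 0),     # shared service account, no segmentation
    ("ci-runner", "prod-db", 1),         # CI deploys to prod; DB creds in env
    ("vpn-gateway", "file-server", 1),
    ("file-server", "prod-db", 2),
    ("mail-user-alice", "workstation-alice", 1),
    ("workstation-alice", "domain-admin", 2),
    ("domain-admin", "prod-db", 0),
]
ENTRY = "internet"
CROWN_JEWELS = "prod-db"


def build_graph(edges):
    """Adjacency list: node -> [(neighbour, cost), ...]."""
    graph = defaultdict(list)
    for src, dst, cost in edges:
        graph[src].append((dst, cost))
    return graph


def cheapest_path(graph, start, goal):
    """Dijkstra over control costs. Returns (cost, path) or (None, [])."""
    dist = {start: 0}
    prev = {}
    heap = [(0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        if node == goal:
            break
        for nxt, cost in graph.get(node, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    if goal not in dist:
        return None, []
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[goal], path[::-1]


def all_paths(graph, start, goal, limit=50):
    """Every simple path with its total cost, cheapest first (capped)."""
    found = []

    def dfs(node, cost, path, seen):
        if len(found) >= limit:
            return
        if node == goal:
            found.append((cost, list(path)))
            return
        for nxt, hop in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                path.append(nxt)
                dfs(nxt, cost + hop, path, seen)
                path.pop()
                seen.discard(nxt)

    dfs(start, 0, [start], {start})
    return sorted(found)


def add_control(edges, src, dst, extra):
    """New edge list with `extra` more controls on the src -> dst hop."""
    return [(s, d, w + extra if (s, d) == (src, dst) else w) for s, d, w in edges]


def remove_edge(edges, src, dst):
    """New edge list with the hop segmented away entirely."""
    return [(s, d, w) for s, d, w in edges if (s, d) != (src, dst)]


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for cost, path in all_paths(graph, ENTRY, CROWN_JEWELS):
        print(cost, " -> ".join(path))
    hardened = build_graph(add_control(EDGES, "test-web-01", "ci-runner", 3))
    print("after adding 3 controls:", cheapest_path(hardened, ENTRY, CROWN_JEWELS))
    segmented = build_graph(remove_edge(EDGES, "test-web-01", "ci-runner"))
    print("after segmentation:", cheapest_path(segmented, ENTRY, CROWN_JEWELS))
```

On this graph the cheapest route costs 2 and runs through the exposed test host and the CI runner, which is the dev/test entry point the text warns about. Putting three controls on the test-to-CI hop raises the cheapest cost to 5, at which point the phishing route becomes equally likely; cutting the hop moves the cheapest route to phishing entirely. Real environments have far more edges than a hand-written list, which is why the enumeration is capped and why the article argues for automating the search.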

Adding 'Prevent' to the Cybersecurity Loop

Darktrace's Cyber AI Research Centre has been working on ways to apply AI to attack path modeling for almost two years, Stockdale says. The research is now being incorporated into Darktrace's new product family, Darktrace Prevent, which will be generally available by the summer.

"We're now taking [attack path modeling] out of the research center and building it into our next set of products that will go to our customers," he says. Several customers in the early adopter program already have the new technology in their production environments.

Darktrace views security as a continuous loop in which the AI learns about the organization, identifies potential attack paths, and feeds those findings back into detection and response to harden the environment, Stockdale says. Eventually, the plan is for the AI to learn to heal the damage caused by attacks as well.

"When we talk to our customers, we tend to look at the areas where human beings are doing lots of repetitive work, or challenging work, that we think AI is a perfect fit for," Stockdale says. There are areas where AI can help make these teams more efficient or allow companies that don't have the resources to hire human teams to add security capabilities.

"Our vision moving forward is to be much more proactive," Stockdale says.