Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/22/2017
02:00 PM
Mike Convertino
Mike Convertino
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Battle of the AIs: Don't Build a Better Box, Put Your Box in a Better Loop

Powered by big data and machine learning, next-gen attacks will include perpetual waves of malware, phishes, and false websites nearly indistinguishable from the real things. Here's how to prepare.

We've heard a lot about the fallout from last year's Shadow Brokers bombshells, particularly when it comes to previously unreleased exploits put into the wild. Those exploits include EternalBlue, which was weaponized into the WannaCry ransomware that wreaked havoc on the Internet.

However, the most damaging element wasn't necessarily the actual exploits. Yes, there has been an incredible amount of harm done, but it only foreshadows the real damage control the industry will be doing in the coming months and years.

Included in the information leaked by the Shadow Brokers, but not as widely understood, was a trove of information on the intelligence community's methodology for finding vulnerabilities and building exploits. Now that this has been exposed, security pros had better be prepared to weather continuous attacks by zero day exploits against any and all applications and platforms.

In the next 12 to 36 months, we're going to see hackers using these techniques to build the next generation of attacks. There will be perpetual storms of malware, click-free attacks, perfect lures — and much of it will be untraceable, with exploits becoming unique and essentially disposable.

Powered by big data, machine learning, and natural language processing engines, we'll see phishes and false websites that will be nearly indistinguishable from the real things. There won't just be new worms, but the equivalent of Web drive-by attacks extended to major services and even mobile platforms.

These attacks will be launched from command and control (C&C) networks that were never seen before and will never be seen again. Expect malware that is constantly evolving and never reused, or which contains so many new detections that traditional antivirus software can't handle it all.

As such, domain analysis for malware C&C networks will become an obsolete art. IP reputation filters will be useless. Information from intelligence providers will become less valuable.

Get Your Head out of the Gear and into the Analytics
To defend against this dizzying new reality, we need to produce new types of logs that are more behavior-based and do a better job of using automation to analyze and detect other outputs across the entire stack. Security professionals need to be thinking about how they're building their fully automated analytical loop instead of what a specific device is detecting.

 

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Essentially, today's gear represents a collection and input mechanism. It's a collector and an actuator. It's both an earphone and a switch. To defend against the attacks of tomorrow, we need to extend the power of that collection effort, and close the loop with machine learning logic that can correlate, corroborate, and take action appropriate to the server or device in question.

To do this, companies must first establish methods for collecting information from all layers. The way to defend goes back to TCP/IP and the Open Systems Interconnection (OSI) model, from the physical layer to the application layer and everything in between.

Improve Your Ability to Detect Anomalies and Close the Loop
There are multiple places to detect anomalies — end-user machines, network gear, firewalls and application-aware firewalls, servers. Output feeds about the behavior of the full stack on these devices must be collected from all these physical locations.

After establishing a collection methodology, it's time to get better at identifying anomalies, with the idea of creating an engine that will know the markers across all layers and devices.

Once those anomalies are understood, they must be fed into some kind of analytical system to be correlated. This allows for corroboration of what's happening at the different layers, enabling more assured detection.

Then there should be some logic that looks at what the anomaly is and where it is best to halt the activity with the least impact to operational processing. At this point, the system can decide where to stop the traffic and make a determination. And the answer may be: multiple places.

In other words, we're going to get to a point where the system doesn't just automatically detect something and corroborate it but goes beyond that to determine the best place to stop it and take action to close the loop.

Don't Be Afraid to Get Crafty
Yes, there's machine learning embedded in this process. Is it something you can build? Yes. Something you can buy? Not always. Notice that I called for the feeds to go to analytical system and not a SIEM. The concept is not fully fleshed out in the industry, though a lot of players are working on it, especially in the SIEM market. The next generation of security analysis capabilities will clean all the disparate inputs, normalize them so that they can be used for analysis, and allow us to compare information from all sources.

In the end, this process will combine and automate network and application security to an extent most organizations haven't experienced before. But to do so, companies will have to get really knowledgeable about what is happening in their network and what the blind spots are. We have to ask questions such as: Do I have anything that gives me visibility into what is happening at the session layer on a PC? To what extent do I have the stack in my PCs, servers, and network covered?

All this is imperative today. In this new era, companies who rely on block lists, human analysis, or end users being able to spot phishing emails are going to be completely exposed.

And the pace is about to change due to our adversaries' ability to generate new attacks in an automatic way. How do we fight off more automation on the bad guys' part? The answer is a massive push into automation and a clearer and speedier corroboration of data on ours.

Related Content:

Mike Convertino has nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17667
PUBLISHED: 2019-10-17
Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HTML injection via the Site Name (aka SiteName) field.
CVE-2019-17666
PUBLISHED: 2019-10-17
rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.
CVE-2019-17607
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php servername parameter.
CVE-2019-17608
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php dbname parameter.
CVE-2019-17609
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php dbusername parameter.