Unexpected attacks like the exploitation of the Log4j vulnerability underline for IT professionals how important it is to catch novel threats they know nothing about in advance. Because the flawed component was foundational to so many interconnected systems, tech teams had a hard time tracking down which assets were vulnerable. For an environment where even the most innocuous program element could become a threat, Max Heinemeyer, director of threat hunting at Darktrace, says that autonomous response can step in to counter suspicious behavior rather than suspicious code.
Self-learning artificial intelligence (AI) observes how a system typically works (what the normal traffic pattern is, what kind of files a server sends where, who the usual users are) and builds a profile of that healthy behavior. It then keeps monitoring the network to check that activity stays within that profile. When it detects something out of the ordinary, such as lateral movement, data exfiltration, or mass file encryption, the autonomous response system can shut down that specific behavior.
"So although we had never seen that kind of attack before, autonomous response stepped in and said, 'That device significantly deviates from its usual behavior. That server never does all of that stuff. We know what it normally does. So therefore we're going to put it in a box of known well behavior, what we've learned before,'" Heinemeyer says. "So ad hoc, autonomously, that decision was made on the fly based on the context to contain the attack while allowing normal business to continue just as normal."
Indeed, allowing normal business behavior to continue is an important piece of recovery. Part of the harmful effect of the Colonial Pipeline hack came from the company shutting down its digital and physical operations to avoid further damage. Heinemeyer says autonomous response can block just the new, suspicious behavior while allowing the previously learned well behavior to continue.
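The mechanism described above, a per-device "pattern of life" learned during a baseline period and then enforced so that only the new behavior is blocked, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not Darktrace's code and does not claim to reflect how its product works internally. The flow records, the internal address range, the list of lateral-movement ports, and the 5x volume threshold are all constructed assumptions for the example.

```python
"""Per-device 'pattern of life' baseline with selective containment.

Added illustration, not vendor code: learn what each device normally does
from constructed flow records, then allow flows that fit that profile and
block only the specific new behaviour rather than quarantining the device.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Assumptions for this example: one internal range, a short list of ports
# commonly used for lateral movement, and a volume ratio for exfiltration.
INTERNAL = ip_network("10.0.0.0/8")
LATERAL_PORTS = {22, 445, 3389, 5985}   # SSH, SMB, RDP, WinRM
EXFIL_FACTOR = 5                         # > 5x the learned per-flow max is anomalous

# Flow record: (src_ip, dst_ip, dst_port, bytes_out)
Flow = Tuple[str, str, int, int]


@dataclass
class Baseline:
    peers: Set[Tuple[str, int]] = field(default_factory=set)  # (dst_ip, dst_port) seen while learning
    max_bytes: int = 0                                         # largest single flow seen while learning


def learn_baseline(flows: List[Flow]) -> Dict[str, Baseline]:
    """Learning phase: record, per source device, who it talks to and how much."""
    baselines: Dict[str, Baseline] = defaultdict(Baseline)
    for src, dst, dport, nbytes in flows:
        b = baselines[src]
        b.peers.add((dst, dport))
        b.max_bytes = max(b.max_bytes, nbytes)
    return dict(baselines)


def evaluate(baselines: Dict[str, Baseline], flow: Flow) -> Tuple[str, str, Optional[dict]]:
    """Enforcement phase: return (verdict, reason, block_rule) for one flow.

    The block rule names only the offending (src, dst, port) triple, so every
    flow inside the learned profile keeps going while the new behaviour stops.
    """
    src, dst, dport, nbytes = flow
    rule = {"action": "block", "src": src, "dst": dst, "dport": dport}
    b = baselines.get(src)
    if b is None:
        return ("alert", "no learned baseline for device", None)
    known_peer = (dst, dport) in b.peers
    if known_peer and nbytes <= b.max_bytes * EXFIL_FACTOR:
        return ("allow", "within learned pattern of life", None)
    if known_peer:
        return ("block", f"volume {nbytes}B exceeds {EXFIL_FACTOR}x learned max {b.max_bytes}B", rule)
    if ip_address(dst) not in INTERNAL:
        return ("block", "new external destination (possible exfiltration)", rule)
    if dport in LATERAL_PORTS:
        return ("block", "new internal peer on lateral-movement port", rule)
    return ("alert", "new internal peer on low-risk port", None)


def contain(baselines: Dict[str, Baseline], flows: List[Flow]) -> List[dict]:
    """Run evaluate over a batch and return the block rules to push to enforcement."""
    rules = []
    for f in flows:
        _, _, rule = evaluate(baselines, f)
        if rule:
            rules.append(rule)
    return rules


# Constructed sample data: a web server (10.0.1.5) that normally talks to a
# database and a DNS resolver, then a batch of live flows after an intrusion.
LEARNING_FLOWS: List[Flow] = [
    ("10.0.1.5", "10.0.2.10", 3306, 20000),
    ("10.0.1.5", "10.0.2.10", 3306, 8000),
    ("10.0.1.5", "10.0.3.1", 53, 120),
]
LIVE_FLOWS: List[Flow] = [
    ("10.0.1.5", "10.0.2.10", 3306, 15000),      # normal DB query: allow
    ("10.0.1.5", "10.0.1.77", 445, 4000),        # SMB to a new host: lateral movement
    ("10.0.1.5", "203.0.113.9", 443, 900000),    # new external peer: exfiltration
    ("10.0.1.5", "10.0.2.10", 3306, 500000),     # known peer, 25x normal volume
    ("10.0.1.5", "10.0.1.80", 8080, 300),        # new peer, low-risk port: alert only
    ("10.0.9.9", "10.0.2.10", 3306, 100),        # device never baselined: alert only
]

if __name__ == "__main__":
    profile = learn_baseline(LEARNING_FLOWS)
    for f in LIVE_FLOWS:
        verdict, reason, _ = evaluate(profile, f)
        print(f"{verdict:5} {f[0]} -> {f[1]}:{f[2]} ({f[3]}B): {reason}")
    print("rules pushed:", contain(profile, LIVE_FLOWS))
```

The point to notice is the shape of the output: three narrow block rules, each naming one source, destination and port, and no rule touching the database or DNS traffic the server was learned to use. That is the difference between "put it in a box of known well behavior" and pulling the plug on the host. A real deployment would learn on far more dimensions (protocol, timing, payload size distributions, user identity) and would age the baseline so that legitimate change does not stay blocked forever.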
Cybersecurity tools tend to focus on detecting threats or preventing attacks, and fully stopping an attack ultimately requires remediation, such as removing the malicious code. But there is a window between the moment malware is detected and the moment the security team can remove it, Heinemeyer says, and that window is when ransomware can still be stopped, provided you move quickly enough.
"As you get toward the later stages of the kill chain — data exfiltration, impact, data encryption — that's where the time to action is really short," Heinemeyer says. "The time between detecting something possible and damage done is super short. Even the best security team in the world might see it through a good tool, but until they can get hands-on and click the 'quarantine' button or do something, the damage might be done."
Note: DR Technology is sponsored by Darktrace.