[BreachExchange] 10 Cyber Attacks Machine Learning Can Help Prevent

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 6 15:46:06 EDT 2017


https://www.scmagazine.com/10-cyber-attacks-machine-
learning-can-help-prevent/article/688722/

Not even Cersei Lannister's scheming or Sir Jorah's father-like
protectiveness could have prevented attackers from breaching HBO's network
and stealing 1.5 terabytes of data (including unreleased Game of Thrones
episodes). Machine learning, however, may have offered a more sound defense
of HBO's virtual fortress.

Artificial intelligence (AI) and machine learning (ML) are the topics of
much debate, especially within the cybersecurity community. Is machine
learning the next big security frontier? Is AI ready to take on machine
learning-driven attacks? Is AI even ready for use, generally speaking? No
matter your conviction about whether machine learning is cybersecurity's
savior, two things remain true: There is a place for analytics in security,
and there are specific use cases where machine learning represents the best
answer we have today.

Despite reports of hackers' “sophisticated” intrusion methods, it is likely
the hacker or group of hackers who oh, so cleverly go by the moniker
“little.finger66” used a commonly seen attack vector to penetrate the
silver screen giant's system.

The following use cases are not exhaustive. They represent common security
threats that affect every business. Machine learning may or may not be
cybersecurity's panacea, but it can certainly help in these scenarios.

Use Case 1: Spear Phishing

Phishing campaigns are some of the most common and successful attack
vectors today. These attacks take advantage of individuals' familiarity
with communication tools like social media and email to send unwitting
recipients malicious content via attachment or link. The effectiveness of
this attack relies on the ability of attackers to mislead end users into
clicking or download malicious payloads and subsequently bypassing internal
controls. Current additions of destructive and ransomware payloads make
this attack even more serious.

Organizations can detect these threats by capturing metadata from emails,
without compromising users' privacy. By looking at email headers and a
subsampling of body data, machine learning algorithms can learn to identify
patterns that reveal malicious senders' emails. By extracting and labeling
these micro behaviors, we can train our models to detect if a phishing
attempt has occurred. Machine learning tools can build, over time, a graph
based on the trustworthiness of senders.

Use Case 2: Watering Hole

Built similarly to phishing attacks, watering holes appear to be legitimate
websites or web applications. However, these sites or apps are either real
and have been compromised, or they are fake sites or apps designed to lure
unsuspecting visitors into entering personal information. This attacks also
relies in part on the ability of attackers to mislead users and to
effectively serve exploits.

Machine learning can help organizations benchmark web application services
by analyzing data like path/directory traversal statistics. Algorithms that
learn with time can identify interactions that are common to those of
attackers or malicious websites and apps. Machine learning can also monitor
for behavior of rare or unusual redirect patterns to and from the site's
host, as well as referrer chains — all of which are typically risk
indicators.

Use Case 3: Lateral Movement

Rather than one specific type of attack, lateral movement attack vectors
represent an attacker's movement across a network as they look for
vulnerabilities and apply different techniques to exploit those
vulnerabilities. Lateral movement is particularly indicative of risk
escalation along the kill chain — an attacker's movement from
reconnaissance to data extraction — especially when attackers move from
low-level users' machines to those of more important personnel (who have
access to valuable data).

Network traffic input logs can tell you a lot about visitors' interactions
with a website. Machine learning-informed contextualization of this data
can offer a dynamic view of normal traffic data. With a better
understanding of typical traffic flow, algorithms can perform change-point
detection (i.e., they can identify instances when the probability
distribution of a given traffic pattern changes and becomes unlikely based
on “normal” traffic activity) to detect potential threats.

Use Case 4: Covert Channel Detection

Attackers using covert channels transfer information via channels that are
not intended for communication. Using covert channels allows attackers to
maintain control of compromised assets and to use tactics that allow for
the execution of attacks over time, undetected.

Attacks using covert channels often depend on visibility of all domains
across a given network. Machine learning technology can ingest and analyze
statistics about rare domains. With this information, security operations
teams can more easily work to cloud attackers' visibility. Without a
holistic view of the network they intend to attack, it becomes more
difficult for cybercriminals to keep their attacks moving forward along the
kill chain.

Use Case 5: Ransomware

Ransomware acts the way the name sounds. It is malware that wipes drives
and holds infected devices and machines ransom in exchange for the user's
encryption key. This form of cyberattack either holds the information until
a user gives up their key, or, in some cases, it threatens to publish the
user's personal information if they do not pay the ransom.

Ransomware presents a challenging use case because the attacks often leave
network activity logs with a dearth of evidence. Machine learning
technology can help security analysts track micro-behaviors associated with
ransomware, such as entropy statistics or processes that interact with the
entire file system in question. Organizations can focus machine learning
algorithms on the initial infection payload in an attempt to identify these
shards of evidence.

Use Case 6: Injection Attacks

The Open Web Application Security Project (OWASP) lists injection attacks
as the number one Most Critical Web Application Security Risk. (Note: The
current version of the OWASP Top-10 has been rejected, and the organization
has reopened a data call and survey for security professionals). Injection
attacks allow attackers to supply malicious input to a program. For
instance, attackers will input a line of code into a database that, when
accessed by the database, modifies or changes data on a website.

Database logs are another source of information that can help identify
potential attacks. Organizations can implement machine learning algorithms
to build statistical profiles of groups of database users. Over time, the
algorithms learn how these groups access individual applications in the
enterprise and learn to spot abnormalities in those access patterns.

Use Case 7: Reconnaissance

Before launching an attack, hackers perform extensive reconnaissance on a
target or group of targets. Reconnaissance includes probing networks for
vulnerabilities. Attackers will conduct recon at the perimeter of a network
or within the local-area network (LAN). Typical reconnaissance detection
involves signature-matching technology that hunts through network activity
logs for repeated patterns that might represent malicious behavior.
However, signature-based detection will often set off a string of noisy,
false alarms.

Machine learning can be a proverbial compass for the topology of network
data. Trained algorithms can develop a graph of this topology to identify
the spread of new patterns more quickly than signature-based methods.
Implementing machine learning also reduces the amount of false positives,
allowing security analysts to spend time addressing the alarms that
actually matter.

Use Case 8: Webshell

Webshells, as defined by the United States Computer Emergency Readiness
Team (US-CERT), are “script[s] that can be uploaded to a web server to
enable remote administration of the machine.” Via remote administration,
attackers can initiate processes like database data dumps, file transfers,
and malicious software installation.

Targets of webshell-using attackers are often backend eCommerce platforms,
through which attackers target shoppers' personal information. Machine
learning algorithms can focus on statistics of normal shopping cart
activity then help identify outliers or behaviors that shouldn't be
occurring with such frequency.

Use Case 9: Credential Theft

A few high-profile attacks, including virtual private network (VPN)
compromises, have been the result of credential theft. Credential theft is
often accomplished using tactics, such as phishing or watering holes,
whereby attackers extract login credentials from victims in an attempt to
access sensitive information an organization maintains.

Internet users — consumers — often leave behind login patterns. Websites
and applications can track locations and login times. Machine learning
technology can track those patterns and the data that comprises those
patterns to learn about what sort of user behavior is normal, and that
which represents potentially harmful activity.

Use Case 10: Remote Exploitation

Finally, many attack patterns utilize remote exploitation. These attacks
often operate via a series of malicious events that target a system to
identify vulnerabilities then deliver a payload (like malicious code) to
exploit the vulnerability. Once the attack drops the payload, it executes
code within the system.

Machine Learning can analyze system behavior and identify instances in
which sequential behavior does not correlate with typical network behavior.
Algorithms that have learned over time can then alert security analysts
about the expected delivery of an exploitation payload.

The Discussion Doesn't End With Machine Learning, but It Should Start With
It

Accurate cybersecurity analytics systems must be the cornerstone of modern
security operations centers. But, developing accurate analytics is
impossible without data samples. Security teams that adopt a machine
learning mentality, as well as implement machine learning technology, can
more quickly address the various types of attacks discussed above. Machine
learning, or any technology for that matter, will never be the end-all and
be-all of any industry. It does offer an alternative, open-source
philosophy to identifying and dealing with cyberattacks that can improve
upon many of the methods currently used today.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171006/fcd9f5cd/attachment.html>


More information about the BreachExchange mailing list