This blog is a summary of an article written by Fortinet’s Derek Manky that appeared as a byline article on the Threatpost website on December 7, 2018.
Many developers, along with professional threat researchers, employ a technique known as fuzzing that is designed to discover vulnerabilities in hardware and software interfaces and applications.
By injecting invalid, unexpected, or semi-random data into an interface or program, security engineers can then monitor them for unexpected events—such as crashes, undocumented jumps to debug routines, failing code assertions, and potential memory leaks. This technology helps developers and researchers find bugs and zero-day vulnerabilities that would be nearly impossible to discover otherwise.
Generally speaking, fuzzing tools tend to be custom-made, and because of this, only a tiny group of people have the expertise, time, and backend resources needed to develop and run them. Which is why their use by the criminal community tends to be limited.
Of course, the value of owning an unknown vulnerability for a zero-day exploit to target is high, but fortunately, the ROI for finding such things has been higher still. But all of that could quickly change.
AI Changes Everything
As machine learning models begin to be applied to fuzzing, however, this technique will very likely become available for the first time to a wider range of less-technical individuals, including the cybercriminal community. And as they learn how to leverage automated fuzzing programs augmented by machine learning, they will be able to accelerate the discovery of zero-day vulnerabilities.
This, in turn, will lead to an increase in zero-day attacks targeting programs and platforms, which will be a significant game changer for cybersecurity. By using Artificial Intelligence Fuzzing (AIF), malicious actors will be able to automatically mine software for zero-day exploits simply by pointing an AIF application at them, bypassing all of the technical skill needed for development and operation.
AIF attacks would have two phases: Discovery and Exploit.
· In the Discovery phase, the AIF tool would learn the patterns a target uses for structured data.
· In the Exploitation phase, the AIF tool would then inject intentionally designed, structured data into that software or interface, eventually forcing the target to break.
This constitutes discovering and exploiting vulnerability at the same time.
“In a landscape where a vast supply of zero-day attacks are [readily] available, even advanced tools designed to detect unknown threats, such as sandboxing, would be quickly overwhelmed.”
AIF Will Change the Cybercrime Economy
Cybercriminal economics depends on maximizing the ROI of the cybertools and malware being utilized. That’s why most attacks usually leverage malware already created elsewhere, usually only making minor modifications to evade detection. And they are also subject to the same skills gap the rest of the security industry is experiencing. The number of skilled criminals who can actually develop and deploy effective security is rare. Most are only moderately skilled copycats.
“By leveraging AIF, however, attackers will be able to increase the number and variety of available vulnerabilities and exploits at their command, including the ability to quickly produce zero-day exploits, and even provide for-hire services on the Dark Web, such as Zero-Day Mining-as-a-Service. The availability of such a service will require a complete change in how organizations approach security, because there’s no way to foresee where these zero-days are, nor how to properly defend against them. This is particularly true using the kinds of isolated, legacy security tools most organizations have deployed in their networks today.”
Once automated AIF tools fall into the hands of the criminal community, the security game will change for both the attacker and the target. To get ahead of this challenge, organizations will need to leverage automation, machine learning, and AI for themselves. Security will have to evolve from reactive to proactive to anticipate threats, constantly change strategies so it is difficult to pin down and personalize an attack, and deploy solutions such as deception and intent-based segmentation so that it’s no longer economically viable for adversaries to target your organization, regardless of the tools available to them.
Read the entire article, entitled “Using Fuzzing to Mine for Zero-Days,” on Threatpost.