For many security teams, mature machine learning (ML) plays a critical role in defending against sophisticated cyber threats by analyzing attack strategies and frameworks. Once recognized, the underlying patterns discovered by ML can then be passed on to an artificial intelligence system (AI) to predict a cyber attacker’s next move.
With digital transformation continuing to make an impact across industries and organizations, cybercriminals have an expanded attack surface to work with. Digital transformation means progress, but it can also mean security gaps.
AI is often recognized for its ability to automate menial tasks, but its capabilities go far beyond that. Companies that invest in AI should be aiming higher, with goals that represent a proactive approach to cybersecurity. This includes deploying this technology as a means of discovering attacks before they occur, something that every organization could benefit from.
In the modern threat landscape, simply responding to cyberattacks using a purely reactive approach is not enough to effectively defend against today’s cyber threats. Instead, security teams must adopt a proactive approach to ensure they are doing everything they can to keep their assets safe.
One strategy that should not be underestimated is gathering threat intelligence and using this information to create defensive playbooks. Once they have gathered enough data to combine and correlate on their own, as part of an advanced threat intelligence feed, or even as part of an intelligence sharing consortium with other organizations, they can then use that data to look for known attack patterns using machine learning. Once an attack pattern is discovered, an AI system can then leverage those playbooks to predict the attacker’s next move – and even pinpoint the threat actors most likely to be behind the attack.
Blue team (defensive) and red team (adversarial) playbooks can also work off one another to form a winning strategy against present and future cyberattacks. By pairing AI with these playbooks, security teams can build an advanced, proactive protection framework that can not only respond in real-time to known threats, but also continue to evolve over time to provide more refined and granular responses even earlier in the attack cycle. The more these systems are used, the earlier they will be able to detect new threats, predict movements, intervene, and shut down all attack vectors in coordination with remote learning nodes across a network.
Similarly, the more organizations begin to share their incident response playbooks, the easier it will become for security teams across different organizations to defend against malicious cyberattacks. And due to their limited resources, unless a threat actor is state-sponsored, they will not be able to coordinate a response or find new vulnerabilities to exploit.
Despite still being in the early stages, headway is already being made in regard to playbooks. An example of this is the FortiGuard Labs playbook on Emotet as well as other playbooks from the team. Considering that this potent malware has been identified as one of the costliest and destructive of all time, the value of this level of analysis should not be underestimated.
The playbook shows how Emotet began life as a relatively simple Trojan, with an infection vector delivered via spam that contained a malicious download. It originally targeted a device and corrupted the registry as a means of evading detection. The most recent version, however, is much more sophisticated. For example, it can spread by inserting malicious emails into legitimate email threads to reduce the chance of detection.
Additionally, these emails include a ZIP file attachment with an infected Word document. FortiGuard Labs’ playbook describes how that Word document behaves, how the malware is dropped, how it exploits vulnerabilities, and how it evades detection. The playbook even lists other threat actors that have partnered with Emotet in its global spread. Overall, each of these factors plays an important role in helping to identify new instances of Emotet and stopping it before it spreads even further.
As threats become more sophisticated and more prevalent, sifting through enormous volumes of data will call for machine learning, the evolution of security playbooks, and the introduction of a much more proactive version of AI. Teams that want to keep up with the threats and stay proactive in their approach to security will need AI’s ability to quickly process data and act on the patterns it finds. By including this technology in their security strategy, IT teams can begin to leverage playbooks, which can be customized for their organizations, or even build their own, as a means of staying ahead of increasingly sophisticated and ever-evolving threats.
This is a summary of an article written for Threatpost by Derek Manky, Chief, Security Insights & Global Threat Alliances, FortiGuard Labs. The entire article can be accessed here.
Learn how FortiGuard Labs provides unmatched security and intelligence services using integrated AI systems.