Most traditional security systems and products are built to address known threats. When they see and detect something malicious, they block it. Now, to get past these products that block known threats, attackers are forced to innovate and come up with something never seen before.
Not a problem.
Experts report stumbling upon 300k to 700k new infected files per day, meaning that it averages few millions (unknown) threats per week. It’s now impossible to create signatures for that volume of threats. Ant it’s a pain to keep updated lists of known threats without performance impacts: just think about your RAM & CPU, with a product that would have to play with millions of signatures…
This urgent risk faces us in 2020- unknown threats.
Microsoft kicked the new decade with a boom. The first patch of 2020 addressed a dangerous flaw in Crypt32.dll that would allow malicious hackers to spoof signatures. Dealing with malwares, offensive hackers could thus create unknown weapons, making them look normal, like an official product.
Let’s take time to analyze the space of unknown cybersecurity threats and make what we can out of them.
Why signature-based antivirus programs are only useful "yesterday"?
As explained previously, signature-based antivirus systems rely on traditional detection means to stop threats. Attackers have become more sophisticated.
As an example, known for decades, they can use Darwin’s principle of survivors, but for malware.
Hackers create one strain of malware and then generate forks of the initial one with specific variations. They pass these through signature-based antivirus programs in their secret offline lab. A lot of viruses sound the alarm. But many go undetected.
Then, attackers take the survivors and fork them with new variations. Many such iterations lead to viruses generated from a basic strain, that will survive too many antivirus programs. This Polymorphic hacking behavior is one way to defeat traditional antivirus programs. This is like Darwin’s principle of survival applied to generate strong malware!
Polymorphic stuff is not an urgent threat, but it’s interesting. This practice opens up two main paths for an attacker-
- They could create unknown threats that look like legitimate programs and are difficult to detect.
- Or, in a more sophisticated setting, they might not use weapons at all! How to rob a bank with no weapon? Tip: Guards have weapons inside the bank. Hackers could first secure their access (through a vulnerable remote VPN entry with a bad password, phishing, exploits, etc). Then, they avoid the use of malware to remain fully stealth. All the while, they try to upgrade their access rights with “privileges escalation”. Then, they have the official/legal weapons inside the infrastructure: the admin rights.
This understanding compels us to move beyond legacy antivirus systems and think about more modern ways of threat management.
Deep Learning and Deep Thinking for New-age Cybersecurity
Deep learning is one of the most advanced branches of artificial intelligence today. Deep learning science is like trying to learn the way the human brain does. Taking in all the data and instilling learning from it intuitively and automatically. Therefore, deep learning does not need human assistance in making sense of new data presented to it.
In that sense, deep learning improves upon machine learning which requires a cybersecurity expert and also leads to a high false-positive rate owing to its reliance on feature extractions.
With AI and deep learning, we can leverage a fully autonomous system capable of learning from raw data, beyond the limits of a cyber expert’s understanding.
Deep learning makes the case for autonomous and advanced cybersecurity arrangement with intuitive prevention, detection, and response.
Here’s when deep learning proves useful:
- Large training data – Massive threat datasets are at our disposal today with millions of samples. Deep learning algorithms can put this data to use effectively.
- Intrinsic decision boundaries – Payloads and protocols are complicated in their nature. Deep learning can help make use of the complexities of threats and identify all kinds of threats when trained right.
- GPUs – With more sophisticated processing equipment available, the cost of underlying technology was never lower. Deep learning can make it feasible for us to train and validate models in hours or even minutes.
For a better cybersecurity posture, companies now need to look at the intuitiveness in their platform, instead of the reactiveness.
"...In this sense, deep learning is more effective than machine learning..."
Organizations today are locked in an arms race with cyber attackers. Guess who has the upper hand. That’s right- cybercriminals. We are witnessing a skyrocket-growth in zero-day threats.
As security teams contend with the threats they know of, they are grappling with an ever-increasing attack surface. More mobile and IoT devices are making it harder for security experts to protect entry points within any business.
How can security experts make sense out of the many noises they receive from siloed traditional systems, deliver critical business services without slowdowns, and handle security incidents as they go?
Deep learning systems can be engaged when many mission-critical systems fight for prioritization. Deep learning makes it possible to engage in a holistic cybersecurity program instead of focusing on each device, endpoint, or piece of infrastructure individually.
Another key piece to this puzzle is behavior analysis.
We need to prioritize behavior analysis both on and offline. An employee acts weird. Confront them. An administrative user wants to access sensitive data at unusual hours. That should look like a red flag.
Deep learning can raise red flags where a human would let it pass.
If you are looking to straighten your cybersecurity posture with deep learning, robotic process automation and artificial intelligence, contact TEHTRIS. Let’s get rid of this Cyber Fog of War and adapt the posture to the reality.