30 December 2019

Combining AI and Playbooks to Predict Cyberattacks

Derek Manky

Mature machine learning can analyze attack strategies and look for underlying patterns that the AI system can use to predict an attacker’s next move.

When organizations invest in AI, they are not only able to automate menial tasks like patching, but they can also create an automated system that looks for and discovers attacks, not only after the fact, but even before they occur. This predictive capability becomes increasingly necessary as cybercriminals get better at exploiting the expanding attack surface and the security gaps resulting from digital transformation efforts.

In the future, predicting cybercriminal methods will develop even further by marrying statistical analysis and machine learning. Organizations will be able to develop customized playbooks tied to their AI that dramatically enhance threat detection and response. Blue team (defensive) playbooks will predict tactics and map out responses to specific threats, drawing on red team (adversarial) playbooks that are built and updated from collected data profiling the unique attack patterns and strategies of different malware variants and cybercriminals.


IT teams can start by creating defensive playbooks that combine and correlate threat intelligence gathered from a variety of sources with local data, or by leveraging playbooks created for this purpose by threat intelligence teams. This analysis can be extremely helpful for predictive mitigation. Eventually, more mature machine learning can be applied to analyze attack strategies and techniques for underlying patterns; the AI system can then use those patterns to forecast where the next attack is likely to occur, predict an attacker's next move, and even determine which threat actors are most likely to blame. Defensive playbooks can then be developed to establish response protocols and even automate responses once an attack's cyber-fingerprint has been identified.
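To make that idea concrete, here is a minimal sketch, in Python, of what such a defensive playbook might look like in code: a known attack fingerprint (an ordered set of MITRE ATT&CK-style technique IDs) mapped to an automated response protocol. The technique IDs, threat names, and response actions are purely illustrative, not taken from any actual playbook.

```python
# Minimal sketch: a blue-team playbook that maps an attack "fingerprint"
# (an observed sequence of ATT&CK-style technique IDs) to automated responses.
# All identifiers below are illustrative assumptions, not real playbook data.

from dataclasses import dataclass, field


@dataclass
class PlaybookEntry:
    threat_name: str                     # e.g. a malware family or actor profile
    fingerprint: tuple[str, ...]         # ordered technique IDs that identify the threat
    responses: list[str] = field(default_factory=list)  # response protocol to trigger


PLAYBOOK = [
    PlaybookEntry(
        threat_name="Example banking trojan",
        fingerprint=("T1566", "T1204", "T1547"),   # phishing -> user execution -> persistence
        responses=["quarantine_host", "block_sender_domain", "alert_soc"],
    ),
]


def match_fingerprint(observed: list[str]) -> PlaybookEntry | None:
    """Return the first entry whose fingerprint appears, in order, within the observed events."""
    for entry in PLAYBOOK:
        events = iter(observed)
        # Ordered-subsequence match: each fingerprint step must appear after the previous one.
        if all(step in events for step in entry.fingerprint):
            return entry
    return None


if __name__ == "__main__":
    hit = match_fingerprint(["T1566", "T1204", "T1059", "T1547"])
    if hit:
        print(f"Matched {hit.threat_name}; triggering: {', '.join(hit.responses)}")
```

In practice the response actions would call out to orchestration tooling rather than print a message, but the structure, fingerprint in, response protocol out, is the point.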

Some organizations have already begun conducting statistical analysis of attacks using the MITRE ATT&CK framework to collect tactical sequencing. That way, when an adversary breaches a network, the attack strategy can be identified. Based on statistical probabilities, IT teams can then predict the attacker's first and subsequent moves with a growing degree of certainty as data maps are refined over time. IT response teams can plot these attack behaviors like a heat map, using probabilities to anticipate the path of an attacker's movements before they even occur.
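As a rough illustration of that statistical approach, the sketch below builds a simple first-order transition model over ATT&CK-style tactic sequences and uses the resulting probabilities to rank an adversary's most likely next move. The incident data is invented for the example; a real model would be trained on sequencing collected from actual intrusions.

```python
# Minimal sketch: count tactic-to-tactic transitions observed across past incidents,
# then use the resulting probabilities to predict an attacker's most likely next move.
# The incident sequences below are made-up illustrations.

from collections import Counter, defaultdict

observed_incidents = [
    ["initial-access", "execution", "persistence", "lateral-movement", "exfiltration"],
    ["initial-access", "execution", "defense-evasion", "lateral-movement", "exfiltration"],
    ["initial-access", "execution", "persistence", "command-and-control"],
]

# Build a first-order transition model (a simple Markov chain over tactics).
transitions = defaultdict(Counter)
for incident in observed_incidents:
    for current, nxt in zip(incident, incident[1:]):
        transitions[current][nxt] += 1


def predict_next(tactic: str):
    """Return (next_tactic, probability) pairs, most likely first - a 'heat map' of likely moves."""
    counts = transitions[tactic]
    total = sum(counts.values())
    return [(t, c / total) for t, c in counts.most_common()]


print(predict_next("execution"))
# In this toy data set, persistence is roughly twice as likely as defense-evasion after execution.
```

Refining the model is simply a matter of feeding it more sequenced incidents, which is why the predictions sharpen as the data maps grow.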

Once organizations include this data in a distributed AI learning system, not only will remote learning nodes – AI components distributed across the enterprise – be able to provide advanced, proactive protection, but the data they collect can be added to the central threat database to refine the AI system even further. This iterative process will not only enable an AI system and its autonomous nodes to identify threats in the very early stages of an attack, but also to predict movements, proactively intervene, and eventually work with other nodes to simultaneously shut down all attack vectors.
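The sketch below shows that feedback loop in miniature: local nodes tally the attack transitions they observe, and a central threat database merges those tallies into a shared model that can be pushed back out to every node. The class and method names are illustrative only and do not refer to any particular product's API.

```python
# Minimal sketch of the distributed learning loop: local nodes observe, a central
# threat database aggregates, and the refined model benefits every node.
# All names here are illustrative assumptions.

from collections import Counter, defaultdict


class LocalNode:
    """An AI component deployed somewhere in the enterprise that records what it sees."""

    def __init__(self, name: str):
        self.name = name
        self.local_counts = defaultdict(Counter)   # tactic -> Counter of observed next tactics

    def observe(self, sequence: list[str]) -> None:
        for current, nxt in zip(sequence, sequence[1:]):
            self.local_counts[current][nxt] += 1


class CentralThreatDB:
    """The shared store that folds every node's observations into one refined model."""

    def __init__(self):
        self.global_counts = defaultdict(Counter)

    def merge(self, node: LocalNode) -> None:
        for tactic, counter in node.local_counts.items():
            self.global_counts[tactic].update(counter)

    def snapshot(self) -> dict:
        """The refined global model, ready to redistribute to nodes for proactive protection."""
        return {tactic: dict(counter) for tactic, counter in self.global_counts.items()}


# Usage: two nodes see different slices of the same campaign; the merged view is richer than either.
central = CentralThreatDB()
branch, datacenter = LocalNode("branch-office"), LocalNode("datacenter")
branch.observe(["initial-access", "execution", "persistence"])
datacenter.observe(["execution", "lateral-movement", "exfiltration"])
for node in (branch, datacenter):
    central.merge(node)
print(central.snapshot())
```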

Of course, achieving all of this is still some way off; predictive mitigation, however, is the holy grail. The trick will be in gathering the right kinds of information, establishing standards so this data can be shared and correlated between organizations, and tying it back to response models. While we are in the earliest stages of this process, plans are beginning to take shape, and highly supervised models should emerge over the next few years.

Once we get further down this road, however, this sort of sophisticated approach to the growing threat landscape will significantly reset the playing field, giving legitimate organizations a real advantage in the ongoing cyber-war for the first time. The fact is, malicious actors simply do not have the resources to develop a response to such an intelligent, coordinated defense, and as these profiles are shared between organizations, they will have a hard time finding another avenue of attack.
A Playbook Example: Emotet

Playbooks are currently in their very early stages, but significant progress is being made. FortiGuard Labs, for example, recently released a playbook on Emotet, a highly active malware strain that began as a banking trojan but has evolved into what the U.S. Department of Homeland Security has identified as “among the most costly and destructive malware affecting state, local, tribal and territorial (SLTT) governments, and the private and public sectors.” This new Emotet playbook shows how the analysis of a specific attack campaign can provide critical context for an attack and how it has changed over time.

Emotet’s original infection vector was simple – it was delivered via social-engineering techniques, such as malspam, with a link to a malicious download. The resulting download contained two payloads. One was a configuration file that contained a list of predetermined banks. The other was a DLL file that could be injected into various processes to intercept outbound network traffic, as well as gather details within a web browser.

In its first version, Emotet targeted a device and modified its registry; it continues to do so as a method of evasion, encrypting any exfiltrated data and storing it in the registry. Not only is this method highly effective at thwarting discovery, it also allows the attackers to persist on a compromised device because finding any indicators of compromise is so difficult. As a result, Emotet has now gained the serious attention of the antivirus industry, law enforcement and researchers alike for its ability to simultaneously include multiple malware families in its distribution syndicate. All of this information can be captured in a playbook that can then be fed into an AI system to develop a cyber-fingerprint of the Emotet attack strategy, allowing a defense system to identify it in the early stages of an attack and effectively intervene because its next steps, where and how it will breach a network, are already understood.
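As a rough illustration, the sketch below distills a few of the Emotet behaviors described in this article into a simple machine-readable fingerprint and flags a host as soon as enough of that fingerprint is visible, rather than waiting for the full attack chain to play out. The field names and behavior labels are simplified paraphrases for the example, not actual FortiGuard playbook fields.

```python
# Minimal sketch: turn playbook details into a "cyber-fingerprint" and match it
# against live telemetry early in the attack. Behavior labels are illustrative
# paraphrases of the Emotet traits described above, not official playbook fields.

EMOTET_FINGERPRINT = {
    "name": "Emotet (illustrative profile)",
    "behaviors": [
        "malspam_link_delivery",       # social-engineering email with a malicious download
        "dll_process_injection",       # DLL injected into processes to intercept traffic
        "registry_encrypted_storage",  # exfiltrated data encrypted and stashed in the registry
    ],
    "min_matches": 2,   # intervene once a partial match is seen, before the chain completes
}


def early_detect(observed_behaviors: set[str], fingerprint: dict) -> bool:
    """Flag the threat once enough of its fingerprint is visible in telemetry."""
    hits = sum(1 for behavior in fingerprint["behaviors"] if behavior in observed_behaviors)
    return hits >= fingerprint["min_matches"]


# Usage: only two of the three behaviors have been observed, but that is already enough to act.
telemetry = {"malspam_link_delivery", "dll_process_injection"}
if early_detect(telemetry, EMOTET_FINGERPRINT):
    print("Emotet-like fingerprint detected - triggering response playbook")
```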

The latest variant of Emotet, for instance, is spread via automated social engineering techniques, primarily through email. As previously reported by several vendors, Emotet hijacks and inserts malicious email into legitimate email threads to appear more trustworthy to the recipient. The playbook goes on to describe how a ZIP file attachment in these emails contains an infected Word document. It then gives detailed information as to how the infected document behaves and what actions it takes, including the specific file names and locations it acts on.

The playbook also documents some of Emotet's unique characteristics, such as how its malware is dropped, which processes it uses to exploit device vulnerabilities, and how it manipulates the registry to evade detection. It then concludes with details about Emotet's global spread, including the places where it has been most prevalent and the other threat actors it has partnered with. Additionally, this single campaign uses over a dozen command-and-control servers located around the world. All of these details provide valuable information for identifying and stopping it in the future.
AI-Powered Security

Of course, this is just one of countless evolving attacks that IT security teams need to be aware of. But AI excels at quickly processing and sifting through mountains of data to identify and act on patterns. As the volume and variety of threats continue to be documented, and as much of that process is taken over by machine learning, organizations that implement AI and automation will be able to significantly enhance threat detection and response. And because this is a continuous cycle, organizations that build AI into their security strategy can not only use but also create customized playbooks, giving them the detailed information they need to stay ahead of cybercriminals.
