What is self-learning AI and how does it tackle ransomware? • The Register
Sponsored There used to be two certainties in life – death and taxes – but thanks to online crooks around the world there is now a third: ransomware. This attack model continues to gain traction because of its phenomenal success. Despite government admonitions, victims continue to pay through low-friction cryptocurrency channels, emboldening criminal groups even further.
Darktrace, the AI-based security company that went public this spring, aims to stop the spread of ransomware by preventing its customers from becoming victims. To do this, they need a defense mechanism that works at machine speed, says threat hunting director Max Heinemeyer.
According to Darktrace's Ransomware Threat Report 2021 [PDF], ransomware attacks are on the increase. It warns that a business will suffer one of these attacks every 11 seconds in 2021, compared with every 40 seconds in 2016.
“Since 2017, ransomware has exploded,” he explains, adding that the rise of cryptocurrency has been a big factor. “Cryptocurrencies have become mainstream and much more accessible, making it much easier for ransomware players to collect ransoms.”
Criminal groups have flocked to take advantage of this. While high-profile attacks on big companies like Colonial and JBS Meats may capture the public's imagination, they are only the tip of the iceberg. Far less visible are the thousands of smaller attacks that target small businesses. Ransomware recovery company Coveware reports that the median number of employees among ransomware victims was 200 in the second quarter of 2021, and that the figure has actually declined since the end of 2020.
The threat actors are also more diverse than you might think, warns Heinemeyer.
“The attacks sometimes come from sophisticated groups like REvil or BlackMatter that we see in the news, but often they come from unknown groups that don't come forward,” he says. “They are just opportunistic ransomware players.”
The diversity of groups makes it difficult to spot clear trends in attacks, he adds. Techniques vary between groups, which often change their tools over time. Their targets are also diverse.
For example, the FIN12 ransomware group has spent the pandemic attacking healthcare organizations, bucking a trend that has seen other ransomware groups pledge to avoid these vulnerable targets. It has also switched from using TrickBot as its post-breach exploitation tool to other software, including Cobalt Strike Beacon.
Monetization tactics have also evolved, warns Heinemeyer. “They have become enormously professional at all levels. If data encryption is not enough to extort money, they are using a double threat, exfiltrating the data first to apply a second point of pressure,” he says.
If that’s not enough, some are starting to apply Distributed Denial of Service (DDoS) as a third pressure point to extort money. And some of the ransomware players have talked about trying to innovate with new ways to extort money by doxing their targets.
Some groups spend a lot of time in the networks of their targets exfiltrating data to extract the maximum income from the victims. Others, like FIN12, go for high-speed attacks, simply encrypting data but quickly hitting multiple targets.
The need for speed in the fight against ransomware
This range of tactics, techniques and procedures (TTPs) makes ransomware unpredictable. Darktrace believes the problem is so serious that it can no longer be dealt with at human scale. The novelty and speed of modern ransomware demands an AI approach, Heinemeyer says.
“Unfortunately, most companies are still not very good at defending themselves in 2021,” says Heinemeyer. “Even if you are a large company with all the budget in the world, that might not be enough to defend you against the ransomware players.”
A more complex ransomware landscape isn't the only issue for defenders. The other is the complexity of IT, thanks to the dissolution of the network perimeter. With assets now located in the cloud, in remote offices and in homes, the traditional hard perimeter that defined the edge of the network is becoming increasingly irrelevant. Instead, businesses need to protect everything, everywhere.
A further problem is the lack of resources. Attackers often strike outside business hours or just before major holidays, as was the case with the ransomware attack on remote monitoring service provider Kaseya. That attack, by the REvil group, surfaced on July 2, just before the July 4 long weekend, when many staff were reportedly away.
Responding to ransomware quickly is hard enough, and even more so when you are running your Security Operations Center (SOC) with a small team. Wait – you have a SOC, don’t you? Colin from IT doesn’t handle it all on his own?
An AI that learns to fight ransomware
These weaknesses in human defenses are one of the main reasons for introducing AI into cybersecurity defenses. Darktrace fights ransomware using what it calls “self-learning AI”.
The company likens its Antigena AI product to a digital immune system that works the way the human body's does. Like the antibodies in your bloodstream, it learns what is normal and works constantly to maintain that state. It does this by detecting behaviors on your network that deviate from a learned baseline and acting to resolve them.
Heinemeyer explains why this is useful in a ransomware scenario. With such a chaotic, fast-paced and volatile attack landscape, it is difficult to rely solely on known software signatures and network traffic patterns to spot likely attacks. Likewise, responding to such static indicators with predefined rules falls short because it does not account for new and evolving TTPs. He says the company's AI allows customers to spot new, never-before-seen strains of ransomware.
Combating ransomware in practice
So what does this look like in practice? How does AI stop a real-world ransomware attack?
“The only thing you can do to stop ransomware players from being successful is to spot them early when they try to gain a foothold,” he says. Ideally, this happens before the ransomware infection occurs. Darktrace scans emails – one of the most popular distribution channels for ransomware – for abnormal patterns.
If an organization has chosen not to use Darktrace for pre-infection detection, the next best approach is to detect existing compromises as quickly as possible. The product picks up the unusual communications that typically occur when a compromised endpoint tries to spread to other computers.
This is what happened when ransomware attackers targeted a Darktrace customer in the electronics manufacturing industry. Although the customer was not using the product to detect the initial stages of the attack, Antigena still spotted the infected device scanning the network abnormally over SMB. This indicated that an encryption attack was in progress.
In this case, the company had chosen to activate Darktrace’s autonomous response capability. Heinemeyer distinguishes this from automated responses, which rely on predefined actions and are always based on human input.
“The autonomous response will take action by integrating with existing controls such as firewalls or network access controls, or by using methods native to Darktrace, or by taking an EDR-related action,” he says. “But the logic behind the action, the decision making on what action to take, it all comes from Darktrace.”
These AI-based decisions focus on restoring the system to its normal state. They escalate over time depending on the behavior the software observes, up to quarantining a device. This allows the software to take aggressive action at machine speed without affecting the user experience more than necessary, he adds.
In the case of the electronics maker, Antigena immediately blocked the infected device's abnormal connections, preventing it from encrypting most of the files on the network. It then quarantined the malicious device for 24 hours, containing the attack and giving the security team the opportunity to take further action.
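To make the detection and escalation logic described above concrete, here is an added illustration that is not Darktrace's code or any part of Antigena: each host's count of distinct SMB (tcp/445) peers per hour is compared against its own learned baseline, and the resulting z-score drives an escalating response from "do nothing" through "block abnormal peers" to "quarantine the device". The baseline figures, the connection log and the thresholds (z of 3 and 10) are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: distinct SMB peers each host talked to per hour over a
# quiet learning week. Values are invented for this example.
BASELINE = {
    "ws-042": [2, 3, 2, 4, 3, 2, 3, 3],           # workstation: a few file servers
    "ws-017": [3, 2, 3, 3, 2, 3, 3, 3],           # another ordinary workstation
    "fs-01":  [30, 28, 35, 31, 29, 33, 30, 32],   # file server: many clients is normal
}

# Constructed one-hour connection log as (src, dst, dport) tuples. ws-042 fans
# out to 40 hosts on port 445, the scanning pattern noted in the article.
LOG = (
    [("ws-042", f"10.0.1.{i}", 445) for i in range(1, 41)]
    + [("ws-017", f"10.0.1.{i}", 445) for i in range(1, 8)]
    + [("fs-01", f"10.0.2.{i}", 445) for i in range(1, 32)]
)

def distinct_smb_peers(log):
    """Count distinct SMB destinations per source host within the window."""
    peers = defaultdict(set)
    for src, dst, dport in log:
        if dport == 445:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}

def deviation(host, count, baseline, min_sigma=1.0):
    """Z-score of this window's count against the host's own learned normal.
    The standard deviation is floored so a very flat history cannot make a
    one-peer change look like a catastrophe."""
    hist = baseline[host]
    sigma = max(pstdev(hist), min_sigma)
    return (count - mean(hist)) / sigma

def response_level(z):
    """Escalating response: 0 = normal, 1 = block abnormal connections only,
    2 = quarantine the device. Thresholds are illustrative, not Darktrace's."""
    if z < 3:
        return 0
    if z < 10:
        return 1
    return 2

def assess(log, baseline):
    """Map every host seen in the window to its response level."""
    counts = distinct_smb_peers(log)
    return {h: response_level(deviation(h, n, baseline)) for h, n in counts.items()}
```

Note that the file server's 31 peers is scored as normal while the workstation's 40 is not: the baseline is per host, which is what lets a high-traffic server coexist with a quiet client without a global threshold.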
Fighting future ransomware
Unfortunately, cybersecurity is a constant game of catch-up. If defenders use automation, you can be sure attackers will follow. Attacker automation may start with rule-based tooling, but is likely to expand into AI-based attacks as sophisticated groups acquire these capabilities. That could include anything from using AI to craft more effective phishing emails for ransomware delivery to supervised learning algorithms that identify and circumvent the defenses on a network.
“Is this the most urgent priority for cyber defenders right now? Probably not. But it’s something they should think about because it will be a paradigm shift in the future,” warns Heinemeyer. “Once attackers start embracing even more automation than they already are, there’s almost no way around defensive AI.”
Ransomware will eventually give way to a new form of cybercrime that attackers have yet to think up, but there is still a lot of life in this criminal model. Companies are not prepared for it and attackers are constantly innovating. Heinemeyer hopes more companies will explore Darktrace's AI capabilities, ideally before the attackers come calling rather than after.
This article is sponsored by Darktrace.