The changing landscape of cyber threats and the benefits of AI and Machine Learning

Derek Manky, Head of Security Insights & Global Threat Alliances, FortiGuard Labs; and Jonas Walker, Security Strategist at Fortinet’s FortiGuard Labs, discuss the evolving threat landscape and the role of artificial intelligence and machine learning in combating today’s cyber threats.

Today, threat actors rely on new tools and techniques to improve the efficiency of their attacks. With attacks increasing in speed, agility and sophistication, it is critical to maximize artificial intelligence and machine learning approaches to defend against evolving attack techniques.

We spoke to Manky and Walker to ask some of the burning questions cybersecurity leaders want answered.

What changes have you seen in the cyber threat landscape over the past three months?

Manky: We see weekly changes driven by three key factors:

  1. We see more speed and speed can kill. We often talk about the fact that there is more sophistication and more threats. We know that, but what we’re seeing now is there’s a bit of agility here. Threats include entering a system, hitting the targets, exfiltrating data, making ransom demands and leaving a system – much faster than usual. This includes attackers taking advantage of new vulnerabilities, both zero-days and n-days. One of the most disturbing elements is this theme of speed when it comes to offense.
  2. The second thing we see is more aggression. You can imagine if you combine these you get an even more potent mix, right? This is the problem. Yes, there is more speed, but there is also more aggression. This includes the double extortion, triple extortion themes and targeted attacks we also see.
  3. Thirdly, it is about the tactics, the scenarios. There are more tactical approaches and two-stage attacks that we see after reconnaissance for information, including information coming from social media, for example. In addition to everything we talked about earlier, we are still seeing more volume. All of that translates into more risk.

What new attack tactics do you see in the cyber threat landscape?

Walker: When we look at the techniques, tactics, procedures (TTPs) and the playbook aspect, we actually have a big picture of this. We look at real data at a very detailed level. There are many developments, but dodging the defense is one of the top techniques that attackers focus on. There are 42 different techniques associated with it.

In 2022, wiper malware will be much more active than in recent years, which corresponds to the theme of aggression. This is destructive malware that wipes hard drives and master boot records from systems. We are also starting to see this tie in with the world of extortion. We’re not just talking about data that’s at risk, but also system infrastructure that’s now at risk.

Another popular attack pattern targets firmware. Firmware attacks can come through a variety of vectors, from malware and rootkits to infected hard drives, damaged drives, and insecure firmware products. Hackers do not need to physically touch a device to launch an attack. They can do this through external connections such as Bluetooth and Wi-Fi. This means that the growing market of connected devices, such as game consoles, mobile phones and televisions, is becoming increasingly vulnerable to firmware hacking.

What can organizations do to protect against these attacks? How do AI and Machine Learning play a role in the defense equation?

Manky: It is important to distinguish the differences and they are all necessary. First, you have at the basic level – automation. Consider a threat feed with threat intelligence and policies applied. Without it, organizations would, frankly, be lost. For example, we respond to 100 billion threats a day with FortiGuard Labs, and a majority of them are automated. Automation is largely intended to help with the volume of detections and policies needed quickly, reduce response time, and offload mundane tasks for SOC analysts.

Where Machine Learning and AI come into play is the threats that are unknown. The question here is: how do you lead the way? AI is the action piece while Machine Learning is the doctrine. Machine Learning works on models and each application can use a different model. Machine Learning for web threats is very different from Machine Learning for zero-day malware. Organizations need to be able to do them all to effectively protect against various attack vectors. By using Machine Learning and AI, you drastically reduce the risk. Plus, you take the cost away from your OpEx model, because you don’t have to look for a way out of the problem.

Walker: The other part of that is the conversation about the skills gap. Machine Learning goes a long way in not just replacing those gaps, but filling them. We know that there is a global workforce shortage, not just in cybersecurity of course, but in cybersecurity specifically. How do you resolve that gap? Does it make sense to hire 20-30 people in your NOC or SOC – and even if you have the ability to do that, can you find the people? This is where Machine Learning solutions can support skilled employees. An integrated approach such as a security fabric is very powerful.

What are some additional safeguards you recommend to protect against today’s cyber threat landscape?

Manky: During my conversations with CISOs, they often say, “I’m overwhelmed, there are a lot of attacks, a lot of information, how do we simplify this?” Actionable threat intelligence is the answer. Networks and security come together, so you need to associate actionable threat intelligence and security subscriptions with it. Being able to detect and respond to threats, and to understand the threat landscape, is the first priority. Essentially, these three should work in harmony: automation and orchestration, AI/ML, and escalation paths to SOC analysts for items escalated as high priority.
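One way to make the division of labour Manky describes concrete, both in the earlier answer on automation (a threat feed with policies applied, offloading mundane tasks) and in this one (automation handling what it can and escalating high-priority items to SOC analysts), is a small triage pipeline. The following is an added example, not code from Fortinet or FortiGuard Labs: the feed entries, confidence thresholds, log-line format and all addresses and hashes are constructed assumptions for illustration.

```python
"""Added example: automated threat-feed triage with analyst escalation.

Indicators, thresholds and log lines are constructed for illustration;
a production pipeline would ingest a real feed (e.g. STIX/TAXII) instead.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed threat feed: indicator key -> (confidence 0-100, category).
# The IPs are from documentation ranges; the hash is a placeholder.
THREAT_FEED = {
    "ip:203.0.113.45": (95, "c2"),
    "ip:198.51.100.7": (60, "scanner"),
    "sha256:" + "ab" * 32: (90, "wiper"),
    "domain:bad.example": (75, "phishing"),
}

# Policy thresholds (assumed): what automation may decide on its own
# versus what is queued for a human analyst.
AUTO_BLOCK_CONFIDENCE = 85   # >= this: block with no analyst involvement
ESCALATE_CONFIDENCE = 50     # >= this (below auto-block): escalate to SOC


@dataclass(frozen=True)
class Decision:
    event_id: str
    action: str                  # "block", "escalate" or "allow"
    indicator: Optional[str]     # matched feed key, if any
    confidence: int
    category: Optional[str]


def parse_event(line: str) -> dict:
    """Parse a constructed 'key=value key=value' log line into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        if key and value:
            fields[key] = value
    return fields


def indicators_for(fields: dict) -> list:
    """Map an event's fields onto the indicator keys used by the feed."""
    keys = []
    for name in ("src", "dst"):
        if name in fields:
            keys.append("ip:" + fields[name])
    if "sha256" in fields:
        keys.append("sha256:" + fields["sha256"].lower())   # normalise case
    if "domain" in fields:
        keys.append("domain:" + fields["domain"].lower())
    return keys


def triage(line: str) -> Decision:
    """Apply the policy to one event; the highest-confidence match wins."""
    fields = parse_event(line)
    event_id = fields.get("id", "?")
    best = None
    for key in indicators_for(fields):
        hit = THREAT_FEED.get(key)
        if hit and (best is None or hit[0] > best[1]):
            best = (key, hit[0], hit[1])
    if best is None:
        return Decision(event_id, "allow", None, 0, None)
    key, conf, cat = best
    if conf >= AUTO_BLOCK_CONFIDENCE:
        action = "block"
    elif conf >= ESCALATE_CONFIDENCE:
        action = "escalate"
    else:
        action = "allow"
    return Decision(event_id, action, key, conf, cat)


def run_pipeline(lines):
    """Triage every line; return the decisions and a per-action count."""
    decisions = [triage(line) for line in lines]
    summary = {"block": 0, "escalate": 0, "allow": 0}
    for d in decisions:
        summary[d.action] += 1
    return decisions, summary


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "id=e1 src=10.0.0.5 dst=203.0.113.45 proto=tcp dport=443",
    "id=e2 src=198.51.100.7 dst=10.0.0.9 proto=tcp dport=22",
    "id=e3 host=ws-12 sha256=" + "AB" * 32,
    "id=e4 src=10.0.0.7 domain=bad.example",
    "id=e5 src=10.0.0.8 dst=10.0.0.9 proto=tcp dport=445",
]

if __name__ == "__main__":
    decisions, summary = run_pipeline(SAMPLE_LOG)
    for d in decisions:
        print(f"{d.event_id}: {d.action:8} {d.indicator or '-'} ({d.category or '-'})")
    print("summary:", summary)
```

Run as a script, the two high-confidence matches (the C2 address and the wiper hash) are blocked without anyone looking at them, the two mid-confidence matches land in the analyst queue, and the internal-only event passes. The thresholds are the policy knob: lowering `AUTO_BLOCK_CONFIDENCE` offloads more from the SOC at the cost of more false-positive blocks, which is the trade-off worth measuring against your own feed's precision before changing it.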

Walker: Segmenting networks is something I recommend as a very effective practical approach to mitigating risk because many of these threats can potentially invade a single device system. If you segment it, it cannot spread and hit other systems and cause further downtime.

Manky: Building on top of that, Zero Trust and ZTNA are a big topic these days. Lots of things happen on networks, devices going in and out, applications going in and out, etc. The idea that nothing should be inherently trusted can significantly increase security; trust has to be earned instead. In addition, simulation of breaches and attacks and having a plan in advance is crucial. We often say: ‘It is not a question of if, but when an attack will come’. Yes, you need to do all the prep work, but at the same time have a game plan.

Walker: Employee education and security awareness training are, of course, all things that need to be implemented when tackling cyber threats. Employees are often the first line of defense in many cases.
