China and Iran Hacks Demonstrate Need for Better AI-Based Defense
Two events that were uncovered recently — the cyberattack waged by Iran against the United States and the hack of 10 global telecommunications firms suspected to be the work of China — underscore the growing need to improve security in companies and government institutions. With a shortage of trained analysts in the public and private sectors and security woes set to explode under 5G networks, artificial intelligence could go from being a nice-to-have to a necessity for survival.
Earlier today, the US-Israeli security firm Cybereason released a report explaining how hackers suspected to be backed by the Chinese government infiltrated at least 10 global telecommunications carriers over multiple years to access customer information. “Operation Soft Cell,” as Cybereason called the attack, utilized “espionage and a web of theft targeting specific individuals on different continents likely working in government, law enforcement and politics.”
That came on the heels of a warning from the Department of Homeland Security urging American businesses to be aware of a wave of cyber-attacks from Iran and its proxies. “Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money,” stated Cybersecurity and Infrastructure Security Agency Director Christopher C. Krebs on June 22.
The rise in cyberattacks should not be surprising to anybody who’s paying attention. A rather bleak portrait of organized cybercrime was presented during a panel discussion at HPE Discover last week. James Morrison, the primary technical investigator for cybercrime at the Federal Bureau of Investigation, said the demographics of the perpetrators are changing.
A couple of years ago, half of the cybercrime was perpetrated by organized gangs and half by independent operators. Russia, China, and Iran were the major sources. But now, criminal cybergangs are operating out of places like India, Nigeria, and Indonesia, and they’re leveraging economies of scale to attack companies in the United States. “The cybercriminals are really rising up,” Morrison said. “It’s really getting to be more involved, more and more organized, from an organized crime standpoint.”
The bad guys’ capabilities are rapidly improving, he said. “I don’t really have to know how to program anymore,” he said. “I can go out on the Internet and buy 100,000 email addresses for, let’s say, $50. It’s not very expensive. Then I can go and rent ransomware.” Some of the black markets even offer 24/7 customer service on their ransomware rentals, he said.
“Now I have ransomware, I have email addresses and I fire this email address out with a link to whoever clicks,” he continues. “Let’s say there are 5,000 clickers – that’s actually a low number – and of those, 1,000 of them, maybe pay $400 for ransom. So I made $400,000 on a $250 investment. That’s the economy of scale that we’re really seeing.”
Companies used to be advised that the best defense from cybercrime was to build layers of protection around their most prized assets. That meant numerous firewalls, SIEMs, and intrusion protection systems. While those defensive elements are still necessary, they’re not enough to detect advanced persistent threats that live inside companies’ networks for months at a time.
HPE now advocates a “zero trust” architecture that begins with the firmware that’s embedded into HPE servers. “We don’t trust anything and we verify everything and anyone by starting with the silicon,” said Bob Moore, HPE’s director of server software and product security, during the panel discussion on June 19.
The criminal is looking for persistence, Morrison said. “My first thing as a criminal when I get access to a network is how do I stay there?” he said. “How do I stay there, through all of your efforts to eradicate me?”
Visibility into network activity is absolutely critical to flushing out the bad guys, the FBI agent said.
“We have to be able to look at what’s running and what’s it trying to do,” he said. “Why is Computer A in finance communicating across the network with Computer B in HR? That’s not a normal conversation that should be occurring on your network. And that’s why I think some sort of automated system is going to help out.”
The best way to thwart the attacker or malware is by using advanced automated detection techniques to spot anomalies, said Larry Lunetta, vice president of marketing for security solutions at Aruba, which is owned by HPE.
“Once you have them in the financials, they’re trusted in the environment, and it’s only by changes in behavior that you can detect a problem,” he said during the panel discussion. “Attackers can cloak malware, go under the radar, and take days or weeks and months to unfold and do an attack. But sooner or later, their behavior changes. That credential is no longer behaving like it did, and that’s where artificial intelligence and machine learning comes in.”
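The two detection ideas raised on the panel, an automated check for conversations that should not be happening between departments and a watch for credentials whose behavior changes, can be illustrated with a small baseline-driven detector. The script below is an added example, not code from the article or from HPE or Aruba, and it uses a plain learned baseline rather than a trained model to show the principle; the host inventory, flow records and logon records are all constructed, and the host-to-department mapping assumes an asset inventory is available.

```python
"""Baseline-driven anomaly detection over constructed flow and logon records.

Added illustration (not from the article or from HPE/Aruba). It learns which
department pairs normally talk and which hosts each credential normally uses,
then flags telemetry that breaks that baseline. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory: host -> department (assumes a CMDB exists).
HOST_DEPT = {
    "fin-01": "finance", "fin-02": "finance",
    "hr-01": "hr", "hr-02": "hr",
    "erp-db": "shared", "file-srv": "shared",
}

# Constructed learning-window flows: (timestamp, src_host, dst_host, dst_port)
BASELINE_FLOWS = [
    ("2019-06-03T09:12:00", "fin-01", "erp-db", 1433),
    ("2019-06-03T09:40:00", "fin-02", "file-srv", 445),
    ("2019-06-04T10:05:00", "hr-01", "file-srv", 445),
    ("2019-06-04T11:30:00", "hr-02", "file-srv", 445),
    ("2019-06-05T14:00:00", "fin-01", "file-srv", 445),
]

# Constructed learning-window logons: (timestamp, user, host)
BASELINE_LOGONS = [
    ("2019-06-03T08:55:00", "alice", "fin-01"),
    ("2019-06-04T09:02:00", "alice", "fin-01"),
    ("2019-06-05T08:58:00", "alice", "fin-02"),
    ("2019-06-03T09:10:00", "bob", "hr-01"),
]


def build_flow_baseline(flows):
    """Set of (src_dept, dst_dept, port) triples seen during the learning window."""
    seen = set()
    for _, src, dst, port in flows:
        seen.add((HOST_DEPT.get(src, "unknown"), HOST_DEPT.get(dst, "unknown"), port))
    return seen


def build_logon_baseline(logons):
    """Per-user profile: hosts the credential used and the hours it logged on."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host in logons:
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return profile


def flag_flows(flows, baseline):
    """Return flows whose department pair and port never appeared in the baseline."""
    alerts = []
    for ts, src, dst, port in flows:
        key = (HOST_DEPT.get(src, "unknown"), HOST_DEPT.get(dst, "unknown"), port)
        if key not in baseline:
            alerts.append(f"{ts} unusual flow {src}({key[0]}) -> {dst}({key[1]}):{port}")
    return alerts


def flag_logons(logons, profile, hour_tolerance=2):
    """Return logons from a host the user never used or well outside their usual hours."""
    alerts = []
    for ts, user, host in logons:
        p = profile.get(user)
        hour = datetime.fromisoformat(ts).hour
        if p is None:
            alerts.append(f"{ts} unknown user {user} on {host}")
            continue
        reasons = []
        if host not in p["hosts"]:
            reasons.append("new host")
        if all(abs(hour - h) > hour_tolerance for h in p["hours"]):
            reasons.append("unusual hour")
        if reasons:
            alerts.append(f"{ts} {user} on {host}: " + ", ".join(reasons))
    return alerts


def run_detection(new_flows, new_logons):
    """Learn from the baseline windows, then score today's telemetry."""
    flow_base = build_flow_baseline(BASELINE_FLOWS)
    logon_prof = build_logon_baseline(BASELINE_LOGONS)
    return flag_flows(new_flows, flow_base) + flag_logons(new_logons, logon_prof)


# Constructed "today" telemetry: one benign flow, a finance-to-HR SMB flow at 02:10
# (the kind of conversation the panel called abnormal), and the finance credential
# "alice" logging on to an HR host at 02:05.
NEW_FLOWS = [
    ("2019-06-21T09:15:00", "fin-01", "erp-db", 1433),
    ("2019-06-21T02:10:00", "fin-01", "hr-02", 445),
]
NEW_LOGONS = [
    ("2019-06-21T08:59:00", "alice", "fin-01"),
    ("2019-06-21T02:05:00", "alice", "hr-02"),
]

if __name__ == "__main__":
    for line in run_detection(NEW_FLOWS, NEW_LOGONS):
        print(line)
```

Run stand-alone, the script prints one flow alert for the finance-to-HR SMB connection and one logon alert for the credential that appears on a new host at an unusual hour; the benign morning flow and logon stay silent. The design point is that neither the flow nor the logon is suspicious in isolation, which is why the baseline is keyed on department pairs and on per-credential habits rather than on signatures.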
Big companies still rely on humans to analyze security data and detect signs of compromise. But that approach doesn’t scale – especially considering the ease with which cybercriminals can do their nefarious deeds.
“First and foremost, the people just aren’t there,” said Drew Simonis, deputy chief information security officer for HPE. “Everybody is suffering from a talent shortage. Three-and-a-half million people that we need in the industry right now, growing to who knows what….Even if I could hire 100 analysts, which I can’t, I don’t need people sitting and analyzing the problem. I need a computer to analyze that problem and a person to make a decision on how to act.”
To make matters even worse, the bad guys are investing their ill-gotten gains back into their criminal enterprises so they can be even more effective at stealing money, Morrison said. They’re also utilizing AI to make their attacks more effective.
“As these criminal groups organize, they’re just like businesses,” he said. “They’re putting money back into their criminal business and they’re adding better computers, they’re adding data centers. They’re operating data centers that are bigger than a lot of the ones that you may operate. And they’re putting money back into AI.”
Criminals are using AI to optimize their operations with targeted recommendations and next-best-actions, he said. “I use AI from that standpoint just to give me little recon on my target so now I can develop a better attack structure,” he said. “Is ransomware right here? Is a crypto miner right? Is writing a harvest credential [app going to be effective]? There’s a whole bunch of things I can do once I’m here there, and I have to figure out who you are before I do that.”
Money is definitely in the balance with ransomware attacks, but in some cases the attacks are meant to disrupt and destroy, with no monetary reward for the bad actors. The 2017 NotPetya attack presented itself as a ransomware attack, but that was only to mask the true intentions of the attackers, according to this excellent Wired story. The impact that NotPetya had on shipping giant Maersk’s systems – 80,000 endpoints went down in over 500 countries – was simply collateral damage in Russia’s cyberattack on Ukraine.
With the advent of 5G networking and the expected explosion in the number of connected sensors, the potential attack surface available for cybercriminals to exploit will increase dramatically. According to Joel Windels, the CMO at NetMotion Software, the recent attack on global telecommunications firms is
“It’s commonly believed that 4G LTE and 5G networks are inherently more secure than WiFi,” Windels said. “However, this latest evidence of widespread carrier hacking shows that if bad actors can break into a carrier’s network – and stay undetected for months while they monitor and steal data – then the network itself isn’t the issue.”