A burglar who wants to enter a building, however well guarded it may be, will always end up achieving his ends: no bastion is impregnable, and all the lines of defense that were declared impregnable during the previous world war have shown their limits. Why should it be any different for the fortified digital systems that cyber attackers seek to penetrate?
Therefore, rather than seeking to further fortify what will always end up unable to resist the enemy, why not change approach and concentrate on what can and must be protected within the enclosure, inside the systems?
During an attack, the attacker is always one step ahead. If you hunt down all the internet addresses that attackers have used, they can always come back with other addresses, and once they have succeeded in penetrating the stronghold, it will be too late to ban an address that has already become obsolete.
Isn't it said that in a ZERO DAY attack it takes 275 days to create a patch? How much damage could be caused in that time!
This is why we must focus on saving what can and absolutely must be saved, and the use of technology as advanced as the sophisticated methods used by attackers becomes a necessity. AI can perfectly play this role and become the solution to this challenge.
To find AI's place in a defense system (cybersecurity) against cyberattacks, we must understand what a cyberattack is, what it targets and how it goes about achieving its goals.
A cyber attack is an action carried out by an individual, a group of individuals or a state with a view to obtaining a gain that could not have been obtained by “conventional” means.
This gain will vary depending on the desired goal. It can simply be to destroy what a competitor or opponent has, in a spirit of revenge or in order to acquire or maintain a dominant place in a defined environment (eradication of data and attacks on operating systems). It may be to obtain a company's data (data leak) in order to profit by monetizing its non-disclosure or by encrypting it, always for the same purpose (ransomware), or, in the case of a state or a competitor, to acquire knowledge of projects or technologies developed by the victim (espionage).
What are the means used by attackers?
In all cases, regardless of the desired goal, the attacker must find a way to infiltrate the target's system with a tool (virus or worm) that he can activate remotely in order to destroy, steal, encrypt, spy on or take over the entire system.
What penetrates the target system will be code, which will always include an execution command without which it cannot carry out its action. This code and its execution command do not necessarily have to be in the same attack packet; they can be sent at separate, even widely spaced, points in time.
How is malicious code introduced?
There are a number of vectors the attacker can use, ranging from phishing in all its forms and social engineering (which requires action by a natural person who has an access code to the target system) to methods that do not require human intervention, such as brute force (to crack the target's access codes), attacks carried out via the supply chain, exploitation of application vulnerabilities (such as ZERO DAY) and of systems accessible from outside the company's perimeter, etc.
What will the attacker do once inside the target system?
Everything will depend on the goal he is pursuing:
· State or industrial espionage: the goal will be to steal the target's data by leaking it or by spying on the actions of operators through accessories such as the mouse, the keyboard or the camera built into the monitor.
· Revenge or elimination of a competitor: the goal will be to destroy the target's system, rendering both the hardware and the software inoperable and destroying the data.
· Gain by encrypting the data contained in the target's servers.
Cybersecurity action will therefore tend to protect:
· Data against encryption and exfiltration (ransomware and leakage),
· System components against any attack on their integrity (manipulation of mice, keyboards, cameras with the aim of spying and/or gaining access to servers),
· The systems themselves against any attempt by an attacker to take them over.
How can AI help protect?
Attackers use every possible means to hide their intrusion and the malicious nature of their code and its execution commands, in particular by obfuscating or encrypting them. AI can help uncover obfuscation by analyzing the logical sequence of the code, deobfuscating it and revealing the real execution command that the obfuscation hides.
The deobfuscation system that we created at PT SYDECO, using AI, achieves a positive result of more than 98% in the discovery of hidden execution codes, no matter in which language they are written.
Regarding packets that enter the target system and whose signature or content is encrypted, here again the system implemented at PT SYDECO, using AI, makes it possible to prevent their entry into the system or to alert the security officer, as appropriate, always using the same method of scanning and analyzing the content.
The best contribution of AI to a cyber defense system is the detection of execution codes, which in itself is already an effective defense against any intrusion attempt: a virus without its execution code is inoperative. It is by scanning every entry into the system and everything that circulates on the network, and analyzing it using AI, that we can best protect the system, whatever the aim sought by the attacker, whatever the type of attack and whatever family the malware belongs to.
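As an added illustration of the two points above (peeling away obfuscation to reveal the hidden execution command, and scanning what enters the system for execution codes), here is a plain Python scanner; it is example code written for this page, not PT SYDECO's system, and it uses fixed rules rather than AI. The execution-primitive list and the two-layer sample are constructed assumptions.

```python
import base64
import re

# Execution primitives to surface after peeling obfuscation (illustrative list, not PT SYDECO's rules).
EXEC_PATTERNS = re.compile(
    r"\b(Invoke-Expression|IEX|eval|exec|os\.system|"
    r"subprocess\.(?:run|Popen|call)|shell_exec)\b", re.IGNORECASE)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _try_base64(token):
    # Decode one base64 token as UTF-8 or UTF-16LE text; None if it is not text.
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and sum(c.isprintable() or c in "\r\n\t" for c in text) / len(text) > 0.95:
            return text
    return None


def deobfuscate(sample, max_depth=5):
    # Replace base64 tokens with their decoded text, one layer per pass.
    text, depth = sample, 0
    while depth < max_depth:
        pairs = ((m, _try_base64(m.group(0))) for m in B64_TOKEN.finditer(text))
        found = next(((m, d) for m, d in pairs if d is not None), None)
        if found is None:
            break
        m, decoded = found
        text = text[:m.start()] + decoded + text[m.end():]
        depth += 1
    return text, depth


def scan(sample):
    # Classify an inbound script fragment by the execution commands it hides.
    text, layers = deobfuscate(sample)
    hits = sorted({m.group(1) for m in EXEC_PATTERNS.finditer(text)})
    verdict = "suspicious" if hits and layers else ("review" if hits else "clean")
    return {"layers": layers, "execution_commands": hits, "verdict": verdict}


# Constructed two-layer sample: a UTF-16LE base64 PowerShell command wrapped in plain base64. Not real malware.
_INNER = "Invoke-Expression $stage2"
_LAYER1 = "powershell -enc " + base64.b64encode(_INNER.encode("utf-16-le")).decode()
SAMPLE_OBFUSCATED = "echo " + base64.b64encode(_LAYER1.encode()).decode() + " | base64 -d | sh"
SAMPLE_PLAIN = "Get-Process | Sort-Object CPU"
```

The verdict distinguishes an execution command that was hidden behind encoding layers from one sent in the clear, which is the signal the text describes.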
AI can also play a key role in the early detection of attacks and the protection of systems.
In conclusion, we can therefore say that AI has its place in a cyber defense system in that it allows us to scrutinize and analyze what enters a system with a view to letting in only what is not suspicious. AI can also play a key role in the early detection of attacks and thus in protecting the content of systems, if not the systems themselves.
We cannot ignore that an error is always possible and that there will always be flaws in applications.
When we focus on defending what can and must be defended in a system, whether the attack is of the ZERO DAY type or not, whether it is a ransomware attack or one aimed at installing a backdoor, we get significantly better results than by wasting time tracking down the adversary before they have entered the system.