Artificial Intelligence and Machine Learning

This section discusses how threat hunting will evolve. Organizations and MSSPs can look into these technological trends and build their capabilities for more effective hunting in the future:

• Artificial intelligence and machine learning
• Quantum computing
• Internet of Things (IoT)
• Operational Technology (OT)
• Blockchain
• Threat hunting as a service
• The evolution of the threat-hunting tool
• Potential regulatory guidance

There are numerous definitions of AI and a simple Internet search can provide many interpretations of this. As an academic and a researcher, the following definition of AI has always resonated with me. In essence, AI is the ability to provide:

• Reasoning: Learn and form conclusions with imperfect data
• Understanding: Interpret the meaning of data including text, voice, images, etc.
• Interacting: Interact with people in natural ways

AI is also often used interchangeably with the term machine learning (ML). ML is the ability to identify objects and data, such as files, images, etc., and to get better (or learn) as more diverse datasets are provided.

Machine intelligence approaches use machine learning that adapts and learns over time to react not only to the evolving threat, but also can be tuned based on human/analyst inputs as new insights are gleaned. Because threats evolve so rapidly, it's critical not to engage in a hunt with an outdated set of tools that will miss emerging threats. Additionally, machine intelligence can be used to consolidate a great deal of human-curated intelligence into robust, simplified machine-curated intelligence. Even though expert analysis is often required for intuition-based analysis, machine intelligence can help comb through large volumes of human intelligence or use human-defined frameworks to speed up the application of expert insight. This can alleviate the labor load on the human analyst, allowing them to focus only on tasks that demand their more complex thinking.

There are number of ML algorithms, and deep learning is a further subset of AI. We will specifically concentrate on ML advances in this chapter. The following are some examples of leveraging ML in the fight against cybercrime:

• Unsupervised learning helps remove human bias: ML algorithms can remove the human bias that comes with expertise to reveal unexpected insights.
• Anomaly detection: ML determines the norm for a variable and the average standard deviation, then identifies spikes that fall outside the standard. A couple of examples of anomaly detection are:
  • Malicious User Profiling: Malicious activity is often hard to detect with manually generated rules. These are due to complex attack patterns, diversity of valid virtual machine (VM) activities, and the rapid improvement in attacking tools. To overcome these challenges, we leverage ML capabilities to learn behavioral patterns of known malicious logins and execution sequences. The sources of malicious logins we use are GuardiCore honeypots, Brute Force scanners, and suspicious login–related alerts. These have the ability to dynamically adopt to new attacks and hacking tools. Later, these dynamically learned patterns are used to detect similar activities across cloud providers, such as Azure and AWS.
  • Compromised VMs: The defenders have the ability to detect and inform consumers that their VMs are compromised. These detections include outgoing port scanning from IP Flow Information Export (IPFIX) and outgoing spam and outgoing Distributed Denial of Service (DDoS). The outgoing spam detection is done in collaboration with cloud productivity tools such as Office 365 on Azure.
• Cyber threat-hunting activities after a compromise: Oftentimes, the window between compromise and detrimental effects is small, and hunt actors need to quickly identify where intrusions occurred, what likely attack vectors are moving forward, and how to quickly remediate exploited vulnerabilities. By utilizing machine intelligence, cyberthreat experts can deploy algorithms to sift through large amounts of data, bringing to the front the most applicable and important data. By training algorithms on historical data, machine intelligence can also rapidly uncover relationships in the data that are labor-intensive for a human to detect, helping to shrink the latency from compromise to remediation.

How ML Reduces False Positives

As mentioned earlier, false positives are the largest roadblock to attack disruption. The majority of Security Operations Centers (SOCs) are simply overloaded with false positive security signal data preventing (or at minimum distracting) resources to combat the “real threats.” As per Figure 9.1, the traditional SOC approach has been to hand-craft rules by security professionals to combat impending threats. However, these static rules do not adapt to the changes in their environments. Specifically, they do not adapt to changing attack vectors and introduction of new malware. SOC analysts are also exposed to large volumes of data. For example, some our Azure services generate an estimated 1000+ API calls a minute. These high-dimensional data are very challenging for an SOC analyst to visualize and spot the outliers.

ML is assisting us to address these challenges. ML has the ability to retrain itself by adapting to new environments as new data is provided. Providing relevant and actionable large datasets is the key success factor here. These large datasets include industry threat-hunting research alerts, domain expert alerts, customer feedback alerts, labels from other product groups (AWS CloudTrail logs, O365, Windows Defender ATP, Azure, etc.), red team exercises, automated attack bots, and Bug Bounty programs. The combination of all these rich datasets enables us to successfully minimize the false positives and “give back more time” to SOC analysts. Hence, they can target and eradicate the real threats without getting drowned in a sea of security alerts.

Advances in Quantum Computing

Paul Lipman says that quantum computing is based on quantum mechanics, which governs how nature works at the smallest scales. The smallest classical computing element is a bit, which can be either 0 or 1. The quantum equivalent is a qubit, which can also be 0 or 1 or in what's called a superposition—any combination of 0 and 1. Performing a calculation on two classical bits (which can be 00, 01, 10, and 11) requires four calculations. A quantum computer can perform calculations on all four states simultaneously. This scales exponentially: 1,000 qubits would, in some respects, be more powerful than the world's most powerful supercomputer.

The promise of quantum computing, however, is not speeding up conventional computing. Rather, it will deliver an exponential advantage for certain classes of problems, such as factoring very large numbers, with profound implications for cybersecurity.

Quantum computers are predicted to solve problems that are far too complex for classical computers according to the Quantum Exchange, a leading research body. This includes solving the algorithms behind encryption keys that protect data and the Internet's infrastructure. Much of today's encryption is based on mathematical formulas that would take today's computers an impractically long time to decode. To simplify this, think of two large numbers, for example, and multiply them together. It's easy to come up with the product, but much harder to start with the large number and factor it into its two prime numbers. A quantum computer, however, can easily factor those numbers and break the code. Peter Shor developed a quantum algorithm (aptly named Shor's algorithm) that easily factors large numbers far more quickly than a classical computer. Since then, scientists have been working on developing quantum computers that can factor increasingly larger numbers.

As the pace of quantum research continues to accelerate, though, the development of such a computer within the next three to five years cannot be discounted. As an example, according to MIT Technology Review, a 20 million-qubit computer could break a 2048-bit algorithm in 8 hours. What that demonstration means is that continued breakthroughs like this will keep pushing the timeline up. Quantum computing is expected to transform cybersecurity according to Paul Lipman in the following key areas:

• Random number generation is fundamental to cryptography: Conventional random number generators typically rely on algorithms known as pseudo-random number generators, which are not truly random and thus potentially open to compromise. Companies such as Quantum Dice and ID Quantique are developing quantum random number generators that utilize quantum optics to generate sources of true randomness.
• Quantum-secure communications: Sharing cryptographic keys between two or more parties to allow them to privately exchange information is at the heart of secure communications. Quantum-secure communications utilizes aspects of quantum mechanics to enable the completely secret exchange of encryption keys and can even alert to the presence of an eavesdropper. This is currently limited to fiber transmission over 10s of kilometers.
• Breaking public-key cryptography, specifically the RSA algorithm, which is at the heart of the ecommerce industry: RSA relies on the fact that the product of two prime numbers is computationally challenging to factor. It would take a classical computer trillions of years to break RSA encryption. A quantum computer with around 4,000 error-free qubits could defeat RSA in seconds. However, this would require closer to 1 million of today's noisy qubits. The world's largest quantum computer is currently less than 100 qubits; however, IBM and Google have road maps to achieve 1 million by 2030. A million-qubit quantum computer may still be a decade away, but that time frame could well be compressed. Additionally, highly sensitive financial and national security data is potentially susceptible to being stolen today—only to be decrypted once a sufficiently powerful quantum computer becomes available. The potential threat to public-key cryptography has engendered the development of algorithms that are invulnerable to quantum computers.
• Machine learning has revolutionized cybersecurity, enabling novel attacks to be detected and blocked: The cost of training deep models grows exponentially as data volumes and complexity increase. The emerging field of quantum machine learning may enable exponentially faster, more time- and energy-efficient machine learning algorithms. This, in turn, could yield more effective algorithms for identifying and defeating novel cyberattack methods.

As the future versions of quantum computers would have the power to crack passwords simultaneously, future cyber-physical systems must incorporate quantum computing–resistant designs of data security.

Advances in IoT and Their Impact

The recent IDC report by MacGillivray and Wright (Worldwide Internet of Things Connectivity Forecast, 2017–2021, IDC, 2017) suggest that the next decade promises the universal democratization of connectivity to every device. Significant drops in the cost of connectivity mean that every form of electrical device—every child's toy, every household's appliances, and every industry's equipment—will connect to the Internet. This Internet of Things (IoT) will drive huge economic efficiencies; it will enable countless innovations as digital transformation reaches across fields from childcare to eldercare, from hospitality to mining, from education to transportation. Although no person can foresee the full impact of universal device connectivity, anticipation of this new frontier is widespread.

The Internet of Things can be used to interconnect various physical devices as well as virtual objects that can be accessed through the Internet. IoT is rapidly growing and changing our lives. There has been a massive surge in the use of IoT devices, mainly in the homes and manufacturing sectors. IoT has penetrated every aspect of our lives and everything from your water sprinkler to your security system, which is connected to the Internet. With the overwhelming amount of new technologies popping up every day, IoT security often tends to be overlooked, which makes the users of these devices particularly vulnerable to security threats.

IoT creates a network of the physical objects, whose data is stored on the cloud. The devices connect to the surrounding objects and the extensive data around them. Since the data is being passed back and forth on thousands of devices, hackers are just one vulnerability away from exploiting all your personal data stored on the network. This may not appear as a major risk when your home automation system and other IoT devices may have negligible personal information stored on these devices. However, IoT items may consist of a camera or microphone and they may be compromised. This will enable hackers to monitor all your movements thus leading to a breach of privacy and exfiltration of personal information. Cisco analysts estimated that more than 50 billion devices were connected to the Internet in 2020. This quantity is far more than the number of people on the planet and it only emphasizes the scale of this vulnerability and the urgency needed to tackle the issue.

According to Cyberie research, nearly 70% of IoT devices are riddled with serious vulnerabilities. Protecting organizations and individuals against the increasing risks isn't going to be easy, but we can't afford to have so many exposed weaknesses waiting to be exploited. First, one needs to be aware of the threats they are facing. The Open Web Application Security Project (OWASP) has provided us with the Internet of Things Project where they highlight the key susceptible areas. The project explains the vulnerabilities as well as discusses prevention. The list is as follows:

• Insecure web interfaces
• Insufficient authentications or authorizations
• Insecure network services
• Lack of transport encryption
• Privacy concerns
• Insecure cloud interfaces
• Insecure mobile interfaces
• Insufficient security configurations
• Poor physical security

Many good security practices have been theoretically considered. These include the use of secure protocols, using a VPN, using identity management, and by providing timely latest updates and patches for the gadgets. The Cyberie research expands on how IoT devices can impact cybersecurity:

• At a workplace, a savvy user may manipulate the ID access process to get into a restricted area.
• IoT security also includes public infrastructure such as traffic lights and power plants, which may be manipulated by malicious users and disrupt the day-to-day lives of the mass population.
• All the data generated by IoT devices is collected and stored for machine learning algorithms that use the data to create better business solutions and improve quality of life. The volume of this data produced is immense. This is another attack vector for adversaries.

Even though most IoT security challenges are yet to be overcome, the industry has recognized these weaknesses in the devices. Fortunately, cybersecurity professionals are already adjusting to the new demands of this widespread network.

Operational Technology (OT)

ForcePoint defines Operational Technology (OT) as hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events in the enterprises. Gartner describes OT as common in Industrial Control Systems (ICS) such as a SCADA (Supervisory Control and Data Acquisition) System. In the world of critical infrastructure, OT may be used to control power stations or public transportation. As this technology advances and converges with networked tech, the need for OT security grows exponentially.

For many years, industrial systems relied on proprietary protocols and software, were manually managed and monitored by operators, and had no connection to the outside world. For this reason, they were a fairly insignificant target for hackers as there was no networked interface to attack and nothing to gain or destroy. The only way to infiltrate these systems was to obtain physical access to a terminal and this was no easy task. OT and IT integrated little and did not deal with the same kinds of vulnerabilities.

Today, it's a very different story as we see more industrial systems brought online to deliver big data and smart analytics as well as adopt new capabilities and efficiencies through technological integrations. Information Technology (IT) and Operational Technology (OT) convergence gives organizations a single view of industrial systems together with process management solutions that ensure accurate information is delivered to people, machines, switches, sensors, and devices at the right time and in the best format. When IT and OT systems work in harmony together, new efficiencies are discovered, systems can be remotely monitored and managed and organizations can realize the same security benefits that are used on administrative IT systems. This transition from closed to open systems has generated a slew of new security risks that need to be addressed.

Blockchain

The decentralized communication system, blockchain, was implemented first to authenticate bitcoin transactions, but the technology has now emerged to be the future of cybersecurity. The most common challenges enterprises face with their existing systems include the ease to locate an availability of multiple avenues for hackers to attack and overtake the system.

A blockchain is basically a decentralized, digitized, public ledger of all cryptocurrency transactions and uses what is known as the distributed ledger technology. This could potentially help enhance cyber-defense as the platform can prevent fraudulent activities via consensus mechanisms and detect data tampering depending on its underlying characteristics of operational resilience, data encryption, auditability, transparency, and immutability.

Owing to their distributed nature, blockchains provide no “hackable” entrance or a central point of failure and, thereby, provide more security when compared with various present database-driven transactional structures.

Blockchain technology can be used for a variety of reasons across a slew of industries. It helps prevent cyberattacks, data breaches, identity theft, and unfairness in title transactions, and makes sure your data is private and safe. This is only the beginning for blockchain. As new technology, it's only going to get smarter and better.

Another traditional weakness is eliminated through blockchain's collaborative consensus algorithm. It can watch for malicious actions, anomalies, and false positives without the need for a central authority. One pair of eyes can be fooled, but not all of them. That strengthens authentication and secures data communications and record management.

Threat Hunting as a Service

As discussed in the first chapter, the human element in threat hunting is foundational and one of the critical success factors. Threat hunting will continue to demand highly skilled and very experienced resources. And since these resources are hard to find, it seems like a lucrative upsell for managed services providers to offer “Threat Hunting as a Service.” Today there are many players in the market that provide Threat Hunting as a Service.

More services providers are getting ready to capitalize the market potentials. Some of them offer Endpoint Detection and Response (EDR) products have great overlap with threat hunting tools, since they can detect and analyze whatever happens on the endpoint. As such, EDR companies that are under great stress to differentiate likely offer “hunting modules” to complement “regular” EDR functions.

The Evolution of the Threat-Hunting Tool

SIEM (Security Information and Event Management) is likely the reason that customers need threat-hunting tools in the first place. As a centralized platform, SIEM should have all information logs “hiding” indicators of compromise. Yet regular SIEM systems are not flexible enough to conduct true hunting operations. Product vendors will add incremental capability to their existing SIEM automation platform, which will allow analysts to build any type of complex query from any data source.

If threat hunting will become a product category of its own, do hunters really need dedicated tools to conduct their operations?

Since threat hunting is mostly about sifting through communication data, it will be no surprise that network traffic analysis tools are offered as threat-hunting tools. Product vendors and services providers with a deep understanding of network traffic behavior can offer threat hunting as a by-product of their platform.

Potential Regulatory Guidance

39Policymakers and authorities may consider providing threat-hunting guidelines for organizations to set forth a structured and a cyclic program of monitoring the organizational activity longitudinally (from organization to the outside world) and laterally (inside the organization). They can provide guidelines to leverage external intelligence, best practices to analyze and correlate information, and a consistent approach to responding to the threats, whether they were actually spotted in the context of the threat-hunting activity or as a preparatory measure for blocking even before it occurred.

Imagine having visibility into threats across all your resources, AI that stitches signals together and tells you what's most important, and the ability to respond swiftly across the organization. With SIEM and extended detection and response (XDR), defenders can be armed with all the context and automation needed to stop even the most sophisticated, cross-domain attacks.