- Using Advanced Tools to Improve Application Security at the Edge
- The Role of ML and AI in Security
Why has there been such a sudden explosion of Machine Learning and Artificial Intelligence in security? The truth is that these technologies have been underpinning many security tools for years. Frankly, both tools are necessary precisely because there has been such a rapid increase in the number and complexity of attacks.
These attacks carry a high cost for business. Recent studies predict that global annual cybercrime costs will grow from $3 trillion in 2015 to $6 trillion annually by 2021.
This includes damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
Global spending on cybersecurity products and services for defending against cybercrime is projected to exceed $1 trillion cumulatively from 2017 to 2021.
The reality is that organizations have not been able to rely for a while on a “set it and forget it” approach to security using antiquated, inflexible, and static defenses. Instead, adaptive and automated security tools that rely on ML and AI under the hood are becoming the norm in security, and your security team must adapt to these technologies in order to be able to succeed.
Security teams are tasked with protecting an organization’s data, operations, and people. To protect against the current attack posture of their adversaries, these teams will need increasingly advanced tools.
As the sophistication level of malicious bots and other attacks increases, traditional approaches to security, like antivirus software or basic malware detection, become less effective. In this chapter, we examine what is not working now and what will still be insufficient in the future, while laying the groundwork for the increased use of ML and AI based security tools and solutions.
Where Rules-Based, Signature-Based, and Firewall Solutions Fall Short
To illustrate why rules-based and signature-based security solutions are not strong enough to manage today’s attackers, consider antivirus software, which has become a staple of organizations over the past 30 years. Traditional antivirus software is rules-based, triggered to block access when recognized signature patterns are encountered. For example, if a known remote access Trojan (RAT) infects a system, the antivirus installed on the system recognizes the RAT based on a signature (generally a file hash) and stops the file from executing.
What the antivirus solution does not do is close off the infection point, whether that is a vulnerability in the browser, a phishing email, or some other attack vector. Unfortunately, this leaves the attacker free to strike again with a new variation of the RAT for which the victim’s antivirus solution does not currently have a signature.
Antivirus software also does not account for legitimate programs being used in malicious ways. To avoid being detected by traditional antivirus software, many malware authors have switched to so-called file-less malware. This malware relies on tools already installed on the victims’ systems, such as a web browser, PowerShell, or another scripting engine, to carry out its malicious commands. Because these are well-known “good” programs, the antivirus solutions allow them to operate, even though they are engaging in malicious activity.
This is why many antivirus developers have switched detection to more heuristic methods. Rather than search just for matching file hashes, they instead monitor for behaviors that are indicative of malicious code. The antivirus programs look for code that writes to certain registry keys on Microsoft Windows systems or requests certain permissions on macOS devices and stop that activity, irrespective of whether the antivirus has a signature for the malicious files.
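The contrast between hash signatures and behavioral heuristics can be shown in a few lines. The following is an added example, not code from the book or from any antivirus vendor: it builds a tiny signature database from constructed sample bytes, shows that a variant which differs by a single byte no longer matches, and then runs two behavioral rules (a Run-key persistence write and a scripting host opening a network connection) over constructed telemetry events. The event shape, rule names, and sample bytes are all assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for a known RAT binary and a repacked variant of it.
# One appended byte is enough to produce a different file hash.
KNOWN_RAT = b"CONSTRUCTED-RAT-SAMPLE-v1 connect-back stub"
VARIANT_RAT = KNOWN_RAT + b"\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A traditional signature database: nothing but file hashes mapped to names.
SIGNATURES = {sha256_hex(KNOWN_RAT): "Trojan.RAT.Generic"}


def signature_scan(file_bytes: bytes):
    """Classic signature lookup: a hit only when the exact hash is known."""
    return SIGNATURES.get(sha256_hex(file_bytes))


@dataclass(frozen=True)
class Event:
    process: str  # image name that performed the action
    action: str   # "registry_write", "file_write" or "net_connect" (assumed vocabulary)
    target: str   # registry key, file path or host:port


# Behavioral rules of the kind a heuristic engine applies regardless of hash.
PERSISTENCE_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}


def behavioral_scan(events):
    """Return (rule, event) pairs for every behavior a rule considers suspicious."""
    hits = []
    for ev in events:
        if ev.action == "registry_write" and ev.target.startswith(PERSISTENCE_KEYS):
            hits.append(("persistence:run-key", ev))
        if ev.process.lower() in SCRIPT_HOSTS and ev.action == "net_connect":
            hits.append(("file-less:script-host-network", ev))
    return hits


# Constructed telemetry: the repacked variant persists itself, and a file-less
# payload uses PowerShell (a trusted, pre-installed program) to call home.
SAMPLE_EVENTS = [
    Event("updater.exe", "file_write", r"C:\Users\alice\AppData\Local\Temp\u.exe"),
    Event("u.exe", "registry_write",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("powershell.exe", "net_connect", "203.0.113.10:443"),
    Event("chrome.exe", "net_connect", "198.51.100.7:443"),
]


def scan_report():
    """Summarize what each detection approach catches on the constructed samples."""
    return {
        "known_by_hash": signature_scan(KNOWN_RAT),
        "variant_by_hash": signature_scan(VARIANT_RAT),
        "behavioral_rules_fired": [rule for rule, _ in behavioral_scan(SAMPLE_EVENTS)],
    }


if __name__ == "__main__":
    for key, value in scan_report().items():
        print(f"{key}: {value}")
```

The signature lookup catches the original sample and nothing else; the behavioral rules catch both the repacked variant and the PowerShell-based activity because they key on what the code does rather than what it hashes to. The cost, as with any heuristic, is that the rules need tuning against legitimate installers and administration scripts that touch the same keys and tools.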
Firewalls work in a similar way. For example, if an attacker tries to telnet to almost any host on the internet, the request will most likely be blocked. This is because most security admins disable inbound telnet at the firewall. Even when the telnet daemon is running on internal systems, it is generally blocked at the firewall, meaning external attackers cannot access an internal system using telnet.
Of course, attackers can use telnet to access systems that are outside of the firewall, such as routers, assuming the telnet daemon is running on those systems. This is why it is important to disable the telnet daemon directly on the devices, in addition to blocking the protocol at the firewall.
Generally, firewalls are inadequate to defeat today’s attacks. Firewalls either block or allow traffic with no regard for the content of the traffic. This is why attackers have moved to exfiltrate stolen data using ports 80 and 443 (HTTP and HTTPS, respectively).
Almost every organization has to allow traffic outbound on these ports, otherwise people in that organization cannot do their jobs. The attackers know this, and they’ll normally open their backdoors and establish command and control communications with their victims using ports 80 and 443. As a result, data can be stolen out of the network through the firewall.
This is also the reason why phishing attacks are so rampant today. Attackers in most cases can’t get in through the firewalls from the outside-in to attack an internal computer; therefore, they phish people and get them to do the work for them. The victims click, they are directed to a malicious site, and the return “malicious” traffic is allowed through the firewall. It’s just the way firewalls work. Most often the return traffic is an exploit for a known vulnerability and some additional code that will be executed by the victim, opening up a backdoor on the system.
In comparison, when firewalls are deployed in front of websites and applications, organizations must leave ports 80 and 443 wide open to the internet. These ports must be opened “inbound” so that users on the internet can access the services running on the downstream servers and applications. Because these ports must be left open to support web services, inbound attacks and malware exploits, among other threats, pass through the firewall undetected. In this case, firewalls provide little, if any, protection inbound.
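The port-only decision a firewall makes, and the kind of flow-level analysis needed to see what it lets through, can be put side by side. This is an added example and not code from the book or from any firewall product: it evaluates constructed connection records against an allow-list of ports, then applies two flow checks that a port filter cannot express, an upload-heavy outbound session on 443 and a fixed-interval beacon to one destination. The record layout, thresholds, and the RFC 5737 documentation addresses used as sample hosts are assumptions for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since an arbitrary epoch
    direction: str   # "inbound" or "outbound" relative to the internal network
    src: str         # internal host for outbound, external host for inbound
    dst: str
    dst_port: int
    bytes_out: int   # bytes sent by the internal host
    bytes_in: int    # bytes received by the internal host


# A port-only policy, which is all a stateless packet filter can act on.
ALLOWED_OUTBOUND_PORTS = {80, 443}
ALLOWED_INBOUND_PORTS = {80, 443}  # the public web tier behind the firewall


def firewall_verdict(flow):
    """Allow or deny purely on direction and destination port."""
    allowed = ALLOWED_OUTBOUND_PORTS if flow.direction == "outbound" else ALLOWED_INBOUND_PORTS
    return "allow" if flow.dst_port in allowed else "deny"


def flow_anomalies(flows, upload_ratio=10.0, min_beacons=4, max_jitter=0.1):
    """Flag behaviours in flows the firewall allowed that a port rule cannot see.

    upload_ratio: outbound/inbound byte ratio above which a session on an
                  otherwise normal port looks like bulk exfiltration.
    min_beacons:  minimum connections to one destination before the timing check.
    max_jitter:   pstdev/mean of the inter-connection gaps; near zero means a timer.
    """
    findings = []
    per_dst = defaultdict(list)
    for f in flows:
        if f.direction != "outbound" or firewall_verdict(f) != "allow":
            continue  # denied flows never reach the network; inbound is out of scope here
        if f.bytes_in > 0 and f.bytes_out / f.bytes_in >= upload_ratio:
            findings.append(("upload-heavy", (f.src, f.dst, f.dst_port)))
        per_dst[(f.src, f.dst, f.dst_port)].append(f.ts)
    for key, times in per_dst.items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            findings.append(("periodic-beacon", key))
    return findings


# Constructed sample traffic. 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    # Inbound telnet attempt: stopped by the port rule, exactly as the text describes.
    Flow(0, "inbound", "198.51.100.9", "192.0.2.20", 23, 0, 0),
    # Ordinary browsing: small request, large response.
    Flow(5, "outbound", "192.0.2.20", "198.51.100.7", 443, 2_000, 50_000),
    # Bulk upload over 443: the port rule allows it, the byte ratio gives it away.
    Flow(9, "outbound", "192.0.2.20", "203.0.113.10", 443, 5_000_000, 2_000),
] + [
    # Five tiny connections to one host, exactly 60 seconds apart.
    Flow(100 + 60 * i, "outbound", "192.0.2.21", "203.0.113.44", 443, 200, 100)
    for i in range(5)
]


def summarize(flows=SAMPLE_FLOWS):
    """Return what the port filter denied and what flow analysis flagged."""
    denied = [(f.direction, f.dst, f.dst_port) for f in flows if firewall_verdict(f) == "deny"]
    return {"denied_by_port_rule": denied, "flow_findings": flow_anomalies(flows)}


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The only thing the port rule stops is the inbound telnet; every session on 443 is waved through regardless of payload. The two flow checks are deliberately simple, but they illustrate the point of the chapter: once traffic must be allowed on a port, the distinction between legitimate and malicious use has to come from inspecting content or behavior, which is where adaptive, model-driven tooling takes over from static rules.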
When it comes to malicious bots and other more sophisticated threats targeting web applications, traditional approaches such as using firewalls do not work, because the attackers know how to get around them. Today’s advanced malicious actors can find an access path that can easily defeat rule- and signature-based security platforms. Attackers understand how traditional security technologies work and use this knowledge to their advantage.