Gaining momentum recently, TrickBot, one of cybersecurity's most nefarious malware families and the one responsible for some of the worst financial cyberattacks, has resurfaced with a new variant that has exposed over 250 million email accounts and put them at risk. Guy Caspi, CEO and co-founder of Deep Instinct, spoke with VMblog and gave us the lowdown on the attacker, their tactics and intentions, and why applying a deep learning approach to cybersecurity is crucial to the protection of our personal data.
VMblog: Please tell us a bit about yourself, your background and your role at Deep Instinct.
Guy Caspi: I am the CEO and founder of Deep Instinct, the first and only company to apply end-to-end deep learning to cybersecurity. I have specialized in artificial intelligence and deep learning for much of my career, spearheading companies through their entire life-cycle, accelerating their growth, and even seeing them through to IPO on NASDAQ.
VMblog: Artificial Intelligence and Machine Learning have started to dominate the conversation around the digital transformation of IT, especially when it comes to cybersecurity. What makes Deep Instinct different?
Caspi: Deep Instinct is the first and only company to apply end-to-end deep learning to cybersecurity, creating the ultimate zero-time threat prevention solution. Deep learning is the most advanced subset of artificial intelligence (AI), taking inspiration from the human brain. It's the first and only AI-based method capable of training on raw data. Unlike traditional machine learning, it doesn't require feature engineering by a human expert and can scale to hundreds of millions of training samples. The deep learning model provides high detection rates while ensuring the lowest false positives, and prevents first-seen threats for either file-based or file-less attacks.
VMblog: What are some of the biggest misconceptions around AI, machine learning, and deep learning?
Caspi: The biggest misunderstanding around artificial intelligence (AI), machine learning and deep learning is less of a misconception and more of a confusion around differentiating the meaning and purpose between them all. AI is a big world and includes many different types of algorithms. One needs to understand the differences of each one and their respective advantages and disadvantages given the particular context.
Deep learning is part of a broader family known as machine learning, which in turn is a subfield of AI. AI is a function that imitates the way the human brain works in the sense of processing data and creating patterns for decision making. Machine learning is a technique that gives computers the ability to learn without being explicitly programmed to do so. While deep learning uses a deep neural network, it provides an architecture that is like the human brain, including layers of neurons and synapses.
Deep learning achieves greater results of predictive accuracy because it analyzes all the raw data in a file, rather than just the engineered features that have been extracted from a file by a human. Traditional machine learning requires feature engineering, where a human expert effectively "guides" the machine through the learning process by extracting the features that need to be learnt. As it's based on human analysis, it's highly limited and relies solely on the data that is being fed to it. Additionally, it is not limited to simple linear correlations but can analyze multiple levels of non-linear complex data patterns and features, resulting in greater predictive accuracy.
VMblog: Can you describe the key benefits enterprises might realize with your solution?
Caspi: Unlike detection and response-based solutions, which wait for the attack to happen before reacting, Deep Instinct's solution works preemptively. By taking a preventative approach, files and vectors are automatically analyzed prior to execution, keeping customers protected in zero time. This is critical in a threat landscape where real-time is too late.
In tests conducted by an external industry authority, the deep learning-based solution achieved unmatched efficacy against any threat, with a 100% detection rate and zero false positives for new and previously unseen files. This represents an unparalleled feat that is yet to be claimed by even the best traditional machine learning solutions available.
Offering unlimited protection, the solution can be applied to any environment regardless of existing architecture. The solution is fully operational irrespective of network or Internet connection. It can be delivered on an air-gapped network, provided in a multi-tenancy or VDI environment, and deployed on premise or through a cloud native design.
Versions of the solution are available for all major operating systems (Windows, MacOS, Android and ChromeOS). The location-agnostic, lightweight agent can be applied to any type of environment - be it networks or devices (endpoints, mobiles, and servers) - and is equipped to identify any type of file and file-less attack, without requiring any modifications or adaptations.
VMblog: Can you explain this latest TrickBot threat and why it is so significant? What were some of the tactics used by the attacker?
Caspi: TrickBot is a highly sophisticated, modular piece of malware with an ever-growing arsenal of tools - one for practically every task imaginable (for a malware operator). Trickbooster is the latest tool in the arsenal and has some great advantages for the operators of TrickBot. The advantages of Trickbooster are two-fold: 1) vastly increased ability to distribute your own malware; and 2) monetization. Harvested email addresses can be sold and the spam bots themselves can be "rented out" to other actors.
An interesting tactic observed here is the use of signed malware binaries to make the malware appear more legitimate and lower the chance of it being detected.
VMblog: How come Deep Instinct was able to get exclusive access to the attacker's server and database?
Caspi: Following discovery of a Trickbooster attack prevented by Deep Instinct at one of our customer's sites, we started a deep analysis of the malware and its supporting infrastructure. From the details we uncovered, we cross-referenced infrastructure information relating to the Trickbooster campaign and took advantage of an op-sec failure on the side of the attacker.
VMblog: Have you reached out to any of the authorities regarding this attack? What were their reactions?
Caspi: We have reached out to some of the authorities affected by this attack and they are investigating the matter. We are in the process of contacting other companies and organizations whose emails have been found amongst the 250M compromised emails in the database.
VMblog: How are you sure that the attack has been stopped? Are the victims still at risk?
Caspi: We are taking measures to stop the attack and notify the victims. As mentioned above, we are in the process of contacting companies and organizations whose emails have been found in the database of 250M compromised emails. We have contacted the issuers of the certificates that were used to sign the Trickbooster executables and these certificates have been revoked. We are also contacting the hosting company which stores the attacker's server to bring down the server. Customers of Deep Instinct are fully protected from this attack.
VMblog: Given the complexity of these threats, are we at risk of AI-based attacks? Is Deep Instinct's solution capable of thwarting another AI-based threat?
Caspi: First of all, it is important to point out TrickBooster and TrickBot are not AI-based attacks, and real-world AI-based attacks have not been seen in the wild yet. However, the threat landscape is evolving extremely fast as attackers are looking for new attack techniques, so AI-based attacks are going to become a reality very soon.
Deep Instinct is currently training their deep learning "brain" to identify such AI-based attacks and ensure protection against them.
VMblog: What are some of the biggest challenges that organizations must address now when it comes to cybersecurity? What is Deep Instinct doing to help?
Caspi: There are more than 350K new machine-generated malware samples created every day with increasingly sophisticated evasion techniques, such as zero-days and APTs. According to recent research, nearly two-thirds of enterprises have been compromised in the past year by attacks originating at endpoints, representing a 20% increase from the previous year. Likewise, zero-day attacks are four times more likely to compromise organizations. These breaches have incurred $1.3 billion in financial loss in the U.S. alone.
Most solutions available today are woefully under-prepared to overcome the complexity of attacks and cause huge operational challenges as they can't adequately fight against complex zero-days and APTs. Added to this is the shortage of cybersecurity experts; 69% of CISOs say their cybersecurity teams are understaffed and this skill gap is expected to grow. By 2021, it is anticipated that there will be around 3.5 million cybersecurity job openings, and only a fraction are likely to be filled.
Deep Instinct's solution addresses all these problems through its dedicated deep learning framework, which is purpose built for cybersecurity. However advanced an attack vector may be, Deep Instinct's solution has been expecting it. The prediction-first approach is part of a multi-layered process that includes detection and response, followed by a final layer of analysis and remediation. The entire process happens autonomously. The deep learning-based solution can analyze enormous amounts of data and detect any type of anomaly automatically with unparalleled accuracy. This approach not only reduces the need for human intervention, as the management and remediation process is dramatically minimized, but the comprehensive analysis also achieves superior protection.