By Dave Martin
Welcome to the year 2022. We are all getting our bearings after a pandemic affected the entire world for longer than anyone expected. We're starting to go out again and socialize, but things have changed dramatically as we move forth with a new skepticism, keenly aware that unpredictable events catch us off guard at the most inconvenient times. However, there have been positive changes and benefits to the world since COVID that prompt new considerations.
One example is the shift to remote work (whether work from home or a hybrid design), which has become the new normal and is projected to prevail at least through 2023. Remote work has met with success overall, and the job market has seen a boom. Experts say these new work styles are not a passing trend for many companies and will be sticking around. The downside is that there are more points of entry for cyber attackers than ever before, as it is increasingly difficult to shore up a company's network and protect all its critical assets with employees working from multiple locations. As a result, cybersecurity threats are growing in volume, variety and sophistication. Due to the craftiness of bad actors, a rise in artificial intelligence (AI)-based attacks can catch an organization by surprise. The power of those breaches is their machine-scale speed.
## Keeping Up With Cyber Attackers
Threat actors have started using AI because it lets them change tactics rapidly and develop novel ways to avoid detection faster. Security professionals need to keep up, accounting for attacks built with AI's machine learning (ML) while remaining vigilant about traditional attacks, which are common because of their simple-yet-effective nature (e.g., theft of login credentials through password spraying and phishing, adding malicious code to vendor software). Combating AI attacks with AI cybersecurity alone is not the answer to maintaining a good overall security posture. It is crucial to establish that now, because how we handle IT complexity today will provide a model for how we respond to more complex, AI-driven attacks in the future.
Enter the monitoring, detection and response (MDR) service provider, an asset to any company that cannot handle multiple approaches to fully operationalizing cybersecurity by itself. A good MDR provider accounts for any and all types of breaches with eagle-eyed, round-the-clock vigilance and a team of engineers in its security operations center (SOC). It is attuned to AI-based threats while looking out for the more traditional ones and is prepared to thwart attacks and always remain one step ahead, even when the speed of ML is a complicating factor. While AI is used by the MDR provider to detect AI-based attacks and intercept them with an even more rapid approach than the cybercriminal employs, a good MDR provider is also armed with the most competent, mission-driven human engineers to weed out any false positives that ML might yield. It is crucial to combine human expertise with AI because the technology simply is not good enough yet without human oversight. The human engineer also can determine what is normal versus abnormal in an organization's specific environment. That awareness is key to immediately detecting a threat, then either stopping it in its tracks or going into remediation mode.
## The Benefits Of 24/7 Support
Threat actors will employ ML in the development of malware used to conduct attacks. A good MDR provider not only combines vigilance with speed to combat that but also employs AI capabilities to protect organizations and their critical assets, providing 24/7 support from the most skilled and knowledgeable SOC engineers. This approach is not AI-specific; it accounts for every attack method, from the most basic to the most intricate, which is the optimal approach to fully operationalizing cybersecurity. Some of the most nefarious hackers act so stealthily that they catch organizations by surprise time and again, leaving professionals baffled afterward.
In a nutshell, when defending against an AI-based attack, the fundamentals are the same ones the MDR service provider has always relied on: develop a single source of truth in the environment for sensing suspicious behavior, ensure the MDR provider has the right data to work with, and decide whether something is malicious or not, enriching the data along the way. Data enrichment is an important process; it brings you more meaningful insights and contextual information about attacks.
As mentioned above, it is essential to have a detection methodology regardless of how the attack is crafted. AI only changes the equation to the extent that it allows threat actors to bury their tactics and commit their actions faster. The approach is not one of "how do I use AI or ML to replace the human who is coming to the conclusions?" Rather, it is one of "how do I arm human engineers to succeed against AI-based attacks?" A good MDR provider does that by using ML to reduce noise and amplify signals for the human, enabling the human to oversee, analyze and work to restore order. AI is an aid while the human engineer looks out for any flaws requiring their expertise.
## Pivoting And Switching Tactics
Speed is not the sole challenge of AI-based attacks. Engineers also need to be attuned to the ability of bad actors to pivot from one tactic to another. Often, the threat actor attempts to infiltrate a network and establish a foothold, then does reconnaissance, assessing the overall environment and getting to know it well enough to manipulate it in more sophisticated ways. Depending on what they see, they'll launch different types of attacks. AI allows them to shorten the learning cycle and pivot more easily to even sneakier attacks as they learn to evade detection. They may try to identify the servers in the environment and, once they do, identify the domain controller housing identity information. This allows them to launch specific attacks on the identity layer once they've identified the critical assets. In this example, pivoting means they get in and they learn; then they turn to the next phase of the attack.
For an MDR provider, cybersecurity consists of devising the best countermeasures to attacks and cyber breach attempts at the highest levels. Defenders assess what is going on, threat actors develop countermeasures for evading that detection and prevention layer, and it's a never-ending cycle. As a result, from an MDR provider's perspective, it is necessary to continually enhance detection capabilities to keep pace with the evolving nature of how threat actors commit their attacks.
The importance of round-the-clock security from the MDR provider, especially with AI-based breaches, is that bad actors sneak up on companies when they aren't looking. An MDR provider offers threat feeds that are monitored for new zero-day disclosures, with each disclosed attack mapped back to its detection and prevention model. It is all about remaining one step ahead and being cognizant of the new and evolving methods attackers use to breach the environment. A good SOC engineer then addresses these questions: "What is the methodology? What tactics am I trying to observe? What data do I need from the environment to identify those new tactics?" They bear in mind that traditional risks are a concurrent factor as breaches evolve in sophistication. They then scan for vulnerabilities of any nature, prioritizing a company's critical assets to protect the organization. A highly skilled MDR service provider is armed at the ready with detection engineering functions and a thorough understanding of the latest tactics cyber attackers are using, bearing in mind that successful traditional ones haven't gone out of style.
## ABOUT THE AUTHOR

Dave Martin is vice president of managed detection and response (MDR) at Open Systems, which has been providing managed security services for more than 30 years. He is responsible for the strategic direction and product roadmap of SaaS, hardware and software cybersecurity products.