Cyber-attacks are getting personal. The usual opportunistic “spray and pray” attacks that reach many would-be targets at once are still present, but as cyber defence has advanced, today’s more sophisticated campaigns take precise aim at a particular company.
Threat actors willingly put in extra time and effort to realize a bigger payday at the end of it, but developments in the tools they have at their disposal are also making targeted, personal attacks easier.
CAPTCHA-breaking AI techniques like computer vision and convolutional neural networks can be used to gather information on an organization’s attack surface, and Generative AI is able to perform OSINT collection on a specific target, or targets, within an organization. Once inside, attackers can further leverage AI to automatically tweak attacks and create novel, highly targeted threats that elude defenses.
A new white paper, The CISO’s Guide to Cyber AI, explains how CISOs and their teams can make smarter use of defensive AI and machine learning (ML) to protect today’s digital environments from these and more advanced novel threats.
Today’s threats don’t necessarily resemble past attacks
Darktrace analytics pointed to a sharp rise in novel cyber-attacks earlier this year. Generative AI and large language model (LLM) tools continue to lower the barrier to entry for threat actors, making it easier than ever to build smarter, faster, more targeted attacks.
But while attacks are getting personal, security tools that apply AI in the wrong way won’t see these attacks coming.
Here’s why: most cyber security tools and platforms rely on a combination of supervised machine learning, deep learning, and transformers to train and inform their systems. This entails shipping your company’s data out to a large data lake housed somewhere in the cloud where it gets blended with attack data from thousands of other organizations. The resulting homogenized data set gets used to train AI systems — yours and everyone else’s — to recognize patterns of attack based on previously encountered threats.
At its conception, this was a reasonably smart way of approaching cyber security. For a long time, the assumption that today’s threats will resemble yesterday’s attacks was a valid one. But in an age where the commoditization of cyber-crime has lowered the bar-to-entry for attackers, and where Generative AI and other open-source tools are enabling personalized attacks at scale, this is no longer the case.
Darktrace has seen evidence this year of a marked rise in more sophisticated attack techniques. Between May and July this year, our Cyber AI Research Centre observed that multistage payload attacks, in which a malicious email encourages the recipient to follow a series of steps before delivering a payload or attempting to harvest sensitive information, have increased by an average of 59% across Darktrace customers. Some of this will be QR code phishing, the latest trend in attack tactics, others will include automation. The speed of these types of attacks will likely rise as greater automation and AI are adopted and applied by attackers.
This ‘historical’ approach is not able to identify threats that haven’t been seen before: attacks that use new malware, novel social engineering, and those that are targeted to your organization. There are no indicators of compromise (IoCs) to teach your system to recognize these kinds of attacks.
IoC-based defenses won’t necessarily spot strange and unusual activity by an authorized user, device, or known IP address until threat actors tip their hand — and by then it’s too late. Looking for repeat patterns works well for detecting threats that resemble past attacks, but this increasingly won’t be the case. The only way to spot unique and novel threats is to build cyber security that’s tailored to you, and that requires a whole new approach.
Smarter use of AI levels the playing field
Security teams and adversaries continue to innovate to gain the upper-hand, and the advantage of time.
Since AI equips even novice cyber criminals to mount sophisticated attacks, AI must evolve to do three things:
- Understand and continue to learn what “normal” looks like for your unique digital environment
- Detect and alert on any anomalous behavior the instant it occurs
- Initiate a targeted response to contain threats and give your analysts more time, without disrupting the flow of business
Darktrace uses Self-Learning AI to understand what constitutes ‘normal’ for everyone and everything in your business, including cloud resources, identities, email accounts, endpoint devices, and even OT controllers. As the name suggests, Self-Learning AI trains itself, developing and maintaining deep understanding of ‘patterns of life’ for your business environment. Used in combination with other AI methods such as LLMs, generative AI, and supervised ML, Self-Learning AI identifies novel cyber-threats most static (backward-looking) tools miss.
The technology learns ‘on the job’ and from scratch, without relying on historical data or a massive upfront effort by your team to train the system. Probabilistic mathematics revise assumptions about behavior on a constant basis so the system keeps itself up-to-date without repeat efforts by your team.
The result is that areas of risk, as well as real-time emerging attacks, are brought to the surface – regardless of whether those attacks have been seen before in the wild.
Surgical attacks warrant surgical response
Supervised ML continues to serve a purpose, but the dawning age of novel and AI-led attacks favors a more proactive approach to securing the cloud. Tools must take greater responsibility for their own education and greater initiative via autonomous response.
What some solutions call response ultimately amounts to sending alerts and opening tickets that create more needless work for analysts. Other tools claim to automate response, but either take very limited actions like automating the process of ticket creation, or overly ambitious steps like quarantining entire systems.
Darktrace’s dynamic understanding of your environment enables a truly autonomous and precise cloud-native response. Its understanding of ‘normal’ for every user and device allows it to enforce ‘normal’ – cutting out only the malicious activity, while allowing normal business to continue functioning.
How this response will take place will depend on where Darktrace is deployed in your environment. In the network, it might mean blocking specific, anomalous connections over a certain port. In the cloud, it could mean detaching EC2 instances and applying security groups to contain only assets at risk. In email, this could be locking links or flattening attachments.
Get personal with ‘One on One’ Security
The widespread accessibility of generative AI has altered the threat landscape permanently, allowing cyber-criminals to deploy unique and personalized attacks at scale and at machine speed. In the near future, we can expect to see more novel and sophisticated phishing attacks, new automated creation of malicious code, sustained attack campaigns targeting an individual or company, and even deep fakes designed to elicit human trust.
To meet the needs of today and tomorrow, cyber security needs to leverage AI deeply and intelligently – not just using it to automate outdated historical approaches, or bolting generative AI onto existing products to keep up with the latest trend. Since 2013 Darktrace has been using AI in a fundamentally unique way: a system that learns your unique organization and understands what’s normal at a granular level. Only with this personalized understanding can you be confident in your ability as an organization to identify and shut down novel threats on the first encounter.
This form of personalized, ‘One on One’ security is a no longer a ‘nice to have’ for defenders. ‘Spray and pray’ tactics will continue to exist, but the attacks most likely to slip through the net and cause you damage are the sophisticated, the personal, and the never-before-seen. That’s what Self-Learning AI was built for – learning your business to deliver personalized cyber security, meeting every attack one-on-one.
The CISO’s Guide to Cyber AI overviews the differences between common AI approaches in cyber security and offers a high-level checklist for choosing the ideal solution for stopping attacks — including new novel threats. To learn more about making the smartest use of AI to stop novel and targeted cloud attacks, download the guide today.