In this Q&A, FortiGuard Labs’ Derek Manky and Jonas Walker discuss the changing threat landscape and the role of artificial intelligence and machine learning in fighting today’s cyber threats.
What changes have you seen in the cyber threat landscape over the last three months?
Derek: We’re seeing weekly changes driven by three major factors.
- One, we’re seeing more speed and speed can kill. We often talk about the fact that there’s more sophistication and more threats out there. We know that, but what we’re seeing now is that there’s an agility piece here. Threats are getting into a system, hitting the targets, exfiltrating data, demanding ransom, and getting out of a system, much quicker than normal. This includes attackers capitalizing on new vulnerabilities, both zero-days and n-days. That’s one of the most concerning elements is this theme of speed when it comes to the offense.
- The second thing that we’re seeing is more aggression. You can imagine when you combine these together, you’re getting an even more potent mix, right? This is the problem. Yes, there is more speed, but there is more aggression as well. This includes the double extortion, triple extortion themes, and targeted attacks that we’re seeing too.
- Third, it’s about the tactics, the playbooks. There are more tactical approaches, and dual-stage attacks that we’re seeing after doing reconnaissance for information, including information that’s coming from social media works, for example. In addition to everything that we talked about before, we’re still seeing more volume. All of that translates to more risk.
What new attack tactics are you seeing used in the cyber threat landscape?
Jonas: If we look at the techniques, tactics, procedures (TTPs) and the playbook aspect, we actually have some big picture perspective on this. We’re looking at real data at a very granular level. There are a lot of developments but defense evasion is one of the top techniques that is being focused on by attackers. There are 42 different techniques associated with that.
In 2022, wiper malware has been much more active than recent years which ties into the theme of aggression. This is destructive malware that’s wiping out hard drives and master boot records of systems. We’re starting to see this tying into the world of extortion too. We’re not just talking about data at risk, but systems infrastructure at risk now.
Another popular attack pattern is targeting firmwares. Firmware attacks can come through various vectors, from malware and rootkits to infected hard drives, corrupted drives, and insecure firmware products. Hackers do not have to physically touch a device to carry out an attack. They can do so through remote connections like Bluetooth and Wi-Fi. This means that the growing market of connected devices, such as game consoles, mobile phones, and television, is increasingly becoming vulnerable to firmware hacking.
What can organizations do to protect against these attacks? How do AI and machine learning factor into the defense equation?
Derek: It’s important to distinguish the differences and they are all necessary. First, you have at the basic level – automation. Consider a threat feed with threat intelligence and with policies being applied. Without that, organizations would be lost, quite frankly. For example, we’re responding to 100 billion threats a day with FortiGuard Labs, and a majority of that is automated. Automation is largely to help with the volume of detections and policies needed at speed, reducing reaction time and offloading mundane tasks from SOC analysts.
Where machine learning and AI come into place are for the threats that are unknown. The question here is: how do you get ahead of the curve? AI is the action piece, whereas machine learning (ML) is the learning piece. Machine learning works on models, and each application can use a different model. Machine learning for web threats is entirely different than machine learning for zero-day malware. Organizations need to be able to do them all to effectively secure against various attack vectors. By utilizing machine learning and AI, you’re reducing risk dramatically. Also, you are offloading costs from your OpEx model since you don’t need to hire your way out of the problem.
Jonas: The other piece of that is the skills gap conversation. Machine learning goes a long way to not only replace, but fill those gaps. We know there’s a shortage in the workforce globally, not just in cybersecurity, of course, but specifically in cybersecurity, how do you address that the gap? Does it make sense to go and hire 20 to 30 people in your NOC or SOC – and even if you have the ability to do that – can you find the people? This is where machine learning solutions can support skilled employees. An integrated approach such as a security fabric is very powerful.
What are some additional protection measures you recommend to protect against today’s cyber threat landscape?
Derek: During my conversations with CISOs, they often say, “Derek you know I’m overwhelmed, there’s a lot of attacks out there, a lot of information, how do we simplify this?” Actionable threat intelligence is the answer to this. Networking and security are converging and that’s why you have to have actionable threat intelligence, and security subscription services tied into that. Being able to detect and respond to threats is the first priority and to understand the threat landscape. Essentially, you need all three of these working in harmony together: automation & orchestration, AI/ML, and escalation paths to SOC analysts on items that have been escalated as high priority.
Jonas: Segmenting networks is something that I recommend as a very effective practical approach to reducing risk, because a lot of these threats can penetrate potentially one device system. If you segment it, it won’t be able to spread and hit other systems and create further downtime.
Derek: Building on top of that, zero-trust and ZTNA are a big topic nowadays. There are a lot of things happening on networks, devices coming in and out, applications coming one and off, etc. The idea that nothing should be trusted inherently can significantly increase security, instead it should be earned trust. In addition to that, breach and attack simulation and having a plan ahead of time is critical. We often say, “It’s not a matter of if, but when, there’s going to be an attack.” Yes, you should do all the preparation work, but at the same time, have a game plan.
Jonas: Employee education and security awareness training is all something that should be implemented when addressing cyber threats of course. Employees are often the first line of defense in many cases.