The concept of using artificial intelligence (AI) in cybersecurity is not new. Indeed, many organizations use AI as part of an in-depth security protocol. The trouble is, hackers now have easy access to the same sophisticated techniques that enterprises do, and they are nothing if not motivated. As malware becomes more stringent, smarter, and undetectable, are enterprise teams and tools ready for the challenge?
Although primitive, hackers have already included components such as building countermeasures into malware to detect runtime environments or sense detection attempts.
These early actions serve as a foundation for the development of more-critical thought about adaptive and evasive technologies and sophisticated situational awareness. As adversaries attempt to outsmart the companies and researchers trying to thwart them, using a combination of research and deep targeting is likely the future of malware.
Adaptive and Evasive Technology
Malware has always adapted to its environment, and AI has provided malware authors with a range of new opportunities. The days of using code to analyze behavior are coming to an end. The combination of a network card and specific geolocation is enough for malware to begin reconnaissance, so why risk getting caught doing resource development when those resources may not produce the results the malware author desires?
Suppose, for example, that the intended target is the corporate campus in Milwaukee, Wisconsin, and the malware senses it is in Berlin, Wisconsin. That 82-mile difference could mean the infected host is nearby but not exactly where the author intends to carry out the next move. In this case, the malware might sleep for 15 days and try again. If that attempt fails, the malware will adapt to its host environment and employ other resource development behaviors. This chess game is often complicated, but readily available models and actions make it easier for malware authors to play it successfully.
Marketers have used deep-targeting tactics for decades now. Learning the behaviors, habits, and values of individuals or groups is the staple of successful advertising campaigns. It stands to reason that this type of research and technology would bleed over to bad actors and malware authors.
There are numerous ways to use deep targeting against (often) unsuspecting victims. End-user behavioral analysis (UBA) is a product or tagline for many cybersecurity companies, because professionals who spot deviations can trigger security alerts.
Cybercriminals also use UBA to learn user behaviors and blend into their targets’ surroundings. The era when malware woke up at 3:00 a.m. to execute its attack is long gone. Now, 3:00 p.m. is when the user is busiest, which gives hackers better cover for slipping in a few illicit data packets here and there.
Another consideration with deep targeting is where to launch the initial hack. Social media is a treasure trove of useful metadata and behaviors. Getting users to click on a topic they feel passionate about is much easier than getting someone to interact with an off-topic post. Blending into social, political, and economic conversations takes little effort, and branching those topics opens many potential pathways for targeting victims. Now it is just a matter of cybercriminals prepping the audience and biding their time to launch the real objective: a nefarious campaign.
Spear Phishing via a Service
Spear phishing via a service employs third parties rather than targeting enterprise email channels directly. Unfortunately, mining social media (both personal and professional) is both simple and effective. Mapping an executive’s profile to a favorite charity gives a clear roadmap into content that has a high probability of ensnaring a new victim.
Determining Physical Location
Information about a target’s physical location can include various details, including the position of critical resources and infrastructure. This data may also indicate whether the victim operates within a legal jurisdiction or authority. Knowing those specifics allows adversaries to act quickly.
Hackers may environmentally key payloads or other malware features to evade defenses. This method uses cryptography to constrain execution or actions based on specific adversary-supplied conditions present in the target area.
This tactic focuses on destroying files on specific network systems and interrupting availability of services and resources. By overwriting content from local and remote drives, cybercriminals render stored data unrecoverable by forensic techniques.
Are You Ready for the Challenge?
Thankfully, the answer is more likely “yes” than “no.” The fundamentals still apply; the challenges will likely just come faster and with more variety. The past months have shown us that our strategies and biases are tested continuously. As noted, the vast majority of the time, the security fundamentals win. When they fail, however, there is the chance that they will fail massively. Mapping AI-based malware and campaigns via tried-and-true frameworks is a great way to remain informed as adversaries change tactics, employ new techniques, and attempt to use norms against their target.
Learn more about managing threats across your digital infrastructure
- Threat Intelligence