PREDICTIVE INTELLIGENCE
Rather, detecting when credentialled
users enter parts of these applications
where they don’t belong requires AI
security systems that understand
their typical online behaviour well
enough to spot subtle anomalies. And
as employees’ responsibilities and
privileges inevitably change, such
systems must be able to adapt while
‘on the job’.
The necessity of this AI-driven approach to cyberdefence recently came to light when AI detected a serious threat on the network of a European bank. After stealing credentials or otherwise gaining access to a SaaS service, the cybercriminals ran scripts that searched for files containing keywords like 'password', a common tactic for locating files that store unencrypted passwords.
As they had already breached the
network, the attackers could have
reasonably expected to be in the clear
– having already successfully bypassed
any conventional security controls.
However, while these attackers would likely have exploited the cleartext passwords to escalate their privileges and further infiltrate the organisation, Artificial Intelligence was able to flag the activity as anomalous for the bank's particular network because it breached the following model: 'SaaS/Unusual SaaS Sensitive File Access'.

The interactivity of cloud services renders them an attractive target for advanced cybercriminals, who can often leverage a single user's SaaS credentials to compromise dozens of other accounts.

The latest AI cyberdefences shine a light on even the most nebulous traffic in the cloud.
Ultimately, the AI’s nuanced and
evolving understanding of what
constitutes ‘unusual’ behaviour for each
of the bank’s users and devices proved
critical, given that the suspicious file
access may well have been benign in
other circumstances.
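To make the bank case concrete, here is an added example (written for this article, not the vendor's own model, whose internals are not published) of the shape such a detector takes: it learns a per-user baseline of which folders and sensitive-named files each user normally touches, scores each new SaaS audit event against that baseline, and folds events judged benign back into the baseline so the model keeps adapting while 'on the job', as the opening paragraph of this section requires. The audit log format, the users alice and bob, the paths and the scoring weights are all constructed for illustration.

```python
"""Toy per-user baseline detector for 'unusual SaaS sensitive file access'.

Illustrative code added for this article; not the vendor's model. The audit
log lines, users, paths and score weights below are constructed examples.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# File names an attacker's 'password' keyword sweep would also hit.
SENSITIVE = re.compile(r"password|passwd|credential|secret", re.I)

# Constructed SaaS audit events: timestamp,user,action,path
SAAS_BASELINE = """\
2019-03-01T09:02:11,alice,FileAccessed,/Finance/Q1/budget.xlsx
2019-03-01T09:40:05,alice,FileAccessed,/Finance/Q1/forecast.xlsx
2019-03-02T10:15:30,alice,FileAccessed,/Finance/Q1/budget.xlsx
2019-03-01T08:55:00,bob,FileAccessed,/IT/Runbooks/vpn-setup.docx
2019-03-02T11:20:44,bob,FileAccessed,/IT/Secrets/service-passwords.xlsx
2019-03-03T14:05:12,bob,FileAccessed,/IT/Secrets/service-passwords.xlsx
"""

# Constructed events after an attacker starts using alice's stolen session.
SAAS_NEW = """\
2019-03-04T02:14:03,alice,FileAccessed,/IT/Secrets/service-passwords.xlsx
2019-03-04T02:14:05,alice,FileAccessed,/HR/Onboarding/shared-credentials.txt
2019-03-04T02:14:08,alice,FileAccessed,/Marketing/Tools/password-list.docx
2019-03-04T09:30:00,bob,FileAccessed,/IT/Secrets/service-passwords.xlsx
2019-03-04T09:31:00,alice,FileAccessed,/Finance/Q1/budget.xlsx
"""


def parse_events(text):
    """Parse the constructed CSV-like format into (ts, user, action, path)
    tuples, sorted by time so burst detection sees events in order."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), user, action, path.strip()))
    return sorted(events)


def top_folder(path):
    return path.strip("/").split("/")[0]


class SensitiveFileAccessDetector:
    def __init__(self, burst_window=timedelta(minutes=10), burst_limit=3, threshold=3):
        self.folders = defaultdict(set)         # user -> top-level folders they use
        self.sensitive_seen = defaultdict(set)  # user -> sensitive files they have opened
        self.recent = defaultdict(deque)        # user -> times of recent sensitive accesses
        self.burst_window, self.burst_limit, self.threshold = burst_window, burst_limit, threshold

    def absorb(self, ts, user, path):
        """Update the baseline with an access judged benign (learning on the job)."""
        self.folders[user].add(top_folder(path))
        if SENSITIVE.search(path):
            self.sensitive_seen[user].add(path)

    def learn(self, events):
        for ts, user, _action, path in events:
            self.absorb(ts, user, path)

    def score(self, ts, user, _action, path):
        """Return (score, reasons). Only sensitive-looking files are scored; the
        same access can be routine for one user and anomalous for another."""
        if not SENSITIVE.search(path):
            return 0, []
        score, reasons = 1, ["sensitive keyword in path"]
        if top_folder(path) not in self.folders[user]:
            score += 2
            reasons.append("folder never used by this user")
        if path not in self.sensitive_seen[user]:
            score += 1
            reasons.append("sensitive file never opened by this user")
        window = self.recent[user]          # sliding window of this user's sensitive accesses
        window.append(ts)
        while ts - window[0] > self.burst_window:
            window.popleft()
        if len(window) >= self.burst_limit:
            score += 2
            reasons.append(f"{len(window)} sensitive files within {self.burst_window}")
        return score, reasons

    def process(self, events):
        """Score events in order; alert on breaches, otherwise keep learning."""
        alerts = []
        for ts, user, action, path in events:
            score, reasons = self.score(ts, user, action, path)
            if score >= self.threshold:
                alerts.append((ts.isoformat(), user, path, score, reasons))
            else:
                self.absorb(ts, user, path)
        return alerts


if __name__ == "__main__":
    detector = SensitiveFileAccessDetector()
    detector.learn(parse_events(SAAS_BASELINE))
    for alert in detector.process(parse_events(SAAS_NEW)):
        print(*alert)
```

Run as-is, the detector raises three alerts, all for alice's 02:14 sweep of password-named files in folders she has never used, while bob opening the very same service-passwords.xlsx at 09:30 scores too low to alert because that file sits squarely inside his baseline. That asymmetry is the point made above: the file access is only 'unusual' relative to the particular user. Benign events are absorbed into the baseline as they arrive, so a user whose role genuinely changes stops generating alerts without anyone retraining the model.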
Social engineering
Perhaps the most difficult cloud-based attacks to counter are those that rely on social engineering, since they involve deceiving employees into handing over their credentials and other valuable information voluntarily.
In these cases, AI anomaly detection
is the optimal security strategy, as
thwarting a social engineering threat
before it’s too late means protecting
employees from their own mistakes.
In 2018, a device on the network of a property development company was detected attempting to connect to a rare external domain just two seconds after it had landed on office365.com.
The domain had a suspicious name and served, over plain HTTP, a form that collected sensitive data and transmitted it unencrypted, leaving it exposed to a man-in-the-middle (MITM) attack.
Further investigation indicated that an
employee at the property development
company had been tricked by a
shortened URL in a phishing email to
visit the suspicious domain.
Despite the user having actively clicked the URL to visit the page, Artificial Intelligence flagged the event as threatening because the destination domain was rare in comparison to the company's normal network activity.
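The phishing case above turns on four observable signals: the destination domain was rare across the estate, it was contacted within seconds of a legitimate login-provider domain, it was served over plain HTTP, and the form posted sensitive fields in cleartext. The following is an added example (written for this article, not the vendor's own model) that scores proxy-log events on exactly those signals. The log format, the workstation names, the lookalike domain office365-login-verify.example, the five-second follow window and the score weights are all constructed; the field names of a POST body are only visible to a network sensor because the connection is unencrypted.

```python
"""Toy detector for a rare domain reached right after a login-provider domain.

Illustrative code added for this article; not the vendor's model. Log lines,
devices, the lookalike domain and all thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

LOGIN_PROVIDERS = {"office365.com", "www.office365.com", "login.microsoftonline.com"}
CRED_FIELD = re.compile(r"pass|pwd|secret|token|otp", re.I)

# Constructed proxy log: timestamp,device,method,url,post_fields
# post_fields lists form field names seen in a cleartext body ('' otherwise).
PROXY_BASELINE = """\
2018-06-01T08:30:00,ws-01,GET,https://www.office365.com/,
2018-06-01T08:30:02,ws-01,GET,https://login.microsoftonline.com/common/oauth2/authorize,
2018-06-01T09:00:00,ws-02,GET,https://www.office365.com/,
2018-06-01T09:10:00,ws-03,GET,https://intranet.example/,
2018-06-02T10:00:00,ws-04,GET,https://www.bing.com/search?q=planning,
2018-06-03T11:00:00,ws-05,GET,https://intranet.example/,
2018-06-03T11:05:00,ws-05,GET,https://login.microsoftonline.com/common/oauth2/authorize,
"""

# Constructed traffic: ws-17 follows a shortened phishing link two seconds after office365.com.
PROXY_NEW = """\
2018-06-12T10:02:01,ws-17,GET,https://www.office365.com/,
2018-06-12T10:02:03,ws-17,GET,http://office365-login-verify.example/auth,
2018-06-12T10:02:40,ws-17,POST,http://office365-login-verify.example/auth,login;password
2018-06-12T10:30:00,ws-02,GET,https://intranet.example/,
2018-06-12T10:31:00,ws-02,GET,https://www.bing.com/search?q=lunch,
"""


def parse_proxy(text):
    """Parse the constructed format into (ts, device, method, url, fields), sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, device, method, url, fields = line.split(",", 4)
        names = [f for f in fields.split(";") if f]
        events.append((datetime.fromisoformat(ts), device, method, url, names))
    return sorted(events)


class RareDomainDetector:
    def __init__(self, follow_window=timedelta(seconds=5), rare_device_limit=1, threshold=4):
        self.seen_by = defaultdict(set)   # host -> devices that have ever contacted it
        self.last_login = {}              # device -> last time it reached a login provider
        self.follow_window, self.rare_device_limit, self.threshold = follow_window, rare_device_limit, threshold

    def absorb(self, device, host):
        """Record a benign contact so the domain becomes less rare over time."""
        self.seen_by[host].add(device)

    def learn(self, events):
        for _ts, device, _method, url, _fields in events:
            self.absorb(device, urlsplit(url).hostname or "")

    def score(self, ts, device, method, url, fields):
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in LOGIN_PROVIDERS:
            self.last_login[device] = ts  # a lookalike page often follows within seconds
            return 0, []
        score, reasons = 0, []
        n = len(self.seen_by[host])       # rarity is measured across the whole estate
        if n == 0:
            score += 2
            reasons.append("domain never seen on this network")
        elif n <= self.rare_device_limit:
            score += 1
            reasons.append(f"domain seen from only {n} device(s)")
        last = self.last_login.get(device)
        if last is not None and timedelta(0) <= ts - last <= self.follow_window:
            score += 2
            reasons.append(f"{(ts - last).seconds}s after a login-provider domain")
        if parts.scheme == "http":
            score += 1
            reasons.append("plain HTTP: form data exposed to MITM")
        if method == "POST" and any(CRED_FIELD.search(f) for f in fields):
            score += 2
            reasons.append("credential-like fields posted in cleartext")
        return score, reasons

    def process(self, events):
        alerts = []
        for ts, device, method, url, fields in events:
            score, reasons = self.score(ts, device, method, url, fields)
            if score >= self.threshold:
                alerts.append((ts.isoformat(), device, url, score, reasons))
            else:
                self.absorb(device, urlsplit(url).hostname or "")
        return alerts


if __name__ == "__main__":
    detector = RareDomainDetector()
    detector.learn(parse_proxy(PROXY_BASELINE))
    for alert in detector.process(parse_proxy(PROXY_NEW)):
        print(*alert)
```

Run as-is, the detector alerts twice on ws-17: once for the GET to the never-seen domain two seconds after office365.com over plain HTTP, and again for the POST that carries a field named password in cleartext. ws-02 browsing the intranet and bing.com scores low because other devices on the estate already use those domains. Note that the user clicking the link willingly is irrelevant to the score, which is the point the article makes: the signal is the domain's rarity relative to the company's own traffic, not the user's intent.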
Issue 16 | www.intelligentciso.com