Recognizing and Defending Against Automated Cybercrime

Automated Technologies Used in Cyberattacks

Several years ago, cyberattacks enabled by malware named WannaCry and NotPetya captured the attention of cybercrime watchers everywhere.

Designing and installing advanced cyber security strategies to combat these threats became the need of the hour. Why? Times and cybercrime were changing:

• Attack targets have changed. Attacks started with customer data and IP at enterprise companies but shifted to SMBs and government agencies. Now, the emphasis is on ransomware and phishing attacks, often at smaller companies.
• Cyberattacks became more efficient. Cybercrooks have been using automation to do more harm to more targets in less time.
• Business, legal, and compliance consequences continue to grow. It simply doesn’t pay to practice cyberattack denial.

Malware attacks + automation = big trouble for network users

For years, cybercriminals have tweaked malware so that security software can’t discover it or identify it as malicious.

Large-scale threat intelligence efforts were launched to spot every variation of known malware and put copies of it into databases so that each instance could be identified and neutralized.

But identifying millions of bits of malware is difficult, especially when they are deliberately disguised. Increasingly, security pros started using machine learning to stop familiar and new, unknown types of malware.

Knowing an effective tool when they see one, cybercriminals started using machine learning, too. Unfortunately, they adapt and deliver software that is more adaptable and sophisticated than that of legitimate developers.

Now, the bad guys developed machine learning-enabled attacks and are using them against businesses and government agencies.

The use of automation and related technologies are familiar exploits. But this is old news. What makes automated cybercrime riskier for smaller-scale business operations?

A Europol report warns that artificial intelligence (AI) and other forms of automation could make cyberattacks more dangerous and difficult to spot.

For example, machine learning-based malware can automatically send phishing email messages to learn what language works best in cyberattacks and how to design attacks for specific types of targets.

Modern cyberattacks use several types of automation: robotic process automation, artificial intelligence, and machine learning, a specific subset of AI.

Each contributes its capabilities to finding, organizing, analyzing, and distributing huge volumes of data at lightning speeds.

Robotic Process Automation

This is a process in which software intelligently automates (outsources) boring, repetitive tasks—typically performed by humans—to mechanical devices or other software programs.

RPA is important because it can delegate manual, boring tasks to bots, which can perform them without humans having to monitor or control them.

RPA role in automated cybercrime. Outsourcing tasks to non-human workers saves enormous amounts of time and money and enables many tasks humans cannot perform. (Example: Scanning 1.2 million instances of malware in a threat intelligence database.)

However, the convenience that RPA provides encourages a “set it and forget it” mentality and all its security risks.

Bots often get access to sensitive network data and systems. RPA bots use privileged access to perform tasks, moving data between systems and processes.

RPA bots provide a handy pipeline to an organization’s data when exploited. Because RPA bots need access to different applications to handle data, access credentials are often hard-coded into scripts or pulled in from insecure locations.

These worst practices are common sources of illegal entry into networks and data stores.

Machine Learning

Machine learning is the umbrella term for the ability of computers to adapt, learn, and respond to changes in the environment without being specifically programmed for specific tasks.

In modern cybercrime, machine learning takes center stage with machine learning-enabled attacks (MLEA). By using machine learning, hackers can automate some or all steps in the data breach process, including:

• Discovering vulnerabilities, finding a weakness in the targeted network.
• Exploiting initial weaknesses, using a weakness to get into the network.
• Exploiting a targeted weakness, finding vulnerabilities within the network.
• Stealing data, removing sensitive or valuable data from the network.

The security trade press notes these MLEA-related trends and predictions:

• With MLEA, phishing attacks are also expected to become more sophisticated. Computer programs can learn enough about you to accurately imitate a boss, coworker, friend, or reputable organization with increasing precision.
• Hackers increased the number of attacks they carry out in each campaign. Hackers use machine learning techniques to carry out a greater number of attacks with a higher rate of success.
• SMBs are preferred targets for hackers. Hackers view smaller businesses as lacking IT resources, which makes them easier to exploit with mass automation and machine learning tools.

Artificial intelligence

Cybercriminals now use AI to scale up their social engineering attacks and make them more efficient. Some forward-looking hackers also use AI to identify new weaknesses in networks, devices, and applications as they emerge.

By rapidly identifying opportunities for human hackers, keeping information secure is made much tougher. Real-time monitoring of all network access and activity combined with frequent, consistent patching is vital to combat these emerging threats.

Cloud-Based Services

The cloud isn’t an attack technology but provides a new and fertile IT environment where automated cyberattacks occur with greater and greater frequency.

Little assumptions create big dangers

Small-office business operators often assume that compromised cloud services create less disruption than more traditional on-premises services do.

This mistake can lead administrators and IT ops teams to cut corners when secure cloud infrastructure is concerned.

There’s also a naïve belief that hosted service providers take responsibility for the security of client data.

Cloud-hosted services still require ongoing monitoring, risk management, backups, upgrades, and maintenance as traditional IT infrastructures do.

If it’s been a while since you reviewed your cloud resource security, now is a good time. Attacks are now so highly automated that significant damage can be done in little time.

This applies to attack targets and collateral damage (compromised servers are used to stage further attacks).

Types of Automated Cyberattacks

So, what forms do automated cyberattacks take? Researchers studied underground cyber economies and listed 10 of the most common automation services hackers use. Most of these tools and services are part of active hacking campaigns.

Or they are traded in dark web forums. Why automate? It’s the simplest, fastest, most efficient way to launch more attacks and generate larger amounts of profit.

Data breaches and database sales

Hackers who distribute stolen databases often use automation to choose and offer the most valuable data (email addresses, payment card data, passwords, and other personal information.

• Brute force attacks.
  
Credential stuffing and brute force attacks are commons way that threat actors use automation in cyberattacks. By using lists of stolen or frequently used passwords, hackers fully automate the account break-in process with automated password cracking tools, which do all the work.
• Loaders and cryptors
.
  These bits of software enable hackers to deliver and hide other malicious software from antivirus programs. Malware authors automate attack processes in advance, enabling hackers to install the malware without hands-on effort.
• Stealers and keyloggers
.
  These types of malware provide cybercriminals with preconfigured tools that steal login credentials from popular websites or monitor every keystroke on a specific website.
• Banking injects
.
  Widely available on the dark web, these modules are typically bundled with banking trojans (viruses) that inject HTML or JavaScript code into a process. The malware reroutes users from legitimate financial websites to fake ones designed for data theft. Dark web operators provide users with an automated exploit kit—no IT experience required.
• Exploit kits
.
  These comprehensive tools include several types of exploits, which infect damage to known web browser weaknesses without human attention or effort. Like the Fallout exploit kit (a big favorite of hackers), these tools can be found for sale on the dark web.
• Spear phishing.
  Spear fishing is a type of social engineering exploit that requires more complex techniques than spam attacks. Hackers address this complexity by automating several steps of a phishing attack and using templates and frameworks easily bought on the dark web.
• Bulletproof hosting services
.
  These third-party services are a cornerstone of the cybercrime economy. With the promise of a haven to cyber criminals, BHS providers hide malicious activity and prevent law enforcement shutdowns. BHS services often run on automated techniques such as geo-spoofing, which prevents all detection methods.
• Credit card sniffers.
  
Underground forums provide full-service trade-in sniffers. This malware steals card-not-present data from checkout pages of online websites. Attackers use this valuable data themselves or sell it to others.
  The sniffing process uses a malicious JavaScript injection, automatically collecting payment card information and personal data. The data is sent directly to an attacker-controlled command-and-control system for later use.

But, as threat actors use automation to scale their efforts, network security defense teams are not sitting on their hands. They are using a similar approach and many of the same automated tools as the criminals.

Automated Defense Technologies and Solutions

Increasingly powerful; cyber-defense measures can help organizations avoid or reduce the damage of cyberattacks. And automated tools and solutions can make cyber-defense measures more efficient and effective.

Automation provides impressive defense capabilities to IT security professionals everywhere.

Automated Cyber-defense Technologies and Processes

It’s safe to say that high-end hackers have gone corporate. With their research budgets, 21st-century cyber-thieves constantly improve their products. Malicious software and processes are stealthier, smarter, and more able to cripple IT infrastructures.

Criminals are using cloud services and automated technology to speed up attacks, decreasing the time enterprises get to identify and respond to a data breach or disruption attack.

Security specialists constantly develop innovative ways to win much of that time back. They use automated technologies to defend data and network infrastructures from harm.

Cyberdefense technologies

Here’s the lineup of technologies that play important roles in cybersecurity defense.

Artificial intelligence/deep learning. AI plays an increasing role in cybersecurity. Data analytics tools engage in high-speed, high-volume processes to identify, gather, and analyze data from millions of cyber incidents. Results help to identify potential threats—an employee account acting strangely when someone clicks on a phishing link or a new malware variant, for example. AI now defends network cybersecurity by:

• Identifying abnormal network behavior patterns
• Identifying new malware.
• Responding to and limiting damage of suspected incidents in real time.

Deep learning-based tools detect threats or unwarranted activities by analyzing logs, transaction data, and real-time communications.

Network behavior analysis. This technique, which targets social media and online advertisements to a carefully defined audience, also has a place in cybersecurity.

When combined with machine learning methods, behavioral analytics helps security pros detect harmful system or network behavior patterns and respond to cyber threats in real-time.

Internet-connected devices (IoT). IoT devices enable organizations to connect devices to networks and transfer data without human intervention. They drive automation, productivity, and efficiency, making them valuable in cybersecurity efforts.

Embedded authentication hardware. Embedded authenticators are emerging technologies that confirm a user’s identity. First introduced in 2016 as Intel’s sixth-generation vPro chip, this approach to hardware authenticators was claimed to offer better protection from interference and manipulation than their software equivalents.

These powerful user authentication tools are embedded into a device’s hardware. Each device uses several levels and authentication methods that work together. Now, interest and the market value for this technology are growing rapidly.

Automated cybersecurity processes

Automating these IT processes give organizations remarkable improvements in their cybersecurity defenses.

Detecting malware and disruptive activity. Implementing good data governance through automated techniques limits total risk when an incident happens. However, it would help if you wanted to detect and try to stop an attack before it advances.

Unfortunately, when security defenders use conventional techniques such as virus scanners, modern malware such as Sodinokibi is hard to detect.

One reason for this difficulty is that the malware takes advantage of existing Windows software such as PowerShell and other standard utilities.

Responding to attacks in real-time. Machine learning-based, defensive software identifies and reacts to suspected problems almost immediately, preventing potential issues from disrupting business without relying on humans having to monitor everything at once.

Advanced security software compares data that describes current application behavior against baseline data stored online. (This includes all aspects of a web application’s normal behavior, such as directories, URLs, parameters, and acceptable user inputs.)

Rules-based analysis determines if app behavior is “safe.” If the situation isn’t safe, the application blocks attacks within seconds.

Advanced Cyberdefense Capabilities

With their R&D budgets, 21st-century cyber-thieves are always improving their product, making them faster, stealthier, and smarter about detecting and deleting backups and crippling other defenses.

Finding sensitive data for millions of files, adjusting permissions, and then monitoring for threats in these enormous corporate file systems is beyond the capabilities of IT teams. That is unless they have significant help from software automation.

Detecting malicious software and disruptive processes

Uncovering new kinds of malware isn’t the only way machine learning can boost cybersecurity. Important capabilities also include:

• Describing typical network behavior. AI-based network monitoring tools can also track what users do daily: build a picture of typical network behavior, against which they can detect anomalies and react accordingly.
  AI can be highly effective in detailed network monitoring and analytics, establishing a baseline of normal behavior and flagging discrepancies. The difference between machines and humans: efficiency. AI tools can do many more operations in a short time (think milliseconds) with fewer false positives.
• Learning when alerts are effective. As the data set grows and receives more feedback on its decision-making, it can gain more experience and get better at the task of defending your network.
• Finding and neutralizing intrusions. Rapid response times provide the best chance of limiting the many types of damage that hackers, break-ins, and stealth exploits can do. Advanced security software gives software users the authority to nullify threats and block intrusions in real-time.

Role of automated tools and processes

One important first step is to have automated data governance practices: software for efficiently scanning file systems, determining employee access patterns, and then setting permissions that limit access to those who need it.

In addition, cyber defense software should be able to classify corporate data to find sensitive information — credit card numbers, passwords, and other account data — and lock these files down with special permissions.

Resource Requirements

The benefits of using infrastructure as a service (IaaS) provider are obvious. There’s no need to spend money buying and maintaining expensive servers and computing power to manage your data and IT operations. And you get a general sense that your data is safe. After all, it’s in the cloud.

Well, maybe. Business owners: take a long look at the fine print in your service contract. Your data might not be as thoroughly protected as you think.

When you post your data in the cloud, the IaaS (cloud hosting) provider is responsible for the protection of the basic IT infrastructure that contains your data and apps.

You, the business owner, are responsible for protecting your own data. Look at this graphic. (Source: Amazon Web Services)

This model clearly portrays how the customers and cloud services communicate with each other. The IaaS provider can support you by giving you secure infrastructure, bandwidth access, and disaster recovery, but it is up to you to be aware of the limitations of cloud computing and how you protect your information.

Engaging a Third-Party Managed Security Services Provider

Small to mid-sized businesses continue to face a threat from cybercrime. Security technical reports and white papers share a gloomy outlook for SMB owners. And your chances of flying under the radar of cyber crooks are not good.

The current demand for reliable security services has created one more as-a-service: the MSSP. Managed security services providers sell specialized cloud-based services to organizations of all sizes. MSSPs support some or all aspects of their clients’ security functions, which typically include some level of:

• Continuous security monitoring.
• Vulnerability risk assessment.
• Threat intelligence monitoring.
• Intrusion response and management.

Before you groan, “But I can’t afford that!” consider this: In terms of time, money, and on-premises talent, can you afford to:

• Assemble the tools and talent to monitor your network security on a 24 x 7 basis? Cyber crooks (or rather, their automated bots) don’t sleep.
• Hire the talent that performs preliminary risk assessments, tests the security capabilities of your software and hardware assets, and finds vulnerabilities in your network assets?
• Do all the security-related administrative tasks you hate (patching!) thoroughly and consistently?
• Assemble the latest tools and software to minimize the damage of a breach or ransomware?

We understand if you answer “no” to any of these questions. But ultimately, it all comes down to judging the costs of ongoing security support services versus the expected value of Something Going Wrong at your business.