SOT

SOT

SOAR
Security Orchestration, Automation and Response

Automation of response to information security incidents using dynamic playbooks and information security tools, building an attack chain and with an object-oriented approach

NG SOAR
Next Generation SOAR

Automation of response to information security incidents with built-in basic correlation (SIEM), vulnerability Scanner (VS), collection of raw events directly from information security tools, dynamic playbooks, building an attack chain and an object-oriented approach. AM and VM are included

AM
Asset Management

Description of the IT landscape, detection of new objects on the network, categorization of assets, inventory, life cycle management of equipment and software on automated workstations and servers of organizations

VS
Vulnerability Scanner

Scanning information assets with enrichment from any external services (additional scanners, The Data Security Threats Database and other analytical databases) to analyze the security of the infrastructure.

VM
Vulnerability Management

Building a process for detecting and eliminating technical vulnerabilities, collecting information from existing security scanners, update management platforms, expert external services and other solutions

FinCERT
Financial Computer Emergency Response Team

Bilateral interaction with the Central Bank, namely the transfer of information about incidents and receipt of prompt notifications/bulletins from the regulator

GovCERT
Government Computer Emergency Response Team

Bilateral interaction with the state coordination center for computer incidents, namely the transfer of information about incidents and receipt of prompt notifications/bulletins from the regulator

Mail us to sales@securityvision.ru or get demo presentation

SDA

SDA

TIP
Threat Intelligence Platform

Cybersecurity threat data collection, analysis, enrichment, infrastructure detection, investigation and response.

UEBA
User and Entity Behavior Analytics

Building behavior models and detecting deviations from them using several dozen built-in static analysis rules.

AD + ML
User and Entity Behavior Analysis

Dynamic behavioral analysis to search for anomalies using machine learning and to search for possible incidents.

Mail us to sales@securityvision.ru or get demo presentation

GRC

GRC

RM
Risk Management

Formation of a register of risks, threats, protection measures and other control parameters, assessment using the chosen methodology, formation of a list of additional measures to change the level of risk, control of execution, periodic reassessment.

ORM
Operational Risk Management

Accounting and recording of operational risk events, monitoring of key risk indicators and self-assessment/control

CM
Compliance Management

Audit of compliance with various methodologies and standards

BCM
Business Continuity Management

Automation of ensuring continuity and restoration of activities after emergencies.

OTS
Operational Technology Security

Operational Technology Security

Mail us to sales@securityvision.ru or get demo presentation

DEMO
presentation

SOT

Technology
SOAR

Security Orchestration, Automation and Response
NG SOAR

Next Generation SOAR
AM

Asset Management
VS

Vulnerability Scanner
VM

Vulnerability Management
FinCERT

Financial Computer Emergency Response Team
GovCERT

Government Computer Emergency Response Team

GRC

Processes
RM

Risk Management
ORM

Operational Risk Management
CM

Compliance Management
BCM

Business Continuity Management
OTS

Operational Technology Security

SDA

Analytics
TIP

Threat Intelligence Platform
UEBA

User and Entity Behavior Analytics
AD + ML

User and Entity Behavior Analysis

All products

SOT

Technology

SOAR

Security Orchestration, Automation and Response

NG SOAR

Next Generation SOAR

AM

Asset Management

VS

Vulnerability Scanner

VM

Vulnerability Management

FinCERT

Financial Computer Emergency Response Team

GovCERT

Government Computer Emergency Response Team

GRC

Processes

RM

Risk Management

ORM

Operational Risk Management

CM

Compliance Management

BCM

Business Continuity Management

OTS

Operational Technology Security

SDA

Analytics

TIP

Threat Intelligence Platform

UEBA

User and Entity Behavior Analytics

AD + ML

User and Entity Behavior Analysis
All products
Clients FAQ

Current cybersecurity trends in 2021

Current cybersecurity trends in 2021
28.09.2021

  |  Listen on Google Podcasts  |   Listen on Mave  |   Listen on Yandex Music  |     


Ruslan Rakhmetov, Security Vision


The speed of development and changes in cyberspace in recent years amazes not only inexperienced users, but also venerable IT and IS specialists. Not even the amount of data processed, the number of devices or applications/services connected to the Internet, but the concepts and technologies themselves are evolving exponentially, and comprehensive digitalisation and the shift of most businesses online due to the pandemic have only accelerated this trend.


The evolution of today's cyberspace and cyber threat landscape is driven, among other things, by the development of tools to create new, more advanced technologies, which, in turn, entails further acceleration in the creation of the next generations of technologies and tools. The widespread use of high-level and ultra-high-level programming languages, powerful frameworks and development environments, the development of cloud infrastructures and virtualisation and containerisation technologies make it possible to release a new application or service in an unprecedentedly short time.


Cyber threats are also multiplying at the same rate, as attackers use the same high-performance development tools, but for their own purposes. This brings the level of cyber countermeasures to a new level: if earlier the confrontation with attackers could be described as a battle of wits and customised information security tools, now it can be called a full-fledged ‘war of the machines’, in which artificial cyberintelligences fight. In this article we will talk about current cybersecurity trends in 2021: attacks on supply chains and third parties, attacks on elements of the Internet of Things and cloud infrastructure protection, security of personal data (including biometric data), countering various crypto-extortionists and illegal cryptocurrency mining, and the use of artificial intelligence in IS. Let's go!

1. supply chain attacks

Modern large high-tech companies try to competently build information security processes, such as cyber risk management, vulnerability and update management, working with information security tools, collecting and analysing logs, and IS audits. However, even for a highly qualified specialist, much modern software remains a ‘black box’: they are often forced to blindly trust vendors - manufacturers of operating systems, application software and even developers of security tools. Few companies have dedicated employees who can reverse-engineer software products to understand what functions a particular component performs. And if we take into account that updates for software solutions are released almost every day, it becomes clear that it becomes almost unreal to check such volumes of code. Thus, companies willy-nilly become dependent on the competences and cyber security state of the vendor.


Recent examples of such supply chain attacks are the notorious hacks of IT giants SolarWinds and Kaseya. In both cases, attackers made malicious changes to the source code of these companies‘ software solutions, which resulted in all consumers - customers of these IT solutions - becoming vulnerable to unauthorised attackers’ influence: the infected systems contained the so-called ‘backdoor’, i.e. a malicious module that receives control commands from the hackers' server. Thus, even a well-built IS system would be powerless in this case - all software updates from SolarWinds and Kaseya containing the malicious module were signed with a correct digital signature, and there was no reason to distrust them. Moreover, even the employees of these IT vendors themselves did not know that unauthorised changes had been made to the source code of their software.


Another example: GitHub repositories containing the source code of open source projects, i.e. programmes based on open source code, available for everyone to read, and usually distributed for free. These repositories are also potential sources of supply chain attacks - an attacker need only get hold of a GitHub user account that has the authority to make changes (known as commit) to the source code of a project. Having made malicious changes, the attackers only have to wait for the project code to be uploaded by the vendor of the software solution under attack, as it is no secret that many commercial products use open source components under the bonnet.


An option to protect against attacks on supply chains would be a set of measures aimed at checking the reliability of the software vendor and analysing the state of information security processes built by the vendor. To verify reliability, classic economic security tools can be used, including informal audits of financial records, data requests in systems such as Interfax-SPARK and Contur-Focus, and meetings with company management. To analyse the state of information security in vendors, you should prepare a questionnaire (checklist) in which you should formulate all the IS requirements of your company in the form of questions, for example: whether the company has agreed risk management and cybersecurity procedures; what are the software and vulnerability management processes; whether developers follow secure software development life cycle rules (SSDLC - secure software development life cycle) and, if so, what are they; what is the process of creating product documentation; whether static and/or dynamic software is used; what is the process of creating product documentation; what is the process of creating product documentation?


To solve the problem of malicious modules deployed by vendors using technical measures, we can recommend that customer companies analyse the anomalous behaviour of installed software components, especially recently updated ones, with UEBA (user and entity behaviour analysis) and IDS/IPS (intrusion detection system / intrusion prevention system) class systems. If suspicious patterns are detected in software network interaction, when running various additional utilities, possibly downloaded ‘on the fly’ from Internet repositories, or when attempting to perform undocumented operations, you should promptly perform a check.

2- Third Party Attacks

Third party attacks are similar to the supply chain attacks discussed above, but the difference is that the attacked counterparties (suppliers, contractors, partners, even customers and clients) may unknowingly become a ‘springboard’ for hackers. This can happen in the following way: let's say your company has a contractual relationship with a contractor. This implies some kind of document flow, which will most likely be done electronically, and for this purpose, again, most likely, some kind of trusted connection will be configured - most often a VPN tunnel or an account in your internal infrastructure for an employee of the contracting organisation. Thus, some part of your IT infrastructure and internal resources will be available to your contractor - for example, shared network drives, internal web portals, some business applications. Or, the contractor's employees will connect to your IT infrastructure using an account issued to them, thus accessing your company's internal systems and resources. Attackers who originally planned to compromise your infrastructure may take a roundabout way when they realise that your systems are sufficiently protected: the hackers will first try to attack your contractor's IT systems, which may be less secure, then, once they have a strong foothold there, they will try to reach the original target using either a configured VPN tunnel or a stolen login and password for an account with remote access to your infrastructure. In this way, the attacked company acts as a ‘proxy’ for the attackers, allowing them to access assets of interest (documents, finances, personal data) on behalf of your contractor.


This attack differs from supply chain attacks in that it can be easily prevented by applying the Zero Trust principle to all entities that appear in your IT infrastructure. This means checking all accounts, all devices, all network connections, and all running processes regardless of who initiates them. For each entity, be it an executive account, an engineer's smartphone, or even a printer in a conference room, you can calculate a scoring score of trustworthiness that is reduced when connecting from previously unknown locations (atypical cities and countries), after hours, or when there are active cyber incidents on the device. If you look at the problem more broadly, the laptop of your employee who works from home and downloads various files from the Internet to his computer outside of working hours, which then connects via VPN to the corporate network, can become a ‘proxy server’ for attackers. In applying the zero trust principle, we are guided by the paradigm of checking all entities in our IT infrastructure based on several factors such as OS version, OS updates and software patches installed, presence of a working anti-virus tool on the device connecting to the network, time of connection, country of connection, and deviations in normal device behaviour (again, anomaly and pattern analysis systems such as UEBA solutions can help).


Organisational measures, however, can also be applied to this type of attack - the questionnaire described in the previous paragraph can be used as a basis. This checklist should include questions about the counterparty company's agreed information security and risk management policies, OS and software update procedures and rules, the information security tools used, applicable legal provisions and internal regulations. The answers to these questions will help to understand the overall IS maturity level of the counterparty company, and this level should be taken into account when deciding whether or not to cooperate with this contractor, supplier or client. If the cybersecurity requirements of the counterparty company are clearly not fulfilled, but it is necessary to interact with it, it would be very reasonable to treat all incoming information flows from this counterparty like any other unauthenticated, possibly malicious, information from the Internet. For such a counterparty you should not create accounts in internal IT systems or create a dedicated VPN channel to provide access to internal resources, but handle it like any untrusted entity from the Internet, passing it through the entire set of perimeter defences (firewalls, sandboxes, anti-virus protection, etc.). A legally correct ‘non-disclosure agreement’ (NDA - Non-disclosure agreement) should not be underestimated, which should clearly specify the measures to ensure information security when working together, the responsibility for violation of this agreement, as well as describe the procedure for compensation of potential damage from the realisation of cybersecurity risks during interaction.


3 Attacks on IoT elements

The term ‘Internet of Things’ (IoT) refers to a large number of consumer-level electronics that are continuously connected to a variety of networks, including the Internet, to interact with each other, with the owner, and with a variety of Internet services. Examples of IoT devices include smart TVs, smart speakers, fitness trackers, smart home elements (sensors, home appliances, security systems), webcams, automotive and transport systems, etc. With the development of 5G networks, the number of IoT devices will only grow, as next-generation networks support high-speed data transmission with low power consumption and the interaction of devices directly with each other.


Of particular concern from a cybersecurity perspective are IoT elements that have Internet access functionality and allow for external connectivity, and whose firmware does not receive security updates from the manufacturer. An example of such a vulnerable device could be a low-end webcam developed, for example, in China and used, say, for monitoring the situation in a garden plot: it can be connected to the Internet to view the image, it has a simplified web server to control the camera itself (for example, to rotate the camera or zoom in), but the manufacturer probably does not spoil customers with frequent firmware updates, and if this model is no longer produced, you may not even wait for a software update at all. Searching for vulnerabilities in the web server installed on the camera will most likely not be difficult, because the hardware ‘stuffing’ of home appliances, as a rule, is not the most productive and supports installation of only the simplest software with reduced functionality, and manufacturers in a highly competitive environment are forced to save on literally everything to form the most attractive price, including the quality of firmware, secure software development processes and work to eliminate vulnerabilities in it.


So, if a vulnerability is found in the software code of the web server installed in the camera, the only way the owner can protect himself is by disconnecting the camera from the Internet or completely turning off his device. In the case of simple home electronics it is not difficult, but what about, for example, owners of a large fleet of such cameras, which are necessary to fulfil a certain business function, for example, control of an important object? Most likely, such a camera will remain connected to the Internet, and after some time it will be hacked through the found vulnerability. Then the camera will be controlled by the attacker - he can both view the camera image with impunity or simply switch it off, and use the device for his own purposes - for example, make it part of a botnet that performs DDoS attacks at the behest of the attacker, or simply start mining cryptocurrency, consuming the power of its unsuspecting owner. It should be taken into account that all responsibility for the consequences of malicious activity of the device will fall on the owner of the device, even if the infection occurred without his knowledge. The picture becomes even more dramatic if you imagine that, for example, a device of the ‘wearable electronics’ class is infected: a portable glucometer (a device for measuring blood glucose levels) or a pulse oximeter (a device for measuring blood oxygen saturation levels). Thus, the issue of protecting IoT devices already goes beyond standard business risks and touches on human life and health, which is an absolute imperative priority.


To protect IoT devices from cyberattacks, it is generally worth paying attention to the following:

- The device's country of manufacture and manufacturer: the better known the manufacturer, the higher the likelihood of timely software updates and the lower the likelihood of unpatched vulnerabilities that the vendor is aware of.

- Presence of legal documents on the official website: privacy regulations for processed data, personal data processing policies, statements on compliance with certain legislative norms, etc.

- Ability to configure firmware to disable external Internet connections to the device - remote control, administration, status viewing, etc.

- Availability of firmware updates on the manufacturer's official website, the frequency of their release, the date of the last update.

- Availability of a community of enthusiasts who release unofficial, ‘customised’ firmware for this device.


In case of application of ‘Internet of Things’ devices for fulfilment of business tasks, one should carefully consider the choice of manufacturer, giving preference to the one who regularly releases firmware updates, offers extended technical support and on-site visits of its specialists, provides a long warranty and recommendations on secure device configuration, as well as having up-to-date documents describing the implemented information security measures and accepted methods of secure development.


If IoT devices are used for personal purposes, it is necessary to assess whether this or that functionality of remote work with the device is really required, how easy it will be for the end user (for example, a child or an elderly person) to configure the device securely, whether the manufacturer provides detailed recommendations and instructions on how to configure the device to limit and control its ‘dangerous’ functionality.

4. Cloud infrastructure protection issues

The topic of cloud infrastructure protection is also extremely relevant at the moment, and this is undoubtedly due to the popularity of cloud platforms and solutions that attract customers with the ease of horizontal scaling, transparent cost planning, the ability to shift some of the tasks of infrastructure maintenance to Cloud providers. In addition, many well-known players have recently entered the domestic market of cloud infrastructures, offering Cloud solutions and services designed, among other things, to process personal data, work as part of GIS (state information system), as well as to process confidential information protected from unauthorised access. Such offers allow even government agencies to use cloud services, but for many companies the possibility of working with cloud infrastructures is still a question mark. The main challenges are the issues of compliance with legislation, confidentiality of corporate information for both the service provider and ‘neighbours’ in the infrastructure, the complexities of migration from on-prem infrastructure, and the subtleties of setting up cloud cybersecurity systems.


Cloud infrastructures can be divided by the principle of operation into the following types:

- Public cloud - a cloud service provider provides its infrastructure and services to the customer on a commercial basis, usually on a subscription basis.

- Private cloud - an organisation hosts part of its infrastructure in its own or a leased data centre and has full control over all hardware and software components.

- Hybrid cloud - An organisation combines both public and private clouds, hosting its applications and data according to its convenience and needs in one or the other infrastructure.

- Multi-cloud - An organisation uses multiple cloud service providers for reliability and resilience, for example, hosting its core infrastructure in one public cloud and backups and backup services in another.


Cloud infrastructures are typically provided with the following options:

- IaaS (infrastructure as a service) - providing a service under the ‘infrastructure as a service’ model, when the cloud provider provides only its hardware, network access and virtualisation system hypervisor, and customers are given the opportunity to install their own operating systems, application and system software, and business applications.

- PaaS (platform as a service) - provision of services on the model ‘platform as a service’, when the cloud provider provides the installed operating system (usually, giving a choice of several OS options based on Winows and Linux), and customers install only their software.

- SaaS (software as a service) - provision of services under the ‘software as a service’ model, when the cloud provider provides the end customer with a pre-installed business application with some opportunities to customise and modify it.


Also in the context of information security we can distinguish such terms:

- SECaaS (security as a service) - provision of cybersecurity services to customers on a subscription basis, with the protection systems themselves hosted in the cloud provider's cloud, for example, backup systems, vulnerability scanners, authentication and access control systems, solutions for collecting and analysing IS events.

- FWaaS (firewall as a service) - provision of firewall in cloud infrastructure on a subscription basis.

- MaaS (malware as a service) is a term introduced by attackers to mean that some attackers develop some malicious tool and provide subscription access to other attackers who then use it in their attacks. For example, in the case of a ransomware virus, this technique would be called RaaS (ransomware as a service).


Specialised solutions are available in the market for cyber security in various cloud infrastructures:

- CASB (cloud access security broker) - cloud access security brokers that provide IS in the cloud by authenticating users (including multifactor), controlling the granting of access to data, logging actions, providing reporting, as well as by controlling software API access by applications and services.

- CSPM (cloud security posture management) - cloud security posture management systems that help analyse cyber risks based on data about cloud infrastructure settings, assess compliance of current cloud system settings with legal requirements and vendor recommendations, help visualise the state of IS in Cloud infrastructure.

- CWPP (cloud workload protection platform) - cloud service protection systems that control the settings of elements (servers, containers, applications) placed in the cloud, analyse their vulnerabilities, segmentation at the network level, activity control, and threat elimination.

- SASE (secure access service edge) - secure access edge services that provide users with convenient and secure access to corporate cloud resources using multifactor authentication, with verification of the connecting device for compliance with company requirements (so-called ‘posturing’), using the functionality of intrusion detection/prevention systems and network traffic control.


5. Security of personal data (including biometric data)

The issues of personal data confidentiality began to be raised almost immediately after the beginning of wide application of computer technology for processing of data concerning natural persons. That is why the Convention No. 108 of the Council of Europe on the Protection of Individuals with regard to Automatic Processing of Personal Data was signed back in 1981. Of course, with the development of information technologies, reliable protection of personal information has become a prerequisite for the successful work of both commercial and government structures - neither a customer of an online shop nor a user of a government service will want to become a victim of a leak of his personal data. The high social importance of ensuring information security of personal data has been and remains the driver of state legislative initiatives - it is enough to recall the domestic Federal Law No. 152 ‘On Personal Data’ dated 27.07.2006, European norms GDPR (General Data Protection Regulation) or, for example, such regional regulatory requirements as CCPA (California Consumer Privacy Act). At the same time, legal regulations are continuously updated to keep pace with the changing cyber threat landscape; for example, in Russia, important additions to the 152-FZ have been introduced several times by the following Federal Laws: 261-FZ of 25.07. 2011 (significant changes were made to the basic tenets of personal data protection), 242-FZ of 21.07.2014 (introduction of a ban on the primary processing of personal data outside the territory of the Russian Federation) and 519-FZ of 30.12.2020 (introduction of new requirements for the processing of personal data authorised by the subject for dissemination). Another trend is the gradual increase of penalties for violation of legal requirements to personal data processing - for example, under GDPR regulations, a fine can be up to 4% of a company's annual turnover.


From the business point of view, protection of personal data of clients and employees is an important task not only in the context of compliance with the legislation - today it is often the accumulated data on consumers that represent one of the main intangible assets of a company, and the loyalty of employees and clients is formed, among other things, by the measures taken by the company to protect their accounts, personal data, and payment information. An even more important task is the protection of biometric personal data - biological, physiological, behavioural characteristics of a person used to establish identity (identification, authentication). Biometrics is already widely used by financial organisations for remote banking services within the framework of the Russian ‘Unified Biometric System’, which also allows to perform a number of other legally significant actions remotely, as well as in the transport sector to ensure security, in passenger recognition projects at airports and contactless payment for metro fares. Commercial companies often use biometric personal data of their customers to confirm their identity (passport scans or selfies with an open passport in hand), as well as to control access of their employees to premises (video surveillance, biometric fingerprint scanners). Security of biometric personal data can be based, for example, on the principle of processing not the initial physiological characteristics of the subject (storage of fingerprints, photographs of the face, samples of gait and figure, etc.), but the biometric template - descriptor, which can be simplistically compared to the calculation of a one-way hash function, the value of which does not allow to restore the argument, i.e. the original data. At the same time, biometric characteristics have an important feature - unlike classical authentication methods (e.g. passwords), they cannot be easily replaced, which makes the issues of correct processing and protection of biometric personal data critical.


To protect personal data in a modern IT infrastructure, the principles of information protection at all stages of its processing can be used:

- Data storage (English: Data at rest): Protection of information when it is stored on storage media may include the use of full-disk encryption, encryption of databases and individual files, use of access rights management tools, mobile device management systems (MDM platforms), data leakage control tools (DLP products) and cloud access security brokers (CASB solutions).

- Data in transit: Data protection in transit primarily involves securing data transmission channels, e.g. by using TLS, VPN solutions with traffic encryption, email security systems (S/MIME, PGP) and collaborative information processing (DRM/RMS solutions).

- Data processing (Data in use): Data protection during data processing may include a variety of access control and delimitation models (e.g. Role-based access control, Risk-based access control, Conditional access), Identity and access management solutions, as well as access rights management systems (IRM solutions).


To protect personal data in cloud infrastructures, in addition to the above-mentioned principles, it is also possible to use SOAR solutions to automate cyber incident response processes, implement a network access model with ‘zero trust’ (Zero Trust model), and use cryptosystems with homomorphic encryption. You can also be guided by the standard GOST R ISO/IEC 27018-2020 ‘Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors’, which corresponds to the international standard ISO/IEC 27018:2019 ‘Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors’.


6. Countering cryptojacking and cryptocurrency mining

The protection of personal data is closely linked to the current cyber threat of crypto-ransomware viruses. The authors of these malicious viruses rightly believe that the personal data of a company's customers, employees, and partners is of special value, and they base their attacks not only on the direct encryption of IT infrastructure (including media with personal data), but also on the preliminary theft of valuable information in order to blackmail the victim into disclosing the stolen data. Often the attacked companies, on the one hand, are ‘in the grip’ of regulators, who may fine the organisation upon learning about the leak of personal data, and, on the other hand, risk losing customers who are angry about the leak. At the same time, the direct suspension of operations as a result of a crypto-ransomware attack also leads to serious reputational damage, as this fact quickly becomes public knowledge. At the moment, the threat of cyberattacks by encryption viruses is being discussed at the level of top US officials, where in recent months alone there have been a number of high-profile cyber incidents, the exact damage of which has yet to be assessed. Malware is usually distributed using the RaaS (Ransomware-as-a-Service) model, which means that one cybercriminal group, which is the direct author of the virus and maintains its infrastructure, can be partnered with a large number of smaller hacker teams, paying a percentage of the ransom to the authors. Darknet sites are also where attackers interact with those who sell so-called ‘access’ to compromised infrastructures, i.e. valid credentials to companies' IT systems obtained through phishing attacks or exploitation of vulnerabilities. There you can also find ads for programmers willing to develop malware, ads for buying/selling 0-day exploits for which vendors have not yet released patches, and offers of ‘crypto’ services that promise to provide protection against detection by anti-virus tools (FUD, fully undetectable) by encrypting the internal structures of malicious modules.


From a technical point of view, encryption viruses are no different from ordinary, less destructive viruses: as a rule, they first launch a reconnaissance module (‘dropper’) in the context of a low-privileged user, such as an employee who opened a file sent in a phishing email, or a service account from which a web server attacked through a vulnerability is launched. The dropper is not detected by antivirus software, because from a formal point of view it does not perform illegitimate actions - it collects information about the system it has entered, such as domain name, account name, and host characteristics. Then, if this infrastructure is interesting for attackers, the dropper, at the command of the controlling hacker's C&C server, downloads additional modules that help to gain a foothold in the attacked system, increase privileges and infect other hosts in the network. Then, in the case of a ransomware virus, it searches for information of interest on all infected systems and uploads the found files to an external server (either owned by the attackers or to a legitimate information sharing service, such as DropBox). The virus then encrypts all infected devices on the network, often using legitimate tools with a key set by the attackers; there have been cases of irreversible encryption, where even a ransom paid did not recover the data.


A recent report by the Ransomware Task Force states that the fight against encryption virus attacks must be fought by building a comprehensive international defence strategy, properly preparing for and responding to attacks, and disrupting the attackers' business model and reducing their illicit revenue. The latter can be discussed in more detail: the paper proposes to make it much more difficult for attackers to withdraw ransom payments by controlling cryptocurrency transactions. Indeed, cryptocurrency is widely used on darknet sites for mutual settlements between buyers and sellers of illegal goods and services, and, as a rule, it is in cryptocurrency that attackers demand ransom from hacked companies. Once the cryptocurrency is obtained, it must be converted into ‘fiat’, i.e. fiat currencies such as dollars or euros, thus legalising and cashing in the proceeds of illegal activity. According to the US FBI, after the Colonial Pipeline attack, that agency managed to recover almost half of the $4.4 million bitcoin equivalent ransom paid - possibly just at the withdrawal and cash-out stage. Cryptocurrency buying and selling transactions are conducted either through crypto exchanges, which are subject to government regulation, or through crypto ATMs, which can also be monitored, or through OTC trading (Over the counter, literally ‘bypassing the counter’), where the seller-owner of the cryptocurrency and the buyer negotiate the transaction directly. Foreign state regulation in the financial sphere implies such norms as KYC (Know your customer), AML (Anti-money laundering), CFT (Combating financing of terrorism). In Russia, a similar set of measures is partially formulated in Federal Law No. 115 ‘On Combating Legalisation (Laundering) of Proceeds of Crime and the Financing of Terrorism’ of 07.08.2001. Attackers, aware of possible state barriers, take a number of countermeasures: they use cryptomixer services, which allow them to split one cryptocurrency transaction into many smaller ones, perform several internal exchange operations and thus hide the original origin of the funds, perform exchange operations with single cryptocurrencies, and use cryptocurrencies in the form of cryptocurrencies. At the same time, many attackers are aware of the ability to track transactions in some cryptocurrencies: in particular, bitcoin is not an anonymous means of payment, as it allows to track the addresses of recipients and senders of cryptocurrency through the blockchain registry, to obtain data on the amount of transfers, transaction history, the amount of funds on bitcoin wallets. Some anonymous cryptocurrencies, such as Monero, Zcash, Dash, provide attackers with more opportunities to hide illegal proceeds, however, ransom demands in such cryptocurrencies are hampered by the ability of attacked companies to acquire them - internal compliance procedures and government regulation in many cases simply will not allow organisations to perform transactions with them.


Another of the attack vectors for attackers to generate illegal revenue in cryptocurrencies is cryptomining or cryptojacking, i.e. the unauthorised use of infected devices to generate cryptocurrency by performing mathematical operations. If attackers have gained access to the infrastructure of the attacked company but do not yet consider it appropriate to launch an attack using a cryptojacking virus, they can covertly launch a cryptominer virus that will generate cryptocurrency in favour of the attackers. The attacked IoT devices we discussed in the last article can be leveraged in a similar way - the large number of infected devices compensates for their low processing power. Some time ago, a JavaScript Mining attack was also popular, where JavaScript code was run in a website visitor's browser to generate Monero - this is how attackers partially monetise their successful attacks on websites. Recently, however, hackers have become less and less likely to use such methods, partly because of the increased computational complexity of mining some cryptocurrencies, partly because it is easier and faster to monetise an attack, for example by selling stolen credentials or using a DDoS attack device.


7. Application of artificial intelligence in information security

Talks about the practical application of artificial intelligence, including in information security, have been going on for a long time, but these tools entered the market when the maturity of such products allowed them to be used in corporate environments, the accuracy of their work began to justify their cost, and the capabilities of attackers became so broad that it became possible to effectively and promptly counter them only with the use of this technology. If we turn to history, the prerequisites for the creation of the concept of artificial intelligence were scientific research in the field of building a mathematical model of an artificial neuron and neural network based on observations of living organisms and natural neurons. In 1943, American neurophysiologists Warren McCulloch and Walter Pitts in their scientific article ‘Logical calculus of ideas relating to nervous activity’ suggested that a network consisting of artificial neurons similar to natural neurons could perform logical and mathematical operations. The outstanding British scientist Alan Turing in 1948 published the article ‘Intelligent Machinery’ (English ‘Intelligent Machinery’), and in 1950 - the work ‘Computing Machinery and Intelligence’ (English ‘Computing Machinery and Intelligence’), which describe the concepts of machine learning and artificial intelligence. The term ‘Artificial Intelligence’ itself was introduced by American computer scientist John McCarthy in 1956. It was one of the first attempts to ‘digitise’ a living organism and present a living being as a set of algorithms that can be analysed and reproduced. Since then, science has made significant advances in the creation of artificial intelligence: landmark events include the chess victory of IBM's Deep Blue supercomputer over grandmaster Garry Kasparov in 1997 and the victory of Google's DeepMind program AlphaGo over professional player Lee Sedol in 2016. In this case, the first victory was achieved in a well-algorithmised chess game, where it is enough to know all possible combinations and moves to win, and the second - due to machine learning, which was used by AlphaGo for self-training in the game of go.


So, let's give modern definitions to a few terms related to Artificial Intelligence (AI).

- Artificial intelligence (AI) implies that information systems perform decision-making and learning tasks, similar to the intelligence of living beings.

- Neural network is an interconnected set of artificial neurons performing simple logical operations, which has the ability of machine learning.

- Machine learning (ML) is a technique of training an information system on the basis of provided datasets without using predefined rules, it is a special case of artificial intelligence. The general task of machine learning is to build an algorithm (programme) based on the provided input data and given correct/expected results - thus, the process of ML-system operation is divided into the initial training on the provided datasets and the subsequent decision making by the already trained system.


There are several ways of machine learning, for example:

- Supervised learning (Supervised learning) is a method of machine learning, which uses labelled datasets (proclassified objects with selected characteristic features), for which a certain ‘teacher’ (a human or a training sample) indicates correct question-answer pairs, on the basis of which it is required to build an algorithm for providing answers to further similar questions.

- Unsupervised learning is a method of machine learning that does not use labelled data sets, does not specify correct question-answer pairs, and requires the information system to find various relationships between objects based on their known properties.

- Semi-supervised learning is a method of machine learning that combines a small number of labelled datasets and a large number of unlabelled datasets. This approach is justified by the fact that obtaining high-quality marked-up datasets is a resource-intensive and time-consuming process.

- Reinforcement learning is a special case of learning with a teacher, in which the ‘teacher’ is the operating environment that gives feedback to the information system depending on its decisions.


Machine learning can also use other algorithms, such as Bayesian networks, Markov chains, gradient bousting:

- Deep learning is a special case of machine learning that uses a complex multi-layer artificial neural network to emulate the human brain and process speech (natural language processing), audio (speech recognition) and visual images (computer vision). Computer vision is now widely used in security systems, transport and passenger control. Natural language processing and speech recognition systems help Siri or Alice voice assistants to answer users' questions.

- Big Data is a large amount of structured and unstructured data in digital form, characterised by volume, velocity and variety. Specialised software tools such as Apache Hadoop / Storm / Spark, Kaggle, NoSQL class DBMS can be used to process Big Data. It is believed that to increase business-value when using Big Data it is necessary to move from heterogeneous data to structured information and then to knowledge (information). A processed, structured and labelled dataset derived from a relevant Big Data set is a necessary (and one of the most valuable) component for machine learning in modern systems.

- Data mining - structuring and extraction of useful information from heterogeneous and unstructured data, including Big Data.

- Fuzzy logic - application of non-strict rules and fuzzy answers to solve problems in artificial intelligence systems and neural networks. It can be used to model human behaviour, for example, to narrow or limit the conditions of searching for an answer to a question depending on the context.


Having considered the basic definitions and principles, let us move on to the issue of practical application of AI systems in cybersecurity. The use of AI in cyber security is justified primarily by two factors - the need for prompt response in the event of a cyber incident and the shortage of qualified cyber defence specialists. Indeed, in today's reality, it is quite difficult to fill staffing levels with qualified IS specialists with the necessary experience, and large-scale IS incidents can develop rapidly: the count is often in minutes. If a company does not have a 24/7 shift of IS analysts on duty, it will be difficult to provide quality protection after hours without a system for rapid autonomous response to cyber incidents. In addition, attackers may perform a distraction before their attack, such as launching a DDoS attack or active network scanning, distracting cyber specialists. In such situations, an artificial intelligence-based cyber incident response system that can simultaneously process a large number of IS events, automate routine actions of IS analysts and provide rapid response to incidents without human intervention can help. For example, our IRP/SOAR Security Vision solution makes extensive use of artificial intelligence and machine learning mechanisms: the platform, trained on previously resolved incidents, will suggest to the analyst the appropriate response action depending on the type of cyber incident and its properties, will assign the optimal response team from colleagues with the most relevant knowledge, and if atypical suspicious events are detected, the system itself will create the corresponding incident and notify the IS department staff about it. The IRP/SOAR Security Vision solution uses algorithms for predictive response to cyber incidents: the trained system can predict the attack vector and its subsequent development in the infrastructure, show trends, and then automatically stop malicious actions and advise SOC-centre analysts.


Artificial intelligence-based defence systems will be indispensable for detecting anomalies in a large number of information security events, for example, by analysing security logs, data from SIEM systems or SOAR solutions. This information, together with data from already worked and closed IS incidents, will constitute a high-quality marked-up dataset on which the system can be easily trained. As a rule, classical systems of deviation analysis are based on some rules predetermined by operators: for example, exceeding the volume of specific traffic, a certain number of unsuccessful authentication attempts, a certain number of consecutive triggers of protection systems. Systems based on artificial intelligence will be able to make decisions independently, without ‘looking back’ at the rules previously created by IS employees, which may have lost their relevance and do not take into account the changed IT infrastructure. Anomaly detection can help protect user data - for example, an online banking service can collect and analyse data on customer patterns (characteristics, patterns) in order to quickly identify compromised accounts. For example, if a user has been connecting to the service from a Russian IP address on weekdays during business hours and using Internet Explorer browser for the last year, then if the user is connecting from China using Mozilla Firefox browser at night, the user's account may need to be temporarily blocked and an alert sent to the user. Financial institutions can also use machine learning and artificial intelligence systems for borrower scoring, financial risk analysis, and anti-fraud systems. Another model of using artificial intelligence systems in cybersecurity is working with internal intruders: knowing the typical behaviour of a user, the system can send a warning to IS analysts in case of a significant change in the employee's work pattern (visiting suspicious sites, prolonged absence from the work PC, changing the circle of communication in the corporate messenger, etc.). Protection systems equipped with computer vision and speech processing will be able to promptly notify security guards about attempts to pass through the gatehouse by outsiders or employees using other people's passes, analyse the work activity of employees using web cameras, assess the correctness of communication between managers and clients by phone.


At the same time one should not

We should not forget that systems based on artificial intelligence are also used by cybercriminals.

cybercriminals: there are known fraudulent methods of using Deep fake (creating a realistic virtual image of a person's face).

(creation of a realistic virtual image of a person) to deceive anti-fraud

systems, fake voices for fraudulent calls to relatives of attacked individuals asking them to transfer money, fraudulent use of Deep fake

fraudulent calls to relatives of the attacked persons with a request to transfer money, use of IVR-technologies for phishing and theft of funds.

phishing and theft of funds. The malware also uses

elements of artificial intelligence that allow attackers to increase their privileges, move around, and

to escalate their privileges, navigate the corporate network, and then find

and steal data of interest. So the technologies that have become

available to the general public are being used for both good and bad, which

which means that these trained cybercriminals can and should be combated with the most sophisticated means and tools.

with the most sophisticated defence tools and techniques.

Recommended

SOAR technology and its place in the SOC
SOAR technology and its place in the SOC
information security SOAR SOC

20.05.2024

Review of NIST Publication SP 800-83 "Guide to Malware Incident Prevention and Handling for Desktops and Laptops"
Review of NIST Publication SP 800-83 "Guide to Malware Incident Prevention and Handling for Desktops and Laptops"
information security

27.12.2022

Features of the new version of the Security Vision UEBA product
Features of the new version of the Security Vision UEBA product
information security SOAR UEBA (User and Entity Behavior Analytics)

04.04.2024

Visualisation: best practices
Visualisation: best practices
information security

30.11.2023

Practical protection of personal data. Evaluate the effectiveness of measures taken to ensure the security of personal data
Practical protection of personal data. Evaluate the effectiveness of measures taken to ensure the security of personal data
information security

12.07.2021

Vulnerability Management module on the Security Vision platform
Vulnerability Management module on the Security Vision platform
information security

28.04.2022

Features of the new version of the Asset and Inventory Management product on the Security Vision 5 platform
Features of the new version of the Asset and Inventory Management product on the Security Vision 5 platform
information security

13.05.2024

IRP/SOAR by law. CII
IRP/SOAR by law. CII
information security

25.10.2021

Gamification of the SOC
Gamification of the SOC
information security SOC

04.09.2023

SGRC by law. GIS, PDN, GOST project
SGRC by law. GIS, PDN, GOST project
information security

22.11.2021

The usefulness of IT systems in the work of an IS analyst
The usefulness of IT systems in the work of an IS analyst
information security SOC

26.02.2024

Access control and user identification. IDM systems
Access control and user identification. IDM systems
information security SOAR

16.01.2023

Recommended

SOAR technology and its place in the SOC
information security SOAR SOC

20.05.2024

SOAR technology and its place in the SOC
Review of NIST Publication SP 800-83 "Guide to Malware Incident Prevention and Handling for Desktops and Laptops"
information security

27.12.2022

Review of NIST Publication SP 800-83 "Guide to Malware Incident Prevention and Handling for Desktops and Laptops"
Features of the new version of the Security Vision UEBA product
information security SOAR UEBA (User and Entity Behavior Analytics)

04.04.2024

Features of the new version of the Security Vision UEBA product
Visualisation: best practices
information security

30.11.2023

Visualisation: best practices
Practical protection of personal data. Evaluate the effectiveness of measures taken to ensure the security of personal data
information security

12.07.2021

Practical protection of personal data. Evaluate the effectiveness of measures taken to ensure the security of personal data
Vulnerability Management module on the Security Vision platform
information security

28.04.2022

Vulnerability Management module on the Security Vision platform
Features of the new version of the Asset and Inventory Management product on the Security Vision 5 platform
information security

13.05.2024

Features of the new version of the Asset and Inventory Management product on the Security Vision 5 platform
IRP/SOAR by law. CII
information security

25.10.2021

IRP/SOAR by law. CII
Gamification of the SOC
information security SOC

04.09.2023

Gamification of the SOC
SGRC by law. GIS, PDN, GOST project
information security

22.11.2021

SGRC by law. GIS, PDN, GOST project
The usefulness of IT systems in the work of an IS analyst
information security SOC

26.02.2024

The usefulness of IT systems in the work of an IS analyst
Access control and user identification. IDM systems
information security SOAR

16.01.2023

Access control and user identification. IDM systems

Other articles

Situational awareness in cyber security
Situational awareness in cyber security
information security

13.09.2021

What is an authentication factor, why do you need a second one and how many are there in total
What is an authentication factor, why do you need a second one and how many are there in total
information security

17.04.2023

Measuring the effectiveness of cybersecurity processes. IS metrics. Part 3
Measuring the effectiveness of cybersecurity processes. IS metrics. Part 3
information security

26.07.2021

Review of the publication NIST SP 800-61 "Computer Security Incident Handling Guide". Part 1.
Review of the publication NIST SP 800-61 "Computer Security Incident Handling Guide". Part 1.
information security

21.11.2022

Anatomy of visualisation. Part One: From Task to Execution
Anatomy of visualisation. Part One: From Task to Execution
information security

09.05.2024

More alive than ever: business continuity
More alive than ever: business continuity
information security

16.05.2024

Quality metrics for dynamic playbooks
Quality metrics for dynamic playbooks
information security MITRE

11.07.2024

Threat Database Overview
Threat Database Overview
information security MITRE

25.03.2024

Review of the publication NIST SP 800-167 "Guide to Application Whitelisting"
Review of the publication NIST SP 800-167 "Guide to Application Whitelisting"
information security

11.10.2022

Other articles

Situational awareness in cyber security
information security

13.09.2021

Situational awareness in cyber security
What is an authentication factor, why do you need a second one and how many are there in total
information security

17.04.2023

What is an authentication factor, why do you need a second one and how many are there in total
Measuring the effectiveness of cybersecurity processes. IS metrics. Part 3
information security

26.07.2021

Measuring the effectiveness of cybersecurity processes. IS metrics. Part 3
Review of the publication NIST SP 800-61 "Computer Security Incident Handling Guide". Part 1.
information security

21.11.2022

Review of the publication NIST SP 800-61 "Computer Security Incident Handling Guide". Part 1.
Anatomy of visualisation. Part One: From Task to Execution
information security

09.05.2024

Anatomy of visualisation. Part One: From Task to Execution
More alive than ever: business continuity
information security

16.05.2024

More alive than ever: business continuity
Quality metrics for dynamic playbooks
information security MITRE

11.07.2024

Quality metrics for dynamic playbooks
Threat Database Overview
information security MITRE

25.03.2024

Threat Database Overview
Review of the publication NIST SP 800-167 "Guide to Application Whitelisting"
information security

11.10.2022

Review of the publication NIST SP 800-167 "Guide to Application Whitelisting"

This website uses cookies to ensure you get the best experience.