The contribution of AI to a cyber defense system
A burglar who wants to enter a building, however well guarded it may be, will always end up achieving his ends: No bastion is impregnable and all these lines of defense that were said during the previous world war , impregnable, have shown their limits.
Why should it be any different when it comes to the fortified digital systems that cyber attackers seek to penetrate?
Therefore, rather than seeking to further fortify what will always end up not being able to resist the enemy, why not change approach and concentrate on what can and must be protected within the enclosure, inside the systems?
During an attack, the attacker is always one step ahead. So, if you search for all the internet addresses that have been used by attackers, they can always come back with other addresses and when they have succeeded in penetrating the stronghold, it will be too late to ban this address which has become obsolete.
Don’t they say that during a ZERO DAY attack it takes 275 days to create a patch?
During this time, how much damage could have been caused!
This is why we must focus on saving what can and absolutely must be saved and the use of technology just as advanced as the sophisticated methods used by attackers becomes a necessity.
The use of AI can perfectly play this role and become the solution to this challenge.
To find its place for AI in a defense system (cybersecurity) against cyberattacks, we must understand what a cyberattack is, what it targets and how it goes about achieving its goals.
A cyber attack is the action carried out by an individual, group of individuals or by a state with a view to obtaining a gain which could not have been obtained by the use of "conventional" means.
This gain will vary depending on the desired goal.
It can simply be to destroy what one’s competitor or opponent has, in a spirit of revenge or in the spirit of acquiring or maintaining a dominant place in a defined environment (eradication of data and attack on operating systems).
It may be to obtain data from a company (data leak) to make a profit by monetizing their non-disclosure or by encrypting them, always for the same purpose (ransomware) or, in the case of a state or from a competitor, to acquire knowledge of projects or technologies developed by the victim (espionage).
What are the means used by attackers?
In all cases, without regard to the desired goal, the attacker must find a way to infiltrate his target’s system with a tool (virus or worm) that he can activate remotely in order to destroy, steal, to encrypt or spy on or take over the entire system.
What it will penetrate into the target system will be a code, which will always include an execution command without which it will not be able to carry out its action. This code and its execution command do not necessarily have to be in the same attack packet, they can be sent at even distant intervals in time.
How to enter malicious code?
There are a number of vectors that the attacker can use, ranging from phishing, in all its forms, to social engineering (which requires action by a natural person who has an access code to the target system). ), to systems that do not require human intervention, such as brute force (to crack the target’s access codes), attacks carried out via a supply chain, exploitation of application vulnerabilities (such as ZERO DAY) and systems accessible outside the company’s perimeter, etc.
What will the attacker do once inside the target system?
Everything will depend on the goal he is looking for:
· State or industrial espionage: the goal will be to steal the target’s data by leaking it or by spying on the actions of operators using accessories such as the mouse, the keyboard or the camera incorporated in the monitor).
· Revenge or elimination of a competitor: the goal will be to destroy your system, by rendering both the hardware and software inoperable and destroying the data.
· Gain by encrypting the data contained in the target’s servers.
Cybersecurity action will therefore tend to protect:
· Data against encryption and evasion (ransomware and leakage),
· System components against any attack on their integrity (manipulation of mice, keyboards, cameras with the aim of spying and/or gaining access to servers).
· The systems themselves against any attempt to take them over by an attacker.
How AI can help protect?
As attackers use all possible means to hide their intrusion and the malicious side of the codes and its execution commands, in particular by using the process of obfuscation or encryption, AI can help to discover obfuscations by analyzing the logical sequence of the codes, deobfuscating them and revealing the real execution command hidden by the obfuscation.
The deobfuscation system that we created at PT SYDECO, using AI, allows a positive result of more than 98% in the discovery of hidden execution codes no matter in which language they are created.
Regarding the packets which enter the target system and whose signature or content is encrypted, here again the system implemented at PT SYDECO, using AI, makes it possible to avoid their entry into the system or to attract the attention of the security officer as appropriate, always using the same method of scanning and analyzing the content.
The best contribution of AI in a cyber defense system is the detection of execution codes which in itself is already an effective defense against any intrusion attempt: A virus without its execution code is inoperative . And it is by scanning every entry into the system and everything that circulates in the network and analyzing it using AI that we can best protect this system. Whatever the aim sought by the attacker, whatever the type of attack or whatever the family to which the malware used belongs.
AI can also play a key role in early detection of attacks and protection of systems.
In conclusion, we can therefore say that AI has its place in a cyber defense system in that it allows us to scrutinize and analyze what enters a system with a view to only letting in what is not suspicious. AI can also play a key role in the early detection of attacks and therefore of the content of systems, if not the systems themselves.
We cannot ignore that an error is always possible and that there will always be flaws in applications.
When we focus on defending what can and must be defended in a system, whether the attack is of the ZERO DAY type or not, whether it is a ransomware type attack or with a view to installing a backdoor, you will get significantly better results than if you waste your time tracking down the adversary before they have entered the system.