Intelligent CISO Issue 16 - Page 34

PREDICTIVE INTELLIGENCE

Rather, detecting when credentialled users enter parts of these applications where they don’t belong requires AI security systems that understand their typical online behaviour well enough to spot subtle anomalies. And as employees’ responsibilities and privileges inevitably change, such systems must be able to adapt while ‘on the job’.

The necessity of this AI-driven approach to cyberdefence recently came to light when a serious threat was detected by AI on the network of a European bank. After stealing credentials or otherwise gaining access to a SaaS service, the cybercriminals frequently ran scripts to identify files containing keywords like ‘password’ to find files that stored unencrypted passwords. As they had already breached the network, the attackers could have reasonably expected to be in the clear – having already successfully bypassed any conventional security controls. However, while these attackers would likely have exploited the cleartext passwords to escalate their privileges and further infiltrate the organisation, Artificial Intelligence was able to flag the activity as anomalous for the bank’s particular network because it breached the following model: ‘SaaS/Unusual SaaS Sensitive File Access’. Ultimately, the AI’s nuanced and evolving understanding of what constitutes ‘unusual’ behaviour for each of the bank’s users and devices proved critical, given that the suspicious file access may well have been benign in other circumstances.

The interactivity of cloud services renders them an attractive target for advanced cybercriminals, who can often leverage a single user’s SaaS credentials to compromise dozens of other accounts.

The latest AI cyberdefences shine a light on even the most nebulous traffic in the cloud.
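As an added illustration of what a per-user ‘unusual sensitive file access’ model can look like (this is example code written for this page, not the bank’s, the article’s or any vendor’s implementation), the Python below assumes a SaaS audit log of (timestamp, user, path) events; the users, file names and thresholds are constructed for the example. It captures both points the article makes: the verdict depends on what is normal for that particular user, and benign activity is folded back into the baseline so the model adapts on the job.

```python
import re
from collections import defaultdict, deque
# File names suggesting stored credentials (the 'password' keyword sweep in the article).
SENSITIVE = re.compile(r"password|passwd|credential|secret", re.IGNORECASE)

class UnusualSensitiveFileAccess:
    """Simplified per-user behavioural model (hypothetical design): a credential-named read
    is anomalous when the user reads several such files in a short window AND that is rare."""
    def __init__(self, window=60, burst=3, usual_rate=0.05):
        self.window, self.burst, self.usual_rate = window, burst, usual_rate
        self.total = defaultdict(int)      # user -> files accessed in baseline
        self.sensitive = defaultdict(int)  # user -> credential-named files in baseline
        self.recent = defaultdict(deque)   # user -> timestamps of recent sensitive reads

    def learn(self, user, path):
        """Fold a benign access into the baseline, so the model adapts 'on the job'."""
        self.total[user] += 1
        if SENSITIVE.search(path):
            self.sensitive[user] += 1

    def check(self, ts, user, path):
        """Return True when this access breaches the user's learned pattern."""
        if not SENSITIVE.search(path):
            self.learn(user, path)
            return False
        q = self.recent[user]
        q.append(ts)
        while ts - q[0] > self.window:   # keep only sensitive reads inside the window
            q.popleft()
        hist = self.sensitive[user] / self.total[user] if self.total[user] else 0.0
        anomalous = len(q) >= self.burst and hist < self.usual_rate
        if not anomalous:                # routine for this user: learn it, do not alert
            self.learn(user, path)
        return anomalous

def demo():
    """Constructed audit trail: alice (IT admin) handles vault files daily, bob never does."""
    model = UnusualSensitiveFileAccess()
    for i in range(40):
        model.learn("alice", "it/vault/passwords.kdbx" if i % 4 == 0 else "it/tickets/t.txt")
        model.learn("bob", "marketing/deck.pptx")
    events = [  # (seconds, user, path), constructed for this example
        (5, "alice", "it/vault/passwords.kdbx"),
        (10, "bob", "finance/shared/passwords.xlsx"),
        (12, "bob", "hr/old/credentials.txt"),
        (15, "bob", "eng/backup/secret_keys.txt"),
        (18, "bob", "eng/backup/db_password.cfg"),
        (20, "alice", "it/vault/secret-notes.kdbx"),
        (25, "alice", "it/vault/credentials.csv"),
    ]
    return [(ts, user, path) for ts, user, path in events if model.check(ts, user, path)]
```

Only bob’s third and fourth credential-named reads are flagged; alice’s identical burst is not, because such reads are part of her learned baseline.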
Social engineering

Perhaps the most difficult cloud-based attacks to counter are those that rely on social engineering, since they involve deceiving employees into handing over their credentials and other lucrative information voluntarily. In these cases, AI anomaly detection is the optimal security strategy, as thwarting a social engineering threat before it’s too late means protecting employees from their own mistakes.

In 2018, a device on the network of a property development company that had attempted to connect to a rare external domain was detected, just two seconds after landing on

The domain had a suspicious name and offered HTTP connections to a form containing sensitive data transmitted in plain text, which would be vulnerable to a man-in-the-middle (MITM) attack. Further investigation indicated that an employee at the property development company had been tricked by a shortened URL in a phishing email to visit the suspicious domain. Despite the user actively clicking on the URL to visit the page, Artificial Intelligence flagged the event as threatening due to the rarity of the destination domain in comparison to the company’s normal network activity.