When Every Attack Is a Zero Day
Stopping malware the first time is an ideal that has remained tantalizingly out of reach. But automation, artificial intelligence, and deep learning are poised to change that.
The collective efforts of hackers have fundamentally changed the cyber defense game. Today, adversarial automation is being used to create and launch new attacks at such a rate and volume that every strain of malware must now be considered a zero day and every attack considered an advanced persistent threat.
That's not hyperbole. According to research by AV-Test, more than 121.6 million new malware samples were discovered in 2017. That is more than 333,000 new samples each day, more than 230 new samples each minute, nearly four new malware samples every second.
When malicious, morphing malware is unleashed at that scale, traditional defenses are quickly overwhelmed. Signature-based detection only works for known threats. Sandbox-based detection can't keep up either, because there is neither the time nor the resources to analyze each sample and derive a signature when the enterprise is being bombarded with malware variants that have never been seen before.
Stopping malware attacks the first time is an ideal that has remained tantalizingly out of reach, and so success measured over time became the standard—a standard that has been obviated by the insidiously effective nature of malware. If an attack succeeds once but is stopped on 99 subsequent attempts, that's a 99% success rate. To achieve that, however, someone has to be "Patient Zero." Someone must take one for the team so that the intelligence gained from that first attack can be shared and used to prevent subsequent attacks. But when attacks are launched at a massive, global scale, and when there are more than 121 million new samples every year, there's never just one Patient Zero. And it's no fun if you happen to be among them.
Thanks to advancements in the development of automation, artificial intelligence and deep learning, there may be hope. (Editor's note: Blue Hexagon is one of several early innovators developing security products based on deep learning.)
Deep learning is a type of machine learning that uses artificial neural networks to make decisions. Artificial neural networks are not new, but recent advances in processing have increased their capabilities. At the same time, the cost of the underlying technology has fallen, putting deep learning applications within the reach of many industries — including cybersecurity. In fact, deep learning's capabilities are well suited to many of the challenges that continue to stymie efforts to secure networks against hacking's daily onslaught.
Fundamentally cybersecurity is about data and patterns, and there is a huge pool of threat data available through threat intelligence services and repositories that has been aggregated over the years and that can be used to inform deep learning-based defenses. By exposing neural nets to the vast threat data set, deep learning can learn to identify malicious traffic, even if the specific attack is brand new.
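To make the contrast between the previous two paragraphs concrete, here is an added example that is not Blue Hexagon's code or from the original article. It builds three constructed byte strings (a "known" malicious sample, a polymorphic variant of it with reordered imports, a new C2 host and eight inserted NOP bytes, and a benign sample; none of them is real malware) and runs two detectors over them: an exact SHA-256 signature lookup, and a similarity check over byte-bigram histograms, which stands in for the learned feature representation a neural network would build. The threshold of 0.8 is an assumption for this toy; the point it shows is that the variant defeats the signature but still lands next to its ancestor in feature space.

```python
import hashlib
import math
from collections import Counter

# Constructed sample "files" (not real malware): a DOS stub, some import names,
# a C2 URL and a stand-in code section. Plain byte strings, nothing executable.
DOS_STUB = b"MZ\x90\x00This program cannot be run in DOS mode.\r\n$\x00"
CODE = bytes(range(0x10, 0x90)) * 2

KNOWN_MALWARE = (
    DOS_STUB
    + b"CreateRemoteThread\x00WriteProcessMemory\x00VirtualAllocEx\x00"
    + b"http://c2.example.invalid/beacon\x00"
    + CODE
)

# A "polymorphic" variant: same behaviour, but imports reordered, a new C2
# host, and 8 NOP bytes inserted mid-section. Any byte-exact signature breaks.
VARIANT = (
    DOS_STUB
    + b"VirtualAllocEx\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"http://c2-relay.example.invalid/beacon\x00"
    + CODE[:128] + b"\x90" * 8 + CODE[128:]
)

# A benign sample sharing only the DOS stub and a couple of common strings.
BENIGN = (
    DOS_STUB
    + b"GetStdHandle\x00WriteFile\x00ExitProcess\x00"
    + b"Hello, world!\r\n\x00"
    + bytes(range(0xA0, 0xFF)) * 2
)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature store: exact hashes of samples seen before (the "Patient Zero" data).
SIGNATURES = {sha256(KNOWN_MALWARE)}


def signature_match(sample: bytes) -> bool:
    """Classic detection: a hit only if this exact byte sequence was seen before."""
    return sha256(sample) in SIGNATURES


def bigram_features(sample: bytes) -> Counter:
    """Byte-bigram histogram: a crude stand-in for the features a learned model uses."""
    return Counter(zip(sample, sample[1:]))


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two sparse histograms."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


KNOWN_FEATURES = [bigram_features(KNOWN_MALWARE)]
THRESHOLD = 0.8  # assumed for this toy; a trained model learns its own boundary


def feature_score(sample: bytes) -> float:
    """Highest similarity of the sample to any known-malicious feature vector."""
    f = bigram_features(sample)
    return max(cosine(f, k) for k in KNOWN_FEATURES)


def feature_match(sample: bytes) -> bool:
    """Feature-space detection: flags never-seen variants of known families."""
    return feature_score(sample) >= THRESHOLD


if __name__ == "__main__":
    for name, s in [("known", KNOWN_MALWARE), ("variant", VARIANT), ("benign", BENIGN)]:
        print(f"{name:8s} signature={signature_match(s)!s:5s} "
              f"score={feature_score(s):.3f} feature_match={feature_match(s)}")
```

Running it prints a signature hit only for the original sample, while the feature check flags both the original and the variant and leaves the benign file alone. A real deep-learning detector replaces the hand-picked bigram histogram and fixed threshold with representations and a decision boundary learned from the threat corpus, but the reason it can catch a first-seen variant is the same: the variant's features, not its hash, resemble what the model has already seen.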
Deep learning-based detection is not theoretical. It has been applied at network entry points — both on-premises and in the cloud — to inspect traffic in early, live customer deployments, where it has successfully detected and blocked polymorphic malware, including Emotet variants, on first encounter. The underlying architecture ensures that threat analysis, verdict, and prevention occur in seconds, keeping malware out of the network in real time.
It's early days yet, and while there has been no independent testing disclosed to date, the potential for deep learning to make a quantum leap is in evidence. In our lab and beta test environments, we have consistently achieved nearly 100% detection rates for all threats encountered, including both known samples and zero days, regardless of OS or application. We are also pursuing independent testing to verify these results.
This is important because hackers have developed techniques to evade and defeat traditional defenses such as sandboxes and signatures. These results suggest that the industry may have reached a point where stemming the tide of threat escalation is achievable, and that the traditional game of cybersecurity whack-a-mole — where threat actors create and distribute new malware, security vendors identify the new strain and distribute its signature, and threat actors respond by creating still more new strains — may be at an end.
When attackers realized they could use automation to generate and distribute malware variants faster than the industry could react, they embraced their new ability with enthusiasm. If deep learning gives our industry the means to return fire and blunt their attacks with overwhelming speed and intelligence, we should likewise embrace our newfound power.