Darktrace Describe The Alarming Future AI Attack Scenario

AI has the potential to bring a select set of advanced techniques to the table when it comes to cyber offense, researchers at Darktrace say in a very interesting Report they have recently published – The Next Paradigm Shift – AI-Driven Cyber-Attacks. 

In the report, the cybersecurity firm documented three active threats in the wild which have been detected within the past 12 months. Analysis of these attacks, and a little imagination, has led the team to create scenarios using AI which could one day become reality.

AI’s Attack Profile
In the future, AI-driven malware will self-propagate via a series of autonomous decisions, intelligently tailored to the parameters of the infected system. 

Imagine a worm-style attack, like WannaCry, which, instead of relying on one form of lateral movement (e.g., the EternalBlue exploit), could under- stand the target environment and choose lateral movement techniques accordingly. If EternalBlue were patched, it could switch to brute-forcing SMB credentials, loading Mimikatz or perhaps install a key-logger to capture credentials. 

AI-driven malware will then choose whatever method appears most successful for the target environment and use this to move laterally. Instead of utilising exploits, it might find PsExec is regularly used between certain devices at specific times of day. 

By learning this and then using PsExec for lateral movement, during times when it would normally be used, identification of the malware will become almost impossible. PsExec can of course be replaced by RDP, SSH or any other administrative toolkit that represents normal for a given environment. 

The malware can learn context by quietly sitting in an infected environment and observing normal business operations, such as the internal devices the infected machine communicates with, the ports and protocols it uses, and the accounts which use it. 

Able to make those decisions autonomously, no C2 channel will be required for the attack to propagate and complete its mission. By eliminating the need for C2, the attack will become stealthier and more dangerous. Trickbot has displayed the first signs of utilizing multiple payloads for monetization – stealing banking details and locking machines for ransom. Malware authors can maximize their profits if their malware can choose autonomously which payload will yield the highest profit based on the context of the environment and infected machine. 

As Trickbot is modular and under active development, why not add the capacity to make smarter decisions? Narrow AI can learn that if it infects the laptop of a VIP, such a user is likely to conduct a lot of email communication revolving around financial information. 

On a VIP’s device, it will be more pro table to silently steal information or lock the machine and thus grind the company to a halt. However, if the malware identifies it has been dropped onto a server that is not processing any mission-critical information, it might just install a crypto-miner, as locking the server will only lead to investigation. Semantic analysis and contextual awareness allow software to make these distinctions and autonomously make these kinds of decisions. 

How do we tell where an automated attack stops, and an interactive session starts? As this case of Trickbot lever- aging Empire Powershell demonstrates, the previously clear distinction between automated malware and human-driven attacks is no longer viable. 

Darktrace:       ZDNet:

You Might Also Read:

 

 

« Dozens of Spies Killed Thanks To Flawed CIA Comms System
Good News About Voting Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Chatham House Cyber Conference

Chatham House Cyber Conference

14 June 2023 - Connect with cyber security experts and senior policymakers to explore the role of cyber security in the global economy and how to deliver an open and secure internet.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

WEBINAR: How To Build And Implement An Effective Endpoint Detection And Response Strategy

WEBINAR: How To Build And Implement An Effective Endpoint Detection And Response Strategy

Join this webinar to learn how the cloud threat landscape is evolving and organizations are deploying more advanced and capable security controls at scale.

iStorage

iStorage

iStorage is the leading global provider of PIN Activated, hardware encrypted, portable data storage solutions.

Digital Forensics Inc (DFI)

Digital Forensics Inc (DFI)

Digital Forensics Inc. is a nationally recognized High Technology Forensic Investigations and Information System Security firm

Information Security Forum (ISF)

Information Security Forum (ISF)

The ISF is a leading authority on information security and risk management.

Information-Technology Promotion Agency (IPA) - Japan

Information-Technology Promotion Agency (IPA) - Japan

IPA is an implementing agency in Japan with a role to address Information Security, IT Systems Reliability and IT Resource Development.

Nexcom International

Nexcom International

Nexcom operates six global businesses - IoT Automation, Intelligent Digital Security, Internet of Things, Intelligent Platform & Services, Mobile Computing Solutions, Network & Communications.

CERT NZ

CERT NZ

CERT NZ supports businesses, organisations and individuals affected by cyber security incidents, and provide trusted and authoritative information and advice.

SecurityHQ

SecurityHQ

SecurityHQ (formerly known as Si Consult) is a Global Managed Security Service Provider (MSSP) that monitors networks 24/7, to ensure complete visibility and protection against your cyber threats.

ETSI

ETSI

ETSI is a European Standards Organization dealing with telecommunications, broadcasting and other electronic communications networks and services including cybersecurity.

Proton Data Security

Proton Data Security

Proton Data Security is a certified small business specializing in the design, manufacturing and sales of data security products for permanent erasure of hard drives, tapes and optical media.

SIS Certifications (SIS CERT)

SIS Certifications (SIS CERT)

SIS Certifications is an ISO certification body serving more than 10,000 clients in over 15 countries worldwide.

Carson McDowell

Carson McDowell

Carson McDowell are one of Northern Ireland's leading law firms. We are the law firm of choice for many of Northern Ireland's Top 100 companies as well as international companies doing business here.

PT Sydeco

PT Sydeco

At PT SYDECO we create a complete range of products that secure computer and industrial networks, servers, programs and data against any type of computer attack.

Coretelligent

Coretelligent

Coretelligent is a leading providers of Managed and Co-Managed IT, cybersecurity and private cloud services.

Eunetic

Eunetic

Eunetic IT security solutions - we secure your websites, emails, domains and data.

SGTech

SGTech

SGTech is the leading trade association for Singapore's tech industry, offering focused support and development to both strategic and emerging sectors in the industry.

Sendmarc

Sendmarc

Sendmarc automates the process of protecting your domain from being used in email impersonation and phishing attacks.