Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Carbon Black warns of over reliance on 'nascent' machine learning security

Tamlin Magee | March 31, 2017
It would be a mistake for businesses to over-rely on these systems, a report said.

Carbon Black recommends that security teams looking into using machine learning tools make sure they have the existing data to properly train the technology with. That includes a "massive body of baseline data, a torrent of detonation data, and statistics and comparisons among behaviours for validation" to generate the best patterns of malicious behaviour.

"I think the important thing to remember with AI is this," said McElroy. "It is a thing we're all going to start using and will eventually put me out of a job. How far on the horizon that is, I have no idea. But today if you're solely dependent on AI to make your security decisions you're going to be in a bad way."

The report also found a dramatic increase in non-malware attacks since the start of 2016. Carbon Black noticed that almost every one of its customers had been targeted by a non-malware attack throughout 2016, which was part of the reasoning behind commissioning the report.

A non-malware attack is one that doesn't place executables on the target endpoint but uses existing software, applications or authorised protocols to carry out the attack. Powershell, a system administrator tool that is on every Windows box, is a good example.

"About five or six years ago at Black Hat some researchers said Powershell is going to be the thing and they wrote a tool to leverage Powershell attacks," McElroy said.

In 2016, these attacks evolved into the Powershell-based ransomware, Powerware. And the Squiblydoo attack was similarly built to wriggle past application whitelisting processes by exploiting existing system tools, where it is then able to run unapproved scripts.

Respondents told Carbon Black that they had seen some other particularly creative non-malware attacks, including efforts to affect a satellite transmission, impersonating the CSO while trying to access corporate intellectual property, and spoofing login systems so login information was immediately made available to the attacker.

"Spoofing logins to appear authentic - we call that living off the land," said McElroy. "The best thing I want to do as an attacker is look exactly like your system administrator, and if I can get that level of access I can do what I want for years and you'll never detect me."

Some efforts to address non-malware attacks included providing employee awareness training, turning to next-generation antivirus, more of a focus on patching, and locking down personal device usage when appropriate.


Previous Page  1  2 

Sign up for Computerworld eNewsletters.