The use of artificial intelligence (AI) in cybersecurity, while often overhyped, is not a new concept. Hackers have included countermeasures in malware since its inception to detect runtime environments or sense detection attempts. Early actions were primitive compared to what we know today, but they laid the groundwork for more critical thought about adaptive and evasive technologies and sophisticated situational awareness. This lethal combination of research and deep targeting is likely the future of malware as adversaries attempt to outsmart the companies and researchers trying to thwart them.
Adaptive and Evasive Technology
Malware has always adapted to its environment, and the inclusion of artificial intelligence has provided authors with a range of new opportunities. The days of using code to analyze behavior are coming to an end. The combination of a network card and specific geolocation is enough for malware to begin reconnaissance. Why risk getting caught doing resource development when those resources likely would not produce the results the malware author desires?
Suppose the intended target is the corporate campus in Milwaukee, and the malware senses it is in Berlin, Wisconsin. The 82-mile difference could mean the infected host is nearby but not exactly where the author intends to carry out the next move. In this case, the malware would sleep for 15 days and try again. If that attempt fails, the malware will adapt to its host environment and employ other resource development behaviors. This chess game is often complicated, but readily available models and actions make it easier for malware authors.
Marketers have used this tactic for decades now. Learning the behaviors, habits, and values of individuals or groups is the staple of successful advertising campaigns. It stands to reason that this type of research and technology would bleed over to bad actors and malware authors.
There are numerous ways to use deep targeting against (often) unsuspecting victims. End-user behavioral analysis (UBA) is a product or tagline for many cybersecurity companies because professionals who spot deviations can trigger alerts.
Cybercriminals also use this technique to learn user behaviors and blend into their targets’ surroundings. The era when malware woke up at 3:00 AM to execute its attack is long gone. Now 3:00 PM is when the user is busiest, so hackers slipping a few illicit data packets here and there are much more challenging to detect.
Another consideration with deep targeting is where to launch the initial hack. Social media is a treasure trove of useful metadata and behaviors. Getting users to click on a topic they feel passionate about is much easier than getting someone to interact with an off-topic post. Blending into social, political, and economic conversations takes little effort, and branching those topics opens many potential pathways to target victims. Now it is just a matter of prepping the audience and biding one’s time to launch the real objective: a nefarious campaign.
Spear Phishing via a Service
Mining social media (both personal and professional) is child’s play. Mapping an executive’s profile to a favorite charity gives a clear roadmap into content that has a high probability of ensnaring a new victim. Spear phishing via a service employs third parties rather than targeting enterprise email channels directly.
Determining Physical Location
Information about a target’s physical location can include various details, including the position of critical resources and infrastructure. This data may also indicate whether the victim operates within a legal jurisdiction or authority. Knowing those specifics allows adversaries to act quickly.
Hackers may environmentally key payloads or other malware features to evade defenses. This method uses cryptography to constrain execution or actions based on specific adversary-supplied conditions present in the target area.
This tactic focuses on destroying files on specific network systems and interrupting availability of services and resources. By overwriting content from local and remote drives, cybercriminals render stored data unrecoverable by forensic techniques.
Many organizations use AI as part of an in-depth security protocol, but hackers now have easy access to the same sophisticated techniques to achieve their malicious goals. As malware becomes more stringent, smarter, and undetectable, are enterprise teams and tools ready for the challenge?
Thankfully, the answer is more likely “yes” than “no.” The fundamentals still apply; the challenges will likely just come faster and with more variety. The past months have shown us that our strategies and biases are tested continuously. As noted, the vast majority of the time, the fundamentals win. When they fail, however, there is the chance that they fail massively. Mapping AI-based malware and campaigns through tried-and-true frameworks is a great way to remain informed as adversaries change tactics, employ new techniques and attempt to use norms against their target. Stay vigilant – stay safe.