AI is making it harder to detect malware and phishing – but it can also be used to fight them

19 Dec 2023, by Slade Baylis

In the world of cyber-security, things only ever seem to go in one direction with threats only seeming to increase in their numbers and the dangers that they pose.  However, luckily this ever-increasing risk is more often than not matched by an equal increase in efforts by cyber-security vendors to remain that one step ahead.

As part of these efforts, in the latter half of 2022 we released an article going into detail about the threats to look out for in 2023.  We touched on the ever-growing threat of ransomware, the heightened cyber threat environment happening globally, and new threats such as malware distribution frameworks.  Our aim was to make sure you were informed of the latest threats so you could take actions to protect your organisation from them.

And we want to make this an ongoing tradition for the end of each year.  Being December now, it's a good time to go over what’s changed on the threat landscape and then focus on the primary things that you’ll need to watch out for in 2024.

AI and ML will continue to complicate malware, ransomware, and phishing detection 

In the world of  IT, at the top of everyone’s mind has been AI - which is of no surprise given this year every second headline seems to have something to do with it!  And when it comes to cyber-security, as was always going to be the case, AI has unfortunately been embraced by malicious actors in order to both create and increase the effectiveness of their cyber-attacks.

As reported by CheckPoint¹, threat actors have been experimenting with AI (Artificial Intelligence) and ML (Machine Learning) in many ways – such as using deepfake technologies to take phishing and impersonation attacks to the next level.  We touched on this in our own How AI voice cloning has opened the door to a horrific new type of phishing scam article earlier this year, when we covered how new developments with AI-powered voice cloning was allowing criminals to create fake kidnapping calls, in order to trick relatives into paying out ransom fees!

But targeted phishing attempts aren't the only thing that have been empowered by deepfake developments – another thing reported was that “Deepfakes are often weaponized to create content that will sway opinions, alter stock prices or worse.”  Due to this, we expect to see further experimentation with these technologies done by both state and non-state threat actors, to not only target individuals but also the general public more broadly.

When considering malware itself, AI unfortunately is also being used to develop more cost-efficient malware.  “Cost efficient” may seem like an odd term to use for malware, but even cyber-criminals will try to reduce their costs in order to increase their “profits” - and being able to create new variants of malware through AI helps them to this end. 

In our The latest AI craze - why does ChatGPT have cyber-security professionals concerned? article from earlier this year, we speculated that we were not far off a world where all that a criminal need do is ask their AI to create malware to exploit a newly discovered security flaw and then have it moments later - which unfortunately is now the case.  With language-models like ChatGPT first demonstrating their ability to generate fully functional code when it was released, it didn't take long for the cyber-criminals to take note and start creating their own language-model variants and add them to their toolkits!

As reported by Barracuda², the number of reported successful ransomware attacks has doubled since 2022 in the categories of municipalities, healthcare and education – and compared to the same time in 2021, it has more than quadrupled!  One of the drivers behind these increases is the use of generative AI tactics, such as using the writing capabilities of language models to strike faster, with less spelling errors and grammatical issues in phishing emails.  With phishing being the primary attack vector used in 76% of successful attacks, as reported in the Acronis Cyberthreats Report³ – this means that the common tactics used by many to spot phishing attacks - may not likely work for spotting them in the future.

Fighting fire with fire – AI and ML will be needed to defend ourselves against them

In light of all these developments, the role of AI in the detection and prevention of cyber-attacks is clear – as the days of being able to use “signature matching” to detect malware are now gone.  Instead, the way forward will be through detecting attacks via recognising patterns of malicious behaviour by utilising AI and ML.  As reported by Wired⁴, similar to the AI-based plagiarism detectors like GPTZero that teachers have had to quickly learn to use in order to prevent cheating in the classroom - similar AI to this is now being integrated into cyber-security software in order to help prevent AI-assisted cyber-attacks. 

As an example of this, Ars Technica⁵ recently reported about an upgrade to Gmail’s spam filters, which Google is calling "one of the largest defence upgrades in recent years".  Without getting into too much technical detail, the upgrade was the addition of a new “text classification system” called RETVec (Resilient & Efficient Text Vectorizer).  RETVec is an AI model trained to detect spam through identifying spam much like a human would, visually analysing the content of an email rather than looking at the actual character content.  The good news is that using this approach has apparently led to big improvements, allowing them to catch spam that would have otherwise evaded traditional spam filters.

Other cyber-security vendors are also investing significantly in AI for enhancing cyber-security.  Sergey Shykevich, the Threat Intelligence Group Manager from Check Point Software Technologies, commented on this stating: “Our reliance on AI for cybersecurity is undeniable, but as AI evolves so will the strategies of our adversaries.  In the coming year, we must innovate faster than the threats we face to stay one step ahead.”

Sophos, another global leader in cyber-security, is also pushing the field forward with their SophosAI initiative, which was formed in 2017 in order to produce breakthrough technologies in data science and machine learning for information security.  One of their AI-powered services is their Impersonation Protection⁶ service, which is designed to protect against email spearphishing attacks – wherein influential people are impersonated to trick recipients into taking some harmful action for the benefit of the attacker. 

And these are just a few examples - there are many more avenues in which AI is being used to overcome cyber-attacks that are themselves being empowered by AI.

Cyber Resiliency vs Cyber Security

When discussing digital threats to your organisation, the focus is often the different ways to protect systems and infrastructure from being attacked.   The reason for this is obvious, as the best cure for the damage caused by cyber-attacks is to look to prevent it before it occurs, and the familiar term used for this concept is what we all refer to as “cyber-security”.   However, a relatively new term that is now gaining traction is “cyber-resiliency”.  This new term encompasses all of the existing approaches for detecting and preventing cyber-attacks, but also includes a focus on the planning for the recovery from and response to a cyber-attack, should they ever occur.

The reason for "recovery" being an added focus for cyber-security incidents is clear - especially when you think of some of the recent high-profile data breaches that have occurred to large companies like Optus, Medibank, Harcourts and more.  It becomes understandable that other organisations would also be cautious and worried about their own security posture – with the concern being if large companies like this weren’t able to protect their systems with their large budgets "what chances does a small business like me have?"  

The good news is that there are things you can do to protect yourself from the issues that hit these big organisations.  For those interested, we went into detail about how exactly you can do this in our Optus, Medibank, and now Harcourts – If they can be breached, what can you do to prevent it? article at the time.

For cyber-security threats more generally, there are many things that can be done to make your organisation more resilient.  As noted by ASIC⁷, the Australian Securities & Investments Commission, good practice when it comes to cyber resiliency planning includes the following:

• Strategy and Governance – This should include periodic reviews to assess progress and success, increasing fluency in the language of cyber-resilience and the potential threats to organisations, as well as making sure governance processes were responsive to the rapidly changing cyber-risk landscape.
• Risk Management and Threat Assessment – This should include being guided by intelligence gathering through the use of third-party experts, as well as being driven by routine threat assessments, including of relevant third parties. On that last point, ASIC noted that organisations that fostered close collaborative relationships with their suppliers rather than relying on contract terms obtained more timely threat intelligence.
• Protective Measures and Controls – One trend noted by ASIC was that many organisations have already implemented (or have made it a priority to implement) the "Essential Eight" which has been developed by the Australian Signals Directorate (ASD) and outlines strategies designed to mitigate targeted cyber incidents. This is accompanied by the 'Essential Eight Maturity Model' which enables organisations to self-assess their relative maturity against the Essential Eight recommendations.
• Response and Recovery Planning – Whilst some areas of response and recovery are usually covered by DR (Disaster Recovery) and BC (Business Continuity) planning, ASIC noted that response planning for cyber risks is different from standard business continuity planning because the scenarios are not as predictable, in part due to the range of threat sources and the speed at which attacks are becoming increasingly sophisticated.

With that said, we explained what should be included in an organisation's DR and BC plans in our in our previous How to make sure your business can survive adversity article, and these recommendations actually encompass a lot of the aspects that should be covered within "cyber-resiliency" planning.due to our own focus on cyber-security.

Have any questions about cyber-security, or looking to improve your own?

If you have any questions about anything we’ve gone over in this article, or are looking to find out how you can improve your own security posture, let us know! You can email us at sales@micron21.com or call us on 1300 769 972 (Option #1).

We’re always happy to answer any questions you have and help you come up with a strategy to make you more secure!

Sources

1, CheckPoint, “Into the Cyber Abyss: Check Point’s Riveting 2024 Predictions Reveal a Storm of AI, Hacktivism, and Weaponized Deepfakes”, <https://blog.checkpoint.com/artificial-intelligence/into-the-cyber-abyss-check-points-riveting-2024-predictions-reveal-a-storm-of-ai-hacktivism-and-weaponized-deepfakes/>
2, Barracuda, “Threat Spotlight: Reported ransomware attacks double as AI tactics take hold”, <https://blog.barracuda.com/2023/08/02/threat-spotlight-ransomware-attacks-double-ai-tactics>
3, Acronis Cyber Protect, “The Role of AI and ML in Ransomware Protection”, <https://www.acronis.com/en-sg/blog/posts/role-of-ai-and-ml-in-ransomware-protection/>
4, Wired, “How to Tackle AI—and Cheating—in the Classroom”, <https://www.wired.com/story/how-to-tackle-ai-and-cheating-in-schools-classroom/>
5, Ars Technica, “Gmail’s AI-powered spam detection is its biggest security upgrade in years”, <https://arstechnica.com/gadgets/2023/12/gmails-ai-powered-spam-detection-is-its-biggest-security-upgrade-in-years/>
6, Sophos, “Sophos Announces 4 New Open Artificial Intelligence Developments”, <https://www.sophos.com/en-us/press/press-releases/2020/12/sophos-announces-four-new-open-ai-developments>
7, ASIC, “Cyber resilience good practices”, <https://asic.gov.au/regulatory-resources/corporate-governance/cyber-resilience/cyber-resilience-good-practices/>