Beating cybercriminals with your own weapons – a guide from BlackBerry

Threat Defense

How AI and ML can be used effectively to ward off threats to IT security

Ransomware is one of the most varied attack tactics in cybercrime: the BSI states that more than 400,000 new variants are being developed every day, and the trend is rising. The latest developments around a new threat actor are the subject of recent research from BlackBerry, a leading provider of security software and services for the IoT. Its research and intelligence team has recently uncovered an unusual link between the actions of three different threat groups, centered on a fourth actor named Zebra2104.

The latest finding: cybercriminals network with each other, exchange information, constantly develop new malware and refine their phishing methods. That AI and ML applications can now demonstrably write better phishing emails than a human shows how resourceful attackers have become at getting malware into other organisations' networks, and it raises the question of whether intelligent systems will be the more dangerous hackers in future. For all the progress on the attackers' side, one requirement for IT security experts has not changed: wherever possible, stay the decisive step ahead of the attackers in order to thwart attacks effectively.

Countering targeted attacks with clustering and classification

If attackers are increasingly relying on AI and ML, as reliable analyses confirm, companies are well advised to use first-class defensive tools that are themselves based on AI and ML technologies. Take clustering analysis as an example: its purpose is to divide data samples into discrete groups, or clusters, based on previously unknown similarities between their main characteristics or attributes. The more similar two samples are, the more likely they belong to the same cluster. Cylance's AI and ML models, for example, are built on more than 1.4 trillion data points, and almost 20 billion features have been extracted so far and woven into the data model.

People experience the world in three spatial dimensions, so the distance between any two objects can be determined by measuring the length of the shortest straight line connecting them. Clustering algorithms work on the same principle: they assign each data sample coordinates in a feature space and measure the distances between the samples.

After the analysis is complete, the security experts are presented with a set of clusters of differing sizes. Since malicious behavior is rare, the clusters with the largest numbers of samples are generally associated with benign activity, while clusters with few members may indicate abnormal, potentially malicious activity that warrants further analysis. Clustering is thus a mathematically rigorous approach to recognizing patterns and relationships in network, application, file and user data that would be difficult or impossible to recognize in other ways.
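As an added example (not BlackBerry or Cylance code), the following Python carries the approach just described through on constructed data: each host's outbound activity is summarised as a feature vector, the features are scaled so that no single unit dominates the distance, a deterministic k-means groups the vectors by Euclidean distance, and the smallest clusters are returned for analyst review. Host names, the choice of features and every value are constructed for illustration.

```python
"""Distance-based clustering of per-host connection summaries.

Added example, not BlackBerry/Cylance code. Each record summarises one
host's outbound network activity over a fixed window; host names and
feature values are constructed for illustration only.
"""
import math
from typing import Dict, List, Sequence, Tuple

Vector = Tuple[float, ...]

# Constructed records: (host, bytes_out_kb, connections, distinct_dst_ports)
SAMPLES: List[Tuple[str, Vector]] = [
    ("ws-01", (48.0, 21, 3)), ("ws-02", (52.0, 19, 2)), ("ws-03", (45.0, 24, 3)),
    ("ws-04", (60.0, 18, 4)), ("ws-05", (50.0, 22, 3)), ("ws-06", (55.0, 20, 2)),
    ("ws-07", (47.0, 23, 3)), ("ws-08", (58.0, 17, 4)), ("ws-09", (49.0, 20, 3)),
    ("ws-10", (53.0, 21, 2)),
    # file servers: busier than workstations, but consistent with each other
    ("fs-01", (900.0, 60, 5)), ("fs-02", (880.0, 64, 6)), ("fs-03", (920.0, 58, 5)),
    # two workstations whose profile resembles nothing else in the set
    ("ws-11", (4800.0, 790, 61)), ("ws-12", (5100.0, 810, 58)),
]


def normalize(vectors: Sequence[Vector]) -> List[Vector]:
    """Min-max scale every feature to [0, 1] so a feature measured in
    kilobytes does not outweigh one measured in ports purely by its unit."""
    dims = len(vectors[0])
    lo = [min(v[i] for v in vectors) for i in range(dims)]
    hi = [max(v[i] for v in vectors) for i in range(dims)]
    return [
        tuple((v[i] - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0
              for i in range(dims))
        for v in vectors
    ]


def euclidean(a: Vector, b: Vector) -> float:
    """Length of the straight line between two points in feature space."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points: Sequence[Vector], k: int, max_iter: int = 100) -> List[int]:
    """Assign each point to one of k clusters.

    Initial centroids follow the farthest-point rule (each new centroid is
    the point farthest from those already chosen), which is deterministic
    and spreads the seeds across the data. The usual assign/recompute loop
    then runs until the assignments stop changing."""
    centroids: List[Vector] = [points[0]]
    while len(centroids) < k:
        farthest = max(points, key=lambda p: min(euclidean(p, c) for c in centroids))
        centroids.append(farthest)
    labels = [-1] * len(points)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: euclidean(p, centroids[j])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:  # an empty cluster keeps its previous centroid
                centroids[j] = tuple(sum(m[i] for m in members) / len(members)
                                     for i in range(len(points[0])))
    return labels


def cluster_hosts(samples: Sequence[Tuple[str, Vector]], k: int = 3) -> Dict[int, List[str]]:
    """Group hosts by the similarity of their scaled activity profiles."""
    labels = kmeans(normalize([v for _, v in samples]), k)
    clusters: Dict[int, List[str]] = {}
    for (host, _), label in zip(samples, labels):
        clusters.setdefault(label, []).append(host)
    return clusters


def flag_small_clusters(samples: Sequence[Tuple[str, Vector]], k: int = 3,
                        max_fraction: float = 0.15) -> List[str]:
    """Return hosts in clusters holding at most max_fraction of all samples.
    Rare behaviour is surfaced for review; it is not declared malicious."""
    clusters = cluster_hosts(samples, k)
    return sorted(host for members in clusters.values()
                  if len(members) / len(samples) <= max_fraction
                  for host in members)


if __name__ == "__main__":
    for label, members in sorted(cluster_hosts(SAMPLES).items()):
        print(f"cluster {label}: {len(members):2d} hosts -> {', '.join(members)}")
    print("review candidates:", flag_small_clusters(SAMPLES))
```

Two design points are worth noting. Scaling is not optional: without it the byte count alone would decide every distance, and the port-count feature would contribute nothing. The small-cluster threshold (15 % of samples here) is a triage heuristic, not a verdict: the three file servers form a small cluster too, and they stay below the threshold only because of the chosen cutoff, which is why the text speaks of further analysis rather than automatic action.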

Classification of characteristics

In security, a systematic classification of characteristics makes it possible to predict whether an e-mail should be treated as spam, or whether a network connection is benign or belongs to a botnet. In ML, the algorithms used for this categorization are called classifiers. To build an accurate classification model, data scientists need a large amount of labeled data that has been correctly collected and categorized. The samples are then usually divided into two or three sets for training, validation and testing. As a rule of thumb, the larger the training set, the more likely the classifier is to produce an accurate model that makes reliable assignments.
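The train/validation/test split described above, as an added example that is not from the original article: a multinomial naive Bayes spam classifier in Python over a small constructed set of labelled messages. The training set fits the model, the validation set chooses the smoothing parameter, and the test set, which the model never saw during fitting or selection, provides the accuracy estimate. All messages and labels are constructed; a production model needs orders of magnitude more labelled data, as the text points out.

```python
"""Spam/ham classification with a train/validation/test split.

Added example, not BlackBerry/Cylance code. The labelled messages are
constructed for illustration. Multinomial naive Bayes is used because the
whole classifier fits on one screen, not because it is the strongest choice.
"""
import math
import re
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Sample = Tuple[str, str]  # (message text, label)

# Constructed corpus; eight messages per class keeps the split stratified.
SPAM = [
    "urgent verify your account now or it will be suspended",
    "you have won a prize claim your reward today",
    "password reset required click the link immediately",
    "final notice your invoice is overdue pay now",
    "congratulations you are selected for a free gift card",
    "account locked confirm your identity to restore access",
    "limited offer claim your bonus before midnight",
    "security alert unusual sign in verify now",
]
HAM = [
    "meeting moved to thursday agenda attached",
    "can you review the draft report before friday",
    "lunch at noon the usual place",
    "notes from the sprint planning are in the shared folder",
    "reminder the quarterly review is next tuesday",
    "thanks for the feedback on the proposal",
    "the build is green after the dependency update",
    "please add your slides to the deck before the call",
]
LABELLED: List[Sample] = [(m, "spam") for m in SPAM] + [(m, "ham") for m in HAM]


def tokenize(text: str) -> List[str]:
    """Lower-case word tokens; punctuation and case carry no signal here."""
    return re.findall(r"[a-z0-9]+", text.lower())


def split_dataset(samples: Sequence[Sample], fold: int = 4):
    """Deterministic, class-stratified split. Within each class every
    fold-th item goes to the test set, the item before it to validation,
    everything else to training, so class balance is equal in all three."""
    train: List[Sample] = []
    val: List[Sample] = []
    test: List[Sample] = []
    by_label: Dict[str, List[Sample]] = {}
    for s in samples:
        by_label.setdefault(s[1], []).append(s)
    for items in by_label.values():
        for i, s in enumerate(items):
            if i % fold == fold - 1:
                test.append(s)
            elif i % fold == fold - 2:
                val.append(s)
            else:
                train.append(s)
    return train, val, test


class NaiveBayes:
    """Multinomial naive Bayes with additive (Laplace) smoothing alpha."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.class_counts: Counter = Counter()          # documents per class
        self.token_counts: Dict[str, Counter] = {}      # token counts per class
        self.vocab: set = set()

    def fit(self, samples: Sequence[Sample]) -> "NaiveBayes":
        for text, label in samples:
            toks = tokenize(text)
            self.class_counts[label] += 1
            self.token_counts.setdefault(label, Counter()).update(toks)
            self.vocab.update(toks)
        return self

    def predict(self, text: str) -> str:
        """Return the class with the highest log posterior; smoothing keeps
        tokens unseen in one class from zeroing out that class entirely."""
        toks = tokenize(text)
        total_docs = sum(self.class_counts.values())
        best_label, best_score = "", -math.inf
        for label, n_docs in self.class_counts.items():
            counts = self.token_counts[label]
            denom = sum(counts.values()) + self.alpha * len(self.vocab)
            score = math.log(n_docs / total_docs)
            for t in toks:
                score += math.log((counts[t] + self.alpha) / denom)
            if score > best_score:
                best_label, best_score = label, score
        return best_label


def accuracy(model: NaiveBayes, samples: Sequence[Sample]) -> float:
    return sum(model.predict(t) == lab for t, lab in samples) / len(samples)


def train_select_evaluate(samples: Sequence[Sample], alphas=(0.1, 1.0, 5.0)):
    """Fit on train, pick alpha on validation, report accuracy on test."""
    train, val, test = split_dataset(samples)
    best = max((NaiveBayes(a).fit(train) for a in alphas), key=lambda m: accuracy(m, val))
    return best, accuracy(best, test)


if __name__ == "__main__":
    model, test_acc = train_select_evaluate(LABELLED)
    print(f"chosen alpha={model.alpha}, test accuracy={test_acc:.2f}")
    print(model.predict("verify your account now"), model.predict("agenda for the thursday meeting"))
```

The test accuracy on a corpus this small says little and swings with every added message; the point of the three sets is the discipline, not the number. The parameter chosen on the validation set must never be tuned against the test set, or the final figure stops being an estimate of performance on unseen data.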

Starting point for the development of smart defense strategies of tomorrow

These two examples offer an introduction to the tools and processes that data scientists at BlackBerry currently use to solve complex cybersecurity challenges. What makes the decisive difference in individual cases is the expertise of the developers, together with the constantly growing stock of proprietary security data available for modeling. With these resources, experienced experts can correctly classify security challenges and develop solutions that help companies minimize their cyber risks and improve their resilience.
