Malware sophistication is increasing as adversaries begin to weaponise cloud services and use encryption to conceal command-and-control activity and evade detection. Security professionals report that they will increasingly use, and spend more on, tools that rely on AI and machine learning, according to the 11th Cisco Annual Cybersecurity Report (ACR), published in 2018.
While encryption is meant to enhance security, the expanded volume of encrypted web traffic (50 percent as of October 2017) — legitimate and malicious — has created more challenges for defenders trying to identify and monitor potential threats. Cisco threat researchers observed more than a threefold increase in encrypted network communication used by inspected malware samples over a 12-month period.
Applying machine learning can help enhance network security defences and, over time, “learn” how to automatically detect unusual patterns in encrypted web traffic, cloud, and IoT. Some of the 3,600 IT security professionals interviewed for the Cisco 2018 Security Capabilities Benchmark Study said they were reliant on, and eager to add, tools such as machine learning and AI, but were frustrated by the number of false positives such systems generate. While still in its infancy, machine learning and AI technology will mature and learn what is “normal” activity in the networks it is monitoring, the IT company says.
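To make the “learn what is normal” idea concrete, the following added example (it is not from the article or from Cisco’s report) scores encrypted flows using only metadata, namely timestamps and byte counts per (source, destination) pair, and never the payload. Connections that recur at a very regular interval with a very regular size are flagged as beacon-like; a baseline learned from a clean training window then suppresses known-good periodic traffic. The hostnames, flow records and the 0.10 regularity threshold are all constructed assumptions, chosen to show the false-positive problem the survey respondents describe: without a baseline, a legitimate hourly update check is flagged alongside the unknown destination.

```python
"""Beacon-style regularity scoring over encrypted-flow metadata (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

MIN_FLOWS = 4          # need several observations before judging regularity
REGULARITY_CV = 0.10   # assumed threshold: coefficient of variation below this is "regular"


def periodic_flows(src, dst, period_s, count, size, start=0):
    """Constructed helper: emit `count` flows from src to dst every period_s seconds."""
    return [(start + i * period_s, src, dst, size) for i in range(count)]


# Constructed sample records: (timestamp_s, src_host, dst_host, bytes_out).
# A real pipeline would read these from NetFlow/IPFIX or a TLS proxy log.
TRAINING_FLOWS = periodic_flows("ws-17", "updates.example-vendor.test", 3600, 6, 512)
LIVE_FLOWS = (
    periodic_flows("ws-17", "updates.example-vendor.test", 3600, 6, 512, start=86400)
    + periodic_flows("ws-17", "dst-unknown.test", 60, 8, 300, start=86400)
    + [(86400 + t, "ws-23", "mail.example-vendor.test", b)
       for t, b in ((0, 120), (45, 3000), (400, 800), (410, 50), (900, 9000))]
)


def _cv(values):
    """Coefficient of variation; a zero mean is treated as maximally irregular."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def regularity_scores(flows):
    """Per (src, dst) pair: (interval_cv, size_cv), or None if too few flows were seen."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in sorted(flows):
        by_pair[(src, dst)].append((ts, size))
    scores = {}
    for pair, obs in by_pair.items():
        if len(obs) < MIN_FLOWS:
            scores[pair] = None
            continue
        times = [t for t, _ in obs]
        intervals = [b - a for a, b in zip(times, times[1:])]
        sizes = [s for _, s in obs]
        scores[pair] = (_cv(intervals), _cv(sizes))
    return scores


def is_beacon_like(score):
    """Regular timing AND regular size: the shape command-and-control check-ins often have."""
    return score is not None and score[0] < REGULARITY_CV and score[1] < REGULARITY_CV


def learn_baseline(training_flows):
    """Pairs that were already beacon-like during a clean training window count as normal."""
    return {p for p, s in regularity_scores(training_flows).items() if is_beacon_like(s)}


def detect(flows, baseline=frozenset()):
    """Sorted (src, dst) pairs that look beacon-like and were not learned as normal."""
    return sorted(p for p, s in regularity_scores(flows).items()
                  if is_beacon_like(s) and p not in baseline)


if __name__ == "__main__":
    print("no baseline  :", detect(LIVE_FLOWS))
    print("with baseline:", detect(LIVE_FLOWS, learn_baseline(TRAINING_FLOWS)))
```

Run as-is, the first line lists both of ws-17’s regular destinations (the update server is a false positive); the second lists only the unknown destination. The irregular mail traffic from ws-23 is never flagged. A threshold this simple is only a starting point: an analyst still has to review what the baseline learned, since anything already beaconing during the training window would be silently accepted as normal.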
Cisco says that while cloud offers better data security, attackers are taking advantage of the fact that security teams are having difficulty defending evolving and expanding cloud environments. Attacks can persist for months or even years, the report warned. IT should be aware of the potential risk of using software or hardware from organisations that do not appear to have a responsible security posture, the company added.
John N Stewart, Senior Vice President and Chief Security and Trust Officer at Cisco, said: “Last year’s evolution of malware demonstrates that our adversaries continue to learn. We have to raise the bar now – top down leadership, business led, technology investments, and practice effective security – there is too much risk, and it is up to us to reduce it.”
Erik Westhovens, Enterprise Architect at Insight, said: “What’s clear from Cisco’s latest research is that the cyber-security environment is moving at an unprecedented speed, with malignant actors and defenders engaged in an arms race that would make Cold War strategists blush. The past few months have seen the focus shift once again, from ransomware to malware, resulting in new requirements for defending against cyber-attacks.
“Whereas ransomware is designed to make its presence felt by its victims, malware often works in far more insidious ways, such as hijacking computing power to fuel bitcoin mining. And because this puts a premium on rapid detection and analysis to uncover these shadowy threats, it is therefore reassuring to see that time to detection (TTD) has been trending downwards.
“However, the inventiveness of cyber-attackers means that the threat is always evolving. AI and machine learning are key to detecting novel methods quickly and finding ways to contain and neutralise them, and this is reflected in security leaders’ increasing reliance on these technologies. Scale is vital for effectiveness – security providers such as Microsoft, who can draw on a large customer base and massive data sets on user behaviour, not only have a higher chance of picking up on a threat but have more data to feed into their algorithms. This helps with developing more accurate assessments of what constitutes a potentially threatening pattern of, for example, web traffic, and more sophisticated mechanisms for combating threats.
“While technology has a huge role to play, people should remain the first line of any cyber defence strategy. Consider the modern flexible employee – accessing company information on the move and working with sensitive data every day, regardless of job function. Because malware frequently takes advantage of employees’ ignorance, organisations need to focus their security strategy both on detection technology and on educating their workforce on how to avoid becoming an ‘easy route in’.”
Kirill Kasavchenko, principal security technologist, EMEA at NETSCOUT Arbor, said: “With processes and services increasingly shifting into the digital sphere, safeguarding networks against disruption is now critical for many organisations. For me and the NETSCOUT Arbor team, we are acutely aware that availability is everything. A website or server being knocked offline for just a few minutes can have far-reaching consequences. This is why we continuously seek to improve and evolve DDoS mitigation technologies and best practices.
“It’s great to see this Cisco report signal that security leaders are increasingly leveraging automated, machine learning, and AI technologies to defend against threats. We strongly believe that automation is key to DDoS protection, not only from a detection point of view, but also for provisioning and management of the service. In the advanced threat detection space, the shift to automation is also critical; however, humans still play an active role due to the complexity of the attacks. Machines are great at handling the initial detections, but we also need to be able to quickly understand the context of those detections so that we can establish how ‘real’ they are and what the next step should be.
“Despite the progress in the DDoS mitigation space, this research hammers home the reality of an expanding IoT population, and the difficult mismatch between the growing risk and awareness. Organisations are still failing to appreciate the very real risk these devices pose. Hackers are using IoT botnets to launch DDoS attacks of ever-increasing size, frequency and complexity, yet only 13 percent of organisations see IoT botnets as an imminent threat. We must all appreciate that IoT botnets could be lurking in wait – which is why every organisation must have a robust plan in place to quickly contain a DDoS attack if it happens.”