According to Guy Rosefelt, the Chief Product Officer at Sangfor Technologies, weaponized artificial intelligence (AI) is a real-world problem and something that organizations need to be aware of. While conversations about ChatGPT and its impact on civilization happens frequently, the use of AI in malicious activities is something that deserves more attention.
Advanced persistent threats (APTs) have weaponized AI by using it to evaluate the environment the malware is running in to determine if the environment is conducive to attack. This is not just a theory or science fiction but is happening in reality. Previously, the typical level of intelligence that malware had was to watch the system clock and activate the payload on a certain date and time.
However, with AI, the malware can detect if it is running on a virtual sandbox, specific hardware, and environmental factors including the domain the system belongs to, user accounts on the system, security software running, and the ability to disable it. This becomes an insidious issue, as APTs can use this to disable security software like Windows Defender. They have a batch script called Defeat-Defender that can shut down Windows Defender in any windows system.
APT goes to sleep for a specific period and then wakes up to evaluate whether Defender has become active again. If Defender has not been restarted, then the malware will continue its check to determine whether it should activate. If Defender has been reactivated, then the APT will go back to sleep never to return. This is an example of how cybercriminals are using sophisticated techniques to bypass security systems and achieve their goals.
The best example of weaponized AI being leveraged is the SolarWinds Supply Chain Attack. This attack targeted numerous organizations in the United States and Europe, including hi-tech companies, communications companies, banks, schools, and government departments. FireEye and Microsoft detected lateral movement attacks in December 2020 that were later found to be a global operation attributed to threat group APT29.
The attackers implanted malicious code into a core SolarWinds DLL file and distributed backdoor software through SolarWinds’ official website. They used a technique called Living off the Land (LotL), where the malicious DLL is called using the valid signed executable, SolarWinds.BusinessLayerHost.exe, and thus considered a trusted process. Trusted processes cannot be scanned by security software.
Once the malicious process was started, it began running a checklist of nine environmental tests to see if it could activate undetected. The effects of weaponized AI on businesses attacked are significant and include ransomware infection, data breach, and asset under attacker control. These cause disruption to business operations with significant financial and operational impact.
AI-enabled malware can breach and infect an organization within 45 minutes. No human incident response team can detect and respond quickly enough to beat the speed of an AI system. Organizations need tools with purpose-built AI models looking for specific behaviors. General-purpose AI models do not have the fidelity to detect different types of intermittent behavior over long periods of time.
Behavioral detection should include building baselines of network traffic, user behavior, and application behavior. The models would then identify anomalous deviations, alert, and use SOAR (security orchestration, automation, and response) to command security products to respond using automated playbooks. This reduces the time needed to detect and respond to an attack from days and weeks to a matter of minutes.
Most organizations think their security architecture is robust enough to combat APTs. Yet, ransomware is almost 100% successful, which means the most popular firewalls and endpoint protection are not sufficient to detect and block weaponized AI APTs. The next state-of-the-art security solutions must be AI-enabled to detect the AI being used against them.
In conclusion, the use of weaponized AI is not just theory or science fiction anymore but a reality facing organizations today. Cybercriminals are continually developing sophisticated techniques to bypass security systems and achieve their goals undetected. Organizations need to be aware of the severity of the situation and take measures to mitigate risks. They need to deploy advanced tools with purpose-built AI models to protect their assets against weaponized AI APTs.
Guy Rosefelt is the Chief Product Officer for Sangfor Technologies and has over 20 years of experience in application and network security. After his time in the USAF building the first fiber to the desktop LAN and other things found in Tom Clancy novels, Guy worked at NGAF, SIEM, WAF, and CASB startups, as well as big-name brands like Imperva and Citrix. He has spoken at numerous conferences around the world, written articles, and led teams that designed and built security-focused products. Guy can be reached at https://www.linkedin.com/in/guyrosefelt/ and Sangfor’s official website: https://www.sangfor.com/.