Tapping on AI for Singapore’s cyber security defence against “low and slow” attacks

A high-tech business hub, Singapore continues to be a prime target for cyber-crime. Fervently rising to the cyber challenge in past months, the Government has announced significant investments in cyber security, including new training initiatives and R&D. These national efforts have not gone unnoticed: the UN recently rated Singapore’s cyber security strategy as the most comprehensive in the world. However, more can be done to strengthen our cyber resilience, as the cyber-threat landscape continues to evolve in unpredictable ways.

An analyst looks at code in the malware lab of a cyber security defence lab at the Idaho National Laboratory. The author says that recent cyber attacks show how seemingly legitimate network users can create vulnerabilities that security tools miss. Photo: Reuters

Unlike many other countries, Singapore managed to evade this year’s WannaCry, NotPetya and BadRabbit ransomware attacks, coming up relatively unscathed. However, a stealthier breed of threat is increasingly concerning to businesses here. Constantly reinventing themselves beyond recognition, ‘low and slow’ attacks mark a new era of cyber-threat.

These attacks seek more than to openly wreak havoc for quick financial return. They instead play a longer game to steal corporate DNA and damage organisations at their roots – through their data. Imagine an attacker moving one decimal point across millions of bank statements, or changing patients’ blood types in a laboratory results database.

Once our trust in the integrity of data is gone, our entire confidence in these institutions is undermined.

Able to morph their code to slip past perimeter security systems, ‘low and slow’ attacks can silently blend into the noise of a network for months on end. In fact, studies have discovered that a digital criminal goes undiscovered on a network for 260 days on average. These incognito attackers make calculated lateral movements across networks on the hunt for ‘crown jewels.’ Once found, they strike to cause maximum damage.

The recently revealed cyber breach of Malaysian mobile service providers is a prime example of a large-scale ‘low and slow’ attack. The responsible threat actors lay dormant for years inside the networks of all major Malaysian mobile service providers, without anyone noticing.

Only now, after 46.2 million customer data records were discovered free to download online, has the attack been brought to light. Investigating this historic, well-disguised, malicious activity could take months, if not years, making attribution extremely difficult.

In Singapore, a recent ‘low and slow’ attack on a large hotel chain demonstrates the dangers of sophisticated insider threat. In this breach, an individual with authenticated user credentials accessed an external server from outside the network with an internal user account.

The server then made remote-desktop connections between other company computers before arriving at the hotel property management system, from where a large volume of data was downloaded. A comparable volume of data attempted to leave the network, going to the external device that initiated the original remote-desktop connection.

Upon further investigation, it transpired that the user account in question belonged to a former employee who had only recently left the company. It is possible that he had sold his access credentials before they could be disabled, or that he was attempting to retrieve the data himself before selling it to a competitor.

Regardless of the motive, the attack highlights how seemingly legitimate network users can create vulnerabilities that legacy security tools miss.

The unpredictable nature of these kinds of modern attacks makes them particularly dangerous and highlights an inherent weakness in the current approach to cyber defence. To date, the cyber security industry has adopted a fortress mentality – “by building high walls around the network, we can keep the bad guys out.”

But never-before-seen threats are unclassified. Without a way to recognise them, such threats pass through the gates freely. Clearly, trying to keep threats out is a failing philosophy, and a fundamental step change in cyber security is needed to stay ahead of today’s fast-evolving threats.

Despite bypassing traditional security defences at the network border, the attack on the Singaporean hotel chain was successfully detected by disruptive AI technology that mimics the self-learning intelligence of the human immune system to spot and stop cyber-attacks.

Just like how our body’s immune system plays a pivotal role in understanding ‘self’ and defending against emerging threats that get under our skin, this new class of technology fights back against the threats that are already inside our networks, seeking to do harm.

Acting as ‘digital antibodies,’ unique machine learning can now not only detect threatening anomalies as they develop, but also respond with targeted, proportionate action to slow and stop dangerous web connections, or the lightning-speed spread of ransomware.

This self-learning AI is particularly effective in defending against stealthy ‘low and slow’ attacks. By establishing an evolving ‘pattern of life’ of every user, device and network, machine learning can join the dots between abnormalities across the entire digital infrastructure, no matter how subtle or seemingly isolated.
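The ‘pattern of life’ correlation described above, applied to the hotel-chain sequence from earlier (a former employee’s account arriving from an external address, remote-desktop hops to the property management system, and a bulk transfer back to the originating address), as an added example that is not code from the article or from Darktrace. Every account name, host, address, threshold and corporate address range below is a constructed assumption.

```python
"""Added example (not the article's or Darktrace's code): a toy 'pattern of life'
correlator run over constructed events modelled on the hotel-chain incident."""
from ipaddress import ip_address, ip_network

CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed ranges

# Constructed baseline per account: usual RDP targets, p95 outbound bytes, HR status.
BASELINE = {
    "jtan": {"hosts": {"ws-014", "file-01"}, "bytes_p95": 40_000_000, "active": False},
    "mlee": {"hosts": {"ws-022", "pms-01"}, "bytes_p95": 60_000_000, "active": True},
}

# Constructed event log: (account, src, dst, protocol, bytes_out).
EVENTS = [
    ("jtan", "203.0.113.7", "ws-031", "rdp", 0),          # login from outside
    ("jtan", "ws-031", "pms-01", "rdp", 0),               # hop to property mgmt system
    ("jtan", "pms-01", "203.0.113.7", "tcp", 1_800_000_000),  # bulk transfer to origin
    ("mlee", "ws-022", "pms-01", "rdp", 0),               # normal staff activity
    ("mlee", "pms-01", "ws-022", "tcp", 5_000_000),
]

def is_external(host):
    """Routable address outside the corporate ranges; hostnames count as internal."""
    try:
        return not any(ip_address(host) in net for net in CORP_NETS)
    except ValueError:
        return False

def account_findings(account, events, baseline):
    """Weak signals for one account; each is explainable alone, together they are not."""
    prof = baseline[account]
    origins = {src for _, src, *_ in events if is_external(src)}
    findings = [f"external-origin-login:{o}" for o in sorted(origins)]
    if not prof["active"]:
        findings.append("inactive-account-in-use")
    for _, src, dst, proto, out in events:
        if proto == "rdp" and dst not in prof["hosts"]:
            findings.append(f"unusual-rdp-target:{dst}")
        if out > prof["bytes_p95"]:
            findings.append(f"bulk-transfer:{dst}")
        if dst in origins and out > 0:
            findings.append(f"exfil-to-origin:{dst}")
    return findings

def correlate(events=EVENTS, baseline=BASELINE, threshold=3):
    """Alert on accounts whose accumulated weak signals reach the threshold."""
    results = {a: account_findings(a, [e for e in events if e[0] == a], baseline)
               for a in baseline}
    return {a: f for a, f in results.items() if len(f) >= threshold}
```

No single signal here is an alert on its own; the account is raised because several deviations from its own baseline coincide, which is the joining of dots the paragraph refers to.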

A force multiplier, the AI algorithms alert security teams to these leading indicators in real time, empowering them to investigate and remediate threats before they escalate into a crisis.

As local businesses embrace the digital revolution, networks are becoming more complex by the day. Whether it be employees connecting unsecured IoT devices to the corporate network, or inherited risks from third-party suppliers, the increasingly hyper-connected nature of Singaporean organisations is creating new inroads for savvy attackers.

The battle is on for Singaporean businesses to manage both their own complexity and an increasingly sophisticated threat landscape, as highlighted by the rise of ‘low and slow’ attacks.

Government plans to plug the cyber security skills gap and increase online safety awareness are important steps to tackle the human element of the cyber security challenge. But ultimately, this is fast becoming a cyber arms race and machine learning will be an indispensable weapon.

ABOUT THE AUTHOR:

Sanjay Aurora is managing director, Asia Pacific, Darktrace, a cyber security firm.