Threat Management, Vulnerability Management

Automating for Endless zero-days

By Derek Manky, chief of security insights & global threat alliances, Fortinet

The number of vulnerabilities available to cybercriminals continues to grow at an accelerating rate. But according to one recent report, of the more than 100,000 vulnerabilities published to the CVE list, fewer than 6 percent have actually been exploited in the wild. The challenge is that predicting which vulnerability will be targeted next, and which exploit will be used, requires advanced strategies, such as leveraging telemetry data to perform predictive analysis, that many organizations do not have in place.

Those organizations without such solutions, and without the skilled personnel to manage them, will need to continue to rely on security tools that monitor all possible attack vectors. But because the number of known exploits and vulnerabilities continues to grow, matching that burgeoning signature library against live traffic is becoming a burden for many of those security solutions.

Even more concerning, the accelerating growth of known vulnerabilities and exploits is just the beginning of the problem. There’s an even larger treasure trove of potential vulnerabilities hidden from view that defenders haven’t even begun to take into consideration as part of their security strategy. Countless vulnerabilities exist inside software and hardware, particularly in the area of IoT, waiting to be discovered and exploited by cybercriminals.

Fortunately, cybercriminals have not yet figured out how to extract those zero-day vulnerabilities from existing software except in the most rudimentary ways. But that is about to change. As malicious actors begin to incorporate AI and machine learning (ML) into their exploit development, zero-day vulnerabilities and exploits will explode, and the threat landscape will be completely transformed. Attack campaigns targeting multiple zero-day vulnerabilities will be able to spin up at any instant, and cybercriminals will begin integrating more and more zero-day exploits into attack kits.

Instead of constantly piling on new updates, today’s security solutions will need to become smarter about how and what they look for. Likewise, organizations will have to shift security efforts and resources to advanced strategies such as implementing predictive analysis and advanced behavioral analytics, and building tightly integrated, zero-trust architectures.

Likewise, those vendors with minimal security practices in place will have to establish product security incident response teams (PSIRTs) in order to interface with threat researchers who discover and/or report new zero-day threats, and to issue security alerts and updates to their downstream vendors and customers. And many of them will also need to finally implement secure coding practices, something that the IoT industry, in particular, has needed to do for some time.

AI in the Hands of Criminals

To set the stage, a bit of explanation is needed. This all starts with "fuzzing," a technique used mostly by professional threat researchers, vendor security teams and skilled hackers to discover vulnerabilities in hardware and software interfaces and applications. Fuzzing involves building a harness that feeds a particular target invalid, unexpected, or semi-random data through its interface or input format, and then monitoring the target for crashes, failing code assertions, memory-safety errors and leaks. Generating the inputs is the easy part; the effort goes into writing the harness, distinguishing a genuine fault from a clean rejection of bad input, and triaging the crashes that come out.
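The loop described above, as an added illustration that is not part of the original article and not a Fortinet tool: a minimal mutation-based fuzzer run against a deliberately buggy, hand-written TLV (tag, length, value) parser. The parser, its hardened counterpart, the seed corpus and the crash oracle are all constructed for this example. The oracle is the point to notice: a clean rejection of malformed input (`MalformedInput`) is not a finding, while any other exception is treated as a crash and kept for triage, which is the same distinction a native fuzzer draws between a returned error and a sanitizer report.

```python
"""Minimal mutation fuzzer with a crash oracle and a crash reducer.

Constructed example: parse_tlv has a deliberate unchecked-length bug
(the Python analogue of an out-of-bounds read); parse_tlv_fixed is the
hardened version. Neither is production code.
"""
import random
from typing import Callable, Dict, List, Tuple


class MalformedInput(ValueError):
    """Raised by a parser that rejects bad input cleanly. Not a crash."""


def parse_tlv(buf: bytes) -> List[Tuple[int, bytes, int]]:
    """Parse records of 1-byte tag, 1-byte length, value (buggy version)."""
    records = []
    i = 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        # Constructed bug: the trailing byte is read via the *declared* length,
        # so an overlong length indexes past the end of the buffer (IndexError).
        trailer = buf[i + 2 + length - 1] if length else 0
        records.append((tag, value, trailer))
        i += 2 + length
    return records


def parse_tlv_fixed(buf: bytes) -> List[Tuple[int, bytes, int]]:
    """Same format, but every length is validated before it is used."""
    records = []
    i = 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        if i + 2 + length > len(buf):
            raise MalformedInput("record length exceeds remaining input")
        value = buf[i + 2:i + 2 + length]
        trailer = value[-1] if length else 0
        records.append((tag, value, trailer))
        i += 2 + length
    if i != len(buf):
        raise MalformedInput("dangling byte after last record")
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, boundary byte, delete, or insert."""
    b = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and b:
        pos = rng.randrange(len(b))
        b[pos] ^= 1 << rng.randrange(8)
    elif op == 1 and b:
        b[rng.randrange(len(b))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2 and b:
        del b[rng.randrange(len(b))]
    else:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    return bytes(b)


def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int = 2000, seed: int = 1) -> Dict[Tuple[str, str], bytes]:
    """Mutate seeds, run the target, keep the first input for each distinct crash."""
    rng = random.Random(seed)
    crashes: Dict[Tuple[str, str], bytes] = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except MalformedInput:
            continue                      # clean rejection: expected behaviour
        except Exception as exc:          # anything else is a fault worth triage
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes


def shrink(target: Callable[[bytes], object], case: bytes) -> bytes:
    """Greedy reducer: drop single bytes while the input still crashes the target."""
    def crashes(data: bytes) -> bool:
        try:
            target(data)
        except MalformedInput:
            return False
        except Exception:
            return True
        return False

    i = 0
    while i < len(case):
        candidate = case[:i] + case[i + 1:]
        if crashes(candidate):
            case = candidate          # byte was not needed for the crash
        else:
            i += 1
    return case


# Constructed seed corpus: two well-formed records.
SEEDS = [b"\x01\x03abc\x02\x01x"]

if __name__ == "__main__":
    found = fuzz(parse_tlv, SEEDS)
    for (name, msg), case in found.items():
        print(f"{name}: {msg}  input={case!r}  reduced={shrink(parse_tlv, case)!r}")
    print("hardened parser crashes:", fuzz(parse_tlv_fixed, SEEDS))
```

Running the block prints the crashing input the buggy parser produces and its reduced form (typically a two-byte record whose length field overruns the buffer), and an empty dictionary for the hardened parser. Coverage-guided fuzzers such as AFL++ and libFuzzer replace the random seed choice with feedback from instrumented code, but the mutate, run, classify loop is the same.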

Because this process is so complex and time-consuming, using fuzzing to discover zero-day vulnerabilities has traditionally been beyond the scope of most cybercriminals. However, I have predicted that cybercriminals will begin to leverage ML to develop automated fuzzing programs that accelerate the process of discovering zero-day vulnerabilities. As a result, fuzzing will not only become simpler and more efficient, but increasingly available to a growing number of cybercriminals, which will lead to an increase in zero-day attacks across different programs and platforms. I am calling this approach Artificial Intelligence Fuzzing (AIF).

In this scenario, AIF malware could be pointed at a target, discover its functionalities, and automatically begin to mine for zero-day exploits – with little to no supervision required. As this technique inevitably expands into a zero-day Mining-as-a-Service strategy, organizations will need to completely change how they approach security. As the volume of zero-day exploits grows, they will be forced to spend significant resources to harden their existing security infrastructure, deploy a zero-trust security model, or implement a much smarter and highly automated security framework.

One thing we can be very sure of is that there will be no way to properly defend networks against this new attack strategy using the sorts of isolated, legacy security tools most organizations have deployed in their networks today.

But Wait – There’s More

Another prediction looming over the as-a-service cybercrime environment is the advent of the pre-programmed botnet swarm. Bad actors will allow non-technical clients to select clusters of specialized bots that use self-learning protocols to perform specialized functions, enabling them to work as a group to solve problems and refine attack protocols. These clusters could then be bundled with others, such as analysis tools, polymorphic exploits, or detection evasion, to form a larger, autonomous swarm in which all of the individual clusters work together as an integrated attack system.

Using a sort of a la carte list of options, customers could say, "I want to target these sorts of organizations, using these sets of attacks, and I want this sort of result," and then build an integrated swarm that can do those things for a fee. Examples of such customized swarm components include those that use machine learning to break into a device or network and those that perform AI Fuzzing to find and exploit zero-day vulnerabilities. These can be combined with components that help spread malware across a network, evade detection, find and exfiltrate specific sets of data, or execute destructive attacks.

An Automated Response

The implications of such powerful and sophisticated attacks may feel overwhelming, but organizations are not helpless. Automation is available to both sides, and organizations can use automation and AI to anticipate and mitigate these advanced threats. As the number of evasive techniques multiplies and the time windows for prevention, detection, and remediation continue to shrink, an automated response is essential. Organizations require a security platform in which traditionally discrete security elements can communicate with each other in real time. AI-powered communications and collaboration will enable the discovery of even the most advanced threats, dynamically deliver a proactive response to suspicious behavior, and even begin to anticipate attacks.

However, today's security environments, too often comprised of isolated security devices and poor security hygiene, will not be able to keep up. Such environments instead expose organizations to greater risk, because they do not provide adequate visibility or controls. Instead, today's organizations require an integrated security solution that not only spans the entire distributed network environment, but also provides deep integration between each security element to automatically collect, correlate, and respond to threats in a coordinated fashion.

This is a vital first step toward addressing today’s evolving threat environment and lays the fundamental foundation to protect against the threats of tomorrow. It enables actionable threat intelligence to be shared at speed and scale, shrinks the necessary windows of detection, is able to trace and intervene against attack workflows that move between network ecosystems, and provides the automated remediation required for today’s multi-vector exploits.

About the author: Derek Manky brings more than 15 years of cybersecurity experience to his work helping customers formulate security strategy.
