Tales From the Botnet #1: How AI Could Have Prevented the World’s Worst Cyber Attack

Courtesy of Sébastien Thibault

This article is the first in a series which explores the intersection between Artificial Intelligence and Cybersecurity. It starts off with a recount of the events that led to the world’s most deadly cybersecurity attack, NotPetya. Then, it dives into the different types of cybersecurity attacks, as well as the merits and weaknesses of combating security attacks with Artificial Intelligence.

This article serves as an introduction to the AI/Security field, and subsequent articles will dive deeper into the technical aspects and societal impacts of different AI Security applications, research projects, and companies. Buckle up your seatbelts and make sure to secure your passwords. You never know who (or what) could be watching…

June 27, 2017. A summer day like any other. The birds were chirping and the sun gave off a radiant glow. The employees of Maersk, a shipping conglomerate nestled in the heart of Copenhagen, who were starting to feel the jolt from their first few sips of morning coffee, slowly trickled into the office.

A seemingly normal day that would soon be cemented in history as the day the world plunged into complete and utter chaos. This was the day that NotPetya, malware believed to be written by the Russian military, propagated through thousands of computers worldwide, causing around $10 billion in damages. It became a lesson to the world about the significance of reinforced cyber-security and the importance of learning from history so that it doesn’t repeat itself.

A Maesrk employee recounts how fast this malware was able to infect and infiltrate the seemingly impenetrable network:

“All across Maersk headquarters, the full scale of the crisis was starting to become clear. Within half an hour, Maersk employees were running down hallways, yelling to their colleagues to turn off computers or disconnect them from Maersk’s network before the malicious software could infect them, as it dawned on them that every minute could mean dozens or hundreds more corrupted PCs. Tech workers ran into conference rooms and unplugged machines in the middle of meetings. Soon staffers were hurdling over locked key-card gates, which had been paralyzed”

The NotPetya Home Screen | Courtesy of Check Point

But what if there was a way to have been able to stop NotPetya’s reign of terror from ever happening?

Firstly, let’s get some relevant concepts out of the way. You’ve heard me mention terms such as “cybersecurity” and “malware”, but what do they mean, exactly?

As per Cisco, “Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.”

Cybersecurity’s reach extends to virtually all domains. The healthcare industry loses approximately $5.6 billion every year due to data breaches, and consequently, relies on cybersecurity efforts to ensure that patients’ data is kept shielded and inaccessible to those with malicious intent. Cybersecurity also plays a vital role in ensuring the booming Internet of Things (IoT) industry stays online and that users can trust their devices. They expect gadgets which monitor and record virtually all aspects of their personal lives to keep their data secure and private.

This ever-evolving field is comprised of scientists, engineers, hackers, consultants, analysts and more who specialize in learning about the anatomy of various cyberattacks, how to stop them, and the impacts that they can have on small businesses and multinational corporations alike.

These attacks vary from premeditated operations that can compromise an entire network, to spontaneous ploys where a thief can obtain access to your bank account on-the-fly without knowing your password. Malware is a general term used to describe malicious software that is designed to exploit or cause damage to any programmable device (e.g., a laptop, autonomous vehicle, or smart thermostat), service or network.

The different types of cyber attacks | Courtesy of Ecosystm360

While teams of dozens, sometimes even hundreds, of cyber security professionals are hired to live and breathe network monitoring and testing to ensure that nothing (or no one) slips past their line of defense, we’re only human, after all. The NotPetya attack didn’t happen because someone was twiddling their thumbs while a piece of malware wreaked havoc across the globe. The malware was just too fast and rampant for anyone to detect and stop it quickly enough. Technology, including the tools in hackers and cybercriminals’ malevolent toolboxes, is advancing at such a rapid pace that relying purely on human capacity to stop cybercrime just doesn’t cut it anymore.

This is where AI comes in.

What if we could harness the superpower-like abilities of AI to predict and classify cyberattacks to ensure that they never happened again? What if companies could leverage software that not only identifies attacks when they appear unannounced, but based on similar breaches, walks users through the steps needed to fend off the attack? A new field, dubbed ‘AI Security’, is devoted to researching and developing tools that do just that.

AwakeSecurity details how AI can be leveraged to combat even the most petrifying (or NotPetyafying) of cyberattacks:

“AI security tools are often used to identify “good” versus “bad” by comparing the behaviors of entities across an environment to those in a similar environment. This process enables the system to automatically learn about and flag changes. Often called unsupervised learning or ‘pattern of life’ learning, this method results in large numbers of false positives and negatives. More advanced applications of AI security can go beyond simply identifying good or bad behavior by analyzing vast amounts of information and helping to piece together related activity that could indicate suspicious behavior”

There are so many different ways that AI can be transformed into the ultimate watchdog for security systems. AI’s security could be used for endpoint security, to generate logs for users that warn them about potential security threats, and even protect users’ IoT data. Existing cybersecurity systems that provide information about network traffic, along with those that secure the perimeter of buildings could all benefit from AI’s treatment as well. The possibilities are truly endless. AI has the power to irrevocably change the cybersecurity field and ensure that virtually any system is safe from cybercrime. With continued focus and development in the space, AI could ensure that attacks like NotPetya never happen again.

AI’s potential use in various security protocols | Courtesy of Cognizant

But just like many other leading technologies out there, AI isn’t a silver bullet, and it surely isn’t without fault. While the fact that “AI security behaves in a manner that’s similar to the best and most capable human analyst” is indeed groundbreaking, what would happen to the capable human analyst who has now been outperformed by this cunning piece of artificial intelligence? What would happen to the projected 3.5 million unfilled cybersecurity jobs in 2021? If AI can be used for good, can it be used for bad also? What would happen if cybercriminals got ahold of the AI Security tech that was being used to suppress them? Is allowing AI to infiltrate the cybersecurity domain another catalyst for the Singularity?

We are right to be worried about a lot of different factors in this situation. At the same time, we are right to be confused and uncertain about them as well. AI is a relatively new field, and there is still so much that we, as a human race, have yet to discover about this highly potent technology. AI cannot be tamed, and like many untamable beasts, we must be careful as to how we approach them, or we might end up in, well, the belly of that beast in question.

While there has been speculation about using double-edged technology such as AI to combat cyber attacks, no one puts it better than Max Heinemeyer, Director of Threat Hunting at Cambridge-based AI Security company Darktrace: “You cannot anticipate tomorrow’s attack incrementally by looking at yesterday’s threat landscape”.

Tales From the Botnet to be continued…

Systems Design Engineering @ UWaterloo. Exploring the intersection between AI/ML + Security + Tech + Humanity 💻🌎

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store