How the human immune system inspired a new approach to email security

AI excels at interpreting high volume, high velocity, complex data – which is just the ticket here


Sponsored

Computer scientists have long been interested in the human body's immune system. It fights off an incredible range of attacks, from the common cold to flu, measles, and worse. As companies face a rising tide of cyber attacks, a new approach to email defence developed by cybersecurity company Darktrace takes our own ability to fight off external threats and replicates this ‘immune system’ approach in the digital world.

Just as human beings have a protective skin to ward off germs, organizations today use a series of perimeter solutions to stop threats at the border. Anti-virus, next-generation firewalls and endpoint solutions are all examples of this. Inevitably though, every now and again a threat gets through.

In the human body, this is when the immune system kicks in: a complex ecosystem of cells has evolved over time and learned what belongs in the body and what doesn't, and these cells spring into action to counter any unusual activity indicative of a threat. In the digital world, supervised and unsupervised machine learning work in tandem to identify deviations from the normal ‘pattern of life’ of the digital ecosystem and, like antibodies, trigger a response to contain the assault. This immune system approach to cyber defence has been adopted by over 4,000 organisations around the world that found their protective skin wasn’t sufficiently keeping them safe from attack. Now this layered AI approach is being used to identify malicious emails and protect corporate inboxes from harm.

Email security: The legacy approach

Legacy email scanners depend on rules and pre-prepared signatures to catch suspicious emails. Cyber criminals know this and adapt quickly, using a variety of techniques including short-lived email campaigns, bulk registration to keep domains fresh, and 'snow shoe' spamming to stop themselves showing up on anti-phishing radars.

Traditional email security vendors try to adapt with newer technologies like sandboxes, which run suspicious attachments in a controlled environment to see what they do. These new technologies struggle in a game of constant one-upmanship. True to form, online crooks developed ways for malicious attachments to detect when they're sandboxed and change their behaviour accordingly.

The struggle to spot malicious emails is compounded by another problem: old-school email scanning tools tend to get only one shot at catching phishing email and spam. They try to catch an increasing flow of toxins at the perimeter. If just one malicious email gets through that single line of defence, the game is done. The company stands a good chance of getting sick. The problem is that the move to cloud and remote working has been dissolving the perimeter for a long time.

A new, multi-layered approach

Artificial intelligence changed the game by reframing how defence tools see incoming threats like emails. It's a probabilistic technology that doesn't work in absolutes. Rather than using a single, rigid set of rules that works on a restricted set of inputs, it considers things using a complex statistical model. That's especially useful for complex data sets with lots of nuance, which is exactly what flows through the average corporate mailbox.

While some tools use just one form of AI, there are actually several. Defenders like Darktrace can combine them to identify not just when an email is malicious, but why it is malicious, so that the appropriate response can be taken.

The most common model in use today is supervised machine learning. In this model, someone has to teach the software what to look for. If you want a computer to recognise a hot dog, then you have to show it lots of hot dog pictures, and lots of pictures of other things that aren't hot dogs.

Supervised learning often supports computer vision applications, but it is also useful in cybersecurity-related areas like scanning for malicious attachments. By training on lots of malicious and legitimate samples, it can learn what each traditionally looks like.

Mimicking the brain

Supervised learning typically uses a neural network, which uses computers to mimic a brain's neurons. Each digital neuron takes an input and then either amplifies it, or not, before passing it onto the next. As the input passes through multiple layers of neurons, the neural net ignores some elements of the original input and focuses on others, enabling it to recognise things.

In early neural nets, there were just a handful of layers of these neurons. The cloud's scalability, along with the advent of GPUs for AI training, has created deep learning networks with many more layers. These can handle even more complex, nuanced data sets. In computer vision, they can tell you that a picture contains a Caucasian hand holding a hot dog with relish and mustard. In cybersecurity, they can score DNS data to determine anomalies.

Supervised machine learning has its place, but it also has its challenges. Someone has to label all those hot dog and not-dog pictures, or suspicious and legitimate emails. That needs a lot of human effort, or an existing data set that could quickly fall out of date. There's also a danger of human error and bias (people may disagree on what constitutes spam and label things differently).

Another problem is overfitting. You can train a supervised learning model to be too choosy when it identifies things, requiring something to be just right for a match. It could wave through a basic hot dog but misidentify a chilli dog or a Montreal dog smothered in onions. When your hot dogs are phishing emails, that's a problem.

Finally, supervised learning only knows what you show it. Present it with a new kind of hot dog or malicious email that it hasn't seen before and it will probably misidentify it.
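To make the supervised model of the last few paragraphs concrete, here is an added example (constructed for this article, not Darktrace's or any vendor's model): a multinomial naive Bayes classifier trained on a handful of made-up labelled subject lines, then asked to score three new ones. The training data, the tokeniser and the function names are all assumptions made for the example. The third subject contains only words the training set never held, so the classifier can do no better than its class prior; reporting that vocabulary coverage alongside the score is how a pipeline knows when to hand the decision to another layer.

```python
"""Supervised spam/phish classifier on labelled subject lines.

Constructed example for illustration; it is not Darktrace's model and the
training data, tokeniser and function names are all assumptions.
"""
import math
import re
from collections import Counter

# Constructed labelled training set: (subject line, label). A real corpus
# would hold many thousands of samples and far richer features than subjects.
TRAIN = [
    ("urgent invoice payment overdue wire transfer", "malicious"),
    ("your account password expires verify now", "malicious"),
    ("invoice attached please review payment", "malicious"),
    ("verify your mailbox quota exceeded", "malicious"),
    ("team lunch thursday", "legitimate"),
    ("quarterly roadmap review notes", "legitimate"),
    ("meeting notes from thursday sync", "legitimate"),
    ("lunch order for the roadmap workshop", "legitimate"),
]


def tokenize(text):
    """Lower-case word tokens; punctuation and other characters are dropped."""
    return re.findall(r"[a-z0-9]+", text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with add-alpha (Laplace) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_docs = Counter()   # label -> number of training documents
        self.word_counts = {}         # label -> Counter of token frequencies
        self.vocab = set()

    def fit(self, samples):
        for text, label in samples:
            self.class_docs[label] += 1
            counts = self.word_counts.setdefault(label, Counter())
            for tok in tokenize(text):
                counts[tok] += 1
                self.vocab.add(tok)
        return self

    def _log_prob(self, tokens, label):
        log_p = math.log(self.class_docs[label] / sum(self.class_docs.values()))
        counts = self.word_counts[label]
        denom = sum(counts.values()) + self.alpha * len(self.vocab)
        for tok in tokens:
            # Tokens never seen in training carry no evidence for either class.
            if tok in self.vocab:
                log_p += math.log((counts[tok] + self.alpha) / denom)
        return log_p

    def predict_proba(self, text):
        """Posterior probability per label, normalised in log space."""
        tokens = tokenize(text)
        log_ps = {label: self._log_prob(tokens, label) for label in self.class_docs}
        top = max(log_ps.values())
        norm = sum(math.exp(v - top) for v in log_ps.values())
        return {label: math.exp(v - top) / norm for label, v in log_ps.items()}

    def known_fraction(self, text):
        """Share of the message's tokens the model has ever seen; 0.0 means the
        posterior is nothing more than the class prior."""
        tokens = tokenize(text)
        if not tokens:
            return 0.0
        return sum(tok in self.vocab for tok in tokens) / len(tokens)


def train_model():
    return NaiveBayes().fit(TRAIN)


def classify(model, text):
    """Posterior per label plus the vocabulary coverage a later layer can use."""
    result = model.predict_proba(text)
    result["known_fraction"] = model.known_fraction(text)
    return result


if __name__ == "__main__":
    model = train_model()
    for subject in ("verify your invoice payment",
                    "lunch thursday meeting notes",
                    "shared file awaiting signature"):   # vocabulary the model never saw
        print(subject, "->", classify(model, subject))
```

The first two subjects score above 0.9 for their true class; the third comes back at exactly 0.5 with a `known_fraction` of 0.0, which is the signal that this layer has nothing to say about it.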

Unsupervised learning

Unsupervised learning provides an extra layer of protection by taking a different approach to hunting down digital pathogens. Instead of looking at prior examples of things to detect, it teaches itself without human input. This is based on Bayesian mathematics, which adjusts the probability that something is a threat based on continual observation. It learns from new evidence.

When applied to cybersecurity, this approach to AI spots correlations in new data, clustering it into patterns that give it a sense of normal digital behaviour and email trends. This brings several key benefits. First, it removes the error and bias that might find their way into some supervised learning data sets. Second, it can mould itself to each company's unique environment and behaviours.

Because it doesn't rely on empirical data, unsupervised learning can also identify email campaigns that have not been seen before. In a world where the average lifecycle of an attack is reduced to hours, not days, this ability to detect and protect against novel attack infrastructure is crucial.

Darktrace uses both supervised and unsupervised learning techniques in a multilayered approach to spot digital toxins. It uses malicious emails gathered via its global cybersecurity network for supervised learning, helping train deep learning models against known malicious assets.

It combines this with over 60 unsupervised learning algorithms that compete with each other to find anomalous behaviour based on evidence ranging from device activity to senders, recipients, IP addresses, domains, and the timing of events. This enables it to detect email patterns that belong in context, and those that don't.

This self-learning approach means the system takes around an hour to install, either on-premises as a hardware appliance or virtually, in Microsoft 365 or G Suite. Unlike traditional email security gateways, the tool doesn't sit inline, interpreting emails before passing them through. Instead, it journals from the email provider, quickly examining emails and telling the email server to block them if necessary.

While traditional gateways only get one shot at spotting suspicious emails, this approach enables the AI-based tool to fold all incoming emails into its multi-layered AI model. A mail that seems innocuous now might only reveal itself as part of a campaign as more evidence comes to light. This is why it's important not just to examine emails in their current context, but to revisit them constantly as part of a broader historical corpus of email communication and events across the rest of the digital ecosystem.
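The unsupervised side described above (a per-recipient ‘pattern of life’, a belief about each sending domain that is updated Bayesian-style as evidence arrives, and the retrospective re-scoring of earlier mail) can be shown with a small added example. It is constructed for this article and is not Darktrace's model; the journaled metadata, the choice of sender domain and time-of-day bucket as features, the Beta-distribution update and every function name are assumptions made for the example. A never-seen domain mails one person at 03:00 and looks only moderately suspicious on its own; once it fans out to three more recipients the posterior for that domain rises, and the first mail is re-scored higher without anything in it having changed.

```python
"""Pattern-of-life scoring of journaled email metadata with Bayesian updating.

Constructed example for illustration; it is not Darktrace's model. The
message feed, the feature choice (sender domain and time bucket) and every
function name are assumptions made for the example.
"""
from collections import defaultdict

# Constructed journaled-email metadata: (message id, sender domain, recipient, hour UTC).
# The baseline is learned from these; they are treated as trusted normal traffic.
HISTORY = [
    ("m01", "partner.example", "alice", 9),
    ("m02", "partner.example", "alice", 10),
    ("m03", "partner.example", "alice", 14),
    ("m04", "corp.example", "alice", 11),
    ("m05", "corp.example", "bob", 9),
    ("m06", "partner.example", "bob", 15),
    ("m07", "corp.example", "carol", 10),
    ("m08", "corp.example", "dave", 16),
]

# Mails journaled after the baseline, in arrival order. A never-seen domain
# mails one person at 03:00, then fans out to three more recipients.
ARRIVALS = [
    ("m09", "fresh-domain.example", "alice", 3),
    ("m10", "partner.example", "alice", 10),
    ("m11", "fresh-domain.example", "bob", 3),
    ("m12", "fresh-domain.example", "carol", 3),
    ("m13", "fresh-domain.example", "dave", 3),
]


def hour_bucket(hour):
    return "business" if 8 <= hour < 18 else "off-hours"


class PatternOfLife:
    def __init__(self, pseudo=1.0):
        self.pseudo = pseudo                                   # smoothing mass for unseen values
        self.senders = defaultdict(lambda: defaultdict(int))   # recipient -> domain -> count
        self.hours = defaultdict(lambda: defaultdict(int))     # recipient -> bucket -> count
        self.totals = defaultdict(int)                         # recipient -> mails seen
        self.domain_beta = defaultdict(lambda: [1.0, 1.0])     # domain -> Beta(a, b); a counts novel hits
        self.scored = {}                                       # message id -> (msg, novelty)

    def learn_baseline(self, messages):
        for _, domain, rcpt, hour in messages:
            self.senders[rcpt][domain] += 1
            self.hours[rcpt][hour_bucket(hour)] += 1
            self.totals[rcpt] += 1
            self.domain_beta[domain][1] += 1   # trusted history counts as "not novel"

    def novelty(self, msg):
        """How far a mail sits from its recipient's own pattern, in [0, 1]."""
        _, domain, rcpt, hour = msg
        denom = self.totals[rcpt] + self.pseudo
        sender_nov = 1 - self.senders[rcpt][domain] / denom
        hour_nov = 1 - self.hours[rcpt][hour_bucket(hour)] / denom
        first_contact = self.senders[rcpt][domain] == 0
        return round((sender_nov + hour_nov) / 2, 4), first_contact

    def domain_belief(self, domain):
        """Posterior mean of Beta(a, b): current belief that mail from this
        domain is novel to whoever it reaches."""
        a, b = self.domain_beta[domain]
        return a / (a + b)

    def observe(self, msg):
        """Score a mail on arrival, then update the domain posterior with it."""
        nov, first_contact = self.novelty(msg)
        score = round(0.5 * nov + 0.5 * self.domain_belief(msg[1]), 4)
        self.domain_beta[msg[1]][0 if first_contact else 1] += 1
        self.scored[msg[0]] = (msg, nov)
        return score

    def rescore(self):
        """Revisit every earlier mail with the evidence gathered since."""
        return {mid: round(0.5 * nov + 0.5 * self.domain_belief(msg[1]), 4)
                for mid, (msg, nov) in self.scored.items()}


def run_demo():
    model = PatternOfLife()
    model.learn_baseline(HISTORY)
    on_arrival = {msg[0]: model.observe(msg) for msg in ARRIVALS}
    return on_arrival, model.rescore()


if __name__ == "__main__":
    arrival, revisited = run_demo()
    for mid in arrival:
        print(mid, "arrival:", arrival[mid], "revisited:", revisited[mid])
```

On arrival m09 scores 0.75 and the in-pattern m10 scores 0.2333; after the fan-out, the revisit raises m09 to 0.9167 while m10 drops slightly to 0.2214, because each further normal mail from partner.example is more evidence that the domain is benign. Nothing is blocked in this toy: in the journaling model the article describes, the score would be what the tool hands back to the mail server when it asks it to act.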

AI excels at interpreting high volume, high velocity, complex data. Each AI model has its pros and cons, but by combining more than one, companies can take a multi-layered approach that will give them more protection. This maps closely to the defence-in-depth models proposed by modern cybersecurity experts. In an environment where the volume, velocity, and complexity of malicious email continues to increase, we may have developed it just in time.

Sponsored by Darktrace
