Using AI to think like an attacker

Sponsored feature Most security analysts these days spend their time watching for suspicious activity in their networks. It's difficult to have eyes on everything, but what if we could know in advance which paths attackers are most likely to take?

That's the idea behind attack path modeling, a technology that cybersecurity company Darktrace is adding to its portfolio. It involves looking at a target's infrastructure from the outside in to determine and harden its weak points - and it uses machine learning to do it at scale.

Darktrace's approach to cybersecurity resembles a 'loop' with four parts: prevention, detection, response, and healing. Its Enterprise Immune System (EIS) handles the detection part by using machine learning to create an understanding of digital activity. It can then examine new behavior to watch for anything that falls outside what it deems normal.

The response part draws on the company's Antigena product family. This takes a proportional response to any threats that the EIS identifies, from holding back an email through to quarantining a whole server.

Looking at security from the outside in

However, the company was still missing something to handle external data. This would enable it not only to deal with emerging malicious behavior inside the network, but to anticipate intrusions and put its AI in the mind of the attacker.

Rather than build this technology, Darktrace sped up the process by acquiring it. On March 1, 2022, it closed the purchase of attack surface management (ASM) company Cybersprint. The product fleshes out Darktrace's AI-powered practices, which focus on customers' internal security by offering a view of a company's exposure from the external internet, explains Max Heinemeyer, VP of Cyber Innovation at Darktrace.

"This all comes back to seeing holistically how a company could be attacked," he explains. The vulnerable point could be a user's identity, which is exposed to compromise via phishing emails. "Or there could be a technical vulnerability on an asset that's Internet facing," he adds.

Heinemeyer has seen solutions that spot potential attack paths across a single domain. "But nothing's looking truly cross-domain at vulnerabilities across network, human, and Internet-facing attack paths," he warns.

This is the task that normally falls to penetration testers. These human experts rattle a company's doors to find weaknesses. It's a heavily manual process, which makes it expensive. It's also sporadic. You might call in ethical hackers every so often to test your security, but infrastructures - and the human teams that use them - evolve more quickly than that.

Darktrace wanted to reduce this human element by automating the process. That would enable it to scale up the operation, constantly evaluating attack paths.

Automating this would also give customers a more scientific way to identify and prioritize the critical attack paths that were riskiest for their business. It wanted a data-driven tool that found the fastest, easiest way for hackers to reach a customer's crown jewels in order to put mitigating measures in place before the attack happens.

Darktrace wanted to integrate the new product into its broader technology vision – to provide a continuous AI feedback loop that constantly improves security. This would help its customers to overcome their evolving security problems. There are few tools that can provide a seamless view of threats from the outside all the way through to an organization's critical assets on the inside, Heinemeyer says.

"Now we see the attack surface using a zero-touch SaaS-based approach," he says. "We know if an employee is going to be hit, what impact it's going to have, and what access to systems that employee has. We know how somebody could get to the crown jewels through that employee, along with what identity and network-level connections are shared. And we know if anything is vulnerable or accessible from the internet."

How attack surface management works

Attack Surface Management (ASM) provides continuous insights from an outside-in perspective, eliminating blind spots.

The data isn't the kind of threat intelligence information that many vulnerability management tools use. These lend themselves to rules-based decisions based on indicators of compromise, such as malicious IPs, malware hashes, and domain names.

Instead, Cybersprint's technology begins with a starting point such as a customer email address, domain name, or server IP. From there, it scans an extensive base of information about Internet infrastructure that it has collected online, including DNS and other data. Heinemeyer describes it as a copy of the Internet, but focusing on internet asset metadata rather than content.

This involves more than just a very big set of DNS queries. The technology uses AI-powered techniques such as computer vision to detect company logos on web pages, which can give it more information about relationships between brands and assets. It's also smart enough to mine the internet for assets that are similar to the brand's name so that it can pick up lookalikes.

Cybersprint also looks at what technology companies are using by thoroughly analyzing data visible from the outside. That helps it to build up a more detailed picture of what might be vulnerable and how.

Attack Path Modeling using Graph Theory

Once the tool has collected this data it structures it into a graph model, built by Darktrace. This uses data points known as nodes, which are connected to each other via edges. This is a common format for representing lots of complex transitive relationships. Adtech companies use it for understanding who's viewing what. Social networks use it to map relationships between users.

Darktrace uses graph theory to find potential attack paths and quantify their risk. It does that using a classic risk matrix, which views each attack path in two dimensions: probability and impact.

The graph evaluates the probability of an attacker exploiting a pathway by examining factors inherent in its edges. These include susceptibility to social engineering, the current patch status against known vulnerabilities, and the likelihood that an attacker will develop a zero-day attack for a system.

Attack path modeling also uses the nodes themselves to measure the impact risk. It examines data points such as who controls an asset, taking their role into account, along with how many others have access to it.

The service uses these data points to infer things such as an asset's sensitivity, along with its importance to company processes. If lots of clients are accessing data from a server, then anything impacting that server could disrupt workflows for lots of employees.

Finding vulnerable assets

The technology will be able to spot serious vulnerabilities for clients, says Heinemeyer - the kind of things that, left unchecked, could wind up in unwanted headlines. These include leaky AWS S3 buckets and databases exposed to the public internet that serve up sensitive usage data.

"It could also be a server that's been left with a standard password in the cloud with a lot of customer information on it," he says.

The system can also find otherwise legitimate online services that a company hasn't authorized for use. The spread of shadow cloud services is rife as employees take it on themselves to find online services that get the job done. With the number of apps not owned or managed by IT hitting 56 percent in the last year, that's a big problem.

Feeding back into the loop

For Darktrace to unlock the benefits of Cybersprint as well as its own new attack path modeling capabilities, they must be integrated into the rest of its existing product portfolio. While it hasn't officially announced any such integration yet, the company is already working on it and Heinemeyer describes it as an easy lift.

This integration will eventually allow Darktrace's Antigena product to apply its autonomous response action to external events, he adds. He cites the Log4J Shell vulnerability in the Log4J Java logging tool that went public in December as an example.

"If we knew beforehand that a server was vulnerable to a common exploit, then we could increase the severity of Antigena's actions on it, because we know it's a vulnerable attack path," he explains. Tagging devices with prior knowledge like this will help to refine attack patch management.

Stitching Cybersprint and attack path modeling more closely into the loop will also help Darktrace to flesh out the 'healing' part of its circular 'loop' vision for cybersecurity response.

"Why not use the knowledge you already have from detecting and responding to a cyber attack to inform the healing process?" Heinemeyer asks. "Once you remediated an attack, you know more about your technology pathways and your posture and can feed back into the prevention phase."

The new service complements Darktrace's existing technology and helps it to close the loop on cybersecurity, giving it offerings that span the entire incident response process with a machine learning approach. Heinemeyer hopes that it will further augment human teams, handling many security threats autonomously while leaving analysts to focus on more complex issues that require manual attention. With the number of attacks rising fast, it might be just the AI-powered technology you need.

Sponsored by Darktrace.