Defending Against AI-Driven Cyber Threats
AI-powered threats like phishing and deep fakes are on the rise and pose a fundamental threat to the efficacy of many existing security controls. It is vital for security leaders to understand this emerging threat and take a proactive approach to safeguarding their critical assets.
Watch Reveal Security Field CTO Adam Koblentz and veteran threat hunter Ryan Link as they offer unique insights into the latest trends and techniques employed by threat actors leveraging AI.
Discover the pivotal role of threat detection in this evolving threat landscape – specifically the importance of ML-based behavioral analytics employed in SaaS and cloud to protect sensitive data effectively in these dynamic environments.
Transcript
00:07
hi everyone thank you for joining us for defending against AI driven threats um I am Katie Sanchez I am the marketing Communications manager at reveal security who’s hosting this webinar today um and just a couple of housekeeping things before we get started um we’ll have a Q&A at the end
00:30
and we’re going to do about the last 10 minutes so if you have questions put them in the chat um we might bring them up beforehand but um for now just put them in the chat um and then also as you probably heard we’re recording this so we’ll send you a copy um after the uh
00:50
recording’s finished probably tomorrow um so the reason why we’re here is uh we’re talking about a very H Hot Topic right now um AI um and right now we have two experts in the cyber security field who are going to share their unique insights on this topic and and how we as
01:09
Defenders can what we can do to to stop these threats um so our two speakers today first is my colleague um Adam kin who is the field CPO here at reveal um he’s an expert in cyber security Partnerships engineering and strategy um and our second spirit speaker uh a friend of reveal Ryan link he’s a
01:33
veteran threat Hunter he’s been a security practitioner for over a decade um and is currently the principal of threat detection and response at CDW um so for with that I will let you guys take it from here thanks Katie great to be here joining us appreciate it so as Katie
01:53
said the goal today is to kind of talk about how we as practitioners need to kind of change our defensive strategies given what we’re thinking about what’s going on with AI in the world and how attackers are leveraging it the same way that Defenders are yep so a little bit of
02:10
housekeeping as Katie said Ryan and I are are your your host and panelists today um and our agenda is we want kind to talk about um some of the trends we’re seeing over the last six to 12 months uh and how the rise of AI is changing how thread actors are working and then especially
02:30
you know as we’ve moved more and more into the SAS and Cloud environments from being on Prem we’re all remote now kind of thing how the challenges for those special environments are exacerbated by these new trends and then we’ll kind of talk about some of the different
02:45
defensive strategies that we can talk about from a detection standpoint and also how we can Implement those today in a more meaningful fashion to hopefully get us a leg up over uh the bad guys so Trends and tactics Ryan found this awesome report that kind of talks
03:03
about how AI has risen so much in terms of like fishing attacks and how it’s being used by the bad guys I mean Ryan I remember when chat gbt was like first public play available and people were saying things like hey write me malware that’s packed this way that does these
03:19
things in Windows and it would just do it like what was your experience like trying to defend against that kind of thing you know even unsis attackers having access to that kind of you know ability yeah and you know that’s the thing is this this new trend allows folks who aren’t
03:38
necessarily normally technical capable technically capable of Performing those um activities you know they’re not programmers they’re not building their own malware um so they’re able to you know utilize this uh technology to to uh produce these uh threats and then
04:04
utilize them uh in a way that you know um you you don’t have to be very sophisticated um so to defend against that is you know not only do you have to um defend against well uh deployed uh attackers uh and well-funded attackers now you have to deal with Joe Schmo you
04:30
know that’s in their mom’s basement or uh just somewhere um maybe not as wellb built as a organized uh crime syndicate or um you know a as a nation sponsored uh attack room yeah I mean I would I would say that even before this stuff became so prevalent and so available we
04:57
were already seeing a shift from less sophisticated attackers now doing like let’s say even five years ago the the less sophisticated attackers were the difference between what they were doing and what nation states or well-funded well sponsored attackers were doing was
05:16
enormous and the floor has risen in terms of what the I don’t want to call bad but like the the less traditionally challenging attackers have have already closed a lot of the gap before the AI boom hit for them and that’s I think in my in my view driving a lot of what we’re seeing in terms of
05:41
the adoption of these these new techniques from AI to help close that Gap further and not even not even on the technical side like as we’ve seen I think the Verizon DB report said something like 80 plus percent or maybe was a crowd strike report you know your your former employer but like you know
05:58
the crowd strike report I think it was like 80 plus% of all breaches involved valid stolen credentials or fished credentials or something like that so now if we can use Ai and deep fakes and whatever else it is so much easier to bypass that prevention control that we
06:16
trust with the the help desk or or the CSR or whomever and now they’re just being you know completely fooled by some generative AI that sounds just like Ryan link telling them hey I want you to reset my credentials and give me a new token yeah and not only that you know
06:38
imagine it’s not even your native language and now you can utilize uh you know Ai and the or various language uh models and produce audio that sounds and seems like it would fit directly in wherever that particular organization is located uh yeah absolutely I mean we we go back to
07:03
some of the biggest breaches of the last of last year that involved an IDP like OCTA or something being compromised via the help desk right I’m a and I think it was what teenagers or something that Were Somehow affiliated with like Alphacat or something that somehow you
07:20
know did that and it’s like how but but the you know the sea level everyone’s like but I I I have prevention I have this IDP I have MFA I have all these things it’s like yeah but if I can convince your it person to just reset it doesn’t matter yeah allegedly teenagers um but yeah as far as uh that
07:46
particular um group goes yeah and and that’s also where we saw a huge shift in targeting you know not only did we have um on Prem we also had out assets being attacked um and that has has launched us into a new era of landscape because it’s like okay you know now I I don’t only I can’t only
08:17
just defend against end points I have to defend again uh against all this different uh technology like um your uh user identities um your Cloud management plane um various you know SAS solutions that you’re using and stuff like that so you know yeah now the the the already
08:43
streamed security practitioners who were already looking at too many logs are now having to figure out what these new data sources are all about yeah look look Ryan I want you to know that when your company purchases a new sass solution they are promising to to secure all your
09:03
data in that and it’s definitely not a 2-way street except it is and there’s often this this implied um the the implied shared responsibility model that’s not formalized there’s no contract that you’re signing when your organization buys a new SAS product you know and for
09:21
example let’s say that you you Salesforce um you’re like one of the top 10 things that Salesforce recommends is to turn on audit login in their platform okay but they’re not doing anything about that that that’s new a a net new input for you and your team to have to now deal with without any
09:45
context on what that is so how would you even like think about that and the challenge that we have is you’re limited in a lot of ways by the access controls which we discussed or more easily bypassed than ever and often are not necessarily as robust as you luck in the
10:02
first place you know um and I think this is this is a good a good quote that we we found which is deep fakes and and AI are the second you know biggest thing behind malware and I think this all malware includes ransomware like let’s be clear ransomware is by far away the
10:21
the the most popular thing for bad guys to do because it makes them money the only people who aren’t all in IR ran somewh are nation states because they you know they have other plans yeah but that’s where you see your uh your financial um abuse so imagine if you were a state sponsored actor and you
10:45
want to inflict some sort of damage to another state well you can mess with the stock market um and imagine utilizing AI for that because now you don’t have to monitor all of these uh different aspects of the market you can use a automated program that you know just feeds you important
11:07
information and then you make the uh the various changes to those particular uh markets yeah and you know what if I’m in the pla or something and I want to mess with agriculture I can use AI to learn a lot about John Deere tractors that’s gonna mess with a lot of farmers that
11:25
people don’t realize you know yeah so I I think that there’s there’s it’s not like Ai and deep fakes Etc are not being used exclusively by lower end it just it’s raising the floor for the lower end it’s propelling the higher end into places that we didn’t think were
11:44
reasonable or possible before yeah and yeah that that’s also where we saw an increase in supply chain attacks you know before the state sponsored folks didn’t necessarily have to always utilize that but now that’s where their their focus is uh for the foreseeable future yeah absolutely
12:07
and and we we kind of already touched on the the challenges for assassin Cloud but I think you know one of the things you brought up that’s I think really important here is okay you’ve got a team they’re trying to focus on how to detect bad do they like I don’t think
12:25
everyone’s like Cy like Cipher in The Matrix able to read every log file natively right and and now suddenly we’re throwing in like there was some crazy stat I saw I think from bettercloud that like for every you know thousand or 2,000 employees you have you have at least 50 more SAS apps than you
12:43
realize and so like all the dark SAS all the ever like whatever right even if you have legitimate not dark SAS and this is just you as a real company you have a 500 applications you use for different point Solutions or whatever because we have transitioned from the old days of I’m
13:02
all on Oracle here’s my thing everyone my business is run on Oracle now it’s okay you have 365 you have some Google stuff you have maybe some you know few Salesforce you have work dat what whatever you end up with with the sprawl of SAS and Cloud estate that you’re still responsible for
13:23
and again you’re limited mostly to access control and prevention in a lot of ways I mean sales SP has some stuff built in they have some rules engine Microsoft has some stuff built in you know it’s got some some rules engine and some basic ml type stuff but I think it’s more volumetric than you you’d
13:43
prefer as as a Defender and I think for me personally I’m thinking about you know how do you lock down an on Prem Network a lot easier than trying to defend Cloud infrastructure for the service like we saw with the um XZ stuff last month or the month before like now
14:07
there’s supply chain youve well-funded we assume very well-funded well well sponsored actors running three plus year campaigns to get into the tooling itself that you’re using in your Cloud infrastructure that’s now accessible to the internet not just behind a firewall
14:23
yep I mean I don’t know how you would what you would do with that I mean to me it’s it’s kind of a huge problem I don’t think is being discussed enough you know because it it it seems to me we all just have decided over the last 10 years or so that okay all my stuff’s in the
14:42
Salesforce like okay cool and then what like do it seems to me maybe I’m crazy people are not or companies are not internalizing that threat because it’s not the salesforce’s problem not mine even though it’s their data you discussing that not only is there a huge sprawl in terms of what the business
16:34
needs to be successful and and to enable business but also on our side there’s so many other tools that we have to deal with that all handle these things differently or don’t even take them into account that it’s it’s really hard to really understand how how do you as as a a a a
16:56
blue teamer or a Defender protect your company’s data or IP Etc or your employees IP or the pii ETC if it’s stored in these environments that you have may be logging and very little control over what actually happens I mean I think one of the things that people don’t realize is
17:19
a lot of vendors actually charge you extra for the logs so and so for example like I think Salesforce is 15 to 30% of total spend to turn on logging but it’s also one of their best practices you know what do you do with that um yeah I think also as we’ve seen with like terraform it’s pretty easy for
17:40
people to or not even just terraform you look at all the different different csps cloud service providers and it is very easy we’ve seen some of the biggest financials in the world get popped through misconfigured AWS S3 buckets or other asset like we saw I think it was
17:59
like maybe a month ago where that guy found a loophole where like if you actually know a bucket ID you can jack up someone’s bill you know all these things that people don’t think about and have implications well that’s that’s the thing with with things that are publicly
18:16
exposed so say you have a website well if I go on your website and I pull up the developer mode on my browser if you don’t have certain things um implemented correctly you may be exposing your backend infrastructure that houses that database that houses whatever sort of information you’re
18:40
pulling from your back end to display it to whoever it may be um which you know that’s it comes back to this uh topic of H how do we how do we defend against all these different attack surfaces yeah you know absolutely and never mind Chrome Dev tools SM as burp Suite or
19:02
something yeah you know like so it’s a h it’s a huge problem and I think that you know as we have on the slide here we’ve kind of talked about around this but a lot of the detection strategies for cloud and and sasps is are still very nent this is still very much in its
19:21
infancy in a lot of ways yeah um there are many converstions I have with with cesos and and top level Defenders who if you ask them hey are you what are you doing about your Salesforce logs they might say what logs when they might say why are you asking that like why do I
19:40
care because they aren’t in the mindset of that’s my data that’s my customers data that’s my employees data whatever I have to be responsible for it because it’s not mine it’s sales forces for example you know so now one of the things that we should probably talk about and this is this is
20:01
a a a big one that you and I have have gone back and forth on a bit I I think we all agree that if you have logs you have some things that are known bad like not having threat Intel not have is is irresponsible not having some basic rule sets irresponsible like you you know for
20:24
example putting us back in the endpoint mindset for a second like you know leeting you know Shadow copies that that’s generally a bad thing and you want to know when someone’s doing that that shouldn’t be happening every day Etc okay my time at Caron black your time at at rri we we
20:43
understand this goes like okay shs are deleted that’s probably bad but what about the things you don’t know are bad because you know you don’t know what’s a bad thing in Salesforce you don’t know what’s a Bad Thing necessarily in 360 and that’s a big challenge you know and
21:02
that’s kind of why we’re here today is to talk about how we as Defenders can utilize ML and AI better and not just have it be a a harder problem for us when the attackers leverage it you know I I’ve seen some really cool stuff I mean I’m sure you have two where people are using a to generate like
21:23
Sigma rules or the equivalent for different kinds of things you know like are you using this yourself are you trying get this you know in practice where you are um I want to say it is on the road map um but it’s one of those things like figuring out how to best utilize all of
21:42
this stuff because you know various products have ml integrated in with uh in with it but um it’s it’s still all of the stuff is still in its infancy of being able to help Defender because ultimately what we care about is not so much the known bads I want to know about the suspicious
22:08
activity the anomali like what what what is what are some things that are interesting that are happening in my environment that are being allowed to happen um you know and that’s that’s where like you have some of your various methods of like statistical anomalies
22:27
and and stuff like that that come into play uh yeah versus you know depending on how like what the ml is integrated with you know you just have something that analyzes a binary and based off of a certain weight all of a sudden it’s malicious or uh not malicious yeah you know what this is a
22:50
good time Pro probably for me to kind of you know step in and kind of explain the different kinds of like ML and AI Etc so I guess from the purposes of our conversation laying this out for everyone so ml there’s there’s there’s trained or or supervised machine learning which is trained with known
23:07
good known bad and then there’s unsupervised machine learning which is really clustering so the idea with unsupervised machine learning is you’re just finding weird and anomalous you’re not trying to make a determination of good or bad and what’s also important is we haven’t hit this yet kind of
23:25
explicitly but what we’re talking about here is everything we’re talking is post authentication the idea is these things are happening in your environment are they okay or not are they normal are they reasonable now I’m saying post authentication because there are any
23:41
number of tools that do a great job of detecting pre off issues IP scanning or other you know weird things that are involved in infrastructure or someone’s trying to do a a cred stuffing attack you’ll see that in in different kinds of logs but post off this is really
24:00
important because as we’ve gotten more and more into the mindset of social engineering and fishing or smashing or fishing or whatever the idea is that we are now post off because the assumption is that an attacker is going to log in not break in the the number of real zero
24:19
days that involve rce shell popping on applications that you don’t own in the Sass and Cloud environments pretty like way it’s now much more likely they’re going to use AI to generate a deep fake or something that is going to let them log in and we had a question come in
24:40
actually Ryan can we give an example of a real deep fake that happened that caused problems I have two off top of my head if you have any please go first but I I I have two that that I want to I would love to throw out there no go ahead do it all right well we just saw
24:56
that someone was indicted today or yesterday for using a deep fake of Joe Biden’s voice telling everyone to not vote in in Maine like that’s that’s an example of a deep f is being used to buy a attacker in this case political or otherwise but you know then we also have another
25:15
example I think it was last year a person at a bank I think it was in Singapore got a deep fake from their CFO who told them to transfer $25 million to a bad guy well that that that was not the CFO they they actually deep faked the CFO and giv the instruction and in a setting that if I remember
25:38
correctly involved more of like the exec team so this person had like no reason to suspect that was a problem it was such a good well produced deep fake that they just there was no obvious glitching and they are not you know we are all kind of told to follow our managers or
25:55
whatever so this person’s being told by half the exec team in in the room and the CFO saying transfer money that’s an example of a deep fake that you have no defense against like you know unless you train your employees super duper well on some kind of back Channel process or
26:14
something to figure this stuff out but you also could look at it from the standpoint of well is this normal or anomalous and that’s where the weird comes in that’s where the fun comes in as a threat Hunter you want to come and figure out well this is kind of weird what what
26:31
strings can I pull to see what’s going on here yep because known bad’s easy known bad’s been out of the box you can buy it off the shelf at Micro Center for 25 years that’s called signatures it doesn’t matter whether it’s a EDR platform xdr platform or antivirus from 25 years ago does doesn’t
26:50
matter like it’s Dr marttin over here but for cloud I guess but but the the idea is that we’re we’re trying to figure out like okay well okay we all agree that ml is important uh because we need it for defense because the attackers have it for their purposes so if we assume that all the
27:10
bad guys are logging in and we assume that the bad guys are going to appear to be legitimate credential users what do we do and we look for deviations you know and I think I think that’s something that isn’t really being understood well because it’s not just deviations and statistics you know I get
27:29
asked all the time you know I have ms365 I have an E5 license so I have Defender I have mcast Etc I have Sentinel why do I need something like a reveal or something and the answer is I don’t we’re not looking at things the same way you know ubaa failed I think if you ever
27:47
tried using ubaa it it went poorly because you know they’re built on a single baseline or some very simple models that are trying to derive abnormal via you still breaking some kind of rule the rule is maybe trained by activity so something like oh Ryan you sent a lot of
28:07
emails today is that okay like well I’m doing doing a webinar today so I’m invite people or something like that right or I log into many times logging into many times is not a thing and oh impossible travel I don’t know vpns exist you know like you and I were discussing I want to say like what like
28:25
a month ago about how oh someone logged in from China so it can’t be the pla it’s like no definitely could you know like they have VPN so I guess you know from your standpoint where do you see like are do you implement uas do you implement the statiscal analysis that
