AI Cybersecurity just got beat! Now What?
Garmin fell to the ransomware WastedLocker a week ago. But this wasn’t just any type of ransomware. According to security researchers at Sophos, WastedLocker has gone beyond just worming its way through your network, encrypting files, and then demanding a ransom. Instead, WastedLocker was designed to avoid detection. This detection avoidance isn’t just target towards tried and true security technologies, but steps up its detection avoidance to another level – evading behavior based solutions.
As Sophos delved into the underlying programing of WastedLocker, what they found was a threat that changed how a ransomware encrypted files. The malware uses Windows API functions to confuse behavior-based security software as to what is really going on. Using memory-mapped I/O to encrypt a file, as opposed at the disk I/O level, the malware is allowed to secretly cache documents in memory, without causing additional disk I/O, then encrypting the files in memory, effectively shielding the behavior from AI security technology.
In past blogs I have written how AI had been the game changer, because intruders couldn’t mimic what users behavior looks like for any individual or individual network. They still can’t, but this experience has shown they have now developed an invisibility cloak in which their behavior cannot be detected. The game has changed again, in only a few short years.
However, there is opportunity that is presented in this story. It is believed that stolen login credentials were required due to a belief the attacks were planned carefully, with very hands-on movements throughout the entire process.
As with any defense technique, depth is a requirement. Multi-factor authentication, VDI infrastructure, separate user/passwords for security tools or critical systems are all additional defense mechanisms that can help thwart attacks. Also, with every security appliance, while there are strengths, there are also weaknesses. The criminals have just found machine-learning security’s weakness. It is time to plug it up with additional methods.