Laurent -

AI-enabled cyber attacks a reality soon, warns Mikko Hypponen

Technology continues to shape human conflict and artificial intelligence will be no exception, so business needs to up its ability to detect attacks and respond, says security expert

Cyber attacks enabled by artificial intelligence (AI) technology have yet to be seen in real-world attacks, but organisations could soon be defending against a new order of AI attacks, warns Mikko Hypponen, chief research officer at IT security company F-Secure.

Despite the claims of some security suppliers, no criminal groups appear to be using AI to conduct cyber attacks, said Hypponen. “There has been academic research into what AI attacks could look like, but we have not seen any in the real world,” he said.

“The closest we have come so far is attacks against the AI-based systems used by defenders, where criminals are attempting to poison machine learning-based defence systems by throwing garbage data at them to subvert the machine learning.

“But we are not seeing AI used in malware or other types of attack. Attacking machine learning systems is different to actually creating a machine learning-based attack.”

Attempts to confound cyber defence systems in this way are not new, said Hypponen, pointing out that when Bayesian spam filtering became popular, spammers simply flooded email systems with spam messages containing random English words, not links and images.

“This was, in effect, an attack against a learning system,” he said. “As a result, these anti-spam systems began flagging legitimate emails as spam, making the system no longer useful.”

Hypponen believes that people with AI skills and knowledge are so highly sought-after in legitimate industry that there is no need for these well-paid individuals to get involved in criminal activity. However, updating his stance from a year ago when he said AI-enabled attacks were unlikely any time soon, Hypponen said that new commercially available AI development tools could hasten AI-enabled attacks.

“As machine learning development tools get easier and easier to use, criminals will no longer have to find someone with a computer science degree to use them,” he said. “The barrier to entry is coming down and so we will start to see AI-enabled cyber attacks.

“That could be within the next year. They will be rudimentary at first, but soon will be pretty good machine learning attacks, where the malware is capable of rewriting itself to adapt to any obstacles it encounters.”

The continuing game of “cat and mouse” between attackers and defenders will reach a whole new level, said Hypponen, and defenders will have to adapt quickly as soon as they see the first AI-enabled attacks emerging.

Read more about AI security

But AI-enabled attacks are not the only big threat on the horizon, said Hypponen – the proliferation of internet-connected devices that make up the internet of things (IoT) is cause for concern.

“Thanks to 5G and other connectivity technologies, within five to 10 years it will become extremely cheap to enable internet connectivity for just about any device at all,” he said. This will usher in a new generation of “stupid devices” that are connected to the internet for no other reason than to collect data for manufacturers and suppliers, he added.

“They will collect data about their customers and how they use their products because they need it to make money, and this will lead us into a world where just about every electrical device will be online, and the people who buy these devices will not even be aware.

“Consumers will not even be able to stop these devices from connecting because they will no longer be using home Wi-Fi. Instead, these devices will be able to connect directly using 5G.”

This problem is best described as “IT asbestos”, said Hypponen. “Just like using asbestos seemed like a great idea in the 1960s and 1970s, and it was put everywhere. But decades later we realised that it was a bad idea – and that is what we are doing right now with internet-connected devices.

“The idea of taking these embedded, outdated Linux kernels with built-in root passwords that users cannot change and that are unpatchable and insecure, and deploying them everywhere, is going to be the asbestos of the future, and we will regret what we are doing now.”

Technology is shaping everything around us, “both good and bad”, said Hypponen. “The internet is the best thing and the worst thing that has happened during our lifetime,” he said. “While we get great benefits, we also get completely new risks.

“I do think that the benefits are bigger than the problems we get from digitisation, the internet and even the IoT. I would love to think that, in 20 years’ time, we will be able to look back and say that the benefits of IoT outweighed the problems, like the internet, where despite the problems, the upsides are bigger than the downsides.”

Read more about threat hunting

Hypponen said the fact that rapidly evolving technology is shaping the world, including the nature of war, and enabling cyber attacks in ever-increasingly sophisticated and unexpected ways, underlines the need for enterprise security to switch focus from purely defending the network perimeter to being able to detect malicious activity within the network and respond to it more quickly and effectively.

“IT security decision-makers need to stop thinking about the walls around their network and start looking at what is happening inside the network,” he said. “They need to focusing more on detection and response instead of just hoping they will be able to keep all the attackers out for ever.

“The larger the network, the more likely it is that there will be a breach. Assume that all the safeguards around the network will fail. Nobody likes to do that, but when you adopt that approach, you can start thinking about how you will detect anomalies and how you will respond.

“Currently, it takes most companies far too long to find out that their IT networks have been breached. That is where organisations need to get much better, and relatively few have an in-house threat-hunting capability.

“Most organisations have to outsource it, which usually makes more sense. And I am not just saying that as a supplier, but only very large organisations would have the resources required to build and maintain a threat-hunting capability of their own.

“Because security is not the core business of most companies, it makes more sense to outsource this to specialist providers of threat-hunting services.”

Hypponen said such providers are particularly good at detecting malicious activity that has been enabled by human error or cooperation, rather than exploiting technical vulnerabilities which are easier to detect and fix.

“No matter how well we patch our systems or monitor our networks, if users let the attacker in, you still have to have the capability of monitoring your network for anomalies and investigating why these are happening to see if they are connected to anything malicious,” he added.

Read more on Hackers and cybercrime prevention

Data Center
Data Management