SE Labs

Posts tagged 'machine learning'

Enemy Unknown: Handling Customised Targeted Attacks

Detecting and preventing threats in real-time

Computer security products are designed to detect and protect against threats such as computer viruses, other malware and the actions of hackers.

A common approach is to identify existing threats and to create patterns of recognition, in much the same way as the pharmaceutical industry creates vaccinations against  known biological viruses or police issue wanted notices with photographs of known offenders.

The downside to this approach is that the virus or criminal has to be known to be harmful, most likely after someone has become sick or a crime has already been committed. It would be better to detect new infections and crimes in real-time and to stop them in action before any damage is caused.

This approach is becoming increasingly popular in the cyber security world.

Deep Instinct claims that its D-Client software is capable of detecting not only known threats but those that have not yet hit computer systems in the real world. Determining the accuracy of these claims requires a realistic test that pits the product against known threats and those typically crafted by attackers who work in a more targeted way, identifying specific potential victims and moving against them with speed and accuracy.

This test report used a range of sophisticated, high-profile threat campaigns such as those believed to have been directed against the US Presidential election in 2016, in addition to directing more targeted attacks against the victim systems using techniques seen in well-known security breaches in recent months and years.

The results show that Deep Instinct D-Client provided a wide range of detection and threat blocking capability against well-known and customised targeted attacks, without interfering with regular use of the systems upon which it was deployed. The deep learning system was  trained in August 2018, six months before the customised targeted threats were created.

Latest report now online.

Predictably Evil

pmr-1176337

A common criticism of computer security products is that they can only protect against known threats. When new attacks are detected and analysed security companies produce updates based on this new knowledge. It’s a reactive approach that can provide attackers with a significant window of opportunity.

It’s why anti-virus has been declared dead on more than one occasion.

Latest report now online.

Security companies have, for some years, developed advanced detection systems, often labelled as using ‘AI’, ‘machine learning’ or some other technical-sounding term. The basic idea is that past threats are analysed in deep ways to identify what future threats might look like. Ideally the result will be a product that can detect potentially bad files or behaviour before the attack is successful.

(We wrote a basic primer to understanding machine learning a couple of years ago.)

So does this AI stuff really work? Is it possible to predict new types of evil software? Certainly investors in tech companies believe so, piling hundreds of millions of funding dollars into new start-ups in the cyber defence field.

We prefer lab work to Silicon Valley speculation, though, and built a test designed to challenge the often magical claims made by ‘next-gen’ anti-malware companies.

With support from Cylance, we took four of its AI models and exposed them to threats that were seen in well-publicised attacks (e.g. WannaCry; Petya) months and even years later than the training that created the models.

It’s the equivalent of sending an old product forward in time and seeing how well it works with future threats. To find out how the Cylance AI models fared, and to discover more about how we tested, please download our report for free from our website.

Follow us on Twitter and/ or Facebook to receive updates and future reports.

Review: ImmuniWeb On-Demand Application Security Testing

hacked-1764593

What do a start-up, small business and enterprise have in common?

They all have one or more websites.

That’s not a very humorous punchline, but the security implications of managing business websites aren’t funny either.

In an age when extremely large organisations are being hacked, as well as specialist security companies, website security could not be a more serious business. Throw into the mix regulations such as the data protection act and the incoming GDPR legislation and being the person responsible for the company website just became positively horrible.

A website is a business’ public face, whether it be a local taxi company or a global pharmaceutical giant. It is virtually impossible to do business these days without a website and maintain credibility, but a website hack instantly harms any company’s standing.

How do websites get hacked? Sometimes the attackers will focus on compromising the site’s administrator, but more often than not (in our experience) the site itself is attacked directly by means of an exploit.

Such an exploit could be a aimed at a vulnerability in the platform, such as WordPress, or the server’s operating system. Sometimes the hosting company itself is targeted: a good value-for-money proposition for an attacker who wants to run one attack and gain access to thousands of websites.

Will AI save our sites?
Artificial intelligence is great but people are often necessary for some tasks. ImmuniWeb understands that. Assessing the security of a website is non-trivial and, while automated tools exist to test for the presence of various vulnerabilities, often it takes a human brain to really get to the bottom of a problem. Much in the same way that SE Labs uses people to enhance security testing, ImmuniWeb adds the personal touch to checking the quality of a website’s security.
The service provides testing for vulnerabilities listed in the OWASP Top Ten Vulnerabilities list, PCI DSS vulnerabilities and a range of other sensible criteria, including predictable CAPTCHA protections and open directory listings.
Wizard setup
wizard-4625603
Setting up the initial test was a very simple task. Enter a few relevant details into  ImmuniWeb’s Wizard-driven website, pay the fee and the work starts. A couple of days later a report is made available and you have around three months to download it before it is deleted automatically. You will receive warnings about the impending deletion.
The report is detailed. The first pages give an overview of the risk level based on how many vulnerabilities have been found, certain administration configuration issues that might exist and even an indication of other websites that might be impersonating yours.
Who is hosting?
report-4813405
The data in the reports is interesting and some of the issues brought to light could be easily solved. It does depend on how you have your web hosting organised, though. For example, if you run your own servers you can follow advice on upgrading certain services, such as Apache or SSH.
However, if your site runs on a hosting platform provided by a third-party, such as GoDaddy, 1&1, 123Reg or a thousand others then you have a choice: You could contact the company and request that they upgrade; or move to another host and hope that they do a better job with updates.
In this review we discovered that the hosting company we use for the SE Labs website was a little behind with some updates. We used the ImmuniWeb report as evidence that there was a potential problem and, to our surprise, the company responded fast and claimed to fix the issues.
While we could verify the changes ourselves (after all, we test security systems ourselves) we understand that for most businesses a second test would be warranted. We ran a second test for this review and were pleased to see that the previous issues had indeed been fixed.
How much?
This is where things could get expensive, though. An on-demand small business (SMB) test costs $1,499. If you are a start-up and want to have your site assessed then this is a reasonable business expense. Multiple verification tests add up, though. A faster ‘Express’ test is less expensive, coming in at $499. If you expect your site to change frequently then continuous assessments are available, with prices starting at $999 per month.
Total Cost of Reassurance
But while your site might not change, knowledge about security vulnerabilities does. New vulnerabilities are being discovered at a frightening rate and updates for popular web server components, such as MySQL, appear often. When testing our own website ImmuniWeb noted out of date software, which was updated accordingly.
By the time we ran the second test the same, updated software was again out of date. If the same issues happen to you, it might be worth learning how to test the versions of the services running at your web hosting company and give them a prod to update as and when necessary. Paying over $1,000 to assess something they should be taking care of seems unnecessary.
Monitoring the weak link
Losing control of your website is a situation no business wants to contemplate, whether it’s a start-up looking for funding or a massively profitable public company. Web application vulnerabilities are a significant weak point that can and should be assessed regularly. ImmuniWeb provides just such a service but because people are involved, as well as machine learning-equipped systems, there is a significant cost to the system, as well as an advantage over free website scanning sites and tools.
While, on the face of it, using ImmuniWeb’s service might appear expensive, compared to training your own team of penetration testers, or sub-contracting a company to do the work for you, it is good value for money.

Predictions for 2017

golden-2017-new-year-text-with-glowing-glitter-effect-and-fireworksStill dazed from the year that was, Jon Thompson dons his Nostradamus hat, dusts off his crystal ball
and stares horrified into 2017.

Prediction is difficult. Who would have thought a year ago that ransomware would now come with customer care, or that Russia would be openly accused of hacking a bombastic businessman into the Whitehouse. Who even dreamed Yahoo would admit to a billion-account compromise?

So, with that in mind, it’s time to gaze into the abyss and despair…

Let’s get the obvious stuff out of the way first. Mega credential breaches won’t go away. With so many acres of forgotten code handling access to back end databases, it’s inevitable that the record currently held by Yahoo for the largest account breach will be beaten.

Similarly, ransomware is only just beginning. Already a billion-dollar industry, it’s cheap to buy into and easy to profit from. New techniques are already emerging as gangs become more sophisticated. First came the audacious concept of customer service desks to help victims through the process of forking over the ransom. By the end of 2016, the Popcorn Time ransomware gang was offering decryption for your data if you infect two of your friends who subsequently pay up. With this depth of innovation already in place, 2017 will hold even greater horrors for those who naively click attachments.

Targeted social engineering and phishing attacks will also continue to thrive, with innovative

campaigns succeeding in relieving companies of their revenues. Though most untargeted bulk phishing attempts will continue to show a low return, phishers will inevitably get wise and start to make their attacks more believable. At SE Labs, we’ve already seen evidence of this.

It’s also obvious that the Internet of Things will continue to be outrageously insecure, leading to DDoS attacks that will make the 1.1Tbps attack on hosting company OVH look trivial. The IoT will also make ransomware delivery even more efficient, as increasing armies of compromised devices pump out the pink stuff. By the end of 2017, I predict hacking groups (government-backed or otherwise) will have amassed enough IoT firepower to knock small nations offline. November’s test of a Mirai botnet against Liberia was a prelude to the carnage to come.

Bitcoin  btc-mono-ring-orange-6370546recently passed the $1,000 mark for the first time in three years, which means criminals will want even more than ever to steal the anonymous cryptocurrency. However, a flash crash in value is also likely as investors take profits and the market panics in response to a sudden fall. It’s happened before, most noticeably at the end of 2013. There’s also the distinct possibility that the growth in value is due to ransomware, in which case the underlying rally will continue regardless of profit takers.

The state-sponsored use of third party hacking groups brings with it plausible deniability, but proof cannot stay hidden forever. One infiltration, one defection, one prick of conscience, and someone will spill the beans regardless of the personal cost. It’s highly likely that 2017 will include major revelations of widespread state-sponsored hacking.

This leads me neatly on to Donald Trump and his mercurial grasp of “the cyber”. We’ve already delved into what he may do as president, and much of what we know comes straight from the man himself. For example, we already know he skips his daily security briefings because they are “repetitive”, and prefers to ask people around him what’s going on because “You know, I’m, like, a smart person.

Trump’s insistence on cracking down on foreign workers will have a direct impact on the ability of the US to defend itself in cyberspace. The shift from filling jobs with overseas expertise to training homegrown talent has no discernible transition plan. This will leave a growing skills gap for several years as new college graduates find their way to the workplace. This shortfall will be exploited by foreign threat actors.

Then there’s Trump’s pompous and wildly indiscreet Twitter feed. Does the world really need to know when secret security briefings are postponed, or what he thinks of the intelligence presented in those meetings? In espionage circles, everything is information, and Trump needs to understand that. I predict that his continued use of social media will lead to internal conflict and resignations this year, as those charged with national cybersecurity finally run out of patience.

donald-trump-spars-with-univision-journalist-jorge-ramos-6442066

It’s not all doom and gloom, however. The steady development of intelligent anti-spam and anti-malware technologies will see a trickledown from advanced corporate products into the hotly contested consumer market. The first AV vendor to produce an overtly next gen consumer product will change the game – especially if a free version is made available.

There’s also a huge hole in “fake news” just begging to be filled. I predict that 2017 will see the establishment of an infosec satire site. Just as The Onion has unwittingly duped lazy journalists in the past, there’s scope for the same level of hilarity in the cybersecurity community.

However, by far the biggest threat to life online in 2017 will continue to be the end user. Without serious primetime TV and radio campaigns explicitly showing exactly what to look for, users will continue to casually infect themselves and the companies they work for with ransomware, and to give up their credentials to phishing sites. When challenged, I also predict that governments will insist the problem is being addressed.

So, all in all, it’s business as usual.

Happy 2017!

What is Machine Learning?

machine_learning-1991327… and how do we know it works?

What’s the difference between artificial intelligence and machine learning? Put simply, artificial intelligence is the area of study dedicated to making machines solve problems that humans find easy but digital computers find hard, such as driving cars, playing chess or recognising sarcasm. Machine learning is a subset of AI dedicated to developing techniques for making machines learn to solve these and other “human” problems without the insanely complex task of explicitly programming them.

A machine is said to learn if, with increasing experience, it gets better at solving a problem. Let’s take identifying malware as an example. This is known as a classification problem. Let’s also call into existence a theoretical machine learning program called Mavis. Consistent malware classification is difficult for Mavis because it is deliberately evasive and subtle.

silicon2bbrain-1881268For it to successfully classify malware, we need to show Mavis a huge number of files that are known to be malicious. Once Mavis has digested several million examples, it should be an expert in what makes a file “smell” like malware.

The spectrum of ways in which Mavis might be programmed to learn this task is very wide indeed, and filled with head-spinning concepts and algorithms. Suitable approaches all have advantages and disadvantages. All that counts, however, it’s whether Mavis can spot and stop previously unknown malware even when the “smell” is very faint or deliberately disguised to confuse it into an unfortunate misclassification.

A major problem for developers lies in proving that their implementation of Mavis intelligently detects unknown malware. How much training is enough? What happens when their Mavis encounters a completely new threat that smells clean? Do we need a second, signature-based system until we’re 100% certain it’s getting it right every time? Some vendors prefer a layered approach, while others go all in with their version of Mavis.

Every next generation security product vendor using machine learning says their approach is the best, which is entirely understandable. Like traditional AV products, however, the proof is in the testing. To gain trust in their AI-based products, vendors need to hand them over to independent labs for a thorough, painstaking work out. It’s the best way for the public, private enterprises, and governments to be sure that Mavis in her many guises will protect them without faltering.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press