As Ukraine fights to maintain a stronghold on its besieged capital, cyberattacks are escalating. Governments on both sides of the Atlantic are concerned about a potential full-on cyberwar.
By Jarred Capellman, VP of Engineering & Cybersecurity, SparkCognition
Just hours after a series of distributed denial-of-service (DDoS) attacks knocked out several critical Ukrainian websites, a new data-wiping malware called HermeticWiper (aka Killdisk) was launched. Designed for destruction, HermeticWiper has two components: one that targets the Master Boot Record (MBR) and another targeting partitions.
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), in conjunction with the U.K. National Cyber Security Center (NCSC), released an alert of a new malware used by threat actors linking back to the Russian Intelligence Centre for Special Technologies (GTsST). The group known as Sandworm launched a sophisticated state-sponsored botnet called Cyclops Blink, which uses WatchGuard firewall appliances to spread destructive malware. Cyclops Blink acts as a beacon for the command and control server, where it can download and install new malware or additional capabilities and prepare for future attacks. Sandworm, also known as Voodoo Bear, is connected to previous BlackEnergy, a Trojan used to conduct DDoS attacks, cyber espionage, and information destruction attacks, and Petya, a self-propagating worm used to infect networks, steal credentials, encrypt files, and move to different systems malware.
Zero-Day – No Time to Prepare
Polymorphous viruses and advanced phishing gambits have ratcheted up security risks exponentially. Cyberthreats and malware can now spread in hours or even minutes—hence the term “zero-day attack.” Zero-day attacks are vulnerabilities discovered by attackers before the victim or target has become aware of them, giving them zero days to fight against them. Because the targets are unaware, no patch exists for zero-day vulnerabilities, making them far more likely to succeed. According to the research group Ponemon Institute, 80% of successful attacks are zero-day exploits fueled by the emergence of hacking-as-a-service and new open-source tools that dramatically lower the barriers to creating new malware variants.
Zero-day attacks either involve exploiting undisclosed vulnerabilities or using new/polymorphic malware variants that signature-based detection solutions do not recognize. The combination of malicious intent and ease of development has accelerated the sheer scale of deployed malware, with more than 376,000 threats being created per day. The polymorphic nature contributes to the rise of low-cost, single-use attacks which circumvent signatures, file reputation, and rigid heuristics.
The U.S. Department of Homeland Security (DHS) and CISA issued a “SHIELDS UP” advisory that urged organizations to prepare for cyberattacks by reinforcing their cybersecurity posture. The Department of Energy (DOE) also released a warning to the energy sector to proactively prepare for the “highest possible level” of Russian cyberattacks. And the Biden administration and Congress are warning businesses to harden their cyber defenses and sharpen their ability to respond to Russian cyberattacks.
All western companies should be in a heightened state of preparedness now, but yesterday’s security best practices are not comprehensive or technologically astute enough to protect against the newest cyberthreats. There are no blueprints for avoiding the newest digital invasions.
Antiquated security tools and solutions depended on whitelists, blacklists, and signature-based methods or attack indicators to identify threats – and they were powerless against threats that have not yet been discovered. Spotting impending cyber threats is next to impossible – and there is no time to reverse-engineer extremely sophisticated malware fingerprints and enter them into databases.
AI-based cyber protection software should be all companies’ first line of cyber defense. SaaS (Software as a Service) based technologies are available today with functionalities that include both client-side agents, a cloud-hosted management console, and global cloud services. Security executives should look for endpoint protection agents with multi-level system monitoring that can detect anomalous activity on host systems. In addition to monitoring processes executing activity, file creation and modification activity, and script activity executing in system memory, some agents can learn which files, scripts, and processes have already been analyzed to eliminate redundant analysis and reduce the agent footprint on any given device.
In leveraging the power of advanced machine learning models, the technology can analyze and predict if a process, file, or in-memory activity has abnormal or malicious intent. A best-case scenario is to have the machine learning threat detection engines bundled with agents and hosted on the device. This allows for threat detection in connected, disconnected, or isolated network use cases. It can also leverage a cloud-based file reputation service to quickly and accurately identify known clean and malicious processes and files that reside on the user system.
A smart agent will have the ability to intercept and quarantine threats in a pre-execution state as well as during process and memory execution. All processes or in-memory activity that are considered abnormal or malicious should be automatically terminated, and all files considered abnormal or malicious can be automatically quarantined without end-user or administrator interaction. It should also have a scalable data processing system in the cloud capable of generating highly accurate and efficient machine learning models to solve malware problems. It should be able to collect data, train and learn from the data, and calculate likely outcomes based on what it sees.
Prepare for the Future
The Russian digital threats could last as long as the Ukrainian conflict – or longer. It is more imperative than ever to become proactive in the battle against bad actors. One of the surest ways to slow or prevent attacks is to have a very strong endpoint security solution. These solutions are installed on endpoint devices and block any malware from infecting the systems. In addition, there are simple actions that can be taken regardless of company size:
- All devices should always be running the latest operating software.
- Next-generation firewalls should be in place to protect the edge.
- All employees should be engaged so they can assess whether an attachment, link, or email is trustworthy.
- There should be crisis and disaster recovery plans in place.
- All backups should be verified on a regular cadence.
AI is changing the game for cybersecurity, but companies are only as secure as their weakest endpoint. By enabling better security postures with AI driven products that correlate multiple data points, such as Geo Location, Software/Hardware vulnerabilities, and User Behavior, will provide inside to the risk factors of specific devices.
Without a doubt, AI, machine learning, deep learning, and natural language processing are essential for helping companies build efficient cybersecurity solutions enhanced with advanced analytics, self-learning algorithms, and task automation – now and in the future.
About the Author
Jarred Capellman, VP of Engineering & Cybersecurity at SparkCognition, has almost two decades of experience building scalable enterprise-grade software across multiple verticals. At SparkCognition, he leads security, engineering, and data science teams combining his passion for software engineering, cybersecurity, and data science. In his role, he has helped lead the development of DeepArmor, SparkCognition’s AI-built cybersecurity solution that improves security posture with industry-leading zero-day protection against today’s most advanced ransomware, viruses, malware, and more. He contributes to GitHub daily on his various projects and is pursuing his DSc in cybersecurity, focused on applying machine learning to solving network threats on endpoints. Capellman holds a Bachelor’s in Computer Science and a Master’s in Computer and Information Systems Security.
Jarred can be reached online at https://www.linkedin.com/in/jarredcapellman/ and at our company website https://www.sparkcognition.com.