Fighting polymorphic malware

Martin Riley at Bridewell warns that malware that thinks for itself needs to meet its match, or threats will continue to mount

If one thing is certain in cyber-security over the coming months, it is that the arms race around AI will continue, with particular focus on developments in polymorphic malware.

This type of self-adapting malware has been on the cyber-security horizon for a while, capable of mutating with every infection, making detection an ever-greater challenge. It adapts by learning from each attack, exploiting vulnerabilities and constantly evolving its tactics. AI and large language models such as ChatGPT have given it greater potency. AI will create malicious code for criminals and enable them to use more complex methods, building out their existing capabilities.

While AI enables the evolution of polymorphic malware, it also allows criminals with low skill levels to create more convincing phishing emails. These emails have a higher chance of success using breached data and stolen credentials for more accurate targeting.

As the landscape evolves with AI-enhanced threats, the real challenge lies in outthinking these advanced adversaries. The focus now shifts to leveraging cutting-edge technologies and strategic foresight, enabling professionals to build robust defences, and proactively counter these unpredictable threats.

Breaching EDR defences

This malware that thinks for itself is capable of outwitting the most commonly deployed endpoint detection and response (EDR) solutions, which look for certain patterns of behaviour and particular characteristics. The malware takes data from exploits, attacks and tools and, having “learned” what is likely to work, changes what it does in response to the EDR solution it encounters. The speed at which these polymorphic attacks are conducted with AI-driven automation only adds to their potential for harm.

In truth, until the past year, nobody fully anticipated the speed at which generative AI would take off and give added potential to polymorphic strains of malware that are capable of attacking IT estates, systems and networks on a broad front.

Yet AI is the proverbial double-edged sword. It will also help with detection in a way no human can, through its ability to establish a normal baseline and then analyse masses of data from all kinds of digital activity to spot suspicious behaviour. AI tools can enhance cyber-defence by identifying and responding to threats and exploits. Analysts at Gartner believe this will have very significant implications in cyber-defence, being integrated into many cloud applications to combat the exploitation of common software vulnerabilities.

Yet, currently, organisations need to be wary of AI-badged solutions and the view of technology as a panacea. It is a force-multiplier, but no silver bullet. Microsoft Copilot for Azure is currently the only significant cloud security tool with generative AI, capable of analysing data quickly for its user.

AI’s true potential lies in its use as a supportive tool rather than a solution. It handles routine tasks superbly and is very useful for detecting relatively low-level threats, correlating events, and helping with pivoting and guided remediation. But once security threats become more advanced, it can struggle, including with remediation.

While AI tools can greatly enhance cyber-defence, it’s important to be cautious. Many tools and proofs-of-concept already in production may claim to be powered by AI or generative AI, but in reality they tend to be more traditional tools with analytical capabilities. For instance, a tool might be marketed as using AI to predict threats, but on closer inspection it could rely on pre-set rules and pattern recognition rather than true machine learning.

By critically evaluating these tools, organisations can ensure they meet the advanced requirements posed by evolving threats.

Blending human expertise with technology

What organisations will need to defend themselves against current and AI-driven attacks is human expertise integrated with cutting-edge technology. Human-driven managed detection and response (MDR) and extended detection and response (XDR) services, combined with AI, enable organisations to get to the root cause of security vulnerabilities, going beyond superficial fixes and ‘sticking plasters’ to ensure long-term cyber-resilience.

There is ultimately little point in repeatedly finding and remediating an exploit rapidly if the root cause of the vulnerability is not found and then addressed with a comprehensive solution. Whilst AI can assist in detecting and responding to threats, it doesn’t truly understand what it is looking at. Currently only a real human being with expertise can assess whether something is a threat or not, and whether it has been dealt with effectively.

Given the current level of capability within AI and generative AI, technology is not going to supply all the answers that organisations need when subjected to sophisticated attacks. Human oversight will fundamentally be needed to ensure that AI is functioning correctly and making the right decisions.

These are all questions to grapple with as the entire cyber-crime industry becomes more professionalised. The gangs that create polymorphic malware are steadily becoming more specialised, as we can see in the growth of ransomware-as-a-service around the globe.

There is a thriving initial access broker ecosystem where threat actors compromise systems and networks with a view to selling the access to other threat actors such as cyber-criminals. This access opens the doors for ransomware attacks. Such malware-, access-, and ransomware-as-a-service models are becoming very profitable, attracting the attention of criminals from other areas of law-breaking.

With generative AI making polymorphic malware easier to create, fast-growing criminal enterprises will continue to expand as threat actors devote their energies to compromising victims’ identities, systems, services, and data.

New threats to democracy

In the vast majority of cases, these activities are conducted by criminals with financial gain on their minds and, in a few cases, by activists motivated by causes. But the authorities in Russia, North Korea and Iran are ready to approve or turn a blind eye to malware and ransomware activity. With general elections this year in the US and the UK, we may expect to see polymorphic techniques directed against the infrastructure of democracy and political organisations.

Like all businesses, the authorities should be ready for the growth and mutation of threats, especially polymorphic malware. The best protection for our democratic processes will come from combining human expertise, insight and vigilance with technology in managed detection and response approaches.

Martin Riley is Director of Managed Security Services at Bridewell

Main image courtesy of iStockPhoto.com and Casimiro