
teissTalk host Geoff White was joined by Philippe Amman, Head of Strategy, Europol-EC3 as lead guest; Alexandre Pieyre, Group Head of Information Security, IQ-EQ; and Alix Melchy, Vice President of Artificial Intelligence, Jumio.
The Internet Organised Crime Threat Assessment (IOCTA), published by Europol’s European Cybercrime Centre (EC3), is Europol’s flagship strategic report on key findings, emerging threats and developments in cybercrime.
The 2021 report found that trends that emerged during the pandemic, such as the Android banking malware family FluBot, are still with us. As for recent results, Interpol has been supporting an international investigation with its expertise and data exchange system that led to intercepting and decoding messages of cyber-criminals on EncroChat.
The grey market – legitimate services that cater to or are being abused by criminals and are part of the cybercrime-as-a-service model – is also in the line of sight of law enforcement (e.g., cryptocurrency mixer services). The responsibility of messaging and social media platforms for becoming tools in the hands of criminals is also a grey area to be clarified.
Encrypted messaging apps, for example, should probably play a more active role in checking IP and email addresses and mobile IMEIs used to set up accounts on their platforms.
This issue shouldn’t be seen as a trade-off between privacy and investigation/security, as there are a number of ways in which service providers can assist law enforcement without breaching their contractual data privacy obligations – for example, providing metadata and making risk profiles of users both at onboarding and in the course of their interactions on the platform.
As the initial steps of an attack – the breach and the lateral movement – are typically orchestrated by algorithms, no AI footprint can be detected there. AI, however, is extensively used on the defensive end, e.g., BloodHound. But, as Alexandre has pointed out, it shouldn’t necessarily be regarded as AI but rather as good scripting and following a sequence. Digital forensics suggests that criminals are also starting to use sophisticated deep fakes to create spoof identities.
AI-based systems can play a central role in detecting breaches and cyber threats. Until we have general AI, ML solutions – in combination with humans – are great tools for getting insights from large datasets and for automating certain parts of the analysis process. The human touch is needed the most to fill in the gap between full contextualisation and final decision-making.
AI is blurring the line between SOCs and the job of the managed detection and response (MDR) analyst, so much so that MDR can be seen as the latest addition to the value a SOC can create. Unsupervised learning can do a great job at picking up signals that don’t fit into existing patterns and can help security experts keep up with the innovation drive of cybercriminals.
To read the report on how criminals use AI for their own purposes and the methods they deploy to attack AI systems, see: unicri.it/sites/default/files/2020-11/Abuse_ai.pdf
For the new framework on how to use AI responsibly, click here.

Checking these tools against the MITRE ATT&CK framework shows that they reach less than 50% of the framework’s benchmark efficiency because they lack contextualisation.
For them to reach better results, you’ll need to run them and train them with your contextual data. This fact might also give you some leverage when negotiating a price with your vendors.
The best division of labour between AI and humans at the moment seems to be detecting anomalies for the former and filtering false positives for the latter.