Chapter 3: Build your strategy

AI in (anti)ransomware

Any scientific or technological breakthrough has two sides: those who use it for the welfare of society and those who use it for destruction and personal gain. In 1867, Alfred Nobel combined nitroglycerin and clay to create dynamite. Nobel created it with the intention of helping people build tunnels and break down large rocks. Instead, it was used in war, and dynamite has since caused significant loss of life and destruction of property. Likewise, AI and ML can be put to good or evil use in technology, and it's no surprise that hackers are trying to profit from them.

Evil: AI-powered ransomware

AI models like ChatGPT and Bard are still in the early stages of development, but they have already been used to cause destruction. AI has lowered the barrier of entry and made malware easier to create and deploy. How can AI be used in ransomware attacks?

  • Eliminate language barriers: Hackers from different parts of the world can use generative AI to create phishing content in the target user's language. It assists them in conveying a grammatically sound message, making it more convincing to the victim.
  • Overcome spam filters: Most mail services use rules, filters, or scores to mark incoming emails as spam. AI and ML models can help hackers understand why emails were marked as spam and modify their approach accordingly.
  • Generate malicious code: If AI models can create secure code, they can also create harmful code to infect systems. Most AI models are trained to filter out and block such requests, but there's always a loophole like breaking code down to smaller lines, tricking the model into providing results. Cybercriminals with limited technical understanding may no longer have to rely on third-party (RaaS) services.
  • Mimic trusted people: If you get a voice note from your manager asking you to send this quarter's financial report to their backup mail ID, there's a good chance you'd buy it. Deepfake is all the rage now. Forget text messages, you can now create fake audio, images, and even videos of people, making it almost impossible to distinguish them from the real deal.
  • Increase the attack perimeter: AI can be used to do recon, which is usually done manually. This saves time and allows criminals to cast a wider net to attack systems. It can also discover vulnerabilities, guess passwords with better accuracy, and deploy malware at a larger scale.
  • Manipulate AI models: AI models train on data, so why not mess them up at the source? Anyone with negative intentions can teach the AI model that malicious thoughts and activities are actually acceptable. A good example is Microsoft's Tay chatbot. Tay was introduced on Twitter in 2016 and went from a cheery young adult to a misogynistic racist in less than 24 hours.

Good: AI-driven anti-ransomware

Fortunately, security models are also catching up to their evil counterparts. They are getting smarter, faster, and identifying attacks that evade traditional detection methods. Here are a few ways AI and supervised ML can empower cybersecurity.

  • Conduct user and entity behavior analytics (UEBA): ML-assisted anomaly detection is a great way to stop an attack in its tracks. UEBA monitors behavioral patterns and raises an alert when there's unusual activity, like a change in login location or in the files accessed. Since it is constantly studying baseline behavior, any deviation can be spotted quickly. Unlike traditional systems that refer to a predetermined list of past attacks and rules, AI-based systems can evolve in step with malware entry techniques and detect potential threats.
  • Automate processes: Manual tasks like risk analysis, relationship analysis, and reporting can be automated by AI, reducing the organization's response time to threats. ManageEngine's endpoint management solution utilizes ML in its anti-ransomware module, which sorts alerts and documents them as incidents.
  • Weed out bots: Bots are used across the web for legitimate tasks like crawling for search engines and performance monitoring. However, they're also used to distribute spam and infect systems. AI and ML models can study bot activity and differentiate between good and bad bots.
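To make the UEBA point concrete, here is an added example (not ManageEngine code) of the baseline-and-deviation idea in its simplest form: it learns each user's login countries and usual file-access rate from a constructed training window, then flags a login from an unseen country and a burst of file accesses of the kind a mass-encryption run produces. The user names, country codes, and event counts are all constructed sample data.

```python
# Added example (not ManageEngine code): a minimal UEBA-style detector that
# learns a per-user baseline (login countries seen, usual file-access rate)
# from a training window, then flags later events that deviate from it.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (user, event_type, value, minute_of_day).
# value is a country code for "login" and a files-touched count for "file_access".
BASELINE_EVENTS = [
    ("alice", "login", "IN", 540), ("alice", "file_access", 4, 541),
    ("alice", "file_access", 6, 600), ("alice", "file_access", 5, 660),
    ("bob", "login", "US", 480), ("bob", "file_access", 10, 481),
    ("bob", "file_access", 12, 540), ("bob", "file_access", 9, 620),
]
NEW_EVENTS = [
    ("alice", "login", "IN", 545),        # usual country: no alert
    ("alice", "login", "RU", 560),        # unseen country: alert
    ("alice", "file_access", 5, 561),     # usual rate: no alert
    ("alice", "file_access", 300, 562),   # mass file access, as in encryption: alert
    ("bob", "file_access", 11, 500),      # within bob's own range: no alert
]

def build_baseline(events):
    """Per-user profile: set of login countries and file-access rate statistics."""
    countries, rates = defaultdict(set), defaultdict(list)
    for user, kind, value, _ in events:
        if kind == "login":
            countries[user].add(value)
        elif kind == "file_access":
            rates[user].append(value)
    profiles = {}
    for user in set(countries) | set(rates):
        r = rates.get(user) or [0]
        profiles[user] = {"countries": countries.get(user, set()),
                          "mean": mean(r), "std": pstdev(r)}
    return profiles

def detect(events, profiles, z=3.0):
    """Return (user, reason) for each event that deviates from the user's baseline."""
    alerts = []
    for user, kind, value, _ in events:
        prof = profiles.get(user)
        if prof is None:
            alerts.append((user, "no baseline for user"))
        elif kind == "login" and value not in prof["countries"]:
            alerts.append((user, f"login from unseen country {value}"))
        elif kind == "file_access":
            # Floor the spread at 1 file/minute so a flat baseline still has a margin.
            limit = prof["mean"] + z * max(prof["std"], 1.0)
            if value > limit:
                alerts.append((user, f"file-access burst {value} > {limit:.1f}"))
    return alerts
```

Calling `detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS))` returns two alerts for alice (the unseen country and the 300-file burst) and none for bob, whose 11-file minute sits inside his own baseline even though it would exceed alice's.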

Best practices

If you ask our EDR team, they'll tell you that any ransomware prevention solution works like cleaning products advertised on TV: they're 99.99% effective. The other 0.01% rests in your organization's preparedness to tackle ransomware attacks. Here are a few best practices to protect your organization against ransomware:

  • 1. Emphasize employee awareness

    Employee education and training should be your top priority. Ransomware usually enters the network when a user falls victim to a phishing attack or fails to update their system. At Zoho Corp., we have an annual security and privacy awareness training where employees are trained to recognize and report phishing attempts. The Compliance team curates these lessons in line with the current technological landscape. Annual training is required by applicable laws, customer contracts, and standards, and is mandatory for employees across all divisions of the company.

  • 2. Back up and encrypt data

    Malicious actors often attempt to encrypt or delete backups, leaving their victims in despair and thinking they have no option other than to pay up. Keep your data backups offline and update them regularly. Your end goal should be to recover data without paying and with minimal downtime. With frequent and periodic backups, it's easier to pick a version that hasn't been touched by the hackers, so you don't have to start from scratch. Test your backups with regular recovery exercises to identify gaps in processes and in communication between stakeholders.

  • 3. Implement Zero Trust

    The principle of least privilege is key to securing your data. Access control at a granular level limits data exposure and is monitored, reviewed, and regulated periodically. This works best when combined with other security measures like MFA, and it helps block lateral movement, i.e., moving across systems within a network without remote access tools. ManageEngine's ongoing efforts to deploy Zero Trust are documented in the e-book, "Achieving Zero Trust: ManageEngine's path to upgrading cybersecurity."

  • 4. Put your response plan to the test

    Creating an IR plan isn't enough, because everything works in theory. Conduct regular tabletop exercises and document your experiences. The inferences can help you craft detailed instructions for your updated IR plan and overcome potential obstacles. Here's something IR teams often forget: with great power comes great responsibility. Tests and exercises aren't just for the cybersecurity team. C-suite executives and managers are just as responsible in case of an incident and should play an active role. IR is a team effort, and equal participation is crucial for quick recovery.

  • 5. Be proactive

    Don't wait for an incident to review your IT environment and cybersecurity health. Here are a few ways to stay ahead and be prepared:

    • Monitor patches and software updates and conduct vulnerability scanning.
    • Establish strong policies (e.g., password policies, login timeout policies, etc.).
    • Disable features that are not in use, like RDP.
    • Monitor IoCs and IoAs.
    • Update third-party applications.

  • 6. Invest in EDR

    If managing every aspect of your endpoint security in-house is not an option, invest in an EDR solution. EDR solutions encompass anti-ransomware, anti-virus, legacy anti-virus, and behavioral detection. They can detect suspicious activity like ransomware in the earlier stages of an attack, averting security disasters. Since the solution is always training on new data, it can spot new and evolved variants of a virus.

Conclusion

As far as the cybersecurity world is concerned, ransomware will be an ever-growing threat, especially now that AI has gone mainstream. With the right tools and practices, these situations can be handled effectively. If a ransomware attack happens to you or your organization, stick to the protocol. However, the best way to protect yourself is to avoid an attack altogether. Keep your systems up to date on software, keep yourself up to date on social engineering attacks, and remain vigilant.

About ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget. ManageEngine crafts comprehensive IT management software with a focus on making your job easier. Our 120+ award-winning products and free tools cover everything your IT needs. From network and device management to security and service desk software, we’re bringing IT together for an integrated, overarching approach to optimize your IT.

Mahanya

About the author

Mahanya is a content writer who specializes in IT stories, documenting the journey of enterprises like ManageEngine - their ups and downs, internal processes, and core principles. She is keenly interested in interacting with IT thought leaders to get their perspective on digital transformation. A true zillennial at heart, she spends her spare time on social media finding homes for rescue dogs.
