10 March 2019

RSA Conference 2019: How to Defend Against an AI vs AI ‘Flash War’

Tom Spring

SAN FRANCISCO – As perimeter cyber defenses adopt new strategies such artificial intelligence and machine learning, security experts predict adversaries will adopt similar techniques when it comes to an attack chain.

Derek Manky, chief of security insights at Fortinet, said that “black-hat automation and swarm technology” are emerging threats. He argues that companies need to identify weak points in their cyber defenses and assess whether they are vulnerable to automated attacks.

“You have to be able to know the threat in order to be able to block it,” he told Threatpost in an interview here at the RSA Conference.

There are effective strategies to thwart these types of “flash war” attacks. Manky said organizations can prolong the attack chain in an effort to mitigating risk and speed up the defensive kill chain. One solution, he said, was creating a “house of mirror-based deception techniques” to effectively dilute a large attack surface.


What follows is a video interview conducted at the RSA Conference on Tuesday.

** What follows is a transcript of the interview **

Tom Spring: Hi and welcome to Threatpost here at RSA Conference 2019. We are here in Broadcast Alley and I’d like to introduce Derek Manky.

Derek Manky: Okay. Derek Manky with Fortinet. I’ve been with Fortinet for 15 years. I’m from our FortiGuard department, so I lead our cyber threat intelligence efforts, our global threat alliances, as well.

My role is chief of security insights. So, we’re constantly looking at research, what the bad guys are doing, and try to innovate in terms of how we can try to get a step ahead of them. It’s always an arms race, as you know.

Tom Spring: Welcome. Welcome to RSA Broadcast Alley and Threatpost.

I’m interested in what your thoughts are on one of the biggest buzzwords of the show, which is artificial intelligence and machine learning. Maybe you can cut through some of the noise for us and help us better understand where the rubber actually really does meet the road.

Derek Manky: Yeah, sure, sure.

Okay. So machine learning is a core part of AI, right? I mean, machines learn like humans do. I mean, Alan Turing described this back in the 1930’s. Right? The whole idea is that by using Machine Learning models, we can start to study things like cyber crime, right? Who the cyber criminal organizations are, how they’re moving, what’s their next move going to be?

There’s predictive elements of artificial intelligence, as well. It’s a very complex beast to manage.

Tom Spring: Yeah. Yeah.

Derek Manky: In fact, you talked about where the rubber meets the road. It’s a long lifecycle. I mean, it takes about at least five years of development for these machines to learn in our world, from the security space on the defensive side. Be able to be confident. Trust is a big theme of AI.

Tom Spring: When you say five years, are you talking about five years for a company? What does that five years refer to?

Derek Manky: Yeah. Yeah. Definitely. I mean for any valid artificial intelligent machine learning solution, when it comes to the defensive side, right? ‘Cause when we’re talking about mitigating threats, you have to be able to trust them. They have to be as intelligence and experienced as day to day operations for let’s say a security operation, a SOC admin or a network operation admin.

It takes time to learn. Now machines learn quicker than humans do, right? I mean, a machine can become a teenager on the, on that cycle within a year as an example.

Tom Spring: Right. Right.

Derek Manky: But, it takes time.

Tom Spring: Well, so it seems like it’s gonna take a little more time for the defensive AI to really be a thousand percent effective for a company-

Derek Manky: Yeah. Yeah. Yeah.

Tom Spring: …and for perhaps even the technology to mature.

Derek Manky: Yeah.

Tom Spring: But I’m actually really curious about how artificial intelligence and machine learning is being used from the offensive standpoint.

Derek Manky: Yeah.

Tom Spring: Where, where we’re seeing a sort of a switch in terms of how the offensive security, what, talk a little bit about offensive security and artificial intelligence and what the bad guys are capable of and what they’re doing.

Derek Manky: Yeah. So, this is a really interesting area and not a lot of people are talking about right now.

On the defensive side, we can do a million things right and one thing wrong, and that’s a very big issue. That’s why I talk about these long life cycles of development. From the offensive side, they’re not bound by rules. They’re not bound by laws. They can release new versions of code that may or may not go in the right direction, which is a scary prospect when it gets into that.

Right now, what we’re seeing mostly is automation when it comes to attackers, right? To attack tools, things like this, that are created.

Tom Spring: So, automation as opposed to artificial intelligence.

Derek Manky: Yeah. There’s a clear difference, right?

Tom Spring: Now, one of the things that I know that you’re gonna be talking about later, here at RSA, is swarm technology.

Derek Manky: Yes.

Tom Spring: How does that play into … how does that play into machine learning or to the automated attacks?

Derek Manky: Right. So, swarm technology is about multiple agents in a network and in our, in our case, botnets are effective machines, that are able to communicate with each other, share intelligence, and then act on intelligence. So, Node A talked to Node B. Gave him a heads up that there’s a potential vulnerable target to attack, right? That’s one technology. 

Now, you couple that with machine learning and artificial intelligence and you have the ultimate machine when it comes to attacks, right? ‘Cause you have something that’s capable of moving very quickly inside of networks. That’s truly intelligent, being able to, on its own, identify weak spots in a network, being able to develop custom weapons on the fly.

I’m talking about exploits, ways into networks, and things like that.

Tom Spring: Yeah. I know. The keynote earlier today was talking a lot about how the bad guys can sort of take a look at the, when, when vulnerabilities exist within a network-

Derek Manky: Yeah.

Tom Spring: … and optimize their attacks based on the sort of the algorithm of the defenses.

It’s really a interesting thing, but to think about this swarm technology, really help me better understand what you mean by a swarm. A swarm connotes many different things coming together and acting as one.

Derek Manky: Acting as one to solve a complex task. In my talk today, I’ll be talking about this. It’s existed in biology, when it comes to things like ants being able to optimize paths to the nest to get food. They’re able to work together to form a bridge in space by actually communicating with each other and talking.

It’s no different when it comes to cyber. You think about the advantages. If you have different strategic positions within a network, infected nodes and IP security cameras. Say a network attached storage or something. They’re able to communicate with each other. They can actually team up to do things dynamically like DDoS attacks, trying to take down a target to put it into a weaker spot.

So it’s this element of, like you said, working together, strength in numbers, a bigger group, to be able to solve a complex tasks. It also makes it because it’s a swarm, very robust.

Tom Spring: Very robust.

Derek Manky: If a couple of infected machines, in our case from an attacker’s point of view, happened to fail or die, it doesn’t matter because another one’s gonna take the place.

Tom Spring: Well, I think that really brings up … another point that I know that you’ve talked on in the past and that is the attack chain and the kill chain and how those two things are interacting and … We’re seeing a reduction in the attack chain, the time to infect or attack a company is being drastically reduced because of this type of artificial intelligence, machine learning and this type of automatic, automated attack.

Can you talk a little bit about that?

Derek Manky: Sure.

So, it starts with automation. There’s simple frameworks out there that can connect blueprints of vulnerable servers, ports, hosts, things that are running out there with attack frameworks like, as an example. It intelligently lines up the exploits.

These are things that could take a human hours to try to do on their own, that can be sped up into the, into the, the range of minutes, as an example.

So, the attack chain is just an inverse view of the kill chain, right? It’s coming from an attackers point of view. How quickly can I succeed to be able to get data and ex filtrate the data out of a network? So, a data breach, in other words.

Tom Spring: Why is that kill chain timeline so reduced? I mean, we’re seeing some numbers in terms of time to attack within hours and sometimes within minutes.

Why are we seeing that?

Derek Manky: So, a couple of reasons, right? One, the state of security is very vulnerable still out there. I mean NIST and the NVD, they’re reporting over 14,000 vulnerabilities a year, coming out. A lot of it’s IoT, is the culprit, right?

So the, the attack surface is simply larger. It’s easier to be able to go end to end. You have more options as an attacker. You also have things like the automation frameworks I was talking about. That’s the reality of it, right? By using tools and technology, what starting with automation right now, it’s enabling attackers to be able to move much quicker.

With what we’re starting to see with the promise of machine learning and artificial intelligence from an attacker’s point of view, that starts to take the human even more out of the loop.

This is what I’m gonna be talking about today. The concept of a flash war, when you have AI versus AI on the defensive.

Tom Spring: Now, for people who aren’t familiar with the term flash war, what is a flash war?

Derek Manky: From the attack chain, a flash war happens fast, right? It’s always an arms race from an attacker’s to a defense standpoint, that the end game, the end result, whether it’s a data breach or a successful block, is gonna happen within milliseconds, right?

Tom Spring: Mm-hmm (affirmative).

Derek Manky: Similar to the stock exchange and latency and trading. It can be over in the blink of an eye. That’s the idea of a flash war.

Tom Spring: Right. Here’s, here’s a hard question for you to answer.

Derek Manky: Yeah.

Tom Spring: Because you’re wearing a Fortinet hat, but how do companies prepare themselves for this new world? How do they defend themselves against the scenarios that you’ve just pointed out?

Derek Manky: So, speed and agility, right? Visibility first is key, right? You have to be able to know the threat in order to be able to block it. So, having threat intelligence solutions that are integrated. Orchestration integration is very important. There’s a lot of solutions out there for that.

Being able to actively do incident response by automation and AI is key, right?

Tom Spring: Right. Right.

Derek Manky: So, if you’ve got a threat on your network, being able to quarantine that threat, do things like network access control, so NAC we call it, is very important because I said a lot, a lot of the problem today is IoT concepts like Zero Trust Networks is another big solution people have to look at because … the unfortunate reality is a lot of these vulnerable IoT devices are trusted by nature when they’re the biggest, the most vulnerable piece of the attack surface out there.

Tom Spring: I really appreciate that unbiased not self-serving answer. I didn’t mean to frame the question the way I did in the sense that you’re not-

Derek Manky: Nah. It’s good. It’s all about strategy.

Tom Spring: Well, I think that’s a really great overview of your session and some of the bigger trends that we’re seeing here at RSA. Real quickly, are there any sessions or anything that you’re interested in hearing more about here at RSA?

Derek Manky: Yeah. I mean, this is always great. I mean particularly on what the good guys are doing to work responsibility together. Unify collaboration’s a big thing. Myself, I’m a part of the Cyber Threat Alliance, right, Fortinet’s a chartered member there.

So, there’s a lot of good stuff going on with the CTA in general. That’s all about teaming up together against the bad guys. We got to make it more expensive for cyber criminals to operate.

So, the collaboration team is really big to me here.

Tom Spring: Well, thank you so much for joining us and have a great rest of your show.

Derek Manky: Okay. Thank you.

No comments: