Last week’s unprecedented spread of WannaCry Ransomware again brought attention to the limitation of traditional technologies and processes in detecting and responding to ever increasing Cyberthreats. Many blogs and articles appropriately focus on the need for every machine to be on the latest version and patches for software, with a validated backup & disaster recovery plan.
But we also know that in a budget constrained world with limited IT resources, 100% adherence to this practice isn’t happening. There will always be systems running without the latest patch. Can Machine Learning & Artificial Intelligence technologies help in staying ahead of the game, not only for WannaCry but also for other threats that may happen in future?
The simple answer is Yes.
Unlike traditional rules based systems, Behavioral Analytics systems are trained to detect anomalous behavior in users and machines across multiple dimensions of connectivity, bandwidth and processes. It is this ability to provide deeper visibility and real time analysis that make Machine learning & Artificial Intelligence systems optimal to detect cyberattacks and enable rapid response.
RANK’s product VASA (Virtual Advisor for Security Analytics) helps customers in many ways for Day Zero attacks
Let’s go deeper into each of those points to demonstrate how VASA works for WannaCry attack (and others like it)
1. Machine Learning based Behavioral Anomalies: VASA helps identify suspicious processes running on machines, without requiring any hardcoded file-hashes or rules. The Indicators of Compromise (IOCs) for the WannaCry family of ransomware are bread and butter use cases for VASA.
2. Network Visibility & Timeline view: VASA identifies reconnaissance to open SMB shares. This allowed VASA customers to proactively tighten up their network configuration to reduce their risk exposure. VASA provides a timeline view of the SMB scan which reveals a couple of different network outliers that analysts can immediately action.
I. Spikes in the network share connection count indicate a very high number of network connections emanating from the internal machine
II. The specific events to Port 445 (used for SMB traffic) that provide specificity on the network connections
3.Threat intelligence: RANK VASA automatically connects to threat intelligence sources and immediately flags the appearance of known Indicators of Compromise published by security researchers throughout the world
4. Architecture: VASA has an open and flexible architecture and integrates with many popular Malware Sandboxes. This enables VASA to analyze all files downloaded in an organization in real time and alert analysts in real-time.
CyberAttacks are growing at an unprecedented rate. It is not a matter of if, but rather when, an organization will get breached. It is time to move the Cybersecurity game from a Reactive to a Proactive approach. Artificial Intelligence can be an effective tool in helping Predict, Prevent, And Defeat Attacks. VASA coupled with best practices like patch management, backups and standard end-point protection provide organizations with an effective tool to fight back against growing cyberthreats.