Interviews | June 21, 2021

AI-Powered Cyber Attacks Emerging as Major Concern

Darktrace | DARPA | ExtraHop | Splunk | Trend Micro

Max Heinemeyer
Director of Threat Hunting


Q1. Darktrace has described ransomware as being the top use case for its Autonomous Response technology. Why is that the case? Why is self-learning AI so crucial for dealing with the ransomware threat?

Ransomware is a particularly effective and fast-moving threat. It has been around for over 20 years, and yet it is still slipping through defenses and paralyzing companies, even companies that we traditionally assume to be secure, with robust defenses. Yet when considering how to respond to ransomware, the key thing to remember is that threat actors have already gained access to your system, whether that be via phishing email, a vulnerable website, or unpatched software, and it is too late to reverse the process.

Therefore, to stop ransomware, your philosophy needs to change from 'how do I keep the bad guys out', to 'the bad guys are inevitably going to get in, so how do I spot a threat once it's inside?' This mentality, namely the assumption that you have already been breached, is fundamental to how defensive AI technology works.

Defensive AI is based on three core values:

  • Preventative security tools aren't enough because attackers will always find new vulnerabilities.
  • Signature-based defenses aren't working because we constantly see novel variants of ransomware.
  • Human security teams cannot act fast enough to contain ransomware – they are simply outpaced.

Conversely, self-learning AI does not work by relying on rules and signatures - it works by learning the normal 'patterns of life' for the organization – including its users, devices and applications – and identifies every step of ransomware attacks, within seconds, as they deviate from this norm.

Critically, Cyber AI takes targeted action to neutralize the ransomware, ensuring that an organization's response is proportionate and doesn't incur damaging and unintended knock-on effects. By stopping ransomware in its earliest stages before it has had a chance to spread, the question of whether to shut down critical systems or pay the ransom is taken out of the equation.

With proportionate Autonomous Response that is built on self-learning AI, organizations can build cyber resilience to fight back against the full range of machine-speed attacks – wherever they strike.

Q2. Enterprise organizations have begun using AI-based technologies, such as those from Darktrace to fight cyber threats. What happens when threat actors begin using AI-based approaches more widely to carry out attacks? What capabilities are organizations going to need to defend against AI-based cyber weapons?

AI-powered attacks are one of the biggest fears within the security community. When it becomes a reality, which may be very soon, 'offensive AI' is going to bring about a paradigm shift to the attack landscape.

What this means is that at some point in a campaign there are far fewer human hands on the keyboard than today – or none at all. This can be done in a relatively simple way – for example using more simple techniques like natural language processing to automatically gather context on the Internet for social engineering attacks all the way to more sophisticated methods like malware deciding on the best ways to move laterally during an infection by itself.

We'll see this in various ways. Firstly, the sheer number of cyber-attacks will explode, because it will be so much easier to orchestrate and automate campaigns. The speed of attacks will also increase dramatically. We've already seen this a little with ransomware, and how quickly it can now encrypt files, and in attack life-cycles generally, even from two years ago. We're going to see more threat actors on the scene. AI will make it far simpler to launch campaigns, which means that even low-skilled hackers will be able to operate sophisticated tools.

Additionally, in the near future, we can expect more sophisticated AI to be used in more subtle ways - for example to create highly convincing emails that impersonate trusted contacts, or to help malware target high-value data sets within a corporate network.

Security teams already struggle to keep up with incidents and to navigate the sea of false positives which are churned out by sub-standard security tools. When cyber-criminals begin to use AI, human response will no longer be an option.

This is not an issue which can be resolved by throwing more humans in the mix, and anyway – we don't have the humans to spare. Instead, the way to defend against this will be by fighting fire with fire. AI against AI, algorithm against algorithm. And that's what we at Darktrace have been preparing for.

Q3. What does Darktrace plan on highlighting at Black Hat USA 2021? What's your main messaging going to be at the event?

We're going to focus on three main areas: self-learning AI, how to protect yourself in the cloud, and AI-powered Red Teaming.

The digital world is more complex than ever. And when systems are complex, that makes them vulnerable. We've seen this in the widespread adoption of cloud and SaaS applications in the last year – from Zoom to Microsoft Teams to SharePoint. And this shift to the cloud, and to more complex ways of using and relying on technology, is here to stay.

In this new world, which brings with it new weaknesses and new methods of attack, AI-powered security is crucial in protecting your digital company. Self-learning AI can discover unpredictable attacks as they emerge, without relying on any previous knowledge or rules. Autonomous Response can keep normal operations running at all times, neutralizing threats in seconds.

AI Red Teaming is a really exciting development in the security industry. We've spoken about how offensive AI will be the next big security challenge. With AI Red Teaming, we can emulate the power and speed of an AI-augmented attack, to help autonomously identify security issues, and help to remediate them. This will be a huge help to organizations in having the resilience necessary for when a real attack comes along.

Keith Rebello
Program Manager, Microsystems Technology Office


Q1. DARPA is known for its focus on anticipating future technological trends. What is the agency currently focused on, in terms of cybersecurity?

DARPA is executing a wide range of research programs focused on developing techniques, tools, frameworks, theories, and solutions for the full range of cyber operations, involving many layers and stages in systems. This includes programs focused on developing more secure circuits and microsystems.

Throughout the 2010s, DARPA established several programs to address the security shortcomings of conventional computing systems. DARPA's current System Security Integration Through Hardware and Firmware (SSITH) program builds on some of these research efforts while exploring novel approaches to hardware security at the microarchitecture level.

Current efforts to provide electronic security largely rely on robust software development and integration, utilizing an endless cycle of developing and deploying patches to the software layer without addressing the underlying hardware vulnerability. Instead of relying on patches to ensure the safety of software applications, SSITH aims to address the underlying hardware vulnerabilities at the source. The program is developing hardware security architectures and associated design tools to protect systems against entire classes of vulnerabilities exploited through software, not just specific vulnerability instances.

SSITH is focusing specifically on common classes of hardware weaknesses as identified by the MITRE Common Weakness Enumeration Specification (CWE) and NIST, including buffer errors; information leakage; resource management; numeric errors; injection; permissions, privileges, and access control; and hardware/system-on-chip implementation errors.

Researchers on SSITH are exploring different approaches, which include the use of metadata tagging to detect unauthorized system access; utilizing context sensing pipelines to determine the intent of instructions; and employing formal methods to reason about integrated circuit systems and guarantee the accuracy of security characteristics.

Q2. How could the secure processors in development on the SSITH program benefit our ability to protect today's electronic systems?

Microsoft estimates that 70% of their security updates address memory safety errors. Google provides the same statistic for the Chrome browser. SSITH processors provide strong protections for memory safety errors, as well as a host of other weaknesses, and we're confident that these architectures will have a significant impact on the security of real-world systems. While SSITH doesn't address attacks at the software layer, things like SQL injection or cross-site scripting, it will still put a significant damper on the plans of bad actors. Most critically, it makes hardware an active participant in defense, instead of a passive bystander, providing an opportunity for further system hardening by integrating hardware and software defenses.

Q3. What is DARPA planning to showcase at the Black Hat USA 2021 virtual event?

At Black Hat USA 2021, DARPA is planning to demonstrate how the SSITH processors could protect real-world systems. We've developed a cyber-physical demonstrator that replaces several systems found in a car – from the infotainment system to the embedded computers that control braking and steering – with secure versions.

The increasing connectivity and automation of vehicles have dramatically increased their attack surfaces in recent years, with potentially devastating consequences. Our demonstrator will show how the SSITH processors could stop representative attacks on these systems from happening, interfering at critical points, and making certain exploit chains obsolete.

We are also hosting a lunch-and-learn that will provide attendees with a deep dive on the SSITH program and the ongoing work of the various research teams involved. The discussion will also highlight DARPA's efforts to move the technologies from the lab to the real world, providing a path for commercial and defense organizations to employ these novel protections in their critical electronic systems.

Jesse Rothstein


Q1. Bain Capital Private Equity and Crosspoint Capital Partners recently acquired ExtraHop. How, if at all, does the transaction impact your customers? What is your message to them?

ExtraHop remains deeply committed to our customers. As part of the Bain Capital and Crosspoint Capital family, we will have access to significant resources to continue innovating and progress our mission of securing enterprises against advanced cyber threats.

We plan to expand our capabilities to directly benefit our global customers. Areas of focus include:

  • Doubling down on our detection, investigation, and response capabilities for advanced threats—like supply chain attacks and zero days—that bypass user-focused defense systems and target infrastructure, workloads, and data.
  • Securing the explosion of unmanaged devices now connecting to the network, including enterprise, healthcare, and industrial IoT.
  • Augmenting Zero Trust architectures with visibility to verify that controls are correctly configured and automatic policy inference to detect potential violations.
  • Stepping in to fill the "first 24 hours" gap between initial detection and full-scale incident response.
  • Expanding partnerships with leaders in the market like CrowdStrike and AWS to automate response at the ecosystem level and create best-of-breed detection and response that truly delivers on the promise of integrated insights.

Q2. The NDR market is one of the fastest growing segments in the cybersecurity industry. What's driving the growth? How has the COVID-19 pandemic impacted the NDR market?

The enterprise IT estate is now vast and perimeter-less, and it's under constant threat from nation-state actors, cyber criminals, and even insiders in pursuit of sensitive business and personal data, illicit profit, or both. Despite $150 billion in annual spend on cybersecurity products and services, data loss and business disruptions due to cyber attacks remain common. While network intrusion detection and forensics have been valued by practitioners for decades, NDR solutions that apply behavioral analytics with modern data science and machine learning have rapidly become the favored approach. Simply put, NDR is growing fast because it works better than legacy products, providing higher quality detections, streamlined investigation, and automated response.

The COVID-19 pandemic primarily impacted the NDR market in two ways. First, it greatly accelerated cloud workload migrations. NDR is uniquely able to secure cloud workloads non-invasively and without the cooperation or consent of developers who typically control the images and CI/CD pipelines. Second, the pandemic reshaped the attack surface with ubiquitous remote access. Although in many cases user devices have become more difficult to secure, NDR focuses on securing infrastructure, workloads, and data against the most advanced threats, providing an essential line of defense across the enterprise environment.

Q3. What are your plans at Black Hat USA 2021? What can security professionals expect to hear from ExtraHop at the event?

We're excited for Black Hat. Like many organizations, this will be the first event in a year and a half that we'll be attending in person. We're looking forward to reconnecting with and learning from our industry colleagues.

As for ExtraHop, we'll be sharing some of our latest research around topics like the ubiquity of insecure protocols. We'll also be talking about the recent Cyber Executive Order and subsequent classification of ransomware as a terrorist threat. While these are hugely important steps, there's still more to be done. We'll share our thoughts on how to ensure that these measures are effective and introduce the idea of Behavior Transparency as a critical element of cybersecurity moving forward.

Yassir Abousselham


Q1. What should organizations be taking away from attacks like the one that SolarWinds disclosed last December? What can/should they be doing to minimize exposure to those kinds of attacks?

When it comes to supply chain attacks, my takeaway is that Advanced Persistent Threats are the new normal for our industry. Wars are fought in cyberspace and most commercial or governmental entities have not yet had time to roll out comprehensive strategies to effectively counter these threats. We are dealing with adversaries that are well funded, highly technical, and persistent. Supply chain is one of many advanced strategies leveraged by these threat actors.

We still have ground to cover as an industry to properly protect against supply chain attacks. However, there are a number of strategies that cater directly to the attacker tactics and, if implemented properly, can mitigate the supply chain cyber risk. Those strategies include zero trust, strong authentication, network segmentation, secrets management, deeper vendor/open-source security assessments and aggressive monitoring.

Q2. How has the rush to adopt cloud and SaaS applications since the pandemic began impacted enterprise security? What gaps did it reveal in enterprise security capabilities?

The consequences of the pandemic's rapid shift to work-from-home — and the exponentially faster shift to cloud technology that it helped drive — resulted in a larger, more varied attack surface for adversaries to target and higher dependency on third party vendor security. In addition, organizations that were just embarking on the cloud journey had to quickly retool their capabilities to continue protecting data outside their network perimeter. Lastly, organizations had to enhance their detections and threat awareness to mitigate COVID-themed attacks targeting their employees.

According to recent findings stemming from our State of Security 2021 Report, the top two identified enterprise security challenges confronted in 2020 were maintaining security consistency across the data center and public cloud environments (cited by 50% of respondents) and the cost and complexity of using multiple cybersecurity controls (42%).

In the race to set up remote work, there was a rushed transition to cloud solutions to allow remote employees to do basic tasks, like communicating with videoconferencing and instant messaging. Depending on the organization's cloud maturity, this transition exposed gaps in the security posture. Capabilities such as cloud-centric access management, comprehensive security monitoring across all platforms and endpoint protection became critical to addressing both on-prem and cloud security use cases.

Q3. What do you want security professionals at Black Hat USA 2021 to know about Splunk's data-to-everything strategy? What does Splunk plan on highlighting at the event?

Splunk's solutions support every part of the organization's security journey, supplying security teams with a cohesive set of solutions needed to combat major security challenges. Additionally, we recently announced Splunk Security Cloud, a data-centric security operations platform that delivers advanced security analytics, automated security operations, and integrated threat intelligence with a broad and open ecosystem. With Splunk Security Cloud, teams can secure and manage multi-cloud deployments while remaining agile to adapt to ever-evolving threats.

The launch of Splunk Security Cloud comes on the heels of our acquisition of TruSTAR, a cloud-native security company specializing in data-centric threat intelligence. TruSTAR will be integrated deeper into the Splunk Security Cloud in the coming months - allowing Splunk customers to enrich their SOC workflows with normalized threat intelligence from third-party sources and from their own historical events and investigations.

Finally, we have a lot of activity taking place at Black Hat this year - both in person and virtually. Our Splunk researchers and engineers will host virtual and on-site conference talks where they will discuss critical cyber issues impacting businesses today, including ransomware, credential leaks, Active Directory attack simulations and how to navigate threat intelligence. We will also have a booth at the event where we can showcase our latest product announcements. We can't wait to see everyone in person again!

Mike Gibson
VP of Security Research and Customer Success

Trend Micro

Q1. What do you perceive as some of the biggest threats to enterprise endpoints over the next few years? What kind of capabilities are going to be required to address these threats?

Overall, not only will threats continue to evolve but it feels like the summer of cybercrime with such an uptick in high profile attacks as of late. Criminals are better enabled and equipped today than ever – less experience is needed to be a full-fledged cybercriminal with "as-a-service" offerings available in underground forums for all types of threats and attacks. Attackers are improving their methods to hide in the shadows and slip through any cracks they can find.

One positive change to counter this is that companies are consolidating their security vendors, which reduces the number of cracks and shadows to hide in. No matter the security stack, visibility and connectivity will be the most important factors that contribute to successfully mitigating the risk of cyber attacks in the future. A simplified view across the entire IT infrastructure that provides actionable information and risk assessments plus connectivity across security solutions will help security teams see anomalous behavior and stop attacks before payloads are dropped.

Q2. Why has XDR become such a crucial need for enterprise organizations? Over the next few years, do you see XDR as replacing SIEM or coexisting with it?

The job of security teams today has become unmanageable. Teams, who are already understaffed, must manage countless dashboards and innumerable event logs, try to correlate the information and make sense of the red flags to know when an attack is underway. That is not a scalable approach, nor will it be effective in stopping damaging attacks. This is the beauty and value of a good XDR solution. These solutions make data correlations for security teams, connecting across the entire IT environment to see threat events from endpoints, cloud assets, the network, and email and web gateways. When teams can ignore the noise and focus on actionable logs from a single dashboard, they are much better equipped to identify and stop criminals.

There is distinct value in XDR and SIEM solutions, but they should work together to maintain their particular value propositions. XDR solutions will continue to focus on specific, and more detailed, data sources stored for shorter periods of time for real-time alerting and response activity. SIEM solutions will continue to collect summarized information, from a larger number of data sources, for longer periods of time to solve general security use cases and compliance requirements. One of those data sources will be metadata and alerts from XDR solutions.

Q3. What are Trend Micro's plans at Black Hat USA 2021? What technologies/services/capabilities do you plan on highlighting at the event?

The best cybersecurity platform must leverage the best research. During Black Hat 2021, we'll be giving attendees a peek behind the curtains of Trend Micro Research. We have undisputed leadership in vulnerability research globally. We will shine a light on this during our threat defense challenge, where participants can get hands-on with our post-patch vulnerability intelligence and turn those into protection mechanisms to block exploitation.

Beyond this in-booth & virtual challenge, check out our talk on vulnerability intelligence, a joint session on robot reversing, and an arsenal session on a unique take on CTFs that our teams have had a lot of fun with.
