"The speed of processes and the amount of data to be used in defending cyberspace cannot be handled by humans without considerable automation.”
These remarks came from Enn Tyugu, at the time a researcher for Estonia’s Cooperative Cyber Defense Center of Excellence. His comments on the need for automation in national defence came three years after one the world’s first cyber wars. Russian nationalist hackers had taken revenge on his small Baltic state in 2007 in retribution for the removal of a war memorial, the Bronze Soldier of Tallinn. Hackers tore through the country’s banks, ministries and media.
Nils J Nilsson, one of the founding researchers in the discipline of artificial intelligence, says that at its peak, automation is artificial intelligence; it’s the activity that makes a machine so intelligent that it can function appropriately and with foresight in its environment.
Since being coined at a 1956 gathering at a Dartmouth Summer Research Project, the concept of AI has become woven into everything from transportation, to medicine, movies, video games and, increasingly, information security.
It is a world of the weird, where intelligent hackers are often dumbfounded by specialists describing the complex mathematics and Gordian knot-like decision trees that lurk behind the world’s best artificial intelligence. It is hugely impressive, yet still in its infancy compared with the sentience popularised in science fiction.
Arguably the most advanced hacking platform to use elements of advanced AI was demonstrated at a security “capture the flag” competition just months ago. It was a completely self-contained system capable of identifying vulnerabilities in code, developing and applying necessary patches, and even exploiting flaws to bring down its enemies.
David Brumley’s security machine – aptly known as Mayhem – trumped six other fully autonomous systems in a test at the US Defense Advanced Research Projects Agency’s (DARPA) Cyber Grand Challenge in August. The platform was developed over two years by a team of seven, including Brumley, who put in regular 100-hour work weeks and all-nighters to prepare for the 10-hour hacking challenge.
It paid off: running on a supercomputer, Mayhem vastly out-hacked and out-patched its well-performing rivals in front of hundreds of hackers at DEF CON Las Vegas. The team collected the US$2 million first prize.
The teams, which also included second-placed Xandra and bronze medallist ShellPhish, were fed never-before-seen code and tasked with identifying vulnerabilities, making patching decisions and finding and exploiting holes in rival autonomous systems. Some of the world’s most infamous bugs and attacks were executed, including Heartbleed and SQL Slammer. The machines made decisions such as whether to withhold patches to save resources and if they should hack rival machines in ways that would be less likely to draw attention. A neural network within Mayhem fed misinformation to other players. Mayhem, the team says, is a very early instance of artificial “special” intelligence. It cannot, for example, teach itself new things that it is not already programmed to know, which would make it artificial “general” intelligence. But it remains the most capable automated hack-and-patch system in the world.
In the wake of the world-first and ground-breaking hacking competition, Brumley and his team are turning Mayhem to pursuits closer to home: the oceans of horribly insecure internet-of-things devices. “Automated vulnerability discovery is on the rise,” Brumley tells CRN. “IoT in particular will be a key target and the implications are huge. Right now we rely on human experts to audit all code and, as a result, very few apps are really checked well.”
He says that automated vulnerability analysis will open an avenue for security professionals to test web-enabled kettles, light bulbs, and the vast array of poorly secured, often cheap embedded devices such as routers and cameras that may otherwise be easily hacked and enslaved.
The Mirai botnet, attacked in recent months and still active, clearly demonstrated the threat of security-free, cheap internet devices. Hundreds of thousands of cameras and other devices were hacked and enslaved into a botnet that generated the world’s largest distributed denial of service attack. It unleashed a cracking one-terabit-per-second of traffic, smashing a major DNS provider offline and flicking off large swathes of internet connectivity across the world.
“The game changer is going to be looking at everything else,” says Brumley. “Right now no one audits the software on your home wi-fi router, your IP camera or your car because the number of devices and vulnerable software outnumbers security experts by a huge margin. Automated analysis will tip the balance so that much more software is checked.”
Antivirus has almost become a pariah in the information security world.
Advice from the world’s best hackers to avoid anything but native antivirus often centres on the ease at which malware can be repacked in ways that easily slip past defences.
This approach is so well-established that there exists a thriving underground as-a-service industry of cheap reliable antivirus bypassing offerings. Other hackers warn that antivirus in and of itself increases a computer’s attack surface through often buggy code that can be complex and deeply-integrated within Windows systems. The hackers have a point.
Enter Cylance and its Protect product, which the company says is steeped in artificial intelligence. Protect jettisons signature-based protection entirely, along with the fat databases that antiquated technology brings, to instead use machine learning techniques to identity patterns of malicious behaviour before payloads execute. It’s a bold play, but only the first step into the world of artificial intelligence the company plans to take.
The company is claiming record-breaking efficacy: 99.7 percent detection rates of malware, a claim previously laughable thanks to the millions of automatically generated, slightly varied malware that authors create and distribute around the clock. “I really haven’t seen anything this exciting in security for a long time,” says Greg Singh, technical sales director at the California-based company. “Everything has been a new can of paint on the same old thing.”
Cylance is an anti-malware company thanks to the technology being a common expertise between founders Stuart McClure and Ryan Permeh. But it expects to diversify.
“We are an artificial intelligence company,” says Singh. “Stay tuned.”
Mayhem and Cylance Protect are, at their core, systems designed to alleviate drone work. The former to find and patch vulnerabilities, and the latter to eliminate malware noise, freeing up the security professional to do more critical decision-making. It is a concept RSA Asia-Pacific security adviser Leonard Kleinman is acutely aware of. For years, Kleinman led an accomplished penetration testing team within the Australian Taxation Office before joining the security giant, triaging and identifying vulnerabilities not only in ATO systems, but for an increasing backlog of other government agencies that sought to borrow the team’s skills.
“Automation is about supporting incident response,” Kleinman says. “There is a lot of acquisition of data, logs, and packets and it [automation] helps release the humans from that and into interpreting the data.”
This final point is the nirvana of incidence response teams, security types who find out what systems were breached, when, how, and – sometimes – by whom. There is a huge amount of planning and tool and policy building and refinement before the blood crew, who are the incident responders, can operate at the maximum efficiency critical decision level.
Kleinman likes what DARPA and Mayhem are doing, but knows that artificial intelligence and automation are still in their infancy.
“It is first the step on that journey to the pointy ends, which is prioritised interpreting of interesting data,” he says. “It will compress the time between discovery and remediation, but you need to crawl before you walk, and walk before you run.”
Automation has and will continue to make scores of careers redundant. Truck drivers are likely first, as driverless B-doubles cruise our freeways without the risk of fatigue or speed. Uber is already trialling driverless cars in Pittsburgh.
But the jobs that require creativity, gut-instinct and make-or-break decisions are at less risk of extinction.
Mayhem’s Brumley agrees. He says his team’s system is utterly outpaced by hacking royalty George Hotz and Loki, “On vuln assessment in particular, the best penetration testers, people like George Hotz and Loki, are still orders of magnitude better than Mayhem,” says Brumley.
“I think this may change in the next couple of decades, but it won’t be overnight.”
Estonia’s cyber defence thinker Tyugu also saw the role of artificial intelligence as a catalyst for a revolution of knowledge handling and decision making, but not as a replacement for human minds, at least in the foreseeable future. His predictions appear to be right.