The WannaCry ransomware attack in May, which affected more than 200,000 computers in more than 150 countries, underscored how the economics of cyber attacks are skewing favorably to attackers.
Ransomware is projected to be a billion-dollar-a-year criminal industry, according to a cyber-security report published by the Australian software company Nuix.
The authors of ransomware are not just running their own operations; they are also selling their services for a cut of the action, going as far as developing a business model referred to as “ransomware as a service” (RaaS). A Nuix search of malware forums revealed RaaS kits for sale ranging in price from $15 to $95.
Such exploit kits and other tools are easily acquired and can be reused against multiple targets while the likelihood of detection and punishment is low.
That is not all, says the Israeli cyber-security strategist Menny Barzilay, CEO of FortyTwo Solutions and chief technology officer at the Cyber Research Center at Tel Aviv University in Israel, a global cybersecurity hub. Open innovation models, which encourage businesses to bring in external ideas and technologies, and the introduction of the Internet of Things (IoT) — the name given to the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data — are also compounding cyber-security issues.
The 2016 attack on global Internet access, which blocked some of the world’s most popular websites, is believed to have been unleashed by hackers using devices like webcams and digital recorders that are connected to the IoT. And connecting many new smart devices to the Internet offers many new ways for bad guys to hack into systems and steal information, says Mark Gazit, founder of the Israeli cyber-security startup ThetaRay.
He points to a real-world case in which a criminal gang hacked IoT devices to gain control over a bank’s global ATM network. The gang quickly discovered that it could command ATMs in multiple locations to automatically spit out cash and that if the order was for five bank notes or less the banks would chalk it up to petty theft or mechanical error. “Allegedly over one billion dollars was stolen this way,” says Gazit.
The introduction of artificial intelligence to the sector is expected to both hurt and help.
Corporates face an uphill battle since “it is impossible to put the fence high enough” to keep hackers out, says Barzilay. And as technology systems become more sophisticated, the situation is expected to get worse.
AI will also give hackers a lot of new resources, says Guy Leibovitz, founder and CEO of the Israeli AI cyber-security startup D.Day Labs. Today, it takes a lot of time and money for criminals to find vulnerabilities in software programs or networks and exploit them. With AI the process of detecting flaws will be automated. So instead of tediously looking for a needle in the haystack, the bad guys could start launching monthly assaults like WannaCry — “zero day attacks” that target publicly known but still unpatched vulnerabilities.
The rise of AI-enabled cyber attacks is expected to cause an explosion of network penetrations and intelligent computer viruses. “Imagine an AI application that knows how to develop viruses by itself,” says Leibovitz.
Ironically, the best defense against AI-enabled hacking is to use AI, leading to an escalation of the AI arms race, he adds.
AI-infused cyber security includes predictive analytics, which promises to give security teams the insight needed to stop threats before they become an issue, as opposed to reacting to a problem. Experts say AI could also help in detecting as-yet-unknown types of attacks.
But not every company that purports to be offering AI is able to deliver, says Nimrod Kozlovski, co-founder and director of the venture capital firm Jerusalem Venture Partners’ Cyber Labs, which incubates four to six cyber-security startups at any given moment and monitors many more. “AI is a good buzzword and startups think it makes for good branding, but a lot of what we see is not exactly what we would define as artificial intelligence,” he says.
Even state-of-the-art AI won’t be a panacea. AI should be adapted to a corporation’s needs and has to be trained to be effective, says Kozlovski. He warns big companies not to try to rely on off-the-shelf products. “Companies have to go through the process of identifying where their vulnerabilities are and try to understand which solutions are particularly relevant,” he says.
No one is claiming victory in what has always been a cat-and-mouse game. But ThetaRay’s Gazit remains optimistic, not just because AI is now becoming a part of the arsenal but because he says he believes the quantity and quality of good people outpace the black hats. “The good guys always win,” says Gazit. “This movie will have a happy ending.”