Fighting Ransomware with AI/ML
Ransomware remains a major problem for organizations and governments. It gains in sophistication, frequency, and ransom money. Fleming Shi, CTO, Barracuda Networks, discusses how AI and ML can help fight ransomware and three things security teams should look for in AI/ML-based email security solutions.
Ransomware continues to plague organizations around the world, with the number of attacks increasing by 64% in 2021, according to one of our studies, heavily targeting municipalities, healthcare, education and other businesses. These attacks can cripple day-to-day operations, wreak havoc, and lead to financial loss through downtime, ransom payments, and recovery costs — unbudgeted and unforeseen expenses that can bring large organizations down.
Ransomware even has the power to destroy entire countries. The government of Costa Rica is locked in a struggle with Conti, a Russian-linked ransomware gang that demands a payment of $20 million. And Lincoln College – a 157-year-old institution in Illinois – had to close its doors earlier this year due to the devastating impact of a ransomware attack.
All is not lost, however. As ransomware becomes more disruptive and pervasive, advances in machine learning (ML) and artificial intelligence (AI) may hold the key to more effective defense against ransomware.
Ransomware protection starts with an email
Although ransomware can be delivered via just about any threat vector, most attacks are carried out via email. This is understandable, as email is the most commonly used method of communication to connect with entities outside the organization, such as customers and partners. Coupled with the fact that users are typically an organization’s weakest link in the security chain, it’s easy to see how email presents an attractive backdoor for threat actors to gain initial access and control over the corporate network. A single click by a single user can be enough to compromise the network and deliver a devastating ransomware payload.
It is true that email platforms such as Microsoft 365 and Gmail offer a wide range of security features. But recent attacks have shown that the native security features of these email gateway solutions are rife with vulnerabilities that malicious actors will exploit. By using highly evasive techniques such as brand spoofing, legacy URL reputation evasion (LURE), HTML smuggling, and code obfuscation, attackers can fool security filters into treating malicious links and compromised files as legitimate business communications.
If increased sophistication weren't enough, ransomware-as-a-service has led to outsourced development of ransomware payloads. This allows anyone with a credit card and a bone to pick to buy malicious code on the dark web that lets them access and take control of a remote system. And that's not all. Payments continue to grow exponentially, with an increasingly destructive impact on organizations' finances. The average ransom demand per incident is now over $10 million, and 30% of demands in 2021 were over $30 million, according to the study mentioned above.
AI/ML provides an intriguing solution
Many security tools can help clean up a ransomware attack after the damage has been done. Given the financial and reputational risks caused by ransomware attacks, businesses need a solution that can stop ransomware attacks before they happen. Fortunately, AI/ML-based solutions can identify and intercept various forms of ransomware attacks before they reach the end user. Continuously trained in real time as new threats are discovered, these solutions identify email messages based on a fraudulent domain or anomalous communication attempting to impersonate a legitimate sender. Once identified, the message is moved to a quarantine folder for further inspection.
But not all ransomware prevention solutions are created equal. Here are three things security teams should look for in AI/ML-based email security solutions:
1. API integration in your email provider
Naturally, email providers focus on email, not security. It is their core business, after all. Keeping up to date with the latest security threats, MITRE ATT&CK Framework techniques, and ransomware trends is time-consuming and expensive. Make sure you're relying on a third-party email security solution designed and maintained by developers who are 100% focused on protecting your business. Seamless API integration between your email provider and email security solution provides visibility into internal, external, and historical email communications for every individual in the organization. This is critical data that AI can use to learn communication patterns within the company, between employees, and with known and unknown outside entities.
2. Intelligent identification of identity theft attempts
Comprehensive protection depends on your solution's ability to identify people who are not who they say they are. Your AI/ML-based solution should be able to use internal, external, and historical email metadata to create an identity graph for each user. Comprised of email addresses, document types, names used, natural language processing (NLP) features, and other characteristics that define an individual's unique communication patterns, these learned patterns allow the solution to identify anomalies in behavior, content, and link and file transfers.
3. Real-time correction before user interaction
When it comes to ransomware, speed is everything. Your email security solution must identify and quarantine threats before it’s too late. AI/ML allows you to act faster than humans, removing threats from the inbox before the user can interact with the message. Remediation should be done in real time with notification alerts sent to users and IT administrators.
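The identity-graph idea from point 2 and the real-time quarantine from point 3 can be sketched end to end in a few lines. The following Python is an added example written for this page, not Barracuda's product code: it learns a per-sender profile (addresses, recipients, link domains, attachment types) from a small set of constructed historical messages, scores a new message by how many of those learned attributes it violates, and quarantines it with notifications before delivery when the score crosses a threshold. The `Message` fields, the `WEIGHTS` values, the threshold and the sample addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """Minimal email metadata as a security integration might pull it via the provider API."""
    display_name: str
    address: str
    recipient: str
    link_domains: tuple = ()
    attachment_types: tuple = ()


# Constructed historical mail metadata for the example (hypothetical, not real traffic).
HISTORY = [
    Message("Alice Chen", "alice.chen@example.com", "bob@example.com", ("example.com",), ("pdf",)),
    Message("Alice Chen", "alice.chen@example.com", "carol@example.com", (), ("xlsx",)),
    Message("Alice Chen", "alice.chen@example.com", "bob@example.com", ("example.com",), ()),
    Message("Dave Patel", "dave@partner.example.net", "bob@example.com", ("partner.example.net",), ("pdf",)),
]

# Assumed weights: a known display name arriving from an unseen address is the
# strongest impersonation signal; unseen link domains and file types add to it.
WEIGHTS = {"new_address": 2, "new_recipient": 1, "new_link_domain": 1, "new_attachment_type": 1}


def build_identity_graph(messages):
    """Learn, per display name, the addresses, recipients, link domains and
    attachment types observed in historical mail (the 'identity graph')."""
    graph = defaultdict(lambda: {"addresses": set(), "recipients": set(),
                                 "link_domains": set(), "attachment_types": set()})
    for m in messages:
        p = graph[m.display_name.lower()]
        p["addresses"].add(m.address.lower())
        p["recipients"].add(m.recipient.lower())
        p["link_domains"].update(d.lower() for d in m.link_domains)
        p["attachment_types"].update(t.lower() for t in m.attachment_types)
    return graph


def score_message(graph, msg):
    """Return (score, reasons) comparing msg against the sender's learned profile."""
    profile = graph.get(msg.display_name.lower())  # .get() does not create a profile
    if profile is None:
        # No baseline exists, so nothing can be called an impersonation here.
        return 0, ["no baseline for this display name"]
    reasons = []
    if msg.address.lower() not in profile["addresses"]:
        reasons.append("new_address")
    if msg.recipient.lower() not in profile["recipients"]:
        reasons.append("new_recipient")
    if any(d.lower() not in profile["link_domains"] for d in msg.link_domains):
        reasons.append("new_link_domain")
    if any(t.lower() not in profile["attachment_types"] for t in msg.attachment_types):
        reasons.append("new_attachment_type")
    return sum(WEIGHTS[r] for r in reasons), reasons


def remediate(graph, msg, threshold=2):
    """Decide deliver vs. quarantine before the recipient can interact with the message.
    A quarantine notifies the recipient and the (assumed) IT admin mailbox."""
    score, reasons = score_message(graph, msg)
    if score >= threshold:
        return {"action": "quarantine", "score": score, "reasons": reasons,
                "notify": [msg.recipient, "it-admin@example.com"]}
    return {"action": "deliver", "score": score, "reasons": reasons, "notify": []}


if __name__ == "__main__":
    g = build_identity_graph(HISTORY)
    # Constructed impersonation: Alice's display name from a look-alike domain with an HTML attachment.
    spoof = Message("Alice Chen", "alice.chen@examp1e-mail.invalid", "bob@example.com",
                    ("files-share.invalid",), ("html",))
    print(remediate(g, spoof))
```

The threshold is where tuning lives: a genuine message from Alice to a colleague she has never written to, carrying a file type she has never sent, also reaches a score of 2 and would be quarantined, which is the false-positive cost of a strict setting. A real deployment would retrain the profile as new legitimate mail arrives so that such one-off anomalies stop firing, which is what the article means by continuous training.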
Proactive and preventive email security is the key to stopping ransomware
Ransomware is becoming more sophisticated, more common and less expensive to launch, while payouts continue to soar. Stopping these evasive threats requires proactive and preventative AI/ML-based email security. Seamlessly integrated with your email provider, these solutions automatically identify spoofing attempts based on real-time behavioral analytics and remove even the most sophisticated and evasive ransomware attempts before unsuspecting users can interact with the emails. AI/ML-powered automation can prevent these large-scale attacks before they gain initial access to and control over your most critical business systems.
Have you used AI to fight ransomware? What are some things security teams should keep in mind? Share with us on Facebook, Twitter and LinkedIn.