How AI Can Help Stop Cyberattacks (#GotBitcoin?)
As hackers get smarter and more determined, artificial intelligence is going to be an important part of the solution.
As corporations struggle to fight off hackers and contain data breaches, some are looking to artificial intelligence for a solution.
They’re using machine learning to sort through millions of malware files, searching for common characteristics that will help them identify new attacks. They’re analyzing people’s voices, fingerprints and typing styles to make sure that only authorized users get into their systems. And they’re hunting for clues to figure out who launched cyberattacks—and make sure they can’t do it again.
“The problem we’re running into these days is the amount of data we see is overwhelming,” says Mathew Newfield, chief information-security officer at Unisys Corp. “Trying to analyze that information is impossible for a human, and that’s where machine learning can come into play.”
The push for AI comes as companies face a huge increase in threats and more-sophisticated criminals who can often draw on nation-states for resources. More than 121.6 million new malware programs were discovered in 2017, according to a report by German research institute AV-Test GmbH. That is equivalent to about 231 new malware samples every minute.
Of course, nobody thinks AI is the cure-all for stopping threats. New operating systems and software updates introduce unpredictable risks, and hackers adopt new tactics.
“Is AI a silver bullet? Absolutely not,” says Koos Lodewijkx, vice president and chief technology officer at IBM Security. “It’s a new tool in our toolbox.”
Because of those limitations, reliance on algorithms “is a little concerning and in some cases even dangerous,” says Raffael Marty, vice president of corporate strategy at cybersecurity firm Forcepoint, which is owned by defense contractor Raytheon Co.
Still, most cybersecurity experts believe that AI can do a lot more good than harm as hackers get smarter and more determined. Here are a few examples of how cybersecurity pros are using artificial intelligence—and what’s next for the technology.
Traditionally, security systems look for malware by watching for known malicious files and then blocking them. But that doesn’t work for zero-day malware—threats that are unknown to the security community.
AI is helping to solve that problem and identify new attacks as soon as they appear. The systems analyze existing malware and see what characteristics the files have in common, then check to see if potential new threats have any of those traits, says Avivah Litan, a cybersecurity analyst at Gartner Inc.
That is the method used at security firm CrowdStrike Inc. When a user clicks on a suspicious file, the company’s tool scans hundreds of different attributes—such as the size, content and distribution of code in the file—then runs them through a machine-learning algorithm that compares them to the company’s malware database and determines how likely the file is to be malicious.
“The reason why machine learning works so well for malware is that there’s so much data out there—it’s easier to train the system,” says CrowdStrike’s director of product marketing, Jackie Castelli.
One big hurdle for this approach to identifying malware is false positives: Currently, some AI systems classify a lot of benign programs as threats, which is a big problem given how many attacks companies face and how much time it can take to investigate each lead. But most security vendors that focus on laptops, mobile phones and other devices are working on the problem, Ms. Litan says.
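The static-attribute approach described above (compute cheap file characteristics, compare them with a labelled malware corpus, emit a likelihood) and the false-positive problem it carries can be shown in a few dozen lines. The following is an added illustration, not CrowdStrike's or any vendor's code: a nearest-centroid model over z-scored features stands in for a vendor's trained classifier, and every sample in the "database" and every query file is constructed synthetically (random bytes for packed content, repeated text for ordinary documents).

```python
"""Static-feature malware scoring: an added illustration, not CrowdStrike's or any vendor's code."""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

FEATURE_NAMES = ("entropy", "max_window_entropy", "printable_ratio", "null_ratio")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for packed/encrypted content, roughly 4-5 for text or source code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extract_features(data: bytes) -> List[float]:
    """Cheap static attributes a scanner can compute without executing the file."""
    n = len(data) or 1
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    # Entropy of the busiest 256-byte window: a small packed stub inside an
    # otherwise ordinary file still pushes this attribute up.
    windows = [data[i:i + 256] for i in range(0, len(data), 256)] or [b""]
    return [
        shannon_entropy(data),
        max(shannon_entropy(w) for w in windows),
        printable / n,
        data.count(0) / n,
    ]


class CentroidClassifier:
    """Nearest-centroid model over z-scored features; a stand-in for a vendor's trained model."""

    def __init__(self, labelled: List[Tuple[bytes, str]]):
        vectors = [extract_features(d) for d, _ in labelled]
        dims = len(FEATURE_NAMES)
        self.mean = [sum(v[i] for v in vectors) / len(vectors) for i in range(dims)]
        self.std = [
            max(math.sqrt(sum((v[i] - self.mean[i]) ** 2 for v in vectors) / len(vectors)), 1e-9)
            for i in range(dims)
        ]
        self.centroids: Dict[str, List[float]] = {}
        for label in ("benign", "malicious"):
            zs = [self._scale(v) for v, (_, lab) in zip(vectors, labelled) if lab == label]
            self.centroids[label] = [sum(z[i] for z in zs) / len(zs) for i in range(dims)]

    def _scale(self, v: List[float]) -> List[float]:
        return [(v[i] - self.mean[i]) / self.std[i] for i in range(len(v))]

    def malicious_probability(self, data: bytes) -> float:
        """0..1: relative closeness to the malicious centroid versus the benign one."""
        z = self._scale(extract_features(data))
        d_benign = math.dist(z, self.centroids["benign"])
        d_malicious = math.dist(z, self.centroids["malicious"])
        return d_benign / (d_benign + d_malicious)

    def classify(self, data: bytes, threshold: float = 0.5) -> str:
        return "malicious" if self.malicious_probability(data) >= threshold else "benign"


def constructed_database() -> List[Tuple[bytes, str]]:
    """Tiny stand-in for a vendor's labelled corpus. Every sample is synthetic."""
    rng = random.Random(7)

    def rand(k: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(k))

    return [
        (b"The quarterly report summarises revenue, costs and headcount.\n" * 40, "benign"),
        (b"#!/usr/bin/env python\nimport sys\nprint(sys.argv)\n" * 30, "benign"),
        (b"<html><body><p>Hello, world</p></body></html>\n" * 50, "benign"),
        (rand(4096), "malicious"),                          # fully packed payload
        (b"MZ" + rand(3000) + b"\x00" * 500, "malicious"),  # packed body with zero padding
        (rand(2048), "malicious"),
    ]


def constructed_queries() -> Dict[str, bytes]:
    """Three unseen files: a memo, a packed dropper and a legitimate compressed archive."""
    rng = random.Random(11)

    def rand(k: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(k))

    return {
        "memo": b"Meeting notes: review the onboarding checklist with HR.\n" * 30,
        "packed_dropper": b"MZ" + rand(3500),
        "zip_archive": b"PK\x03\x04" + rand(3000),  # benign, but statistically indistinguishable from packed code
    }


def build_classifier() -> CentroidClassifier:
    return CentroidClassifier(constructed_database())


if __name__ == "__main__":
    clf = build_classifier()
    for name, blob in constructed_queries().items():
        print(f"{name:15s} p(malicious)={clf.malicious_probability(blob):.2f} -> {clf.classify(blob)}")
```

The third query is the point of the false-positive paragraph: a compressed archive has the same high-entropy, low-printable profile as a packed dropper, so a model built only on these attributes flags it. Real products add many more attributes (code-section layout, imports, signer) and tune the threshold per deployment to keep that rate down.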
Getting Detailed Data On Users
Organizations in a range of fields, including government, retail and finance, are trying to keep unauthorized users out of their systems by combining machine learning with biometrics—studying physical information about users, like fingerprints and voices.
With biometric systems, people access services by talking or scanning a part of their body instead of entering a username and password. Machine learning can be used to analyze small differences in these characteristics and compare them to data on file, making verification precise.
For instance, financial-services firms such as Fidelity Investments, JPMorgan Chase & Co. and Charles Schwab Corp. have deployed biometric technology for customer service that scrutinizes hundreds of voice characteristics, such as the rhythm of speech.
Nuance Communications Inc., which develops speech-recognition software used in mobile phones, has started to incorporate behavioral biometric information, such as a person’s vocabulary, into its machine-learning algorithms.
When voice and behavioral data are combined, the system is precise enough to tell identical twins apart, says Brett Beranek, director of security strategy at Nuance. That is because characteristics such as vocabulary and frequency of pauses will differ even if people’s voices sound the same.
One hurdle for biometric technology is selling users on the idea. Researchers at the University of Texas at Austin’s Center for Identity have found that many consumers are wary of biometric authentication because of concerns about privacy, government tracking and identity theft.
Mr. Beranek says many U.S. consumers haven’t been exposed to biometric technology, unlike people in many European countries, and recommends organizations that use it address concerns and questions that customers might have. Many banks, for example, offer online explanations about how it works and how they use encryption to protect stored biometric data.
Sifting Through Alerts
A typical large corporation receives tens of thousands of security alerts each day warning about possible malware, newly discovered ways to exploit security flaws and ways to remediate threats, according to cybersecurity experts.
So, companies are investing in AI to help determine which alerts are most important, and then automate the responses.
Companies “can’t handle all the security alerts, and they’re missing things that are really important,” says Gartner’s Ms. Litan. “If you look at almost all the data breaches that took place in the last 10 years, there’s a security alert that notified them, but it was buried at the bottom of the list.”
For example, the breach announced by Equifax Inc. in September 2017 was partly blamed on a flaw in the Apache Software Foundation’s Struts software program. A patch for the vulnerability was issued several months before the incident at Equifax occurred, but the company failed to address the issue. The breach compromised personal information belonging to about 147.9 million consumers.
A spokeswoman for Equifax said in an email that the company has since hired a new chief information-security officer and chief technology officer, and has increased its security and technology budget by more than $200 million this year.
About three years ago, International Business Machines Corp. started training its Watson AI system on cybersecurity, with the goal of helping security teams manage the influx of threat information. The system combs through alerts, recognizes patterns and determines things such as what malware is involved, whether it is related to previous attacks and whether the company is being specifically targeted. That way, security teams can focus on the most likely threats and put the rest aside.
“We want to use AI to do all the investigative work and essentially give the analyst a researched case,” says Mr. Lodewijkx, adding that IBM determined that its own security analysts spend about 58% of their time doing repetitive work such as studying alerts.
“We’re aiming to take all of that 58% away from the analyst, so they’re able to deal with the uniquely human tasks,” he says.
More than 100 companies currently use Watson for cybersecurity, including Sri Lanka’s Cargills Bank Ltd. and Swiss financial-services provider SIX Group. Like most AI, the technology took years to develop and encountered bumps along the way. For example, Watson at one point concluded that the word “it” was the name of the most dangerous malware, because it appeared so frequently in malware research, Mr. Lodewijkx says.
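The triage problem this section describes (tens of thousands of alerts, the important one buried at the bottom of a severity-sorted list, and the wish to hand the analyst a pre-built case) can be made concrete with a small scoring and case-building routine. This is an added example, not IBM's or Watson's logic: the scoring weights, the "known campaign" indicator list, the alert records, the host names and the CVE value are all constructed placeholders, and the clock is fixed so the ranking is reproducible.

```python
"""Alert triage and case-building over constructed alerts (added example, not IBM's or Watson's logic)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Indicators tied to earlier incidents at this hypothetical organisation; all values constructed.
KNOWN_CAMPAIGN_INDICATORS: FrozenSet[str] = frozenset({
    "ip:203.0.113.10",              # TEST-NET-3 documentation address
    "domain:update-check.example",
})

TODAY = date(2018, 10, 1)  # fixed clock (constructed) so the scoring is reproducible


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str
    vendor_severity: int                     # 1 (info) .. 5 (critical), as the emitting tool rated it
    asset: str
    internet_facing: bool = False
    indicators: FrozenSet[str] = frozenset()
    cve: Optional[str] = None
    patch_released: Optional[date] = None    # vendor patch date when the alert concerns a vulnerability
    exploit_public: bool = False


def score(alert: Alert, today: date = TODAY) -> int:
    """Priority score: the vendor's severity plus the context an analyst would otherwise add by hand."""
    s = alert.vendor_severity * 10
    if alert.internet_facing:
        s += 15
    # A patch available for more than a month and still not applied is exactly the
    # kind of alert that sinks to the bottom of a list sorted by vendor severity alone.
    if alert.patch_released is not None and (today - alert.patch_released).days > 30:
        s += 25
    if alert.exploit_public:
        s += 30
    overlap = alert.indicators & KNOWN_CAMPAIGN_INDICATORS
    if overlap:
        s += 20 + 5 * len(overlap)   # related to a previous attack on this organisation
    return s


def triage(alerts: List[Alert], today: date = TODAY) -> List[Alert]:
    """Highest priority first."""
    return sorted(alerts, key=lambda a: score(a, today), reverse=True)


def build_cases(alerts: List[Alert]) -> List[Set[str]]:
    """Merge alerts that share an asset or an indicator into one case (union-find over alert ids)."""
    parent = {a.alert_id: a.alert_id for a in alerts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen: Dict[Tuple[str, str], str] = {}
    for a in alerts:
        keys = [("asset", a.asset)] + [("ioc", i) for i in a.indicators]
        for key in keys:
            if key in first_seen:
                parent[find(a.alert_id)] = find(first_seen[key])
            else:
                first_seen[key] = a.alert_id
    cases: Dict[str, Set[str]] = {}
    for a in alerts:
        cases.setdefault(find(a.alert_id), set()).add(a.alert_id)
    return list(cases.values())


def sample_alerts() -> List[Alert]:
    """Constructed alerts for one day; identifiers, hosts and the CVE are placeholders."""
    return [
        Alert("A-001", "antivirus", 5, "laptop-17", indicators=frozenset({"hash:constructed-0001"})),
        Alert("A-002", "ids", 4, "mail-gateway", internet_facing=True,
              indicators=frozenset({"ip:203.0.113.10"})),
        Alert("A-003", "edr", 3, "laptop-17", indicators=frozenset({"domain:update-check.example"})),
        Alert("A-004", "vuln-scanner", 2, "web-portal", internet_facing=True,
              cve="CVE-YYYY-NNNNN (placeholder)", patch_released=date(2018, 6, 1), exploit_public=True),
    ]


if __name__ == "__main__":
    for a in triage(sample_alerts()):
        print(a.alert_id, a.source, "vendor_severity=%d" % a.vendor_severity, "score=%d" % score(a))
    print("cases:", build_cases(sample_alerts()))
```

Sorted by the tool's own severity, A-004 (an unpatched, publicly exploitable flaw on an internet-facing server) comes last; with the added context it comes first, which is the shape of the buried alert in the Equifax example above. The case builder joins A-001 and A-003 because they concern the same laptop, so the analyst receives one case rather than two alerts.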
Tracking Down Enemies
One common struggle for data-breach victims is figuring out who attacked them, because criminals and nation-state hackers use a number of techniques to obfuscate their identity. Some cybersecurity researchers and analysts believe machine learning can be used to attribute attacks, which can help companies defend against them and prepare for future incidents.
Security systems can mine and analyze information on registries and online databases to find clues about the infrastructure that criminals set up to launch attacks, such as domain names of websites and IP addresses associated with the devices they use for hacking.
When hackers leave all those traces, “you create a behavior footprint that you leave behind that is unique,” says Chris Bell, chief executive of Diskin Advanced Technologies. The firm uses machine learning to analyze these footprints, determine who is behind an attack and who their next victims may be.
The technology is still in the early stages, but customers in the aviation, utility and financial-services industries have used it to spot pending attacks and automatically block IP addresses associated with criminal groups, according to Mr. Bell.
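The "behavior footprint" idea above, in which registration and hosting details of known attack infrastructure are mined and a new domain is matched against them, is shown below as an added example; it is not Diskin Advanced Technologies' method or code. Attribute weights, the group labels, every domain, e-mail address, name server and ASN are constructed (the ASNs sit in the documentation range), and weighted overlap with each group's profile replaces whatever model a real product trains.

```python
"""Infrastructure-footprint attribution over constructed registration records (added example)."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# How strongly each attribute ties a domain to one operator. Registrant contact details are
# rarely shared by unrelated actors; a hosting ASN is shared by thousands of tenants. Constructed weights.
FIELD_WEIGHTS = {"registrant_email": 3.0, "name_server": 2.0, "hosting_asn": 1.0, "registrar": 0.5}

Record = Tuple[str, str, Dict[str, str]]  # (domain, attributed group, attributes)

# Domains attributed in earlier incidents. All values are constructed, not real WHOIS data.
ATTRIBUTED_DOMAINS: List[Record] = [
    ("update-check.example", "GROUP-A", {"registrant_email": "ops-a@mail.example",
                                         "name_server": "ns1.bulk-dns.example",
                                         "hosting_asn": "AS64500", "registrar": "registrar-one"}),
    ("cdn-sync.example", "GROUP-A", {"registrant_email": "ops-a@mail.example",
                                     "name_server": "ns2.bulk-dns.example",
                                     "hosting_asn": "AS64500", "registrar": "registrar-one"}),
    ("invoice-portal.example", "GROUP-B", {"registrant_email": "billing-b@mail.example",
                                           "name_server": "ns1.other-dns.example",
                                           "hosting_asn": "AS64501", "registrar": "registrar-two"}),
]


def build_profiles(records: List[Record]) -> Dict[str, Dict[str, Set[str]]]:
    """Per group, the set of values seen for each attribute: the group's footprint."""
    profiles: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for _, group, attrs in records:
        for field, value in attrs.items():
            profiles[group][field].add(value)
    return profiles


def attribute(candidate: Dict[str, str], profiles: Dict[str, Dict[str, Set[str]]],
              threshold: float = 0.5) -> Tuple[Optional[str], float]:
    """Best-matching group and its normalised overlap score, or (None, score) below the threshold."""
    total = sum(FIELD_WEIGHTS.values())
    best, best_score = None, 0.0
    for group, seen in profiles.items():
        overlap = sum(w for f, w in FIELD_WEIGHTS.items()
                      if candidate.get(f) is not None and candidate.get(f) in seen.get(f, set()))
        if overlap / total > best_score:
            best, best_score = group, overlap / total
    if best_score < threshold:
        return None, best_score
    return best, best_score


def pivot(seed_domain: str, records: List[Record], min_weight: float = 2.0) -> Set[str]:
    """Other attributed domains sharing a strong attribute (weight >= min_weight) with the seed."""
    seed_attrs = next(attrs for d, _, attrs in records if d == seed_domain)
    related: Set[str] = set()
    for domain, _, attrs in records:
        if domain == seed_domain:
            continue
        if any(seed_attrs.get(f) is not None and attrs.get(f) == seed_attrs.get(f) and w >= min_weight
               for f, w in FIELD_WEIGHTS.items()):
            related.add(domain)
    return related


if __name__ == "__main__":
    profiles = build_profiles(ATTRIBUTED_DOMAINS)
    new_domain = {"registrant_email": "ops-a@mail.example", "name_server": "ns1.bulk-dns.example",
                  "hosting_asn": "AS64500", "registrar": "registrar-three"}
    print(attribute(new_domain, profiles))
    print(pivot("update-check.example", ATTRIBUTED_DOMAINS))
```

The threshold is what keeps weak signals from producing confident attributions: a domain that merely sits in the same ASN and uses the same registrar as a known group scores well under 0.5 here and stays unattributed, while shared registrant contact details plus a shared name server are treated as a strong link.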
Before It Was Hacked, Equifax Had a Different Fear: Chinese Spying
The credit-reporting company went to the FBI with its suspicions—then the investigation stalled.
Two years before Equifax Inc. stunned the world with the announcement it had been hacked, the credit-reporting company believed it was the victim of another theft, only this time at the hands of Chinese spies, according to people familiar with the matter.
In the previously undisclosed incident, security officials feared that former employees had removed thousands of pages of proprietary information before leaving and heading to jobs in China. Materials included code for planned new products, human-resources files and manuals.
Equifax went to the Federal Bureau of Investigation and the Central Intelligence Agency. Investigators from the company and the FBI came to view events at Equifax as potentially a huge theft of data—not of consumers’ personal data, as happened with the subsequent 2017 hacking of Equifax’s files, but of confidential business information.
Equifax security officials briefed the then-chief executive, Richard Smith, at a fall 2015 meeting, spreading high stacks of paper across the length of the boardroom table. The voluminous printouts represented what they feared was stolen. Adding to suspicions, the Chinese government had recently asked eight companies to help it build a national credit-reporting system.
At one point, Equifax grew so worried it began building a way to monitor the computer activity of all of its ethnic-Chinese employees, according to people familiar with the investigation. The resource-heavy project, which raised legal concerns internally, was short-lived.
Some investigators believed Equifax’s intense focus on the matter contributed to a delay in the company’s understanding the extent of the 2017 hack of consumers’ information, an event that hammered Equifax’s stock, cost some executives their jobs, including Mr. Smith, and damaged the company’s reputation.
Ultimately, the previously undisclosed investigation undertaken by the FBI stalled. The FBI wanted to pursue a criminal case, believing the theft of trade secrets costs the U.S. hundreds of billions of dollars a year, with China the leading offender, said people familiar with the investigation. Equifax began to worry about legal exposure and how onerous the inquiry could become, according to these people, and eventually reduced its cooperation with law enforcement.
That left many of the questions raised by the investigation, both about Equifax and about China, unresolved.
This account of the events at Equifax is based on people familiar with the investigation.
Equifax, in a written statement, said it became aware in 2015 of “efforts by a former employee to obtain company information, and launched an internal investigation into his activities.” The company “brought the investigation to the attention of U.S. law enforcement authorities and cooperated with the federal agencies,” Equifax said.
“Although this individual had improperly obtained proprietary Equifax information,” the statement said, “the information we determined was accessed was general in nature and not material or harmful to Equifax, consumers or our business clients.” Equifax said the company has “no evidence to suggest that consumer data or other personal information was compromised, or that this individual targeted this type of information.”
Equifax didn’t address in its statement whether it thought other employees were involved. A person familiar with the company’s thinking disputed the notion that Equifax reduced its cooperation with law enforcement in a probe it had itself triggered.
Representatives of the FBI and CIA declined to comment. The Chinese Embassy in Washington didn’t respond to requests for comment.
One of the former employees Equifax and the FBI investigated in connection with a possible business-information theft was Daniel Zou, who worked in Toronto. The company he joined in China was Ant Financial, a fast-growing financial-technology affiliate of Alibaba Group Holding Ltd., founded by billionaire Jack Ma.
Both Ant and Mr. Zou denied any involvement in taking proprietary Equifax data. Alibaba referred questions to Ant.
Ant, based in Hangzhou, China, said it “has never used Equifax code, scripts or algorithms in the development of its own products and services.”
Mr. Zou, in a sworn statement provided by his lawyer, said, “I deny that I worked with or consulted with a network of Equifax colleagues to steal Equifax code for Ant Financial or that I provided any such code to Ant Financial.”
Mr. Zou, a 35-year-old Chinese-born Canadian citizen who graduated from the University of Toronto, repeated his denial and said that learning of Equifax’s suspicions had been “a nightmare.”
Those suspicions arose in 2015, a few months after Mr. Zou left his job as an Equifax product manager to join Ant’s new credit-scoring business, which is known as Sesame Credit in English. Ant was among the companies asked by China’s central bank to develop credit-scoring services. Sesame launched its service in January 2015, several months before Mr. Zou came aboard.
Equifax’s data-loss prevention system, which guards against sensitive information leaving the corporate network, flagged the activities of Mr. Zou, according to people familiar with the investigation. The system alerted that an employee might have taken data off the network, and initially registered it as benign, they said.
Mr. Zou said in his interview with the Journal that, according to his understanding of how the system works, it would warn the person removing the data on the spot. He said he never received such a warning. Equifax declined to say whether that is how the system works or whether Mr. Zou received a warning.
At the same time, Equifax officials also had suspicions about a different employee, in another city. Equifax’s security chief, Susan Mauldin, approached the FBI with a question: What would it look like if we were being targeted by China?
FBI officials told her that in one common technique, a group makes plans to visit a company’s office to pitch a partnership, then at the last minute replaces delegation members with spies.
Around this time, a delegation from a Chinese business visited Equifax and swapped out some members at the last minute, fueling Equifax’s suspicions it was a target.
Company security officials decided to examine Mr. Zou’s computer activity. They discovered he had printed out thousands of pages of company information. The material related to the way credit scores are obtained, what different pieces of data mean and how to apply algorithms to assess troves of data, according to the people familiar with the investigation. They said some was information that could help explain products Equifax was working on.
At around the same time they were examining Mr. Zou’s systems, investigators discovered what they believed to be a major infiltration campaign. They found that other employees had sent code to their personal email accounts and uploaded it to software-development platforms others could access.
According to the people familiar with the probe, the investigators, by talking to Equifax employees and examining email accounts and LinkedIn messages sent to them, saw indications that recruiters purporting to represent Ant affiliate Alibaba had offered to triple salaries for certain ethnically Chinese Equifax employees—and provided instructions on specific Equifax information they should bring along if they jumped ship.
The investigators saw, as well, that Mr. Zou had searched the Equifax human-resources system to look up data analytics teams in the U.S. He had printed out contact information for many ethnic-Chinese employees, according to people familiar with the probe. They said some of those employees told colleagues they were later contacted by recruiters who claimed to be working on behalf of Alibaba.
The investigators found notes on Chinese messaging service WeChat in which another group of Equifax employees in North America, using their company-issued phones, arranged off-hours meetings to discuss work projects and left the company soon after, saying they were going to Ant or Sesame for big raises.
Ant said Mr. Zou is the only former Equifax employee it has hired since it began collecting employment history information in 2011. Ant said Mr. Zou began at its credit-scoring business in May 2015. It listed a five-figure starting salary for Mr. Zou and said he wasn’t promised any large bonuses.
Ant said it didn’t “directly or indirectly through third-party recruiters” encourage job applicants to steal Equifax information. Ant prohibits employees and recruiters from requesting such activity, the company said, adding that third-party recruiters aren’t authorized to make job offers on its behalf.
Ant said it hadn’t been contacted by Equifax or any government investigators about such matters. After receiving an inquiry from the Journal about Mr. Zou, Ant said, it investigated his information-technology activities and found no evidence he had ever provided Ant with any Equifax code, scripts or algorithms.
Mr. Zou said he worked in marketing and didn’t have access to Equifax code, algorithms and other proprietary information; never took any to Ant; wasn’t asked to; and never encouraged others to.
“I deny that I searched an internal Equifax human resources database to recruit Equifax employees to join Ant Financial,” Mr. Zou said in the sworn declaration provided by a lawyer. “I further deny that I printed contact information for ethnic-Chinese Equifax employees as part of an effort to recruit such employees to join Ant Financial.”
In the Journal interview, Mr. Zou said, “I think [where] this might come from is that during my time at Equifax I had a habit of sending work-related documents to my own email so that I could work at home. If any of those contain [any] of what they call the alleged proprietary information, right after I left Equifax and before I went back to China, I deleted them all. And I did not share that with anybody.”
If investigators were alarmed by his email practices, Mr. Zou said, “I think that’s a huge misunderstanding.”
Mr. Zou also said he printed out employee contact information for projects that required him to work with global colleagues. “Equifax Canada did not want to reinvent the wheel from beginning,” he said, “so my job was to piggyback the success case” from the company’s U.S., U.K. and Latin American regions.
He said he disposed of all the documents before moving to China and joining Ant, and he denied targeting any ethnicity. “If you search a data analytics team, the likelihood is high that you will reach a Chinese employee,” he said.
Mr. Zou said he had never been contacted by Equifax or any government authorities about data theft, and learning he was suspected caused him “emotional turmoil.”
Although Equifax had gone to the FBI—and although the bureau was eager to pursue the matter—Equifax officials by the middle of 2016 had grown wary of providing more information to federal investigators.
Equifax worried that doing so could trigger requirements under securities law for disclosure of material information, said the people familiar with the investigation. They said Equifax also was concerned that handing over access to its entire network, including international operations, as the FBI had requested, could run afoul of obligations in some countries where Equifax operates.
Around the middle of 2016, Equifax told its internal investigators to comply with any potential subpoenas but to stop proactively providing information to law enforcement, said the people familiar with the investigation.
The person familiar with Equifax who disputed the notion the company directed employees to be uncooperative said: “As the investigation progressed, we did ask that requests for information be passed through our legal office to ensure we were adhering to standard legal protocols.”
Equifax continued to monitor certain employees through 2016 and 2017. It eventually confronted several ethnically Chinese employees over activities found in its investigation, who left before the company took further action, according to people familiar with the probe.
FBI officials in Atlanta got the impression from Equifax’s then-CEO, Mr. Smith, and legal staff that the company didn’t believe it generally had information valuable enough to be the target of a major Chinese campaign.
Mr. Smith told colleagues even if thieves had taken code, they didn’t have Equifax’s consumer data, which meant the theft wouldn’t pose a competitive threat. Moreover, Equifax didn’t see a material impact on current operations because the information that appeared to have been stolen related to products in development, not to existing ones.
The U.S. attorney’s office in Atlanta ultimately determined it didn’t have evidence the suspected thefts were directed by the Chinese government, a top priority for law enforcement. The prosecutors decided they wouldn’t pursue a case against any individual, since Equifax wasn’t eager to do so, and since what former employees were suspected of taking was corporate information, rather than anything directly affecting U.S. consumers.
The U.S. attorney’s office declined to comment.
Then, in September 2017, came blockbuster news from Equifax: the disclosure that a hacking of its files had exposed highly sensitive personal data on more than 140 million Americans.
Equifax had learned six months earlier, in March 2017, of a software vulnerability, but waited months to fully check its encrypted traffic to see whether it had been breached. Only in July 2017 did Equifax realize the hack had exposed personal information, including Social Security numbers and dates of birth, of nearly half the U.S. population.
This delay was partially due to Equifax’s failure to resolve a dispute between its technology and information-security staffs at a time when top security people were focused on possible infiltration from China, in the opinion of some of the people familiar with the investigation.
The person familiar with Equifax’s thinking said the hack involved both human error and technological failure, and Equifax has been forthcoming about the causes.
In the weeks following the disclosure of that giant 2017 breach, Mr. Smith resigned, as did Ms. Mauldin and Equifax’s chief information officer, David Webb. All either couldn’t be reached or didn’t respond to requests for comment.
In January 2018, Chinese officials rolled out a state-backed credit-scoring company and gave Ant Financial an 8% stake.
Mr. Zou has returned to Canada. Ant transferred him from Sesame Credit to its Alipay international business unit in Hangzhou in mid-2017. On June 1 of this year, he moved to Alipay Canada in Vancouver.
State Department Email Breach Exposed Employees’ Personal Information (9-17-2018)
The State Department recently suffered a breach of its unclassified email system, and the compromise exposed the personal information of a small number of employees, according to a notice sent to the agency’s workforce.
State described the incident as “activity of concern … affecting less than 1% of employee inboxes” in a Sept. 7 alert that was shared with POLITICO and confirmed by two U.S. officials.
“We have determined that certain employees’ personally identifiable information (PII) may have been exposed,” the alert said. “We have notified those employees.”
The classified email system was not affected, according to the alert, which was marked “Sensitive But Unclassified.”
Watchdog reports have consistently dinged State for its insufficient cybersecurity protections, and last week a bipartisan group of senators asked Secretary of State Mike Pompeo how the department was responding. The secretary has yet to respond to the senators’ letter.
Following the email breach, the department convened a task force to examine the incident, according to a U.S. official, who requested anonymity to discuss a security matter.
The State Department confirmed the breach of its cloud-hosted email service in a statement to POLITICO. “This is an ongoing investigation and we are working with partner agencies, as well as the private sector service provider, to conduct a full assessment,” spokeswoman Nicole Thompson said in an email.
The sources who spoke to POLITICO did not say whether the department had identified the hackers behind the breach.
The State Department has always been a top target for hackers, especially those working for foreign governments. One of the most famous cybersecurity incidents in U.S. government history occurred in late 2014, when the NSA and Russian hackers battled for control of State Department servers.