AI/ML-based attack signal intelligence at the tactical edge
September 07, 2023
Advances in generative artificial intelligence (AI) are enabling adversaries to build new attacks faster and evade signature-based threat detection with ease. The cutting edge of adversarial cybersecurity is becoming more sophisticated, using new technologies to rapidly develop new attacks. Defensive cybersecurity efforts must keep pace with bad actors by using new tools that combine attack signal intelligence with pattern-matching capabilities to identify polymorphic threats: cyberthreats that change their form in order to evade detection by traditional security solutions.
If a breach has occurred or is suspected, the defense cyber team cannot trust any devices on the network and must bring their own equipment to perform the analysis. These “tactical edge hunt kits” are carried by an operator to analyze network threats on location, as many defensive cyber missions occur on segmented, isolated, or otherwise air-gapped networks owned by other organizations or mission allies. A mobile and rapidly deployable hunt kit enables the speedy response essential to remediate threats and protect devices and networks.
Over the last decade, it’s become routine for cyber task forces to visit a site and collect network data for a couple of weeks, after which they return to their lab and run the collected data through an analyzer. By that point, though, the adversary has likely completed its mission, hidden its tracks, and changed its attack. Running replays of data after the fact is no longer enough. What’s needed is to move from snapshot-in-time assessment of threats to a more continuous monitoring model.
Today’s signature-based techniques, while important, are not sufficient on their own to address the advancing threat conditions. They require prior knowledge of an attack method in order to build the signature files used for pattern matching, and attack types are changing too rapidly, bypassing known signatures. Another approach, machine learning (ML)-enhanced anomaly detection, frequently misses critical threats or produces too many false positives; an avalanche of false positives can mask true attacks that are underway. The efficacy of threat detections is key to the success of cyber hunts in finding the “unknown unknown.”
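The two failure modes described above can be shown on a small constructed data set. The following Python is an added illustration, not code from the article or from either company’s products: the request records, host names, beacon string and byte counts are all made up. A signature written for one observed beacon string matches that host only; a volume-based z-score anomaly detector flags a benign backup host (a false positive) while missing the low-volume beacons; and a decode-then-match pass over query values (one simple form of normalization before pattern matching) recovers the base64-wrapped variant of the same beacon.

```python
import base64
import binascii
import re
import statistics
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed outbound-request records (not real traffic): (host, bytes sent, request line).
SAMPLE_RECORDS = [
    ("ws-01", 1200, "GET /index.html"),
    ("ws-01", 900, "GET /style.css"),
    ("ws-01", 1500, "GET /news"),
    ("ws-02", 1100, "GET /index.html"),
    ("ws-02", 1300, "GET /login"),
    # Known beacon: a signature written for this exact string matches it.
    ("ws-03", 4000, "POST /gate.php?cmd=beacon&id=7"),
    # Polymorphic variant of the same beacon: identical command, base64-wrapped.
    ("ws-04", 4200, "POST /gate.php?d=Y21kPWJlYWNvbiZpZD05"),
    # Benign nightly backup: large by volume, ordinary in content.
    ("backup-01", 900000, "PUT /backup/2023-09-07.tar"),
]

# Signature as a rule author would write it after seeing a single sample (constructed).
BEACON_SIGNATURE = re.compile(r"cmd=beacon")


def signature_hits(records, signature=BEACON_SIGNATURE):
    """Hosts whose raw request line matches the signature (misses encoded variants)."""
    return sorted({host for host, _, req in records if signature.search(req)})


def anomalous_hosts(records, z_threshold=1.5):
    """Hosts whose total bytes out is a z-score outlier across all hosts.

    Volume alone flags the backup server and says nothing about the two beacons,
    which are indistinguishable from workstations by byte count.
    """
    totals = defaultdict(int)
    for host, nbytes, _ in records:
        totals[host] += nbytes
    values = list(totals.values())
    mean = statistics.fmean(values)
    sd = statistics.pstdev(values)
    if sd == 0:
        return []
    return sorted(h for h, v in totals.items() if (v - mean) / sd > z_threshold)


def _decoded_forms(request_line):
    """Yield the request line itself plus every query value that decodes as base64."""
    yield request_line
    path = request_line.split(" ", 1)[1] if " " in request_line else request_line
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        try:
            decoded = base64.b64decode(value, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # not base64, or not printable text: nothing to match on
        yield decoded


def normalized_signature_hits(records, signature=BEACON_SIGNATURE):
    """Signature matching after decoding query values: catches the wrapped variant too."""
    return sorted({host for host, _, req in records
                   if any(signature.search(form) for form in _decoded_forms(req))})


if __name__ == "__main__":
    print("raw signature hits:       ", signature_hits(SAMPLE_RECORDS))
    print("volume anomalies:         ", anomalous_hosts(SAMPLE_RECORDS))
    print("decoded signature hits:   ", normalized_signature_hits(SAMPLE_RECORDS))
```

Run as-is it prints the known beacon host for the raw signature, the backup host for the volume detector, and both beacon hosts once query values are decoded before matching. The decode step is one narrow normalization; a real polymorphic sample would need many such transforms, which is the point the article makes about signature maintenance not keeping pace.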
Purpose-built AI makes operators more effective; in part, it prevents the human element from getting overwhelmed by intelligently reducing the noise. Jason Kikta, former Hunt Forward Mission Director, U.S. Cyber Command, stated, “Without the evolution and inclusion of AI in our hunt operations, there’s no way our operators can scale the fire hose of data they need to sift through at the tactical edge.”
The good news is that modernized, compact hunt kits, small enough to fit into an airplane’s overhead luggage compartment, can quickly bring the power of enterprise-level AI and self-training ML algorithms to the tactical edge, anywhere in the world. An integrated commercial off-the-shelf (COTS)-based, highly transportable system that provides the compute power and AI/ML tools for attack signal intelligence – combined with other tools, such as an aggregated enterprise threat-management system – enables a hunt team to bring the solution rapidly to the battlespace, gaining results in real time versus months after an incident.
Making AI/ML-based cyber hunt capabilities available at the tactical edge enables the hunt operation to see the “unknown unknown” that less powerful approaches would miss. Providing clarity on those unknowns across the systems enables a response to be orchestrated more quickly to act against the threat. Leading-edge organizations are witnessing the effectiveness of AI-driven attack signal intelligence in their cyber hunt operations and choosing to permanently install these tools in their networks for continual real-time defense.
An example of a transportable system that hosts the highest level of kit capabilities and brings AI/ML threat detection to national security cyber tactical-edge communications is a new hunt kit developed in collaboration between Curtiss-Wright Defense Solutions and Vectra AI. The modular and transportable kit leverages AI/ML algorithms proven in national security enterprise environments and makes them mobile for use in the field. Using these algorithms, which can run on CPU- or GPU-based processors, cyber hunt operations that formerly took weeks to conduct now take less than 10 days after being connected to the network (with 36% of detections happening immediately, using fully trained models). Instead of using a single general-purpose algorithm, this hunt kit features 120+ patented AI algorithms and a combination of pretrained and self-learning ML models.
A better way to deal with polymorphic cyberattacks is to fight AI with AI. It’s now possible to detect the “unknown unknown” and cyberthreats around the world that traditional intrusion detection systems (IDS) and signature capabilities would miss. Hunt teams now have the power to effectively detect and deter cyber adversaries.
Michael Wilson is Federal Advanced Programs Group Manager at Vectra AI.
Dominic Perez is the CTO at Curtiss-Wright Defense Solutions and a Curtiss-Wright Technical Fellow.