
How financial institutions can deter the catastrophic impact of AI cyber threats 


Brett Raybould, EMEA Solutions Architect, Menlo Security 

The finance sector is ripe for the many conceivable applications of AI thanks to the large volume of financial and customer data it handles and manages. It is an industry that therefore stands to make significant economic gains from it. However, the data it holds, and the catastrophic impact of a cyber attack, also make it a prime target for cyber criminals. What is more, attackers are already on the case, using AI in supercharged phishing attacks and finding innovative ways to deliver malware.

To stay ahead of the threat, it’s time to use fire to fight fire.

Financial businesses locked in a cycle with attackers 

Financial businesses have long been locked in an embrace with attackers as they navigate an intricate dance together. They follow a simple cycle: attackers find a weak spot in the financial institution’s systems and begin to exploit it. The defender realises the problem and plugs the hole. So, the attacker moves on to find another attack vector. And they move like this, toe-to-toe, around the battlefield.

Any organisation would rather not have to dance at all of course, but as long as the two sides are evenly matched, this is manageable. Attacks will happen, but smart companies can defend against them. While one side might gain the upper hand for a while, there has been a rough equilibrium over time.

The web browser has become a main target  

Two trends are destabilising this equilibrium. The first has evolved over the last decade or two. It’s the gradual emergence of the browser as a key conduit in enterprise IT.

The browser’s popularity as a business tool has risen sharply along with SaaS applications since around 2010. While on-premises apps that aren’t accessed via the browser won’t go away entirely, they’re typically in the minority these days. Instead, employees access most of their computing resources through a browser window.

Windows are transparent, browsers are not. What happens in the browser is often invisible. Websites use browsers’ JavaScript engines to process data in ways that security teams cannot see. Even legitimate applications often obfuscate their traffic in the browser to avoid performance-hindering security inspections.

Highly evasive adaptive threats threaten web browsers 

As the web browser became the most critical tool for knowledge workers today, a new breed of attacker emerged, one that has learned to weaponize the browser’s ubiquity and opacity to target employees and company networks.

The 2023 Verizon Breach Data Report shows web applications as the top action vector for attack, often through the use of stolen credentials. Email – often accessed via a browser – is the second. Between them, the browser and email account for over 80% of actions leading to security breaches or incidents.

As a result, a broad array of cyber threats has evolved beyond cross-site scripting and man-in-the-middle attacks, using the browser to avoid detection. These browser-based threats are getting worse as attackers use more adaptive techniques designed to evade traditional detection systems like firewalls and anti-virus software.

At Menlo Security, we call these Highly Evasive Adaptive Threat techniques. They are leveraged to compromise browsers, gain initial access to the endpoint, and ultimately deploy threats like ransomware or malware. They are unmatched in their ability to evade detection, making them the perfect vector for attackers.

Here are some of the ways that they subvert traditional security, becoming a risk to financial institutions:

SEO poisoning. SEO poisoning uses black hat SEO to get malicious content to the top of search engines, lulling the user into a false sense of security. Another, MFA bypass, uses reverse proxies to collect multi-factor authentication tokens and hijack victims’ online sessions.

Some highly evasive adaptive attacks are multi-staged. For example, an SEO poisoning attack might use a legitimate domain such as Microsoft 365 to host its malicious content. That makes it difficult for link scanners to detect and block the traffic based on domain reputation alone.

Password-protecting files. Once the user is persuaded to click a malicious link on the site, it might send them a password-protected document containing the malware loader. Many traditional content scanners will allow such documents through to avoid disrupting business workflows.

HTML smuggling. Alternatively, they can use another pernicious evasive adaptive technique called HTML smuggling, which uses obfuscated JavaScript to construct the attack malware on the client side, dodging file scanners.

Avoiding email security. One way that attackers prevent detection by email scanners is to avoid using that channel altogether. Instead of trying to sneak malicious links or files to victims in email messages, they’ll use social media systems, including business-focused ones, to message users and deliver attacks via the browser.
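To make the HTML smuggling point concrete from the defender's side, here is an added example (not from the original article and not Menlo Security's detection logic) of a static check that looks inside a page's inline scripts for the combination the technique relies on: encoded data embedded in the page plus client-side file creation. The indicator list, the 200-character threshold, the verdict names and both sample pages are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic indicators chosen for this example; tune them against your own traffic.
INDICATORS = {
    "decode": re.compile(r"\batob\s*\(|fromCharCode"),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\(|msSaveOrOpenBlob"),
    "download": re.compile(r"\.download\s*=|setAttribute\s*\(\s*['\"]download['\"]"),
    "long_encoded_literal": re.compile(r"[A-Za-z0-9+/=]{200,}"),
}

class ScriptCollector(HTMLParser):
    """Collects the text of inline <script> elements only."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def assess(html):
    """Return (verdict, sorted indicator names) for one HTML document."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    js = "\n".join(collector.scripts)
    hits = {name for name, rx in INDICATORS.items() if rx.search(js)}
    builds_file = "blob" in hits and bool(hits & {"object_url", "download"})
    carries_payload = bool(hits & {"decode", "long_encoded_literal"})
    # flag: a file is assembled in the browser from encoded data embedded in the page.
    # review: client-side file creation alone, which legitimate SaaS exports also do.
    verdict = "flag" if builds_file and carries_payload else "review" if builds_file else "pass"
    return verdict, sorted(hits)

# Constructed samples: an inert script shaped like the technique, and a benign CSV export.
SMUGGLING_LIKE = ('<html><body><script>var d=atob("' + "QUFB" * 100 + '");'
                  'var u=URL.createObjectURL(new Blob([d]));'
                  'var a=document.createElement("a");a.href=u;a.download="invoice.zip";'
                  '</script></body></html>')
CSV_EXPORT = ('<script>var u=URL.createObjectURL(new Blob([rows.join("\\n")]));'
              'link.href=u;link.download="report.csv";</script>')
```

A static check like this misses scripts that are loaded externally or heavily obfuscated, which is why the article's argument for observing behaviour inside the browser still stands.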

Using fire to fight fire  

So, how does the finance sector fight the coming onslaught of AI-powered attacks? AI is a powerful tool for cyber criminals, but it can also be a robust form of defense.

Attackers and the malicious websites that serve their traffic leave behind a digital exhaust that offers deep insights into their real intentions. Everything from the URL that a malicious site is using through to the elements used on a web page and the images it displays offer powerful clues.

Human operators cannot comb through that amount of data, but AI is well suited to analysing large volumes of data at speed and spotting patterns that deviate from the norm.

AI can marry computer vision with web page analysis and URL risk scoring to understand what’s happening in the browser and how it might be trying to dupe a user into downloading malicious content.

AI-based defence systems can use computer vision to ‘see’ images that scammers insert in emails or web pages to trick readers. The data that AI analyses comes in the form of network traffic flowing to and from the browser, but also from within the browser itself. They can apply sophisticated URL risk scoring mechanisms, combining them with an analysis of web page elements. When passed through constantly updated machine learning models, this data can determine the intent of a website in real-time.

Isolation technology can see where conventional tools like secure web gateways and firewalls cannot. It can ensure that all active content is executed in a cloud-based browser, rather than on a user’s end device, ensuring that malicious payloads never have the opportunity to reach the target endpoint. It can then use machine learning to spot the telltale signs of a highly evasive adaptive threat attack and raise the alarm.

As attackers begin to use multiple malicious generative AI tools already available on the dark web, the race is on to expand our defenses and stabilise the balance of power in cybersecurity before it’s too late. Machine learning capabilities in security products will soon become mandatory to spot sophisticated, automated attacks before they happen.

The post How financial institutions can deter the catastrophic impact of AI cyber threats appeared first on Finance Derivative.


