How the Mirai Botnet DNS attack highlights the need for Cognitive Cybersecurity

New Cyberattacks use open source code and combined computing power to outsmart and overwhelm support services running the most popular sites on the internet. With computer chips becoming more powerful, more available, and processing more data, Cybersecurity innovation is moving to the next frontier, Artificial Intelligence.

We are coming into the next evolution of the internet and information age. Over the past five decades, Moore’s Law has held true, and processing power in computers (the number of transistors in a dense integrated circuit) has doubled every two years. This has led us to smaller, more powerful computer chips and brought the size of computer systems from large setups in a basement, to our desktops, and now into our pockets.

Chips that five to ten years ago were powering some of the most advanced computers are now much cheaper and more accessible. Chips are enabling household appliances, body sensors and industrial machinery to connect to a network creating a new system of interrelated computing devices known at the Internet of Things (IoT).

Earlier this month, a complex cyber-attack targeted one of the largest Domain Name Service providers by assembling 100,000 internet-connected devices in a Distributed Denial of Service (DDoS) attack that was twice as powerful as any other similar attack. There are many things that make this attack unique and interesting, however the big question is: what could have been done about it?

Current cyber security defense measures are similar to the flu shot that we get every year: scientists predict the formula that will provide the strongest immunity against the newest age of virus and it is incrementally updated over the years. Computer viruses also behave similarly to flu viruses, adapting to defense measures and finding new ways to infect potential hosts.

Over the past three years, the flu virus has proven to be less effective than previous years. Ironically, a similar trend seems to be happening in cyber security. The formula for flu-shots is created based on statistical analysis based on known strains. However, the newest strains, like H1N1 and H3N2, are made up of proteins that can mutate so that they won’t be detected by the immune system.

Modern cyber attacks now have what are known as “polymorphic” qualities, in which their appearance constantly changes, making it impossible for even the most recent update on your antivirus software to detect.

In the case of the recent attack on the major DNS provider, tens of thousands of interconnected devices were compromised and then banded together in what is known as a “botnet”. These devices then sent large volumes of malicious site traffic to the provider with ever-changing IP addresses, some of which weren’t even properly formatted. This all happened and took place in a matter of seconds. You can read the full summary of the October 21st DDoS Attack here.

The way we defend against these cyber-attacks should have a similar biological evolution, maintaining a strong immune system.

This is where cognitive security comes in, a system which can process large amounts of information, identify potential threats, and leverage the knowledge of today to immediately build a defense and start proactive prevention of further damage. Advanced cognitive algorithms can be applied in both the IoT devices (endpoints) and the network to assist in prevention as well as mitigation.

Starting with the IoT, if the devices can proactively recognize the attack, they may evade being compromised, or at least not so easily. Unfortunately, these IoT devices like your DVR’s and webcams have default logins with no security measures to prevent them from infiltration.

Here are three ways a cognitive endpoint security solution can defend today’s modern cyber threat environment:

  1. Automating log analysis at the device level to alert when a device is taken over
    Many IoT devices run relatively simple and mundane tasks carrying out simple executions, by applying machine learning to understand what normal behavior is, the moment anomalous behavior begins, the device will take action.
  2. Implementing out of band control loops to allow devices to be aware of their own compromise
    There are ways for malicious attacks to mask individual device behavior to make it appear normal to log analysis detection. An out of band control loop is on a separate connection and monitors macro variables. In the case of the recent attack, the devices that were enlisted into the botnet began to bombard the target network with tens of millions of discrete IP addresses until the network could not accommodate actual visitors. This might not have triggered an alert in the log analysis on some devices, where an out of band control loop would have noticed the unusual increase from the network and sent a signal to devices that they might be compromised.
  3. Automate IoT device testing for improved security
    A cognitive solution can run in the background, continuously logging data and learning from the network. The Mirai Botnet, the major culprit in the recent attack, had been deployed in a previous attack to take down a major cyber security blog. In the beginning of October, the source code to deploy a Mirai botnet was released to the public. A cognitive solution could have learned from the first attack or used the available source code to better understand which devices might be more susceptible to a future attack.

graphThese solutions would be akin to neutralizing mosquitoes carrying harmful virus. They would be “the endpoints”.  And although effective if deployed on an entire system of endpoints,It is improbable that all internet connected devices will have some sort of endpoint protection on them, just like every mosquito can’t be expected to be neutralized.

A cognitive network security system can analyze incoming information and identify patterns as fast as the initial attack, giving engineers defending that attack human intelligence at machine scale.

Here are three more detailed ways this might take place:

  1. Automatedly identify the key differentiators between inbound human and bot behavior, allowing for dynamic firewall updates and the immediate mitigation of bad machine’s actions.
    As fast as the attack was deployed, a cognitive security system can run millions of models and parse out certain behaviors and characteristics to then build a dynamic defense to shut the attacks down.
  2. Patch vulnerabilities, as it learns more about the nature of the attack and what weaknesses might be potentially exposed
    Similarly, as an attack begins, a cognitive solution can see what parts of the system are being hit hardest and tap into a neural network to understand why, then either prompting a security expert with instructions or mitigating the attack automatically.
  3. Exposing trends in packet data and log data at the device or network level so humans can know before a botnet is activated
    When a cognitive security solution is deployed it looks back and analyzes past data to identify patterns and build models to define normal system behavior. As it continues to monitor a system, it will continue to refine and build new models while also identifying abnormal behaviors and guiding security experts through malicious behavior education.

This graphic represents a simulation of the attack that took place, early reports suggested that traffic increased heavily at 7AM but were quickly mitigated only to be followed by an even stronger attack a couple of hours later which took about two hours to rectify and then later a third attack in which was resolved with knowledge gained from the previous attack. The blue line below suggests that with the help of a cognitive solution, engineers and experts would have been able to respond and react faster as well as better leverage the knowledge gained from previous attacks.

A large-scale attack may prompt irrational responses; one idea was product recalls for vulnerable devices but it is hard to imagine every potentially faulty IoT device being recalled or eliminated. Another discussion was around rebuilding the internet from the foundation to be safer and tuned to the new variety of devices, however can anyone really imagine this happening? The obvious solution is to do what we have done in the past: learn, adapt, and create new ways to solve new problems.

What made this cyberattack so effective and so powerful was not the quality of the hardware but the quantity of hardware used for the attack. Businesses and consumers have more practical use cases for multiple devices with different purposes on a network, but more devices doesn’t have to make the system more vulnerable. This is where the supercomputers with fast processors which can manage and control these devices, will be applied. Running on these computers will need to be a system smart enough that, like the viruses attacking them, are able to evolve and adapt with new variables and like our bodies are able respond and learn from collective experience to defend against them.

If you are interested in learning more about cognitive security solutions, check out SparkCognition’s webinar on how Artificial Intelligence is your new best friend