CrowdStrike Advances Use of AI to Predict Adversarial Attack Patterns


  • CrowdStrike has announced a new AI-powered indicator of attack (IOA) model designed to counter advanced adversary tradecraft, available later this year.
  • AI-powered IOAs use machine intelligence to stop breaches and to detect and predict malicious behavioral patterns in real time, regardless of the tools or malware used.

Since its founding in 2011, CrowdStrike has pioneered the use of artificial intelligence (AI) and machine learning (ML) in cybersecurity to solve our customers’ most pressing challenges. Our AI applications fit into three practical categories:

  • Use AI to identify adversary behavior and threat patterns to counter increasingly sophisticated attacks
  • Solve hyperscale data challenges by analyzing intelligence and threat telemetry at speed and scale
  • Use AI to automate repetitive security tasks and unlock machine-speed intelligence for automated detection and response, closing the cybersecurity skills gap

Among the areas CrowdStrike has pioneered is the industry’s first AI-powered Indicator of Attack (IOA). A concept first introduced by CrowdStrike, an IOA is a series of observed events that indicate an active attempt to compromise a system (code execution, persistence, lateral movement, etc.). By examining these events and processes across the entire attack surface, IOAs help organizations break down silos between tools and, by observing the environment as a whole, better anticipate and prevent signs of suspicious activity and uncover adversary tactics.

Last year we enhanced the IOA generation process with AI-powered IOAs, applying AI to the generation of new attack indicators and further extending defense-in-depth across the sensor and the cloud (alongside ML-powered malware classification and existing IOCs and IOAs). Applying cloud-native machine intelligence to the IOA generation process lets us detect new behavioral patterns faster while dramatically improving the accuracy of the model. We leverage deep learning with convolutional neural networks (an architecture inspired by the structure of the visual cortex in animals) to discover and predict new adversarial patterns.

At launch we released the first two models: one targets malicious post-exploitation payloads and the other detects malicious PowerShell scripts. Today we are happy to share that we are extending the AI-powered IOA capabilities across all clouds. These protections will be available to CrowdStrike customers around the world later this year.

Expanding the Arsenal: New Attack Indicators Powered by AI

Adversaries are continually evolving their tactics by creating new scripts, hijacking legitimate tools, and discovering new ways to evade detection. According to the CrowdStrike 2023 Global Threat Report, 71% of attacks today do not contain malware, and 80% of attacks use stolen or compromised credentials.

Adversaries are finding new ways to gain initial access and achieve lateral movement, and they are moving faster than ever, with an average breakout time of 84 minutes. Leveraging these new classes of AI, the AI-powered IOAs expand coverage across many of these new attack vectors, giving security teams the speed and precision they need to stop today’s adversaries. New innovations include:

Innovation: Multiprocess Atomic Behavior Analysis on Windows

Atomic behaviors are operations performed by a process that are not, on their own, malicious enough to warrant a detection, but that could indicate adversary activity. For example, taking a screenshot can be malicious, but it can also be harmless. Falcon uses indicators of attack, compromise, and behavior sent to the cloud to initiate CrowdScore incidents, and uses specific combinations of atomic behaviors to support detections. However, many atomic behaviors are neither stored in the cloud nor covered by existing detections. This data provides a wealth of information for machine learning.

Attackers often use multiple tools, file formats, and processes to orchestrate their attacks across a target environment. Observing the activity of a single tool or a single process may not provide enough context to confidently determine whether it is benign or malicious. By examining atomic behaviors across multiple processes, this model takes advantage of the rich context gathered by the platform for more reliable detection.

Customer Impact and Benefits: Enhanced proactive detection and prevention against all types of threats.

Innovation: Malicious Command Line and LOLBin Detection

Adversaries are increasingly leveraging living-off-the-land binaries (LOLBins), hijacking a target system’s native, legitimate tools to carry out an attack. These methods let attackers evade traditional security tools that rely on known malware signatures and remain in the victim’s environment for an extended period of time. This new model targets LOLBins and more effectively detects suspicious activity by inspecting anomalous command-line executions and analyzing the combined sequence of child, parent, and grandparent processes.
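To make the two ideas above concrete, the multiprocess atomic behavior analysis and the parent/grandparent lineage used for LOLBin detection, here is an added illustration written for this page. It is not CrowdStrike's code and does not reflect how the Falcon models actually work: the process events, the behavior weights, the LOLBin and office-application lists, and the lineage rules are all constructed for the example. The point it demonstrates is that a benign-looking per-process signal (one screenshot, one outbound connection, one hidden-window flag) stays below threshold on its own, while the same signals combined across a child, parent and grandparent chain cross it.

```python
"""Added example (not CrowdStrike code): score a process chain by combining
per-process "atomic" behaviors with parent/grandparent lineage and command-line
features. All weights, rule lists and telemetry below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str                  # executable basename, lower-case
    cmdline: str
    behaviors: FrozenSet[str]   # atomic behaviors observed for this process


# Hypothetical weights: each behavior is only weak evidence by itself.
BEHAVIOR_WEIGHTS = {"screenshot": 1, "net_connect": 1, "file_write": 0,
                    "registry_run_key": 2, "cred_access": 3}

# Illustrative subsets of living-off-the-land binaries and document apps.
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
ENCODED_FLAGS = {"-enc", "-encodedcommand", "-e", "-ec"}


def index_events(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def local_score(e: ProcEvent) -> Tuple[int, List[str]]:
    """Score one process on its own: atomic behaviors plus command-line features."""
    score, reasons = 0, []
    for b in sorted(e.behaviors):
        w = BEHAVIOR_WEIGHTS.get(b, 0)
        if w:
            score += w
            reasons.append(f"behavior:{b}")
    if e.image in LOLBINS:  # command-line features only matter for LOLBins
        tokens = {t.lower() for t in e.cmdline.split()}
        if tokens & ENCODED_FLAGS:
            score += 2
            reasons.append("cmdline:encoded")
        if "hidden" in tokens:
            score += 1
            reasons.append("cmdline:hidden-window")
        if len(e.cmdline) > 200:
            score += 1
            reasons.append("cmdline:unusually-long")
    return score, reasons


def lineage(pid: int, procs: Dict[int, ProcEvent], depth: int = 3) -> List[Optional[ProcEvent]]:
    """Return [child, parent, grandparent]; None where an ancestor is not in telemetry."""
    chain, cur = [], procs.get(pid)
    for _ in range(depth):
        chain.append(cur)
        cur = procs.get(cur.ppid) if cur is not None else None
    return chain


def lineage_bonus(chain: List[Optional[ProcEvent]]) -> Tuple[int, List[str]]:
    """Score the (grandparent, parent, child) relationship itself."""
    child, parent, grandparent = chain
    if child is None or child.image not in LOLBINS:
        return 0, []
    score, reasons = 0, []
    ancestors = [p for p in (parent, grandparent) if p is not None]
    if any(p.image in OFFICE_APPS for p in ancestors):
        score += 3
        reasons.append("lineage:office-spawned-lolbin")
    if parent is not None and parent.image in LOLBINS:
        score += 1
        reasons.append("lineage:lolbin-chain")
    return score, reasons


def chain_score(pid: int, procs: Dict[int, ProcEvent]) -> Tuple[int, List[str]]:
    """Combine the chain's own lineage bonus with the local scores of all three processes."""
    chain = lineage(pid, procs)
    total, reasons = lineage_bonus(chain)
    for e in chain:
        if e is None:
            continue
        s, r = local_score(e)
        total += s
        reasons.extend(f"pid{e.pid}:{x}" for x in r)
    return total, reasons


def detect(events: List[ProcEvent], threshold: int = 6) -> List[Tuple[int, int, List[str]]]:
    procs = index_events(events)
    hits = []
    for pid in sorted(procs):
        s, r = chain_score(pid, procs)
        if s >= threshold:
            hits.append((pid, s, r))
    return hits


# Constructed telemetry: a benign document, a benign screenshot tool, an
# interactive admin shell, and a document that spawns a hidden shell chain.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "explorer.exe", "explorer.exe", frozenset()),
    ProcEvent(10, 1, "winword.exe", "winword.exe /n report.docx", frozenset({"file_write"})),
    ProcEvent(30, 1, "snippingtool.exe", "snippingtool.exe", frozenset({"screenshot"})),
    ProcEvent(40, 1, "powershell.exe", "powershell.exe", frozenset({"net_connect"})),
    ProcEvent(20, 1, "winword.exe", "winword.exe /n invoice.docx", frozenset({"file_write"})),
    ProcEvent(21, 20, "cmd.exe", "cmd.exe /c update.bat", frozenset({"registry_run_key"})),
    ProcEvent(22, 21, "powershell.exe",
              "powershell.exe -NoProfile -WindowStyle hidden -File update.ps1",
              frozenset({"net_connect"})),
]

if __name__ == "__main__":
    for pid, score, reasons in detect(SAMPLE_EVENTS):
        print(pid, score, reasons)
```

No single process in the sample scores above 2 on its own, so a per-process rule at the same threshold would stay silent; the chain winword.exe → cmd.exe → powershell.exe reaches 8 because the lineage bonus and the atomic behaviors of all three processes are summed. The interactive powershell.exe under explorer.exe scores 1, which is the kind of benign LOLBin use a lineage-aware model is meant to leave alone.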

Customer Impact and Benefits: Accelerates detection and response time for fileless attacks leveraging malicious command lines and LOLBins.

Innovation: IOA Coverage Against Malicious Linux Scripts Powered by AI

Linux is one of the leading operating systems for many business-critical applications. As Linux adoption and Linux-targeting malware continue to grow, this AI-powered IOA enables Falcon to detect malicious scripts in several forms: shell scripts (Bash), JavaScript, Python, and Perl, for more comprehensive coverage across major operating systems. This model also detects malicious Python and batch scripts in Windows environments.

Customer Impact and Benefits: New visibility and proactive response to malicious scripts on Windows and Linux-based endpoints.

Innovation: Detecting Malicious Windows Multiscript Content

Attackers frequently modify or obfuscate scripts to avoid detection. This model targets high-frequency adversary tactics, techniques, and procedures in the PowerShell, JavaScript, VBScript, and VBA script types supported by Windows ScriptControl, including debugger registry changes, and provides resilience against obfuscation techniques.

Customer Impact and Benefits: New visibility and proactive response to commonly used Windows-specific script types.

Innovation: Detecting Fileless .NET Assemblies

As the .NET framework grows in popularity with developers, we are launching the first machine learning model dedicated to predicting adversary activity in in-memory .NET assemblies. In-memory .NET assemblies are attractive to attackers because they are difficult to detect with traditional antivirus solutions that primarily monitor file-based activity. This model helps detect some of the common techniques used in these attacks, such as using reflective DLL injection to load .NET assemblies directly into memory, or hiding the artifacts left by the activity using NTFS file attributes.

Customer Impact and Benefits: AI-powered proactive response to malicious fileless attacks using .NET.

Conclusion

Machine learning and AI are powerful tools for detecting emerging patterns in data and performing detailed behavioral analysis to understand adversary intent and objectives. CrowdStrike will continue to leverage the collective power of AI and the cloud to strengthen defenses, subvert adversaries’ tactics, and help customers stay ahead of adversaries and stop breaches.
