Attackers rely on automation - and you can use it against them

With the boom of generative AI tools, threat actors have even more capacity to automate their operations and attack more organisations with greater efficiency. One Forbes headline warns that AI is unleashing a ‘new era of menacing threats’; and we know that cybercriminals can utilise AI to analyse vast volumes of information in order to identify vulnerable and high-value targets.

But at Black Hat MEA 2022, Richard Rushing (CISO at Motorola Mobility) pointed out that the increasing use of automation by criminal groups can also become a vulnerability for the attackers themselves.

They rely on automation. And you can use it against them.

Attack automation has a weak spot

Threat actors use a lot of automation to build software, and they’re almost always attacking a number of different organisations at the same time.

Multiple campaigns run side-by-side, using the same software. The attacker’s job, Rushing said, is to make their attacks look different – so if one organisation detects an attack, the other 20 companies the attacker is already targeting don’t gain information that tells them they’re at risk too.

To create those apparent differences between attacks, threat actors change certain elements of the software. And cybersecurity professionals need to understand how to identify the same attack when it’s presented differently.

“So,” Rushing said, “you look at things in the malware world and say well, what doesn’t change? Well, the file name changes, the hash name changes. The file size usually doesn’t.”

That means if you look for common file sizes, you can identify the same attack being deployed under a different disguise.

“Same thing with registry changes. I can’t do my persistence mechanisms in the malware, and change it multiple times for every kind of thing I’m deploying. I’m going to do the same thing — because it works.”

You might, for example, notice that one attack happens in the exact same time cycle as another attack; or at the exact same time of day. And that’s a strong indicator that it’s the same attack – even if file and hash names are different.

Focus on common behaviours

In criminology, the study of criminal behaviour allows criminologists to identify behaviour patterns that are common among offenders. These behaviours are then used to develop criminal profiles – which have been found to help law enforcement agencies identify offenders and prevent crimes before they happen.

Obviously, criminal profiling has its limitations and risks, which we won’t get into here. But a similar behavioural approach can be applied to malware and cyberattacks – using behaviour as the identifying feature that reveals an intended crime.

“There are all these different ways you can leverage to discover malware just by its known behaviours,” Rushing added. And if you can identify common behaviours, you can get around misleading details and discover attacks that are being automated for deployment against multiple victims at the same time.

“You already have those controls – you just have to adjust the logic slightly.”

And when you do that, an attacker can change the IOPS all day long – but you’ll still be able to track their behaviour.