Artificially Intelligent Malware: not as Futuristic as you Might Think
Martyn Booth, Chief Information Security Officer, Euromoney Institutional Investor PLC
Not very far. We are yet to see a major concerted attack using AI as its foundation. However, recent signs in the cyber industry suggest that this is a cause for concern that needs serious consideration. It may not be easy to keep confining it to the realm of science fiction novels for much longer.
IBM recently created and released ‘DeepLocker’ to test how AI-powered malware could impact current anti-virus solutions. Their model, which hides a malicious payload inside regular, everyday applications and uses intelligent ‘release triggers’, successfully fooled current anti-malware software. This enabled the test strain of malware to remain hidden on the network.
Perhaps the most worrying thing about DeepLocker is that it could sit on an infected machine for a long period of time and stay hidden, leaving the managing organisation with very limited ability to locate and destroy it. This kind of ‘wrapping’ has been seen in many of the most prevalent pieces of malware recently. Criminal enterprises can wrap up the requested malware and sell it as a ready-made service. Sentiment in the industry seems to be that the support arrangements of these criminal enterprises are significantly better than those that people in the industry receive from some of their own suppliers.
So, can we expect this method of attack to be weaponised soon? Malwarebytes have named AI-powered virus infections among their expected active threats in 2019, and that unfortunately means it is highly likely that advanced prototypes already exist.
It’s very possible that some have already been deployed in earnest. If one considers the requirements for getting advanced malware into a readily deployable form, we can see how soon this is likely to become a reality:
• Cost: The development cost needs to be outweighed by the potential gain. While less advanced malware is still bringing rewards to the criminal enterprises that created it, more advanced attacks are unnecessary. However, many of the most prevalent pieces of malware are starting to lose their ability to generate significant returns. The ease with which they are created means that they continue to be used, but criminals are already starting to move on to new trends (such as skimming) to increase their returns. When the return on investment of these pieces of malware falls beneath a certain level, their evolution is inevitable. It stands to reason that artificial intelligence would be that evolution.
• Skillset: Do advanced artificial intelligence skills exist, and do criminals have access to them? Perhaps not at the moment, but where there is revenue there will be skilled resources that are happy to benefit from it, a fact that is supported by the current state of market economics.
• Launch capabilities: Criminals have shown that they have the ability to provide robust mechanisms to deploy malware effectively. Doing so with artificially intelligent malware would be no different.
The level of intelligence exhibited by this malware isn’t something from ‘2001: A Space Odyssey’; it is a basic level that has the ability to detect security controls designed to stop it and take appropriate action to circumvent those controls, or to stay hidden from them. IBM has proven that this is possible, and it seems it is only a matter of time before we see major attacks that utilise AI.
So, what can be done about this situation? Information security has been plagued by responding to threats reactively, well after the risk has materialised. The pattern: a new threat is located, the threat is developed, the threat is exploited successfully across a number of organisations, a response is prepared by the information security community, and the cycle repeats. For once, it would be nice if information security approached this threat proactively. There are many anti-malware solutions that utilise artificial intelligence to defend against threats, rather than the traditional (and rapidly becoming outdated) model of comparing threats to previously identified signatures. Deploying those tools alongside traditional anti-malware solutions to begin with would provide additional protection against current threats and the threat posed by AI.
All information security professionals are busy, but all of us need to dedicate time to planning for future threats as well as firefighting the current ones. If that isn’t possible, it is our duty to speak to our company boards about the threats we face, the risks that the business is exposed to and how comfortable they are with accepting them. If they’re not, then it is up to all of us to make the investment case for the resources and tools that we will need in the near future.