Despite all of the money, time and effort spent over the last few decades, we’ve been chasing the attacker… waiting for a ‘patient zero’ to emerge in the wild before any response to a new campaign can begin. But we are now living in a new era, where artificial intelligence (AI) can truly predict attacks by weeks, months, or even years ahead of a campaign. We call this the Cylance Predictive Advantage (CPA) that AI gives the defender over the attacker.
Measured in days, CPA is a metric for a new era of predictive prevention being ushered in by data science, and it will forevermore be the measurement of the true impact AI has on disrupting malware economies and nation-state efforts to evolve malware. Time… the ultimate battlespace advantage, is finally on the side of the defender.
Introducing the Cylance Predictive Advantage
A year ago, before the Vault 7 dump, and before the first version of the WannaCry ransomware was even conceived, let alone compiled, who would have predicted that a worming ransomware campaign leveraging an NSA-grade propagation tool would make headlines and affect a quarter million hosts over a single weekend?
Who would have predicted a kill-switch component that ended up being the Achilles heel for the first wave of the attack? Who could have known that the obtuse kill-switch domain was going to be: “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com”?
Who could have predicted a 22-year-old researcher would register and sinkhole this domain to help stave off the initial wave of this attack? Who could have predicted that a worm (which we haven’t seen the likes of in nearly a decade) would have taken out hospital systems, two airlines, railway systems, two automobile manufactures, shipping companies, power companies, police departments, ATMs, and even laundromat machines around the world, infecting 300,000 machines, all in just one weekend?
Who could have predicted that Microsoft would respond by releasing emergency patches for even unsupported operating systems over 15 years old?
And yet, for all that damage and for the living hell inflicted on those affected, the malware authors are estimated to have only netted $60,000, as of 8pm CST on Monday, May 15. All that damage, and only 233 bitcoin (BTC) transactions to show for it, for an average of $260/payment.
Predicting the Measure Of Success
Who would predict that earning the equivalent of one single person’s average yearly salary would be worth it to the WannaCry attackers, for causing global mayhem? The answer: probably no-one… not even the malware author… could have predicted this result. After all, their campaign failed; less than one in 1000 infected devices resulted in a ransom payment.
You see the thing is, humans are particularly weak at prediction. I’ve been known to predict things about ransomware that have since come true, and other things about it that (hopefully) never will. One very human trait we all share is that we all fear the unknown, yet our predictions that are meant to help us protect us from that unknown are very often wrong.
We humans rely on gut instinct, wisdom, experience, and sometimes dodgy inferences that may or may not hold material weight. We also suffer from a vision of the future that is distorted by our own past fears, hopes and desires – and yet we rely on this distorted vision in the hopes of being able to plan and protect ourselves in future, to better our chances of survival.
The Human Element in Cybersecurity
Our human traits also strongly affect how we think about cybersecurity. For instance, when it comes to predicting malware campaigns, we, as a collective human race hoping to do battle against an ever-evolving, economically-motivated threat, are only so good at predicting what future malware attacks might look like.
Even when analyzing malware, we maybe collectively learn how to look at a few thousand features we’re willing to ascribe to malware. We might poke at it for interactive behavioral analysis, reverse the code, or look at some static properties (strings, headers, hashes, etc). Malware analysts do this endlessly, day after day. But the reality is that we aren’t yet good enough to turn those analyses into predictions about future malware with enough confidence to create future signatures to protect us. Our human brains are simply inadequate when it comes to processing the vast amounts of data required to properly prevent future attacks.
For all the indicators of compromise (IOCs) we collect; for all the signatures, heuristics, reputation-based intelligence, attribution, hunting and hard work we do, we still are unable to get far ahead enough on the threat landscape to know what is coming, let alone stop it before it hits us.
Yet, the enemy… that nebulous collective of threat actors that plagues our lives and is becoming increasingly more criminally/financially motivated, is startlingly adept at predicting and undermining our defenses, getting ahead of us at nearly every turn.
Battling WannaCry, QakBot, and Beyond
Just looking at this second wave of Qakbot, we see that a full twenty percent of the code is dedicated to bypassing specific legacy antivirus (AV) defenses – defenses based on largely human-created signatures. And then there is WannaCry’s author, who knew going in that millions of systems wouldn’t be patched for the SMB vulnerability used for the ransomware’s propagation.
And when we look at the hundreds of ways the bad guys are using PowerShell to move laterally… knowing full well that this often-whitelisted tool will be present before they even gain an initial foothold… we know that it’s much easier to attack known defenses than to create brand new types of attacks.
To put it simply: malware authors have had an anvantage over us. We have been playing catch-up for decades.
That’s where artificial intelligence, or AI, comes into play.
We are in the middle of the fourth Industrial Revolution, from which has sprung forth a niche range of technologies such as predictive AI, the Internet of Things (IoT), and machine learning (ML). As Amazon’s CEO Jeff Bezos said recently, "It is a renaissance, a golden age."
Beginning in 2016, predictive AI has been exponentially beating humans at their own games. For the first time in Facebook’s history, its AI was able to predict and prevent the posting of offensive images to Facebook with better efficacy and speed than the rest of Facebook’s billions of users combined, via their legacy crowd-policing method.
For the first time ever last year, one of the world’s best fighter pilots, USAF Ret. Colonel Gene Lee, was summarily defeated in a virtual dogfight by an AI called Alpha that processes opponent moves hundreds of times faster than a human can blink… a predictive AI that runs on hardware equivalent to a $500 laptop.
Netflix’s predictive AI is now so effective that now you don’t even have to use a five-star rating system for it to know what you’ll want to watch for years to come… all based on a predictive self-learning AI that absorbs your movie and television tastes and extrapolates new viewing suggestions in ways you’ll never even comprehend yourself.
Then there’s Cylance, who now, after several years of analyzing billions of both good and malicious files, uses a combination of machine learning and predictive AI to predict and block malware weeks, months, and even years before it is first discovered, and before that first ‘patient zero’ gets infected. This sounds like something out of a science fiction story, and while the effects are indeed magical, it is not magic.
How Cylance Uses Predictive AI to Block Future Malware
Here at Cylance, we have crunched over a billion files to date. We look at millions of features of each of those files, and we spin up over 40,000 cores in Amazon web services (AWS). The model we have created is massive, complex and advanced. And by harnessing the power of algorithmic science, we were further able to shrink that model down to a local model that can run on a typical laptop CPU and make autonomous, pre-execution decisions in under 50ms. Magical, indeed.
But the true impact of what predictive AI has achieved, is by handing us the Cylance Predictive Advantage. This is quite literally the battlespace time advantage that we have teased out of the bad guys, and handed over to the defenders.
CPA is a measurement of how far in advance our AI is able to predict malware and autonomously prevent it from executing, and it does so using a local model that doesn’t require any of the overhead associated with cloud lookups, authentication, transport security, and network lag.
More than anything, CPA is a new metric for the security industry going forward.
What the CPA gives us, is the ability to measure that AI’s predictive capability in days. And it is that advantage that will ultimately restore the equilibrium on the battlefield and put time on the side of the defenders.
In fact, at some point in the very near future, all anti-malware solutions will need to leverage AI just to keep pace with the ever-changing and adapting threat landscape, just to have even a semblance of relevance and protection for its customers.
How is the CPA calculated?
Strictly speaking, the CPA metric is a measurement of the amount of time in days ahead of the first industry report that exposes a new campaign (or a significant variant of a campaign), by which Cylance’s AI successfully predicted and would have prevented that threat, using an offline local prediction algorithm.
The way this is calculated is by running the portable executables (PEs) for those hashes found in the original industry reports, against a predictive math model that pre-dates the original report by X days (those X days = the CPA).
A quick example would be last year’s worming ransomware Zcryptor, discovered in May 2016. This was an effective campaign that blew past Microsoft’s EMET defenses and wormed via removable media. If we take malware samples from May of 2016 and run them against a Cylance predictive/prevention model from October of 2015, we see that CylancePROTECT® successfully predicted and prevented any execution of those samples a full six months before any patient zeros were found in the wild.
In fact, given the quick-fuse nature of most ransomware campaigns, there is a good chance that our model predicted the Zcryptor campaign before the first malicious binary was ever compiled. Before the cybercriminals set up the crypto-system, the payment details of the campaign, the C2 infrastructure and before anything else was readied, our model was fully able to predict and prevent that campaign’s malware.
Figure 1: This graphic depicts the CPA against several well-known malware campaigns, shown in months. Note that these metrics are using completely offline (aka "local only") AI models that fully prevented these threats from executing.
Preventing Patient Zero
This isn’t us tooting our own horn for the sake of bragging rights. The reason that all this matters in the real world is that there doesn’t need to be a sacrificial lamb in order for our AI-based technology to protect against malware. It simply goes ahead and prevents it before anyone has to take the fall and react to/remediate the brutal damage malware can wreak on an organization.
This has played out recently in both a recent Qakbot resurgence, as well as preventing the recent WannaCry malware from running. It also plays out in the context of Incident Response (IR). Cylance’s Consulting arm does hundreds of IRs and Compromise Assessments per year, and one of the key weapons we have in our arsenal is the ability to detect tomorrow’s malware, today.
This means when we walk into a newly-compromised victim environment, our predictive AI is able to light up malware that won’t even have a name for another 18 months. Those customers we work with as consultants know that no stone will be left unturned - not even the stones that the rest of the human race won’t be able to identify for months or even years down the road.
Alternatively, those organizations still relying on signature-based, legacy AV, will continue to be in the dark for another year and half before those legacy methods of detection catch up to the malware campaign and let them know they have been breached. And all because there are no human-knowable IOCs, TTPs, signatures, heuristics, reputation, or other type of threat intelligence that can detect that specific malware.
More importantly, they will miss those high-quality, high-confidence pivot points from which to draw out the context and root cause of an attack. They won’t even know what they don’t know, which will invariably cause them to under-state the operational security risk in their environment.
Quantifying the Most Precious of All Resources: Time
This is how we articulate and measure the Cylance Predictive Advantage, and it is a metric that, in a few short years, will be ubiquitous across all predictive AI use cases, for it truly measures the rarest of all battlefield resources: time.
Ultimately, WannaCry never stood a chance. We were there protecting our customers before the enemy got there - back in 2015, to be precise. Time was on our clients’ side. You might even say that a year ago Cylance travelled into the future and made the autonomous decision to prevent the execution of this ransomware campaign.
In short, predictive AI gives us an advantage we’d never gain on our own without the math and data science that allows for it. It is a humbling realization for us all to make.