Bad actors are becoming more successful at evading AI/ML technologies

Deep Instinct Threat Research team extensively monitored attack volumes and types and then extrapolated their findings to predict where the future of cybersecurity is heading, determine what motivates attackers, and most importantly, lays out the steps organizations can take now in order to protect themselves in the future.

One of the most pronounced takeaways from this research on 2021 threat trends is that bad actors are becoming more successful at evading AI/ML technologies, prompting organizations to redouble efforts in the innovation race.

Specific attack vectors have grown substantially, including a 170% rise in the use of Office droppers along with a 125% uptick in all threat types combined. The volume of all malware types is substantially higher versus pre-pandemic.

In addition, threat actors have made a discernable shift away from older programming languages, such as C and C++, in favor of newer languages, such as Python and Go. Not only are these newer languages easier to learn and to program versus their predecessors, but they also have been less commonly used and are therefore less likely to be detected by cybersecurity tools or analyzed by security researchers.

“Recent major events, such as Log4j and Microsoft Exchange server attacks, have placed a heightened priority on security, but these threats have long deserved the attention they’re just now getting on a global level,” said Guy Caspi, CEO of Deep Instinct. “The results of this research shed light on the wide-ranging security challenges that organizations face on a daily basis.”

Other attack volumes and types

• Supply chain attacks: Large service offering companies became targets of significant supply chain attacks this past year with threat actors looking to not only gain access to their environments, but also target the environments of their customers by proxy. The most notable supply chain attack, Kaseya, compromised more than 1,500 companies through one unpatched zero-day vulnerability.
• The shift to high-impact and high-profile attacks vs. stealth and long dwell-time attacks: In 2021, there was a transition to high-profile attacks with a massive impact. The most significant incident in 2021 was the Colonial Pipeline breach, which halted operations for six days, causing major disruptions across the U.S. and demonstrated the significant and cascading impact of a well-executed malware attack.
• Public and private sector collaborations become more common: As predicted, there was greater partnership amongst international task forces this past year to identify and bring to justice key threat actors around the world. In early 2021, an international taskforce coordinated by Europol and Eurojust seized Emotet infrastructure and arrested some of its operators. Other high-profile threat actors such as Glupteba became the target of private companies that joined forces to interrupt their activity as much as possible.
• The immediate impact of zero-day: In 2021, there were major vulnerabilities being exploited and used within a single day of disclosing the vulnerability. One of the examples was the HAFNIUM Group, which surfaced shortly after Microsoft revealed multiple zero-day vulnerabilities.
• Cloud as a gateway for attackers: The transition to remote work has prompted many organizations to enable most of their services in the cloud rather than on premises. For those that are not experienced working with cloud services, there is the risk that misconfigurations or vulnerable, out-of-date components with external API access could be exploited.

While the increase in the highest profile threat, ransomware, has not continued to increase at the exponential rates initially seen during the outbreak of COVID-19 in spring 2020, a 15.8 percent growth of these threats was still recorded in 2021. Last year proved to both CISOs and cyberattackers that work-from-anywhere and hybrid models would likely become a permanent fixture. CISOs will need to carefully review, monitor, and update security considerations to ensure full coverage and protection.

A ransomware attack can affect any organization, regardless of size, industry, or location. As more and more security vendors use machine learning (ML) and artificial intelligence (AI) in their products and take actions to improve their existing defense mechanisms, bad actors will also continue to hone and improve efforts to evade and fool both traditional and AI-based defenses.

Defense evasion and privilege escalation are becoming more prevalent and we expect to see a continuation of EPP/EDR evasion techniques in 2022. Bad actors are clearly investing in anti-AI and adversarial attack techniques and integrating these methods into their larger evasion strategy.