AI fights back part 1: Halt, Quo Vadis? (Who Goes There?)

In a world where hackers relentlessly prey on healthcare providers, and cryptocurrency becomes synonymous with ransom, AI rises to the challenge to help ransomware victims fight back.

Roman soldier of a Scholae Palatinae unit in parade dress, end of 4th – early 5th century AD. Artwork by Alexander Yezhov. Source: Pinterest

Ever since computer viruses started appearing in the mid-80s (Brain, MS-DOS, 1986), anti-virus protection has been a reactive exercise in which we examine the virus after an attack, then create new anti-virus definitions to prevent the same virus from attacking again. This is a vicious, never-ending cycle that is evolving in direct proportion to our growing and inevitable reliance on computers, in virtually every aspect of our lives, professional and personal. If you remember playing Battleship when you were a kid, this process is not that different: hackers probe for vulnerabilities until they get a hit, then concentrate their firepower on the newly discovered vulnerabilities.

Details of this photograph include (1) it is the hex dump of the boot sector of a floppy (A:) containing the first ever PC virus, Brain, (2) PC Tools Deluxe 4.22, a file manager and low-level editor, was being used (3) the PC was an 8088 running at 8 MHz and had 640 Kb of RAM (4) the graphics card was a CGA (4 colours at 320×200). Source: Wikipedia

Vector version of the MS-DOS logo, used as an icon in older versions of Microsoft Windows. Source: Wikipedia

Malware and ransomware play a perpetual game of cat and mouse with their victims. As targets learn to better protect themselves, and cybersecurity companies like CrowdStrike, Deep Instinct, and others continuously improve their detection capabilities, those with nefarious motives also learn from their aborted attempts and develop alternate, increasingly ingenious ways to circumvent anti-malware detection. Some succeed, and in turn, extort millions of dollars in Bitcoin, while others get thwarted, but continue to operate with impunity.

Healthcare Cybersecurity Challenges

Healthcare is an irresistible, target-rich sector for hackers and people with nefarious intent. Hospitals and healthcare systems constitute treasure troves of sensitive and broad clinical and financial patient data. Medical services are also mission critical, making hospitals particularly vulnerable to attacks. Healthcare service providers cannot afford to operate without their IT resources for very long, leading to nightmare episodes such as the ransomware attack on Scripps Health in San Diego. While unconfirmed, it’s quite possible that Scripps regained access to their own data after paying a ransom. It took in excess of 30 days for Scripps’ IT operations to resume with a semblance of normalcy. Over 100,000 patient records were lost during that timeframe, resulting in a class-action lawsuit by patients suing Scripps for failure to protect private health data. The operational, clinical, and financial toll such an attack can take on a healthcare system is immeasurable, and could in some cases prove to be a fatal blow to a provider’s reputation and bottom line.

AI-Based Security Solutions Are The Future

Paradoxically, the antidote to computer viruses and ransomware is none other than Artificial Intelligence (AI) and Machine Learning (ML), which are themselves products of computer science. Early anti-virus software bears little resemblance to today’s fast-evolving anti-ransomware solutions that leverage AI to quickly detect and share anomalies across vast interconnected global networks. However, we are still looking at a system that is essentially reactive, only on a much more efficient and massive scale. Acceptto CEO and founder Shahrokh Shahidzadeh, a 25-year Intel Corp veteran and cybersecurity expert, notes that for six decades we have treated authentication as a binary event, with a start and an end. Clearly a revolution in how we think about, and approach, cybersecurity is in order.

Fundamentally, we have to first admit that no matter how many barriers we place in front of bad actors, their determination and ingenuity will ultimately prevail and they will get in. Our reliance on multi-factor authentication (MFA) and antiquated password access can give us a false sense of security that has proven to be misguided at best.

Let The Hackers In: Tag Suspicious User Behavior vs. Login Events

So what is revolutionary thinking in this context? In one simple phrase: “let them in.” This approach is almost whimsically brilliant, yet counter-intuitive. It accepts that determined bad actors will ultimately get in, so let’s systematically learn from legitimate user patterns, build a behavioral model documenting the user’s typical digital footprint and behavior, then contrast the bad actor’s behavior against known, normal user patterns. As individuals and professionals, the perimeter of our digital persona and footprint is in constant flux. Legitimate users leave discrete digital fingerprints and manifest behavior that can be logged and noted as normal by the organization’s IT. Activity can then be continuously monitored for any deviation from this “normal” behavior.

It’s far easier to distinguish normal from abnormal behavior than it is to distinguish a legitimate user from a nefarious one who is accessing a system illegitimately with legitimate credentials.

IT solutions generate scores of activity logs that are specific to the industry they serve. In the healthcare imaging sector, for example, DICOM and HL7 handlers log every image transmitted from one IP address to another. These logs are treasure troves that can be used to document the bell-curve (normal-distribution) behavior between these systems. Kafka topics provide a channel through which such industry-standard logs can be shared among multiple security monitoring systems, analyzed, categorized and accumulated into a digital persona. This is true whether we are analyzing the behavior of a human or that of a device. For an in-depth review of these principles, download Acceptto’s White Paper on Next Generation Authentication (NGA).
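To make the “let them in, then watch the behavior” idea concrete, here is an added example (not Acceptto’s code, nor code from any product named in this post) that builds a baseline from transfer logs and scores new events against it. The log format is a constructed stand-in for what a DICOM or HL7 handler might emit (`<ISO timestamp> <source IP> <destination IP> <bytes>`); the IP addresses and sizes are made up. For each source-to-destination pair it learns the mean and standard deviation of transfer size (the “bell curve” mentioned above) and the hours of the day at which transfers normally occur, then flags a new transfer whose size is more than three standard deviations out, that happens at a never-seen hour, or that goes to a never-seen destination. The point is that every one of these events used “legitimate” credentials and succeeded; only the comparison against the learned persona makes the odd ones visible.

```python
"""Behavioral baseline over constructed imaging-transfer log lines.

Added illustration, not vendor code. The log line layout is hypothetical:
    "<ISO-8601 timestamp> <source IP> <destination IP> <bytes>"
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed "normal" traffic: one modality (10.0.0.5) sending studies of
# roughly 500 KB to the PACS (10.0.0.20) during working hours over two days.
BASELINE_LOG = """\
2021-09-06T08:12:04 10.0.0.5 10.0.0.20 524288
2021-09-06T09:45:31 10.0.0.5 10.0.0.20 498320
2021-09-06T11:03:12 10.0.0.5 10.0.0.20 536100
2021-09-06T13:27:55 10.0.0.5 10.0.0.20 510044
2021-09-06T15:50:09 10.0.0.5 10.0.0.20 489900
2021-09-07T08:30:41 10.0.0.5 10.0.0.20 530212
2021-09-07T10:14:27 10.0.0.5 10.0.0.20 501773
2021-09-07T12:02:58 10.0.0.5 10.0.0.20 519950
2021-09-07T14:38:16 10.0.0.5 10.0.0.20 494480
2021-09-07T16:55:03 10.0.0.5 10.0.0.20 527630
""".splitlines()


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, size_in_bytes)."""
    ts, src, dst, size = line.split()
    return datetime.fromisoformat(ts), src, dst, int(size)


class TransferBaseline:
    """Learned 'normal' per (source, destination) pair: sizes seen and hours seen."""

    def __init__(self):
        self.sizes = defaultdict(list)   # (src, dst) -> list of transfer sizes
        self.hours = defaultdict(set)    # (src, dst) -> set of hours of day

    def learn(self, lines):
        """Ingest known-good log lines and return self for chaining."""
        for line in lines:
            ts, src, dst, size = parse_line(line)
            self.sizes[(src, dst)].append(size)
            self.hours[(src, dst)].add(ts.hour)
        return self

    def score(self, line, z_limit=3.0):
        """Return a list of reasons the event deviates from baseline.

        An empty list means the event looks like the learned behavior.
        """
        ts, src, dst, size = parse_line(line)
        key = (src, dst)
        if key not in self.sizes:
            # A destination this source has never talked to is itself notable.
            return ["unseen source/destination pair"]
        reasons = []
        sizes = self.sizes[key]
        mu, sigma = mean(sizes), pstdev(sizes)
        if sigma > 0:
            z = abs(size - mu) / sigma
            if z > z_limit:
                reasons.append(f"transfer size z-score {z:.1f} exceeds {z_limit}")
        if ts.hour not in self.hours[key]:
            reasons.append(f"hour {ts.hour:02d} never observed for this pair")
        return reasons


if __name__ == "__main__":
    baseline = TransferBaseline().learn(BASELINE_LOG)
    # Constructed events to score: a routine transfer, a 50 MB pull at 03:14,
    # a transfer to an address the modality has never sent to, and a
    # normal-sized transfer in the evening.
    for event in [
        "2021-09-08T09:20:10 10.0.0.5 10.0.0.20 515000",
        "2021-09-08T03:14:22 10.0.0.5 10.0.0.20 52428800",
        "2021-09-08T09:21:00 10.0.0.5 203.0.113.7 515000",
        "2021-09-08T19:05:00 10.0.0.5 10.0.0.20 515000",
    ]:
        print(event, "->", baseline.score(event) or "normal")
```

In a real deployment the baseline would be fed from the Kafka topics mentioned above and keyed on whatever identity the logs carry (user, device, AE title), with the thresholds tuned per pair; the scoring would also need to decay old observations so the “normal” keeps pace with a persona that is, as the post says, in constant flux.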

Halt, Who Goes There?

The exponential expansion of the number of devices (in addition to humans) now connected to the Internet, aka The Internet of Things (IoT), has long been identified as a substantial vulnerability for organizations and individuals. The inevitable digitization of every aspect of our lives is increasing this vulnerability proportionally. You want to change the temperature in your bedroom before you get home using your Google Nest thermostat? That’s a direct connection into your life. You want to manage your access to your Tesla via your iPhone? That’s another vulnerable entry point into your life.

In a September 21, 2021 techjury blog article, Christo Petrov noted that “LTE, WiFi6, and 5G expansion continuing to be a reality, wearable technology adaptation is becoming widespread. There have also been vast developments in crucial technologies like augmented reality, next-generation telepresence, and virtual reality, which has helped with the wearable technology evolution.”

Exciting Internet of Things Statistics

  • There are expected to be more than 64B IoT devices worldwide by 2025.
  • By the end of 2020, 5.8 billion automotive and enterprise gadgets were on IoT.
  • By 2022, 100% of the global population is expected to have LPWAN coverage.
  • IoT has the potential to generate $4T to $11T in economic value by 2025.
  • The main revenue driver for 54% of enterprise IoT projects is cost savings.
  • The wearable devices market will be worth $1.1 billion by 2022.
  • 97% of organizations feel there are challenges to creating value from IoT-related data.
  • The IoT in banking and financial services market size is expected to grow to $2.03B by 2023.

“Things” connecting to the Internet can be thought of as extensions of ourselves. On average, it is estimated that each person has four devices connected to the Internet at any given time, each representing a piece of our digital persona. With each such new device connecting to the Healthcare IT enterprise, a patient’s digital persona evolves, expands, and further exposes IT ecosystems to new potential vulnerabilities. Compounding the issue, this estimate of four devices per individual represents slow adoption compared to what is inevitably coming, thanks to new technologies such as 5G that can efficiently handle exponentially more devices per cell tower and connect them wirelessly to the Internet.

The significance of IoT, and of how it expands people’s digital personas, is that individuals routinely use personal devices to perform work-related tasks, and work-related devices to perform personal tasks. This means that strict IT monitoring is not easy to enforce, even where strong procedures are in place to prevent the commingling of enterprise IT resources between our work and personal lives. The inexorable growth of IoT and of digital interactions among people means that we must embrace technologies that augment contemporary authentication methodologies: that is, augmenting MFA with continuous authentication that can flexibly recognize the fast-evolving nature of digital personas and behavior models.

Stay tuned for part two in this blog series, where Florent examines battleground protocols and how AI can help.