Cyber attacks continue to evolve at an ever-increasing pace. Threats have become more sophisticated and dangerous compared to just a few years ago. The velocity of malware evolution, an increasing number of end-user devices, networks and technologies that need protection, and petabytes of data to process combine to make it impossible for human-created models to give comprehensive, up-to-date protection.

Relying solely on traditional detection engines leaves organisations exposed to incredibly damaging attacks. Organisations, therefore, face an urgent need to continually ramp up and improve their cybersecurity.

Incorporating AI in all four stages of the adaptive security cycle

Check Point overcomes this challenge by incorporating artificial intelligence (AI) into its unified, multi-layered security architecture. By doing so, the company provides an ever-improving, intelligent system that doesn’t just detect, but actively prevents complex, sophisticated attacks.

Gartner lists the four stages of an adaptive security architecture as predict, prevent, detect and respond. In this blog entry, we’ll look at real world examples of how Check Point incorporates AI at each of the four stages to improve detection rates, reduce false positives and shorten response times.

Predicting an unknown cryptominer

Attacks tend to spread fast across organisations’ networks once the system has been breached, causing severe damage very quickly. Therefore, predicting attacks before they strike is critical.

Attackers frequently give a malicious file a name similar to that of a legitimate, trusted program (MITRE ATT&CK™ technique: Masquerading) to deceive system administrators or security products into treating the file as benign. However, legitimate processes sometimes carry similar names as well. Classifying an event as malicious based only on name similarity would therefore produce many false alerts, and, in the noise, genuine threats would be missed.

To identify new, unknown malware accurately, Check Point developed an AI engine that evaluates a process’s behaviour and then classifies it. In this example, SandBlast Agent detected a look-alike process on an endpoint at one of Check Point’s customers. Check Point’s Behavioral Guard AI engine then evaluated the process’s behaviour and classified it as a cryptominer, at which point the attack was prevented.
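As an added illustration of the point above (this is example code written for this page, not Check Point’s code and not a description of how Behavioral Guard works internally), the sketch below treats a look-alike name as a lead rather than a verdict. It folds common homoglyph substitutions, measures similarity to a baseline of trusted process names and their expected directories, and returns a cryptominer verdict only when runtime behaviour (a stratum pool URL on the command line, a connection to a typical mining-pool port, sustained CPU) backs the name up. The trusted names, directories, port list, thresholds and sample process events are all constructed for the example.

```python
"""Look-alike process names (ATT&CK Masquerading) confirmed by behaviour.

Illustrative detection logic written for this page, not Check Point's
Behavioral Guard. Trusted names, directories, mining-pool ports, thresholds
and the sample events are all constructed.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Names a look-alike would imitate, and where the genuine copies live
# (constructed; in practice this comes from an endpoint baseline).
TRUSTED_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "chrome.exe"}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows",
                r"c:\program files\google\chrome\application"}

# Single-character substitutions commonly used to build look-alike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Ports often used by stratum mining pools (assumption; tune to your telemetry).
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}


@dataclass
class ProcessEvent:
    name: str
    path: str
    cmdline: str
    cpu_pct: float                       # mean CPU over the observation window
    remote_ports: List[int] = field(default_factory=list)


def normalise(name: str) -> str:
    """Fold case and undo common homoglyph tricks: 'svch0st.exe' -> 'svchost.exe'."""
    n = name.lower().translate(HOMOGLYPHS)
    return n.replace("rn", "m").replace("vv", "w")


def name_similarity(name: str) -> Tuple[Optional[str], float]:
    """Closest trusted name and a similarity ratio in [0, 1]."""
    norm = normalise(name)
    best, best_ratio = None, 0.0
    for trusted in TRUSTED_NAMES:
        ratio = SequenceMatcher(None, norm, trusted).ratio()
        if ratio > best_ratio:
            best, best_ratio = trusted, ratio
    return best, best_ratio


def masquerade_score(ev: ProcessEvent) -> float:
    """Non-zero only when the name resembles a trusted one but this is not the genuine copy."""
    trusted, ratio = name_similarity(ev.name)
    if trusted is None or ratio < 0.85:
        return 0.0
    directory = ev.path.lower().rsplit("\\", 1)[0]
    if ev.name.lower() == trusted and directory in TRUSTED_DIRS:
        return 0.0                       # exact name in its expected location
    return ratio


def miner_behaviour_score(ev: ProcessEvent) -> float:
    """Weighted runtime indicators of mining; each one is weak on its own."""
    score = 0.0
    cmd = ev.cmdline.lower()
    if "stratum+tcp://" in cmd or "stratum+ssl://" in cmd:
        score += 0.5                     # pool URL on the command line
    if any(p in MINING_PORTS for p in ev.remote_ports):
        score += 0.3
    if ev.cpu_pct >= 80:
        score += 0.2                     # sustained CPU alone is common for benign work
    return min(score, 1.0)


def classify(ev: ProcessEvent) -> str:
    """Name similarity only raises suspicion; behaviour decides the verdict."""
    name_hit = masquerade_score(ev) > 0
    behaviour_hit = miner_behaviour_score(ev) >= 0.5
    if name_hit and behaviour_hit:
        return "cryptominer"
    if name_hit:
        return "suspicious-name"
    if behaviour_hit:
        return "suspicious-behaviour"
    return "benign"


# Constructed telemetry: a genuine svchost, a look-alike miner, a legitimately
# named binary in the wrong directory, and a busy but benign explorer.
SAMPLE_EVENTS = [
    ProcessEvent("svchost.exe", r"c:\windows\system32\svchost.exe",
                 "svchost.exe -k netsvcs", 2.0, [443]),
    ProcessEvent("svch0st.exe", r"c:\users\bob\appdata\local\temp\svch0st.exe",
                 "svch0st.exe -o stratum+tcp://pool.example.invalid:3333 -u wallet", 95.0, [3333]),
    ProcessEvent("svchost.exe", r"c:\users\bob\downloads\svchost.exe", "svchost.exe", 1.0, []),
    ProcessEvent("explorer.exe", r"c:\windows\explorer.exe", "explorer.exe", 85.0, []),
]


def run_demo() -> List[str]:
    return [classify(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{ev.name:14} {verdict}")
```

The third sample event is the one that matters for false positives: a correctly spelled `svchost.exe` running from a user’s Downloads folder gets a name-only flag, not a malware verdict, and the fourth shows that high CPU by itself never reaches the behaviour threshold.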

Preventing a new variant of the Fareit trojan

It is less costly to prevent an attack than to detect and remediate after the malware has breached the network and caused damage. This is why Check Point has invested heavily in developing industry-leading threat prevention AI engines. Check Point is able to achieve the best prevention across the industry in dozens of independent third-party tests because of these advanced AI engines.

Fareit is a Trojan that has been in the wild since 2012. Its variants typically steal sensitive user information such as passwords, FTP accounts and other credentials stored in web browsers. The new variant was detected by Check Point’s dynamic emulation AI model five days before it was first seen on VirusTotal.

Check Point Threat Emulation is a sandboxing technology available both for on-premises networks and in the cloud. It incorporates an AI model that evaluates the actions taken by an executable file at run time. The model’s output is a score that determines whether the file is malicious; if it is, SandBlast Network blocks the file and prevents the attack. This AI model is responsible for 50% of Check Point’s Threat Emulation detections.

Detecting “Agent Smith”

“Agent Smith” is a malware campaign discovered by Check Point’s mobile threat researchers. The campaign infected approximately 30 million devices for financial gain. Disguised as a Google-related app, the core malware component exploits several known Android vulnerabilities and automatically replaces installed apps on the device with malicious versions.

Check Point’s AI engines detected this malware before the campaign was discovered, and before its command and control sites were known to be malicious. The core malware was detected by three of Check Point’s AI engines, each focused on a different type of indicator. For example, one model takes the application code as input and returns a verdict based on code flow analysis. Because the engines work independently, a variant in which some of the indicators are missing is still detected by the engines whose indicators remain.

Thanks to Check Point’s AI engines, “Agent Smith” was detected before it caused damage by replacing the installed apps with malicious versions.

Responding to bot attacks

Responding to an attack quickly and accurately can remediate damage or prevent it completely. Check Point uses AI at several stages of the response process, such as victim identification, false-alert elimination and attack classification.

In this example, a company that provides IT services to critical government institutions contacted Check Point after receiving tens of thousands of alerts about allegedly malicious activity reported by a non-Check Point product. Check Point’s ThreatCloud AI sifted through the log entries and produced an accurate list of 25 infected devices, which were then cleaned before the malware caused any damage.

The concept behind ThreatCloud AI is to build a machine that emulates the thought process and decision making of a cybersecurity researcher. However, while a researcher could spend weeks investigating a single type of threat, ThreatCloud AI reaches a decision in seconds. It correlates suspicious and malicious events from multiple sources, recognises infection behaviour and identifies the infected hosts. The system then points the customer to the top events in their network that need immediate attention.
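To make the correlation idea concrete, here is an added example written for this page (it is not ThreatCloud AI and does not describe its internals). It reduces a noisy alert feed to a ranked list of hosts by requiring that at least two independent telemetry sources agree on at least two distinct stages of an infection chain, so a single signature firing on every workstation, or one alert repeated fifty times on one host, never produces an infected-host verdict. The sources, indicator categories, thresholds and every alert in the feed are constructed.

```python
"""Turning tens of thousands of alerts into a short list of infected hosts.

Illustrative correlation logic written for this page, not ThreatCloud AI.
Sources, indicator categories, thresholds and every alert are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    host: str
    source: str      # telemetry that raised it: dns, proxy, ids, edr
    kind: str        # indicator category
    severity: int    # 1 (low) to 5 (high)


# Indicator categories that form an infection chain (contacting C2, beaconing,
# persisting, harvesting credentials). Generic noise categories are left out.
INFECTION_CHAIN = {"known-c2-contact", "periodic-beacon",
                   "unsigned-persistence", "credential-dump-tool"}


def constructed_alerts() -> List[Alert]:
    """A constructed feed: mostly noise, two corroborated infections, two decoys."""
    alerts: List[Alert] = []
    # One IDS signature firing on 200 workstations: most of the volume, no value alone.
    for i in range(200):
        alerts.append(Alert(f"ws-{i:03d}", "ids", "port-scan-signature", 2))
    # ws-017: three independent sources see successive stages of an infection.
    alerts += [Alert("ws-017", "dns", "known-c2-contact", 4),
               Alert("ws-017", "proxy", "periodic-beacon", 3),
               Alert("ws-017", "edr", "unsigned-persistence", 4)]
    # srv-db-01: two sources, two stages.
    alerts += [Alert("srv-db-01", "dns", "known-c2-contact", 4),
               Alert("srv-db-01", "edr", "credential-dump-tool", 5)]
    # ws-120: the same proxy alert repeated 50 times; volume is not corroboration.
    for _ in range(50):
        alerts.append(Alert("ws-120", "proxy", "periodic-beacon", 3))
    # ws-042: two stages but a single source; nothing independent confirms it.
    alerts += [Alert("ws-042", "proxy", "known-c2-contact", 4),
               Alert("ws-042", "proxy", "periodic-beacon", 3)]
    return alerts


def correlate(alerts: List[Alert], min_sources: int = 2, min_stages: int = 2) -> List[Dict]:
    """Flag a host only when independent sources agree on distinct chain stages."""
    evidence: Dict[str, Set[Tuple[str, str, int]]] = defaultdict(set)
    for a in alerts:
        if a.kind in INFECTION_CHAIN:
            # A set: the same (source, kind) repeated adds no weight.
            evidence[a.host].add((a.source, a.kind, a.severity))
    infected = []
    for host, ev in evidence.items():
        sources = {s for s, _, _ in ev}
        stages = {k for _, k, _ in ev}
        if len(sources) >= min_sources and len(stages) >= min_stages:
            infected.append({"host": host,
                             "score": sum(sev for _, _, sev in ev),
                             "stages": sorted(stages)})
    infected.sort(key=lambda r: r["score"], reverse=True)
    return infected


def top_events(alerts: List[Alert], infected: List[Dict], limit: int = 5) -> List[Alert]:
    """Chain alerts on flagged hosts, highest severity first: where to start remediation."""
    hosts = {r["host"] for r in infected}
    picked = {a for a in alerts if a.host in hosts and a.kind in INFECTION_CHAIN}
    return sorted(picked, key=lambda a: (-a.severity, a.host, a.kind))[:limit]


if __name__ == "__main__":
    feed = constructed_alerts()
    hits = correlate(feed)
    print(f"{len(feed)} alerts -> {len(hits)} infected hosts")
    for r in hits:
        print(r)
    for a in top_events(feed, hits):
        print(a)
```

On the constructed feed of 257 alerts, only `ws-017` and `srv-db-01` are flagged; the 200 IDS hits, the 50 repeats on `ws-120` and the single-source pair on `ws-042` all drop out, and the top-events list starts with the credential-dumping alert on the database server.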

Conclusion

As cybercriminals develop more sophisticated and more dangerous methods of cyberattack, it has become impossible to rely only on human analysis and decision making. In order to continuously improve Check Point’s excellent detection and prevention rate, Check Point has developed dozens of artificial intelligence engines and incorporated them in critical decision points across Check Point’s family of products.

Many cybersecurity vendors claim to incorporate AI in their products but few have shown its effectiveness. In contrast, Check Point has demonstrated real world results in all four stages of the adaptive security architecture.

Check Point’s models are effective at preventing attacks thanks to a vast amount of real-world data on known threats, and to domain experts who develop, train and validate the models. These experts continually define suitable features and label data for each engine. They use large volumes of data for training, testing and validating the models, enriched with Check Point’s own threat intelligence, and the solutions apply several algorithmic approaches to the same input. The result is the industry’s leading prevention rate for both known and unknown attacks.

Yaelle Harel and Adeline Chan, Threat Prevention Marketing Managers at Check Point Software Technologies