"Any cybersecurity company failing to leverage AI is obsolete"
"The bar has been raised for both attackers and defenders. No one will ultimately emerge victorious; it will remain a cat-and-mouse game. Education is valuable, but technology is the solution," says Team8 Chief Innovation Officer Bobi Gilburd
Bobi Gilburd, Chief Innovation Officer at the Team8 venture capital fund and former commander of the 8200 unit’s Cyber Center, didn't find the recent ransomware attack on Mayanei Hayeshua hospital surprising. He notes that such attacks are common globally and in Israel, and the distinction lies in an organization's response and recovery. Some businesses are severely impacted, even to the point of closure, while others recover swiftly.
Gilburd explains that ransomware attacks are increasing, partly due to generative artificial intelligence's introduction. He notes that AI is transforming the landscape, but emphasizes that the answer to AI-driven attacks is AI itself, encouraging the use of AI-enhanced security products to counter evolving threats.
Were you surprised when you heard about the ransomware attack against Mayanei Hayeshua hospital this week?
"I was not surprised because this is not the first such attack in Israel, nor the first on a medical institution. We are a small country, and attacks like this, whose purpose is to acquire money, happen all over the world. The difference lies not in whether organizations are attacked, but rather in their response during recovery. Some organizations are brought to their knees by such attacks, even to the point of going out of business. Others experience minor setbacks and are back in action within a few hours.
"In some ways, such an attack is inevitable. No one is shocked when a medical institution falls victim to ransomware. These attacks are widespread globally. They are not targeted at specific institutions. Attackers use some form of malware and extensively scan tens of thousands of websites to identify vulnerable ones. One in a thousand attempts may succeed, and of those, one in a thousand may pay. When these attacks are conducted on a large scale, they affect numerous sites. It's a global phenomenon. According to the surveys conducted by Team8, ransomware attacks are dramatically on the rise. It's a market that's gaining strength, partly due to the emergence of generative artificial intelligence."
We'll discuss the role of AI in cyber attacks, but first, let's understand the anatomy of a ransomware attack.
"Many times, these attacks start with phishing. Malicious emails are sent widely, and an employee opens one, executing a malicious file or visiting a malicious website. This is something that education can help prevent by teaching people how to identify unusual elements. For example, if the language is scrambled or the domain doesn't match the sender's, people should be cautious. Automatic tools can block such emails at the corporate level. However, in the case of a traditional phishing attack, education remains the best defense, regardless of whether the recipient is a manager or a receptionist; it's the first line of defense.
"Once an employee opens such an email, automatic protection products come into play. These tools are designed to detect unusual domain requests and halt the attack. This occurs dozens, if not hundreds, of times daily in Israel. In the case of Mayanei Hayeshua, it seems this line of defense failed. The product might not have been sufficiently powerful or up-to-date, as attackers are constantly evolving their methods. There's also the possibility of an attack exploiting a unique, unknown security vulnerability known as a zero-day. Such vulnerabilities are traded in a market and can have a short lifespan. As a result, attackers cast a wide net to target as many organizations as possible. An effective defense product can identify even zero-day attacks by recognizing patterns of such vulnerabilities. These capabilities are prevalent in advanced security products that utilize cloud-based AI systems."
What happens if this line of defense also fails?
"In such a case, the attack spreads online. However, this proliferation can be halted; reaching one computer in a network doesn't necessarily lead to extensive damage. The spread isn't inevitable. Protection products come into play within the network, preventing movement between computers rather than just at the network entrance. They do this by detecting abnormal computer behavior. Such products are also crucial for preventing unauthorized access. In the case of Mayanei Hayeshua, it appears this defense mechanism didn't work, and the attack spread widely.
"At a certain point, the attack is noticed. Ransomware attacks are easy to detect since affected computers become unresponsive when employees try to use them. Now a race against time begins because the ransomware spreads from one computer to another, encrypting databases. This process can take hours. In the past, attackers aimed only to cause damage, but now ransomware encrypts data, rendering it inaccessible without a decryption key. This operation takes time, especially for large databases. This is when the attack can be stopped.
"I'm not sure at what point they halted the attack. Detecting an attack requires heightened awareness. Excellent organizations operate on two fronts simultaneously: one assumes it's a minor malfunction, while the other acknowledges it could be a sophisticated attack. The most effective response is to shut down the server, disconnect it, and halt the encryption process. If the computer isn't operational, encryption can't proceed. The computer can then be repaired, and a remedy can be found. This is all relevant assuming not all computers have been infected."
There are ransom attacks that threaten to disclose data, like the hacking of the Shirbit insurance company in 2020.
"Indeed, there are ways to identify such attacks. When vast amounts of data are leaked online, protection products should spring into action. If gigabytes of data are released, it takes hours, even days. AI excels at identifying such anomalies. If, for instance, a certain volume of data typically comes out in the afternoon but suddenly increases to 100 times that amount, an AI system should detect and block it. This likely didn't work during the ransomware attack on Shirbit, where a substantial amount of data was leaked."
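As an added illustration of the volume-anomaly rule described in this answer (example code, not from the interview or from Team8): a small detector that sums outbound bytes per host and hour of day, uses the median of the same hour on earlier days as the baseline, and flags an hour that reaches 100 times it. The log format, host name and volumes are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample egress log (not from the article): ISO timestamp, host, outbound bytes.
# Four normal afternoons of roughly 120 MB, then a day when 15 GB leaves in the same hour.
SAMPLE_LOG = """\
2023-08-01T14:05:00 db-srv 120000000
2023-08-01T14:40:00 db-srv 10000000
2023-08-02T14:10:00 db-srv 130000000
2023-08-03T14:20:00 db-srv 115000000
2023-08-04T14:15:00 db-srv 125000000
2023-08-05T14:30:00 db-srv 15000000000
"""

def bucket_by_hour(log_text):
    """Sum outbound bytes per (host, date, hour-of-day) bucket."""
    buckets = defaultdict(int)
    for line in log_text.splitlines():
        ts, host, nbytes = line.split()
        t = datetime.fromisoformat(ts)
        buckets[(host, t.date(), t.hour)] += int(nbytes)
    return buckets

def detect_egress_spikes(buckets, ratio=100, min_history=3):
    """Flag a bucket whose volume is at least `ratio` times the median volume of
    the same host-and-hour on earlier days. A bucket is only judged once at least
    `min_history` earlier days exist, so one quiet day cannot turn a normal
    afternoon into a false alarm."""
    by_host_hour = defaultdict(list)
    for (host, day, hour), volume in buckets.items():
        by_host_hour[(host, hour)].append((day, volume))
    alerts = []
    for (host, hour), series in by_host_hour.items():
        series.sort()  # chronological, one entry per day
        for i, (day, volume) in enumerate(series):
            history = [v for _, v in series[:i]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            if baseline > 0 and volume >= ratio * baseline:
                alerts.append({"host": host, "day": day.isoformat(), "hour": hour,
                               "bytes": volume, "baseline": baseline})
    return alerts

if __name__ == "__main__":
    for alert in detect_egress_spikes(bucket_by_hour(SAMPLE_LOG)):
        print(f"{alert['host']} {alert['day']} {alert['hour']:02d}:00 "
              f"sent {alert['bytes']} bytes, baseline {alert['baseline']:.0f}")
```

A real deployment would block or throttle the flow from a network control point rather than only print; the baseline and ratio are the tunable parts.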
"Let's consider an organization under attack with encrypted data. At this point, the attacker presents their demand, often a reasonable amount. While no one would pay a billion dollars, millions might prompt the organization to consider the cost of recovery. Organizations may bring in experts to negotiate with attackers, much like with kidnappers. During negotiations, attackers may provide proof that they can decrypt the data. This verifies that they aren't just snooping around but have data they can release. After receiving the payment, attackers usually release the data. They maintain their reputation since no one would pay if they were known for deception. Attackers might provide remote assistance or send software to facilitate data release, concluding the event.
"Since Mayanei Hayeshua hasn't fully resumed operations, they likely chose not to pay. In such cases, a top-notch organization would have a hot backup system. This system continuously backs up data in real time, often on two or three sites simultaneously. If attacked, the organization can seamlessly switch to the backup site and continue unaffected. This strategy acknowledges the inevitability of employee mistakes and attacks, necessitating a well-practiced hot backup system in advance. Organizations with this setup face no issues in resuming operations. While a hot backup is optimal, even a weekly backup suffices. I'm unsure about Mayanei Hayeshua's backup status, but it's implausible they hadn't backed up their data."
How is generative AI altering the rules of the game these days?
"Until recently, it was relatively easy to spot phishing emails, particularly in Hebrew due to intricate language nuances. However, AI has eradicated this language barrier. The content of these emails appears remarkably genuine, featuring impeccable language, which complicates their detection. Israel once enjoyed an advantage, as much of the world doesn't speak Hebrew. Unfortunately, this advantage is waning. High-quality, AI-generated phishing emails are already emerging, complete with language and content that seems human-crafted. With tools like ChatGPT, it's possible to automatically draft highly personalized emails to individuals like receptionists or security managers, maintaining an authentic appearance. Government restrictions, including export limitations, on this technology seem likely. When an attacker can employ AI to create convincing phishing emails in any language, it's essentially a cyber weapon, possessing immense power.
"We must also consider AI tools that can synthesize voice, images, and even videos of real people. Free technologies already exist that enable voice synthesis, producing uncannily authentic results. Imagine receiving a phone or video call from someone who perfectly imitates your boss, instructing you to open a link or file. As a result, the human factor's role, a key vulnerability point, will intensify. More individuals will fall victim to generative AI technologies."
So, what steps can we take? Education isn't the solution here.
"The solution to AI lies in AI itself. Any cybersecurity company failing to leverage AI capabilities in their products is obsolete. The bar has been raised for both attackers and defenders. No one will ultimately emerge victorious; it will remain a cat-and-mouse game. Education is valuable, but technology is the solution. This is what makes our world more intriguing.
"There's another aspect to this. Traditionally, an asymmetry exists between defenders and attackers. Defenders must protect everything continuously, whereas attackers need to infiltrate only once. AI disrupts this asymmetry by granting defenders unprecedented capabilities. Cybersecurity companies using AI technologies are flourishing. Whereas organizations once relied on awareness, they can no longer solely trust people. While education remains vital, security products tailored to counter generative AI attacks mustn't be overlooked."
What's Israel's level of preparedness for safeguarding essential cyber infrastructure?
"The National Cyber Directorate is equipped with experienced individuals, including former attackers and 8200 unit personnel. Thus, in terms of the entities responsible for guidance and assistance, we're well-placed. Certain countries lack such systems or operate at a lower level. While improvement is always possible, Israel's awareness and evaluation of national infrastructure protection are satisfactory. It's now crucial to maintain this edge, not just in offensive capabilities, but also in defense."