Oct 28 2021

Smart Defense: How Artificial Intelligence Can Reduce Ransomware Risks

BlackBerry experts outline how AI can bolster cybersecurity.

Another day, another ransomware attack. Encouraged by expanding networks and empowered by the ongoing global shift to a hybrid and remote workforce, threat groups are aggressively developing new ways to extort money from vulnerable organizations.

In late summer, the Cybersecurity and Infrastructure Security Agency warned about potential ransomware attacks on federal services over Labor Day weekend.

While no breaches were reported, The Washington Post notes that ransomware attacks on government operations have steadily increased over the past few years, with at least 400 U.S. cities and counties compromised since 2016. CISA has launched a Stop Ransomware site, which offers educational and operational guidance to help agencies avoid attacks.

But information alone isn’t enough to curb ransomware. Organizations need solutions capable of proactively protecting endpoints, networks and services from security threats at scale. Artificial intelligence and machine learning technologies provide the foundation for improved defense — but how do they work in practice?

“We pioneered AI and ML in security and bringing these tools to the endpoint,” says Tom Cameron, a sales engineer at BlackBerry, which completed its acquisition of Cylance in February 2019. Now, the company is developing new ways to outsmart attackers and reduce ransomware risks.


How AI-Driven Anti-Virus Tools Add Power to Cybersecurity Methods

Traditional anti-virus tools rely on signature-based solutions to help agencies defend against cyberthreats. During a typical workday, the tools scan disks multiple times for signs of possible compromise and regularly connect with update servers to download new signatures of emerging threats.

The challenge? With IT environments rapidly expanding and ransomware methods constantly evolving, signatures can’t be developed quickly enough to keep pace at scale. In addition, Cameron notes, “some solutions allow the execution to occur to determine if it’s good or bad, but this can modify the operating system, and bad things can happen.”

Cylance AI, which BlackBerry acquired, takes a different approach. “We don’t allow ransomware to execute,” says Cameron. “Instead, AI intercepts that call at the kernel level. We don’t use signatures because they’re reactive.

“What we do is analyze potentially malicious resource calls using a math model that we’ve trained by feeding it billions of files. This allows the AI to extract the features of a file at a DNA level,” he adds.

If the tool detects a problem, no execution occurs. Instead, the issue is reported, and IT teams can investigate it while it’s quarantined on a machine.

Teams can dig further to determine which threat indicators were recorded and examine why the file is attempting to stop specific services or inject into specific services. Cylance AI offers more than 100 human-readable threat indicators to streamline this process.


Humans Are Smart, but AI Makes Them Smarter

Cameron puts it succinctly: “The math is smarter than humans. A phenomenal human analyst can know between 150 and 200 features in a file. We have the ability to look at 2.7 million features in 100 milliseconds or less to determine if something is good or bad.”

The Cylance AI model is currently in its seventh generation, and Cameron notes that new models are only deployed when exhaustive testing proves they’re more accurate than the current version.

“It takes a lot of files to achieve this level of machine learning,” he says. “It’s a huge training phase, but it allows the solution to make intelligent inferences about unknown files, which in turn protects against everything from traditional ransomware to emerging zero-day attacks.”

This inferential approach also makes it possible to protect against fileless attacks.

“It’s important to cover not just malicious binaries, but also fileless attacks,” says Cameron. “These could be a Word doc or Excel spreadsheet trying to trick users into executing something in the background, which could then go out, and execute and pull down ransomware.”

Cylance AI offers protection for both memory space attacks and techniques that exploit legitimate network and system services. “We have script control,” he says. “This includes active scripts, PowerShell and macros, along with two new scripts for .NET and Python. We’re constantly adding support for new scripting languages.”


Cylance AI Is Cloud-Based, but not Cloud-Dependent

Cameron also notes that while Cylance AI is cloud-based, it’s not cloud-dependent.

“The AI model and its endpoint agent run locally on every system under protection,” he says. “So we don’t need a connection to the cloud to detect malware and prevent it from executing.”

Once a cloud connection is re-established, the agent checks in with the BlackBerry dashboard to report its status and pick up any changes to security policies.

In addition, agencies can configure the solution however best suits their needs. “You have the ability to group your machines by servers, laptops, etc.,” says Cameron. “It’s completely flexible. All admin functions and analytics are centrally managed in the cloud-based console.”

“This includes analytics about malware detection, threat indicators, how machines were affected and much more,” he adds. “You can quickly pull up whatever data you need for root cause analysis.”

Bottom line? Ransomware risks are rising. AI-driven tools make it possible to outpace and outsmart attackers with proactive, prevention-first endpoint protection.
