Is “Mayhem” the future of cyber-war?
Digital crime is growing exponentially. Cyber-crimes has grown over 20% in the last 5 years and is only anticipated to grow exponentially with the advent of new exponential technologies (such as Internet of Things (IoT)) and increasing Internet user-base.
To add, the loss incurred by organizations due to cyber-attacks is unprecedented. However, to alleviate these organizations, a new form of defense mechanism has emerged in the recent times, an autonomous AI-based robotics system that is self-resilient and adopts dynamically to counter new and innovative cyber-attacks. The imminent question would be: Is this autonomous system going to be the future arsenal for fighting cyber-criminals?
Hackers/Hacktivists/script-kiddies of all types are committing historic levels of cyber intrusions and theft against consumers, businesses of all sizes, and governments globally. “In the past two years, we have seen a massive upswing in hackers breaking into some of the most highly secure corporations and stealing financial data, intellectual property, and very sensitive personal information — and it seems to be growing exponentially.” said Tyler Cohen-Wood, a cyber-specialist at security awareness training company Inspired eLearning, in the Cybersecurity Ventures report.
Unprecedented advances in computing, robotics, artificial intelligence, IoT and biotechnology hold the potential to radically transform our world for the better, they however, collect immense amount of data to provide the services that we desire and hence are the primary targets for cyber-criminals. Seth Berman, the executive managing director at Stroz Friedberg said, “The West is particularly vulnerable, due to its reliance on technology” primarily attributing to the fact that exponential technologies are the principal targets for cyber-criminals
VICTIM, THE ABETTOR?
Ironically, exponential technologies are also abetting the cause of cyber-criminals. “Advanced criminal attack groups now echo the skill sets of nation-state attackers. They have extensive resources and a highly skilled technical staff that operate with such efficiency that they maintain normal business hours and even take the weekends and holidays off,” said Kevin Haley, director at Symantec Security Response, shedding light on how cyber-criminals are honing their technical skills and leveraging exponential technologies to perform large scale attacks.
To add, with the growing Internet user-base, the number of cyber criminals is expected to grow unchecked. Microsoft estimates that by 2020 four billion people will be online. With more than 50% increase in cyber-reach and online availability of data, cyber risks are expected to grow exponentially and attacks are going to be more sophisticated.
The fragmented nature of such risks, from opportunistic criminals at one end of the spectrum to nation states at the other, means organizations are forced to engage in a game of cat and mouse, where the adversaries change with increasing regularity.
Cybersecurity Ventures predicts global annual cybercrime costs will grow from $3 trillion in 2015 to $6 trillion annually by 2021, which includes damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
As a knight in a shining armor, with foresight and tact, DARPA planned a Cyber Grand Challenge at DEFCON-2016, pitting seven automated security systems against each other to see which could find, exploit, and patch software vulnerabilities most effectively while watching for intrusions and protecting its own data with minimal human interaction. The crux of the challenge was the inclusion of a number of vulnerabilities that mirrored real-life security issues. During the 10-odd-hr of battle for the “flag”, Carnegie Mellon University’s “Mayhem” machine won the coveted $2million dollar grand price.
“MAYHEM combines patented techniques in automated program analysis with AI to scale to thousands of programs and does not require source code to find vulnerabilities with zero false positives, before they can be exploited. At the forefront of a new generation of autonomous cybersecurity tools, MAYHEM is designed to deliver the first truly scalable solution for application security.” Said forallsecure team, team that developed “mayhem”.
It is however, interesting to note that the current solutions like mayhem are still in their rudimentary stages of development. For example, when “Mayhem” was pitted against a human attacker, it fell short of its defense strategies and was broken in matter of hours and the question remained if autonomous systems would be the norm of the future.
Regardless of the drawbacks in these autonomous solutions, as the challenge’s program manager, Mike Walker, aptly stated “the event is a clear proof of principle that machine-speed, scalable cyber defense is indeed possible. I’m confident it will speed the day when networked attackers no longer have the inherent advantage they enjoy today,”.
The forallsecure team is also accepting limited number of design partners for early access to MAYHEM-as-a-service to automatically analyze binaries to find and fix security bugs. Until the MAYHEM-as-a-service becomes a norm, let us adhere to current security standards of timely patching of digital devices and avoiding suspicious emails and websites.