Recognizing and Defending Against Automated Cybercrime

Updated: 4 May 2021

Fact-checked by Miklos Zoltan

In this guide you will learn about:

  • Automated technologies used in cyberattacks
  • Automated cyber-defense technologies and processes
  • Automated defense technologies and solutions
  • Advanced cyberdefense capabilities
  • Engaging a third-party managed security services provider

For SMB owners, reading about massive cyberattacks might seem like a faraway misfortune of international enterprise companies. Now, the tit-for-tat cybercrime war pits increasingly sophisticated malicious actors against businesses of all sizes. Attacks now involve smaller companies, SMBs, as well as solo professionals, professional practices, and remote knowledge workers.

To get the jump on security pros, cyber attackers use every tool they can lay their hands on. These include automated tools, machine learning, and robotic process automation (RPA).

All business operators—no matter how modest their operations might be—ought to recognize cyberattacks and the risks that these exploits create. Even basic awareness of network traffic patterns and behavior can add to security defenses and reduce the risk of attack.

This guide is designed for solo professionals, remote corporate workers, and members of professional practices—people who run modest networks, often with modest security budgets. It describes trends in cyberattacks and the defense measures that can reduce or avoid the damage that these exploits cause.

Thinking about DIY cybersecurity measures? Or perhaps, handing off cybersecurity duties to a third-party managed security services provider (MSSP)? If so, the detailed descriptions in this guide should help you understand what you are buying—or risking.

Defending Against Automated Cybercrime

Automated Technologies Used in Cyberattacks

Several years ago, cyberattacks enabled by malware named WannaCry and NotPetya captured the attention of cybercrime watchers everywhere. Designing and installing advanced cyber security strategies to combat these threats became the need of the hour. Why? Times and cybercrime were changing:

  • Attack targets have changed. Attacks started with customer data and IP at enterprise companies but shifted to SMBs and government agencies. Now, the emphasis is on ransomware and phishing attacks, often at smaller companies.
  • Cyberattacks became more efficient. Cybercrooks have been using automation to do more harm to more targets in less time.
  • Business, legal, and compliance consequences continue to grow. It simply doesn’t pay to practice cyberattack denial.

Malware attacks + automation = big trouble for network users

For years now, cybercriminals have tweaked malware so that security software can’t discover it or identify it as malicious. Large-scale threat intelligence efforts were launched to spot every variation of known malware and put copies of it into databases, so that each instance could be identified and neutralized.

But identifying literally millions of bits of malware is difficult, especially when they are deliberately disguised. Increasingly, security pros started using machine learning to stop familiar and new, unknown types of malware.

Knowing an effective tool when they see one, cybercriminals started using machine learning, too. Unfortunately, they often deliver software that is more adaptable and sophisticated than that of legitimate developers. The bad guys have now developed machine learning-enabled attacks and are using them against businesses and government agencies.

But this is old news. The use of automation and related technologies in attacks is familiar. What makes automated cybercrime riskier for smaller-scale business operations?

A Europol report warns that artificial intelligence (AI) and other forms of automation could make cyberattacks more dangerous and more difficult to spot than ever. For example, machine learning-based malware can automatically send phishing email messages to learn what sort of language works best in cyberattacks and how to design attacks for specific types of targets.

Modern cyberattacks use several types of automation: robotic process automation, artificial intelligence, and machine learning, a specific subset of AI. Each contributes its own capabilities to finding, organizing, analyzing, and distributing huge volumes of data at lightning speeds.

Robotic Process Automation

This is really a process, in which software intelligently automates (outsources) boring, repetitive tasks—typically performed by humans—to mechanical devices or other software programs. RPA is important because it can delegate manual, boring tasks to bots, which can perform them without humans having to monitor or control them.

RPA’s role in automated cybercrime. Outsourcing tasks to non-human workers saves enormous amounts of time and money and enables many tasks that humans cannot perform. (Example: Scanning 1.2 million instances of malware in a threat intelligence database.) However, the convenience that RPA provides encourages a “set it and forget it” mentality and all its security risks.

Bots often get access to sensitive network data and systems. RPA bots use privileged access to perform tasks, moving data between systems and processes. When exploited, RPA bots provide a handy pipeline to an organization’s data. Because RPA bots need access to different applications to handle data, access credentials are often hard coded into scripts or pulled in from insecure locations. These worst practices are common sources of illegal entry into networks and data stores.
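The hard-coded credential problem described above is easy to check for mechanically. The following is an added example (not code from the article or from any RPA vendor): a small scanner that flags credential-looking string literals in a bot script, alongside the corrected pattern of loading credentials from the bot's environment at launch. The sample script, the `scan_script_for_secrets` and `load_bot_credentials` names, and the environment variable names are constructed assumptions.

```python
"""Added example (not from the article): spot hard-coded credentials in RPA
bot scripts and show the corrected pattern of loading them at run time.
The sample script, function names and variable names are assumptions
constructed for this illustration."""
import os
import re
from typing import List, Tuple

# Constructed sample: a fragment of an RPA bot script with secrets baked in.
SAMPLE_BOT_SCRIPT = """\
# nightly invoice-export bot (constructed sample, not a real script)
ERP_USER = "svc_rpa_invoice"
ERP_PASSWORD = "Summer2021!"
API_KEY = "AKIAEXAMPLEEXAMPLE01"
conn = connect("erp.internal", user=ERP_USER, password=ERP_PASSWORD)
"""

# Patterns for credential-looking assignments. Deliberately narrow (a quoted
# literal on the right-hand side) so that references to variables are not noise.
SECRET_PATTERNS = [
    (re.compile(r'(?i)(password|passwd|pwd)\s*=\s*["\'][^"\']+["\']'),
     "password literal"),
    (re.compile(r'(?i)(api[_-]?key|secret|token)\s*=\s*["\'][^"\']+["\']'),
     "API key/token literal"),
]


def scan_script_for_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, stripped line) for each suspicious assignment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, label in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
                break
    return findings


def load_bot_credentials(env=os.environ) -> dict:
    """Hardened form: credentials arrive via the bot's environment (populated by a
    secret manager or vault at launch), never from the script text. Missing
    values fail fast instead of silently running with an empty password."""
    required = ("ERP_USER", "ERP_PASSWORD", "ERP_API_KEY")  # assumed names
    missing = [name for name in required if not env.get(name)]
    if missing:
        raise RuntimeError(f"missing credentials in environment: {', '.join(missing)}")
    return {name: env[name] for name in required}


if __name__ == "__main__":
    for lineno, label, line in scan_script_for_secrets(SAMPLE_BOT_SCRIPT):
        print(f"line {lineno}: {label}: {line}")
```

Run against the sample, the scanner reports the password and API key literals but not the `connect(...)` call, which only references variables; the same scan can be dropped into a pre-commit hook or CI step for bot repositories.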

Machine Learning


Machine learning is the umbrella term for the ability for computers to adapt, learn, and respond to changes in the environment without being specifically programmed for specific tasks.

When it comes to modern cybercrime, machine learning takes center stage with machine learning-enabled attacks (MLEA). By using machine learning, hackers can automate some or all steps in the data breach process, including:

  • Discovering vulnerabilities, finding a weakness in the targeted network.
  • Exploiting initial weaknesses, using a weakness to get into the network.
  • Exploiting a targeted weakness, finding vulnerabilities within the network.
  • Stealing data, removing sensitive or valuable data from the network.

The security trade press notes these MLEA-related trends and predictions:

  • With MLEA, phishing attacks are also expected to become more sophisticated. Computer programs can learn enough about you to accurately imitate a boss, coworker, friend, or reputable organization with increasing precision.
  • Hackers increased the number of attacks they carry out in each campaign. Hackers use machine learning techniques to carry out a greater number of attacks with a higher rate of success.
  • SMBs are preferred targets for hackers. Hackers view smaller businesses as lacking IT resources, which makes them easier to exploit with mass automation and machine learning tools.

Artificial intelligence

Cybercriminals now use AI to scale up their social engineering attacks and make them more efficient. Some forward-looking hackers are also using AI to identify new weaknesses in networks, devices, and applications as they emerge.

Because AI rapidly identifies opportunities for human hackers, the job of keeping information secure is made much tougher. Now, real-time monitoring of all network access and activity, combined with frequent, consistent patching, is vital to combat these emerging threats.

Cloud-Based Services

The cloud isn’t an attack technology, but it provides a new and fertile IT environment, where automated cyberattacks occur with greater and greater frequency.

Little assumptions create big dangers

Small-office business operators often assume that compromised cloud services create less disruption than more traditional on-premises services do. This mistake can lead administrators and IT ops teams to cut corners when secure cloud infrastructure is concerned.

There’s also a naïve belief that hosted service providers take responsibility for the security of client data. Cloud-hosted services still require the same level of ongoing monitoring, risk management, backups, upgrades, and maintenance as traditional IT infrastructures do.

Attacks are now so highly automated that significant damage can be done in little time. This applies to attack targets and collateral damage (compromised servers are used to stage further attacks). If it’s been a while since you reviewed your cloud resource security, now is a good time.

Types of Automated Cyberattacks


So, what forms do automated cyberattacks take? When researchers studied underground cybereconomies, they listed 10 of the most common automation services that hackers use. Most of these tools and services are part of active hacking campaigns or are traded in dark-web forums. Why automate? It’s the simplest, fastest, most efficient way to launch more attacks and generate larger amounts of profit.

  • Data breaches and database sales. Hackers who distribute stolen databases often use automation to choose and offer the most valuable data (email addresses, payment card data, passwords, and other personal information).
  • Brute force attacks. Credential stuffing and brute force attacks are common ways that threat actors use automation in cyberattacks. By using lists of stolen or frequently used passwords, hackers fully automate the account break-in process with automated password cracking tools, which do all the work.
  • Loaders and cryptors. These bits of software enable hackers to deliver and hide other malicious software from antivirus programs. Malware authors automate attack processes in advance, which enables hackers to install the malware without hands-on effort.
  • Stealers and keyloggers. These types of malware provide cybercriminals with preconfigured tools that steal login credentials from popular websites or monitor every keystroke that occurs on a specific website.
  • Banking injects. Widely available on the dark web, these modules are typically bundled with banking trojans that inject HTML or JavaScript code into a process. The malware reroutes users from legitimate financial websites to fake ones designed for data theft. Dark web operators provide buyers with an automated exploit kit, so no IT experience is required.
  • Exploit kits. These comprehensive tools bundle several types of exploit that target known web browser weaknesses without human attention or effort. Like the Fallout exploit kit (a big favorite of hackers), these tools can be found for sale on the dark web.
  • Spear phishing. Spear phishing is a type of social engineering exploit that requires more complex techniques than spam attacks. Hackers address this complexity by automating several steps of a phishing attack and using templates and frameworks easily bought on the dark web.
  • Bulletproof hosting services. These third-party services are a cornerstone of the cybercrime economy. With the promise of a haven for cybercriminals, BHS providers hide malicious activity and prevent law enforcement shutdowns. BHS services often run on automated techniques such as geo-spoofing, which is designed to defeat detection.
  • Credit card sniffers. Underground forums provide full-service trade in sniffers. This malware steals card-not-present data from the checkout pages of online stores. Attackers use this valuable data themselves or sell it on to others. The sniffing process uses a malicious JavaScript injection, which automatically collects payment card information and personal data. The data is sent directly to an attacker-controlled command-and-control system for later use.
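The brute force and credential stuffing entry in the list above leaves a characteristic trace in authentication logs, and the two patterns look different: brute force hammers one account with many passwords, while credential stuffing cycles one source through many accounts with one password each. The following is an added example (not code from the article or from any product) that applies both rules over a sliding time window. The log format, thresholds, window size and sample log lines are constructed assumptions.

```python
"""Added example (not from the article): tell brute force from credential
stuffing in authentication logs. The log format, thresholds and sample lines
are constructed assumptions for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <result> user=<name> ip=<addr>"
SAMPLE_AUTH_LOG = """\
2021-05-04T09:00:01 FAIL user=alice ip=203.0.113.9
2021-05-04T09:00:02 FAIL user=alice ip=203.0.113.9
2021-05-04T09:00:03 FAIL user=alice ip=203.0.113.9
2021-05-04T09:00:04 FAIL user=alice ip=203.0.113.9
2021-05-04T09:00:05 FAIL user=alice ip=203.0.113.9
2021-05-04T09:00:06 FAIL user=alice ip=203.0.113.9
2021-05-04T09:01:00 FAIL user=bob ip=198.51.100.7
2021-05-04T09:01:01 FAIL user=carol ip=198.51.100.7
2021-05-04T09:01:02 FAIL user=dave ip=198.51.100.7
2021-05-04T09:01:03 OK user=erin ip=198.51.100.7
2021-05-04T09:01:04 FAIL user=frank ip=198.51.100.7
2021-05-04T09:05:00 FAIL user=grace ip=192.0.2.44
2021-05-04T09:05:30 OK user=grace ip=192.0.2.44
"""

WINDOW = timedelta(minutes=5)     # assumed window; tune to the real login rate
BRUTE_FORCE_FAILS = 5             # failures against one account from one source
STUFFING_DISTINCT_USERS = 4       # distinct accounts tried from one source


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, ip)."""
    ts, result, user_field, ip_field = line.split()
    return (datetime.fromisoformat(ts), result,
            user_field.split("=", 1)[1], ip_field.split("=", 1)[1])


def detect_automated_logins(log_text):
    """Return {source ip: sorted list of detections}.

    brute_force: >= BRUTE_FORCE_FAILS failures on a single account in WINDOW.
    credential_stuffing: >= STUFFING_DISTINCT_USERS distinct accounts tried from
    one source in WINDOW (successes count too; stuffing often hits a few).
    A user mistyping a password once or twice matches neither rule.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])
    findings = {}
    for i, (ts, _, _, ip) in enumerate(events):
        # Events from this source inside the window ending at event i.
        window = [e for e in events[:i + 1] if e[3] == ip and ts - e[0] <= WINDOW]
        fails_per_user = defaultdict(int)
        users_tried = set()
        for _, result, user, _ in window:
            users_tried.add(user)
            if result == "FAIL":
                fails_per_user[user] += 1
        if any(n >= BRUTE_FORCE_FAILS for n in fails_per_user.values()):
            findings.setdefault(ip, set()).add("brute_force")
        if len(users_tried) >= STUFFING_DISTINCT_USERS:
            findings.setdefault(ip, set()).add("credential_stuffing")
    return {ip: sorted(kinds) for ip, kinds in findings.items()}


if __name__ == "__main__":
    for ip, kinds in detect_automated_logins(SAMPLE_AUTH_LOG).items():
        print(ip, ", ".join(kinds))
```

On the sample, 203.0.113.9 is reported for brute force (six failures on `alice`), 198.51.100.7 for credential stuffing (five different accounts in a minute, one of which succeeded), and 192.0.2.44, a user who mistyped once, is not reported. In production the per-source window would be kept incrementally rather than rescanned from the start of the list.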

But, as threat actors use automation to scale their efforts, network security defense teams are not sitting on their hands. They are using a similar approach and many of the same automated tools as the criminals.

Automated Defense Technologies and Solutions

Automation provides impressive defense capabilities to IT security professionals everywhere. Increasingly powerful cyber-defense measures can help organizations to avoid or reduce the damage of cyberattacks. And automated tools and solutions can make cyber-defense measures more efficient and effective.

Automated Cyber-defense Technologies and Processes


It’s safe to say that high-end hackers have gone corporate. With their own research budgets, 21st-century cyber-thieves constantly improve their products. Malicious software and processes are stealthier, smarter, and more able than ever to cripple IT infrastructures.

Criminals are using cloud services and automated technology to speed up attacks, which decreases the time that enterprises get to identify and respond to a data breach or disruption attack. Security specialists constantly develop innovative ways to win much of that time back. They do it by using automated technologies to defend data and network infrastructures from harm.

Cyberdefense technologies

Here’s the lineup of technologies that play important roles in cybersecurity defense.

Artificial intelligence/deep learning. AI plays an increasing role in cybersecurity. Data analytics tools engage in high-speed, high-volume processes to identify, gather, and analyze data from millions of cyber incidents. Results help to identify potential threats—an employee account acting strangely when someone clicks on a phishing link or a new malware variant, for example. AI now defends network cybersecurity by:

  • Identifying abnormal network behavior patterns
  • Identifying new malware.
  • Responding to and limiting damage of suspected incidents in real time.

Deep learning-based tools detect threats or unwarranted activities by analyzing data such as logs, transaction data, and real-time communications.

Network behavior analysis. This technique, better known from its use in targeting social media content and online advertisements to a carefully defined audience, also has a place in cybersecurity. When combined with machine learning methods, behavioral analytics helps security pros detect harmful patterns of system or network behavior and respond to cyberthreats in real time.

Internet-connected devices (IoT). IoT devices enable organizations to connect devices to networks and transfer data between them without human intervention. They drive automation, productivity, and efficiency, which makes them valuable in cybersecurity efforts.

Embedded authentication hardware. Embedded authenticators are emerging technologies that confirm a user’s identity. First introduced in 2016 as Intel’s sixth-generation vPro chip, this approach to hardware authenticators was claimed to offer better protection from interference and manipulation than their software equivalents.

These powerful user authentication tools are embedded into a device’s hardware. Each device uses several levels and authentication methods that work together. Now, interest and the market value for this technology are growing at a rapid pace.

Automated cybersecurity processes

Automating these IT processes gives organizations remarkable improvements in their cybersecurity defenses.

Detecting malware and disruptive activity. Implementing good data governance through automated techniques limits total risk when an incident happens. However, you should want to detect and try to stop an attack before it advances.

Unfortunately, when security defenders use conventional techniques such as virus scanners, modern malware such as Sodinokibi is hard to detect. One reason for this difficulty is that the malware takes advantage of existing Windows software such as PowerShell and other standard utilities.

Responding to attacks in real time. Machine learning-based defensive software identifies and reacts to suspected problems almost immediately, preventing potential issues from disrupting business without relying on humans to monitor everything at once.

Advanced security software compares data that describes current application behavior against baseline data stored online. (This includes all aspects of a web application’s normal behavior such as directories, URLs, parameters, and acceptable user inputs.) Rules-based analysis determines if app behavior is “safe.” If the situation isn’t safe, the application blocks attacks within seconds.
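The baseline-and-rules approach in the paragraph above is a positive security model: the application's known paths, parameters and acceptable input formats are stored, and any request outside that baseline is blocked rather than passed through. The following is an added example (not code from the article or from any security product) of that check. The baseline contents, the `check_request` function and the sample requests are constructed assumptions.

```python
"""Added example (not from the article): a rules-based check of incoming web
requests against a stored baseline of the application's normal behaviour
(known endpoints, their parameters and acceptable input formats). The
baseline, function name and sample requests are constructed assumptions."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed baseline: per (method, path), the parameters it accepts and a
# regular expression describing each parameter's acceptable form.
BASELINE = {
    ("GET", "/products"): {"category": r"[a-z-]{1,30}", "page": r"\d{1,3}"},
    ("GET", "/products/view"): {"id": r"\d{1,8}"},
    ("POST", "/account/login"): {"username": r"[A-Za-z0-9._@-]{1,64}",
                                 "password": r".{1,128}"},
}
COMPILED = {key: {p: re.compile(rx) for p, rx in params.items()}
            for key, params in BASELINE.items()}


def check_request(method, url, body_params=None):
    """Return (allowed, reason).

    Default deny: an endpoint, parameter name or parameter value that is not in
    the baseline is rejected, so unexpected input never reaches the application.
    """
    parts = urlsplit(url)
    key = (method.upper(), parts.path)
    if key not in COMPILED:
        return False, f"unknown endpoint {method.upper()} {parts.path}"
    allowed = COMPILED[key]
    supplied = dict(parse_qsl(parts.query, keep_blank_values=True))
    if body_params:
        supplied.update(body_params)
    for name, value in supplied.items():
        if name not in allowed:
            return False, f"unexpected parameter {name!r}"
        if not allowed[name].fullmatch(value):  # whole value must match
            return False, f"parameter {name!r} does not match baseline format"
    return True, "ok"


if __name__ == "__main__":
    for req in [("GET", "/products?category=shoes&page=2"),
                ("GET", "/products?category=shoes&debug=1"),
                ("GET", "/products/view?id=abc"),
                ("GET", "/admin/export")]:
        print(req, check_request(*req))
```

The baseline itself would normally be learned from observed traffic during a quiet period and then frozen; the value of the model is that a new parameter or a malformed value is blocked in the request path within the same request, which is what the "within seconds" claim above amounts to in practice.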

Advanced Cyberdefense Capabilities


With their own R&D budgets, 21st-century cyber-thieves are always improving their product, making it faster, stealthier, and smarter about detecting and deleting backups and crippling other defenses.

Finding sensitive data in millions of files, adjusting permissions, and then monitoring for threats in these enormous corporate file systems is beyond the capabilities of IT teams. That is, unless they have significant help from software automation.

Detecting malicious software and disruptive processes

Uncovering new kinds of malware isn’t the only way machine learning can boost cybersecurity. Important capabilities also include:

  • Describing typical network behavior. AI-based network monitoring tools can also track what users do daily: build a picture of typical network behavior, against which they can detect anomalies and react accordingly.
    AI can be highly effective in detailed network monitoring and analytics, establishing a baseline of normal behavior and flagging discrepancies. The difference between machines and humans: efficiency. AI tools can do many more operations in a short time (think milliseconds) with fewer false positives.
  • Learning when alerts are effective. As the data set grows and receives more feedback on its decision-making, it can gain more experience and get better at the task of defending your network.
  • Finding and neutralizing intrusions. Rapid response times provide the best chance of limiting the many types of damage that hackers, break-ins, and stealth exploits can do. Advanced security software gives software users the authority to nullify threats and block intrusions in real time.
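The "describing typical network behavior" item above, like the network behavior analysis paragraph earlier in this guide, comes down to learning a per-host baseline and flagging departures from it. The following is an added example (not code from the article or from any monitoring product) of the simplest form of that: a z-score against each host's own history, reported in both directions, because a host that suddenly goes quiet is as interesting as one that suddenly gets loud. The metric (outbound connections per hour), the host names, the thresholds and the sample data are constructed assumptions.

```python
"""Added example (not from the article): build a per-host baseline of normal
network behaviour from historical counts and flag hosts whose current activity
deviates from it. The metric, host names, thresholds and sample data are
constructed assumptions."""
import statistics

# Constructed sample: outbound connections per hour seen for each host at the
# same hour on seven previous days, and the value observed in the hour under review.
HISTORY = {
    "ws-finance-01": [40, 38, 45, 42, 39, 41, 44],
    "ws-sales-07":   [120, 130, 110, 125, 118, 122, 128],
    "file-srv-02":   [300, 310, 295, 305, 298, 302, 301],
}
CURRENT_HOUR = {
    "ws-finance-01": 43,    # ordinary hour
    "ws-sales-07":   900,   # sudden surge, worth a look
    "file-srv-02":   30,    # sudden collapse, also worth a look
}


def build_baseline(history):
    """Per-host mean and population standard deviation of the historical metric."""
    return {host: (statistics.fmean(values), statistics.pstdev(values))
            for host, values in history.items()}


def score_host(value, mean, stdev, floor=1.0):
    """z-score of the current value against the host's baseline. A floor on the
    standard deviation stops a very stable host from alerting on tiny changes."""
    return (value - mean) / max(stdev, floor)


def find_anomalies(history, current, threshold=3.0):
    """Return {host: z} for hosts more than `threshold` standard deviations from
    their own baseline in either direction; hosts with no history are reported
    as 'unknown' so that a brand-new talker is never silently ignored."""
    baseline = build_baseline(history)
    anomalies = {}
    for host, value in current.items():
        if host not in baseline:
            anomalies[host] = "unknown"
            continue
        mean, stdev = baseline[host]
        z = score_host(value, mean, stdev)
        if abs(z) > threshold:
            anomalies[host] = round(z, 1)
    return anomalies


if __name__ == "__main__":
    for host, z in find_anomalies(HISTORY, CURRENT_HOUR).items():
        print(f"{host}: {z}")
```

Real deployments replace the single metric with several (bytes out, distinct destinations, DNS query volume) and the fixed history with a rolling one, but the shape of the check, a learned baseline per entity plus a deviation rule, is what the machine learning tools described above automate at scale.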

Role of automated tools and processes

One important first step is to have automated data governance practices: software for efficiently scanning file systems, determining employee access patterns, and then setting permissions that limit access to those who really need it.

In addition, cyber defense software should be able to classify corporate data to find sensitive information — credit card numbers, passwords, and other account data — and lock these files down with special permissions.
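The two data governance steps above, classifying files to find sensitive data and then locking those files down, can be shown in one small tool. The following is an added example (not code from the article or from any data governance product) that walks a directory tree, flags files containing payment card numbers (a Luhn check filters out ordinary digit runs such as order numbers), and restricts the flagged files to owner-only permissions. The directory layout, sample file contents, permission policy and function names are constructed assumptions.

```python
"""Added example (not from the article): scan a directory tree for files that
contain payment card numbers (validated with the Luhn check) and tighten their
permissions to owner-only. Paths, sample contents, the permission policy and
the function names are constructed assumptions."""
import os
import re
import stat
import tempfile
from pathlib import Path

# A run of 13 to 19 digits, optionally separated by spaces or hyphens, that is
# not part of a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit runs of card length that also pass the Luhn check."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify_tree(root):
    """Return {path: number of card numbers} for every file containing any."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = find_card_numbers(text)
        if hits:
            results[str(path)] = len(hits)
    return results


def lock_down(paths):
    """Restrict flagged files to owner read/write; return the resulting modes."""
    modes = {}
    for p in paths:
        os.chmod(p, stat.S_IRUSR | stat.S_IWUSR)
        modes[p] = stat.S_IMODE(os.stat(p).st_mode)
    return modes


def demo():
    """Build a constructed tree, classify it and lock down the flagged files."""
    root = tempfile.mkdtemp()
    # Contains a 13-digit order number that fails Luhn, so it is not flagged.
    (Path(root) / "notes.txt").write_text("meeting at 10, order #1234567890123 shipped\n")
    (Path(root) / "exports").mkdir()
    # Two well-known test card numbers (constructed sample data).
    (Path(root) / "exports" / "orders.csv").write_text(
        "alice,4111 1111 1111 1111\nbob,5500-0000-0000-0004\n")
    flagged = classify_tree(root)
    modes = lock_down(flagged)
    return flagged, modes


if __name__ == "__main__":
    print(demo())
```

On the constructed tree only `exports/orders.csv` is flagged and ends up with mode 0600; the order number in `notes.txt` has card-like length but fails the checksum. A production scanner would add further classifiers (passwords, account identifiers) and would usually record the finding and route it for review rather than changing permissions unattended.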

Resource Requirements

The benefits of using an infrastructure as a service (IaaS) provider are obvious. There’s no need to spend money to buy and maintain expensive servers and computing power to manage your data and IT operations. And you get a general sense that your data is safe. After all, it’s in the cloud, right?

Well, maybe. Business owners: take a long look at the fine print in your service contract. Your data might not be as thoroughly protected as you think.

When you post your data in the cloud, the IaaS (cloud hosting) provider is responsible for the protection of the basic IT infrastructure that contains your data and apps. You, the business owner, are responsible for protecting your own data. Look at this graphic. (Source: Amazon Web Services)

[image]

This model clearly portrays how responsibilities are divided between customers and cloud service providers. The IaaS provider can support you by giving you secure infrastructure, bandwidth access, and disaster recovery, but it is up to you to be aware of the limitations of cloud computing and how you protect your information.

Engaging a Third-Party Managed Security Services Provider


Security technical reports and white papers share a gloomy outlook for SMB owners. Small to mid-sized businesses continue to face a threat from cybercrime. And your chances of flying under the radar of cybercrooks are not good.

The recent demand for reliable security services has created one more as-a-service: the MSSP. Managed security services providers sell specialized cloud-based services to organizations of all sizes. MSSPs support some or all aspects of their clients’ security functions, which typically include some level of:

  • Continuous security monitoring.
  • Vulnerability risk assessment.
  • Threat intelligence monitoring.
  • Intrusion response and management.

Before you groan, “But I can’t afford that!” consider this: In terms of time, money, and on-premises talent, can you afford to:

  • Assemble the tools and talent to monitor your network security on a 24 x 7 basis? Cyber crooks (or rather, their automated bots) don’t sleep.
  • Hire the talent that performs preliminary risk assessments, tests the security capabilities of your software and hardware assets, and finds vulnerabilities in your network assets?
  • Do all the security-related administrative tasks you hate (patching!), thoroughly and consistently?
  • Assemble the latest tools and software to minimize the damage of a breach or ransomware?

If you answer “no” to any of these questions, we understand. But ultimately, it all comes down to judging the costs of ongoing security support services versus the expected value of Something Going Terribly Wrong at your business.

Written by: Patricia Ruffio


Ms. Ruffio’s career spans more than 45 years’ experience writing about technology and science for business, technical, and government audiences in the United States and overseas. Her work includes:

  • Technical writing and editing for companies in the petroleum, biotech, and information technology sectors.
  • B2B technical content and copy writing for companies in the information technology, healthcare, and education sectors.

Her qualifications include:

  • Bachelor of Science in Biology (Portland State University)
  • Master of Marine Studies (University of Washington)

Ms. Ruffio has worked with companies of all sizes and stages of business maturity. She has also worked with enterprise companies such as Microsoft Corporation, Intel, Hewlett-Packard, Compaq, Cognizant Technologies, Amoco Oil Company, Shell Pipeline, and Tata Consulting Services.

Her notable projects include:

  • For National Oceanic and Atmospheric Administration (NOAA): Wrote field reports for the Outer Continental Shelf Environmental Assessment Program, a first-of-its-kind regional baseline survey of Alaskan waters.
  • For syndicate led by Hudson Engineering: helped edit Sakhalin Island Environmental Impact Statement (part of drilling proposal); submitted to the Republic of Russia.
  • For syndicate led by Amoco Production Company, edited Eighth Licensing Round North Sea drilling proposal; submitted to the Republic of The Netherlands.
  • For Amoco Production Company: Senior editor on two-year rewrite of APC purchasing specs.
