How Machine Learning Stopped a Brute Force Attack


In this special guest feature, Sekhar Sarukkai, Chief Scientist at Skyhigh Networks, discusses the power of machine learning and user behavior analytics in detecting and mitigating the effects of cyberattacks before financial loss occurs.  Sekhar is responsible for driving innovations in cloud security technology. He brings more than 20 years of experience in enterprise networking, security, and cloud services development. Prior to founding Skyhigh Networks, Sekhar was a Sr. Director of Engineering at Cisco Systems responsible for delivering Cisco’s market leading network access control products, including Cisco’s Identity Services Engine. He started his career at NASA Ames Research Center after obtaining his MS/PhD in Computer Science from Indiana University. In addition, he has worked as a graduate intern at IBM Watson Research Center.

For years, security technologies and hackers have been locked in an arms race, each trying to outsmart the other. As both security solutions and cyberattack strategies become increasingly sophisticated, more advanced technologies need to be used. Recently, this cybersecurity arms race was put to the test as hackers employed a novel “slow and low” strategy to try to break into high-value Office 365 accounts at 48 companies. This technique would likely have gone undetected if not for machine learning algorithms and user behavior analytics (UBA).

Slow and low strategy

Traditionally, cyberattackers would cast a very wide net, targeting as many users as possible, with hopes of breaking into a small fraction of the user accounts. Most cloud service providers have since developed defenses that can detect this type of attack. This time around, the hackers used several key tactics to avoid existing modes of detection.

First, they staggered their login attempts over the course of 6 months. Over such a long period of time, it would be difficult to manually link the hackers’ anomalous logins together, especially since the attempts were distributed across different companies. Second, they closed in on just a few important accounts, because high-value users had the greatest chance of holding access to sensitive information, while also limiting the chance of detection. Lastly, the attacks originated from 67 different IP addresses and 12 different networks, making it difficult to detect a pattern.

How was the attack detected?

The hackers’ plan was evidently well thought-out and organized, so how was the attack discovered in the first place? The answer lies in the threat protection capabilities of a Cloud Access Security Broker (CASB), powered by a pairing of machine learning and user behavior analytics (UBA).

In this case, user activity in the cloud services was observed for a period of time to create a baseline of what would be considered normal behavior. Once the baseline was established, any activity outside the pattern seen during the initial observation period triggered an anomaly alert. As alerts were resolved and a human provided feedback, the algorithm adapted to the slightly altered baseline behavior. In this way, patterns of behavior that deviate, even in subtle ways, could be detected.

While a cyber attacker might be able to steal a user’s login credentials, he cannot mimic the user’s behavioral patterns. It turns out that the way people navigate and use applications is distinctive, a kind of digital body language.

Observing the 48 companies’ employee interactions with cloud applications in isolation would likely have caused this brute-force attack to go undetected. But once that data was combined across companies, over time, a pattern of anomalous events emerged. Upon further investigation, it became clear that the failed login attempts were all linked together.
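As an added illustration (not code from the article or from Skyhigh Networks), the following Python sketch shows why pooling failed-login data across companies matters: a per-tenant daily-threshold rule never fires on a constructed slow-and-low sample, while grouping the same events by source network across all tenants and the full six-month window does. All tenant names, accounts, IP addresses and timestamps are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article): four tenants, one high-value
# account each, four source IPs spread over two /24 networks, one failed login
# per tenant per week for ~6 months, plus a burst of legitimate typos at one tenant.
TENANTS = {"acme": "cfo@acme.example", "globex": "ceo@globex.example",
           "initech": "cto@initech.example", "umbrella": "cfo@umbrella.example"}
SOURCE_IPS = ["203.0.113.5", "203.0.113.77", "198.51.100.12", "198.51.100.40"]
BASE = datetime(2017, 1, 1)

def build_events():
    """Return (tenant, account, source_ip, timestamp) tuples for failed logins."""
    events = []
    for week in range(26):
        for t_idx, (tenant, account) in enumerate(TENANTS.items()):
            ip = SOURCE_IPS[(week + t_idx) % len(SOURCE_IPS)]  # rotate IPs across tenants
            events.append((tenant, account, ip, BASE + timedelta(days=7 * week, hours=t_idx * 6)))
    for k in range(3):  # benign noise: one user mistypes a password three times in a row
        events.append(("acme", "alice@acme.example", "192.0.2.10", BASE + timedelta(days=40, minutes=k)))
    return events

def per_tenant_alerts(events, threshold=5):
    """Classic rule each tenant runs alone: alert when one IP fails >= threshold times in a day."""
    counts = Counter((tenant, ip, ts.date()) for tenant, _, ip, ts in events)
    return [key for key, n in counts.items() if n >= threshold]

def cross_tenant_campaign(events, min_tenants=3, min_span_days=30):
    """Pool failures from every tenant and group by source /24 network. A network that
    touches several tenants over a long window, a few accounts each, is flagged as a campaign."""
    by_net = defaultdict(list)
    for tenant, account, ip, ts in events:
        by_net[ip.rsplit(".", 1)[0] + ".0/24"].append((tenant, account, ts.date()))
    flagged = {}
    for net, rows in by_net.items():
        tenants = {t for t, _, _ in rows}
        days = [d for _, _, d in rows]
        span = (max(days) - min(days)).days
        if len(tenants) >= min_tenants and span >= min_span_days:
            flagged[net] = {"tenants": len(tenants), "accounts": len({a for _, a, _ in rows}),
                            "failures": len(rows), "span_days": span}
    return flagged

if __name__ == "__main__":
    ev = build_events()
    print("per-tenant alerts:", per_tenant_alerts(ev))  # empty: no single tenant sees a burst
    for net, info in cross_tenant_campaign(ev).items():
        print(net, info)
```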

Using machine learning and UEBA, the threat protection engine ultimately discovered 100,000 failed logins spanning several months. Luckily, all of the targeted companies were notified and the attack was prevented.

Other Applications of Machine Learning

Machine learning has been widely covered over the past few years precisely because it has made life much easier in the age of big data. The following examples are just a few of many machine learning applications, as more varieties are developed every year.

Credit Card Security: Another use case where machine learning is combined with UBA is credit card security. Credit card companies use machine learning to detect fraud. This form of fraud detection works by comparing a user’s past behavior to his or her new transactions. When a transaction, even one for only a few dollars, is unusual based on the user’s past actions, it is flagged and reported. A similar mechanism is used by PayPal to detect whether a transaction between a buyer and a seller is legitimate or fraudulent.

Financial Trading: Machine learning might have more applications in the stock market than anywhere else, based on the abundance of historical information and the volume of trades involved. At the moment, financial trading machine learning is limited to portfolio management, algorithmic trading, and fraud detection, although as the technology becomes more sophisticated it could easily be applied to almost every facet of the industry.

Natural Language Processing: Another interesting application of machine learning is natural language processing (NLP). Although machine learning has been applied to NLP since the 1980s, only over the past few years has the technology become more widely implemented. This ranges from customer service agents to commercially available apps, such as Siri. With machine learning, the algorithm can learn from its mistakes and scour billions of data points to come up with the ideal response to a query or statement.

Clearly, machine learning is still in its infancy. We have seen a lot of potential with machine learning, with its applications in artificial intelligence showing the greatest promise.
