Recently, Microsoft published a fascinating blog post in which they said they are experimenting with “novel approaches” to harnessing the power of AI to spot threats before they become a problem.
In particular, the company is focused on stopping ransomware attacks while they’re still in their earliest stages.
To get even more fine-grained than that, they are specifically targeting human-operated ransomware campaigns. They note that human-operated ransomware campaigns share certain indicators, and these commonalities can be used to stop future attacks.
The example that Microsoft gives in their blog post is that of a hacker who has stolen the network credentials of a company. They will first log in to test those credentials, and once inside, will almost certainly move about inside the network in ways that the proper owner of those credentials would not.
This creates specific data points that the AI can be on the alert for.
Broadly speaking, these fall into three categories: time-based, graph-based, and device-based.
An example of a time-based data point would be if the hacker logged in to test the credentials at 3:00 in the morning and the owner of those credentials historically logs in at 8 a.m.
Graph-based patterns are the graphical representation of physical moves across a network space, plotted against expected moves.
And device-based data points are exactly what they sound like. The AI would expect that the owner of the stolen credentials would log in from his or her workstation and not a laptop hidden behind layers of proxies, which is suspicious in and of itself.
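The three signal categories above, sketched as a simple rule-based check. This is an added example, not Microsoft's model or code; the account baseline, host names and the two-hour tolerance are constructed assumptions.

```python
from collections import Counter

# Constructed baseline for one account (all names and values are hypothetical).
BASELINE = {
    "login_hours": [8, 8, 9, 8, 7, 8, 9, 8],   # historical login hours (0-23)
    "devices": {"WKSTN-042"},                   # devices the owner normally uses
    "edges": {("WKSTN-042", "FILESRV-1"),       # expected host-to-host moves
              ("WKSTN-042", "MAIL-1")},
}

def hour_distance(a, b):
    """Circular distance between two hours, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def time_signal(baseline, hour, tolerance=2):
    """Time-based: login far from the account's most common login hour."""
    usual = Counter(baseline["login_hours"]).most_common(1)[0][0]
    return hour_distance(hour, usual) > tolerance

def device_signal(baseline, device):
    """Device-based: login from a device the owner has not used before."""
    return device not in baseline["devices"]

def graph_signal(baseline, moves):
    """Graph-based: observed moves that are absent from the expected edges."""
    return [m for m in moves if m not in baseline["edges"]]

def assess(baseline, session):
    """Return the names of the categories that fired for one session."""
    findings = []
    if time_signal(baseline, session["hour"]):
        findings.append("time")
    if device_signal(baseline, session["device"]):
        findings.append("device")
    if graph_signal(baseline, session["moves"]):
        findings.append("graph")
    return findings

# Constructed sessions: the owner's normal morning, and the 3 a.m. credential test.
NORMAL = {"hour": 8, "device": "WKSTN-042",
          "moves": [("WKSTN-042", "FILESRV-1")]}
SUSPECT = {"hour": 3, "device": "LAPTOP-UNKNOWN",
           "moves": [("LAPTOP-UNKNOWN", "DC-1"), ("DC-1", "BACKUP-1")]}

if __name__ == "__main__":
    print("normal :", assess(BASELINE, NORMAL))
    print("suspect:", assess(BASELINE, SUSPECT))
```

A single fired category is weak evidence on its own; the value of combining them is that a session tripping all three is far less likely to be the legitimate owner.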
It’s a great idea, though Microsoft is quick to point out that it is still very much in its infancy. Even so, it’s easy to see how this could become an indispensable tool.