Artificial Intelligence: A Powerful Tool Against Cybercriminals


Artificial intelligence (AI) has emerged as a potent weapon in the fight against cybercriminals. Its effectiveness lies in its ability to create patterns of standard user activity and detect anomalies. Consequently, it can identify situations where attackers exploit stolen authentication data.

Every user of corporate systems and devices has a unique digital profile, based on factors such as how, where, and when they work. Activities that deviate from this pattern can be detected by AI, which then generates an alert.

“In the first half of 2023, AI-based pattern analysis helped our tool, Barracuda Managed XDR, detect and neutralize thousands of high-risk security incidents. The most frequently observed threats requiring immediate action were logins from suspicious locations, non-standard user behaviors, and communication with known malicious entities,” says Michał Zalewski, an engineer at Barracuda Networks, a producer of IT security solutions.

So, what characterizes these threats?

  • Logins from a Suspicious Location: This occurs when a user attempts to log into a resource within a short time frame from two physically distant locations, so far apart that the distance would be impossible to traverse between the two logins. This might also indicate the use of a VPN for one of the sessions. Often, however, it signals that attackers have gained access to the user’s account. “In one incident investigated by our SOC team, a user logged into their Microsoft 365 account from California and then, just thirteen minutes later, from Virginia,” explains Michał Zalewski. “To travel that distance in such a short time, one would need to move at speeds exceeding 16,000 kilometers per hour. Moreover, the IP address used to log in from Virginia wasn’t linked to any known VPN, and the user typically did not log in from that location. Our team informed the client about the situation. The client confirmed it was an unauthorized login and immediately reset their passwords and logged out the unauthorized user from all active sessions.”
  • Unusual Activity: AI can also detect atypical or unexpected activity on a user’s account. This includes logins at unconventional hours, unusual file access patterns, or creating multiple accounts for a single user or organization. Such actions can signal various issues, including malware infections, phishing attacks, and threats from internal employees.
  • Communication with Known Malicious Entities: AI identifies this threat when users communicate with suspicious or malicious IP addresses or domains, or when they download/upload files with a suspicious signature. Such activities might indicate a device has been infected with malware or is under a phishing attack. In such cases, the affected computer should be immediately isolated at multiple levels.
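
The "logins from a suspicious location" check described above can be sketched as a speed test between consecutive logins. This is an added example, not Barracuda's code: the event fields, the `login` helper, the thresholds, the coordinates and the IP addresses (documentation ranges) are all assumptions constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events, max_kmh=1000.0, min_km=100.0, known_vpn_ips=frozenset()):
    """Return (user, prev, event, km, kmh) for consecutive logins of one user
    whose implied speed exceeds max_kmh. Both thresholds are assumed values."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["ip"] in known_vpn_ips:
            continue  # known VPN egress: its location says nothing about the user
        prev, last[ev["user"]] = last.get(ev["user"]), ev
        if prev is None:
            continue  # first login seen for this user, nothing to compare
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        if km < min_km:
            continue  # ignore geo-IP jitter inside one metro area
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        kmh = km / hours if hours > 0 else float("inf")  # simultaneous logins
        if kmh > max_kmh:
            alerts.append((ev["user"], prev, ev, km, kmh))
    return alerts

def login(user, hour, minute, lat, lon, ip):
    """Hypothetical helper that builds one geolocated login event."""
    return {"user": user, "time": datetime(2023, 6, 1, hour, minute),
            "lat": lat, "lon": lon, "ip": ip}

# Constructed sample data; alice mirrors the California -> Virginia case.
SAMPLE = [
    login("alice", 9, 0, 34.05, -118.24, "192.0.2.10"),    # Los Angeles
    login("alice", 9, 13, 39.04, -77.49, "198.51.100.7"),  # Virginia, 13 min later
    login("bob", 9, 0, 34.05, -118.24, "192.0.2.11"),      # Los Angeles
    login("bob", 9, 5, 50.11, 8.68, "203.0.113.50"),       # Frankfurt via VPN
    login("carol", 9, 0, 34.05, -118.24, "192.0.2.12"),    # Los Angeles
    login("carol", 12, 0, 32.72, -117.16, "192.0.2.13"),   # San Diego, 3 h later
]

if __name__ == "__main__":
    for user, prev, ev, km, kmh in impossible_travel(SAMPLE, known_vpn_ips={"203.0.113.50"}):
        print(f"{user}: {km:.0f} km in {ev['time'] - prev['time']} = {kmh:.0f} km/h")
```

An alert here is only a lead: as in the incident above, it still needs a check against the user's usual locations and confirmation from the account owner.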

“It’s crucial to remember that AI can also be used by cybercriminals, for instance, to craft convincing email messages or to tailor malicious code for specific targets. To protect your organization and employees against increasingly sophisticated cyberattacks, multi-layered defenses should be implemented. These include strong authentication mechanisms, regular employee training, and software updates. It’s also wise to ensure continuous monitoring of the entire network, applications, and endpoints,” concludes Michał Zalewski of Barracuda Networks.