The cybersecurity world is beginning to find practical ways to use machine learning (ML) for good and for bad: for offense and for defense, on both sides of the red/blue and safe/block cybersecurity divides. The first thing most of us think of when ML comes up in cybersecurity is blue teams using ML to detect malicious entities such as files, domain names or packets. But there are many other possibilities we are beginning to see.
With ML, all of these can become features. A data model is then built by analysing multiple samples of both real and sandbox systems. In fact, we’ll explore one red teamer’s proof of concept for just such an attack. It’s easy to follow because it uses just a handful of features based on the list of active processes.