Can generative AI help break attack chains?

Every year, cybercriminals come up with new schemes to deceive their victims and bypass their defenses. Companies are introducing new security measures to protect themselves, and cybercriminals are adapting ever more rapidly.

Over the past two or three years, attackers have added complex techniques to their arsenal, such as telephone attacks and multi-factor authentication (MFA) bypassing. Unbeknown to most users, these techniques have given cybercriminals an unprecedented advantage. According to the 2023 State of the Phish study published by Proofpoint, between 300,000 and 400,000 attempted phone attacks took place every day in 2022, peaking at 600,000 per day in August 2022.

Hackers’ progress is reflected in the growing number of attacks targeting companies’ supply chains. « The trend is gathering steam, for reasons of resources, knowledge and budget. Cybercriminals are more likely to succeed if they attack one of a major group’s suppliers, who is likely to be weaker in these respects than the group itself. Furthermore, the bond of trust established between a supplier and its customer’s financial department facilitates matters by lowering the level of vigilance, » says Xavier Daspre, Proofpoint’s Technical Director.

Business Email Compromise (BEC), a key technique for hackers

Attacks via the supply chain mainly involve Business Email Compromise (BEC). Attackers are motivated primarily by the damage they can cause to IT systems (destruction and demand for ransom), the modification of financial information (IBAN, bank details) to divert transfers, data theft and, last but not least, phishing, the aim of which is to fraudulently collect credentials (access to CRM software, Office 365, etc.) to advance the attack.

Of course, more rarely a company’s supply chain can be compromised by malicious software, as was the case with SolarWinds. « By compromising the source code, the attack can be distributed by the publisher itself. Thankfully, following the SolarWinds incident, companies who distribute their code have significantly increased their level of protection, » notes Xavier Daspre.

To stay ahead of the game, companies are stepping up controls and procedures with their suppliers. For maximum protection, however, they must also have signals in place so they can check that these procedures are being followed and to alert them if one of their suppliers has been compromised.

« So-called ‘pre-release’ protection is essential because, according to Proofpoint’s telemetry data on over 230,000 organizations worldwide, post-release detections often arrive far too late. Nearly one in seven clicks on a malicious URL occur within one minute of a phishing email being received, and more than a third respond to an email from a Business Email Compromise (BEC) within five minutes. These very short time frames, during which a user can fall prey to an attack, highlight the importance of blocking malicious attempts before they reach a user’s inbox, » says Xavier Daspre.

Artificial intelligence to back up businesses

The research is clear: human error is one of the main factors contributing to the success of cyberattacks. According to Proofpoint’s 2023 Voice of the Ciso report, almost two-thirds (60%) of CISOs consider this type of mistake to be their company’s biggest cybersecurity vulnerability. This figure is in line with observations made in 2021 and 2022, when respectively 58% and 56% of CISOs agreed with this statement.

« As long as these vulnerabilities persist, CISOs will struggle to protect their data and systems. Although human error is inevitable, putting in place safeguards alongside robust rules and procedures can go a long way to reducing these risks and strengthening your human scope, » says Paige H. Adams, Global Chief Information Security Officer at Zurich Insurance, interviewed by Proofpoint.

To reinforce existing cybersecurity systems, artificial intelligence is now a must. But to achieve effective detection rates, AI and machine learning require robust detection models and data sets that are as faithful to reality as possible. « Proofpoint’s customers benefit from one of the world’s largest and most diverse cybersecurity data pipelines for email, cloud and mobile computing. Every year, we analyze an unprecedented amount of data resulting from over 2.8 trillion email messages, 17 trillion URLs, 1.3 trillion SMS and MMS messages, and 46 million DLP (Data Loss Prevention) end-users, » Proofpoint says in a press release.

AI is also used to help cybersecurity analysts. With Proofpoint Security Assistant, Proofpoint offers a new generative AI user interface that lets analysts ask questions using natural language. Available in Q4 2023 as a technical demo on the Sigma Information Protection platform, the interface allows DLP SOC analysts to submit questions such as « show me John Doe exfiltration attempts and recommend DLP controls we should add« .

Over time, Proofpoint’s AI-based generative interface will be extended to the Aegis and Identity Threat Defense platforms. Security professionals will then have access to more in-depth information on threats, thanks to questions such as: « Show me the most frequently attacked people who have the most attack paths that could lead to data theft in the event of a ransomware attack. » Proofpoint’s AI and ML technologies draw on telemetry from its customer portfolio of over 230,000 enterprises and SMEs worldwide, as well as 150 ISPs and mobile network providers.