Under the Hood: What Artificial Intelligence on the Endpoint Looks Like

A recent Cybereason research report, Organizations at Risk: Ransomware Attackers Don’t Take Holidays, documents how often ransomware attacks are launched during off-hours. That makes robust AI security solutions imperative, so that your organization stays protected even when none of your staff is online.

Effective defense against ransomware is much more than a technology problem. At its highest level, the fight against ransomware is a race against time. From the moment attackers enter your environment, they stay as long as they need to, engaging in subtle yet detectable activity long before encrypting any of your data.

The reason is that ransomware is financially motivated: attackers want to exfiltrate enough sensitive information and compromise as many systems as they can in order to demand the highest possible ransom. That goal makes their operations methodical and deliberate.

Predictive Ransomware Protection, a revolutionary AI-based endpoint protection solution, detects attacks at the earliest stages in real-time by bringing artificial intelligence to each and every endpoint.

In order for your organization to defend effectively against complex ransomware attacks, or RansomOps, sophisticated and artificially intelligent endpoints are required. An effective solution combines AI-Powered NGAV Engines with File Manipulation Detection.

AI-Powered NGAV Engines

It’s no secret that legacy AV no longer holds up. Ransomware attackers themselves use artificial intelligence and highly sophisticated tools to automate parts of their attacks, and new ransomware strains or re-packed binaries are continually produced that render signature-based antivirus useless.

Next-generation antivirus goes beyond simply monitoring for already known Indicators of Compromise (IOCs) by detecting attacks based on Indicators of Behavior (IOBs), the more subtle chains of potentially malicious behavior.

This is critical because today’s complex RansomOps, as noted above, are multifaceted operations that unfold in distinct phases, and only an AI-powered behavioral analytics solution such as NGAV can detect and prevent them early in the attack chain.

NGAV includes several layers of protection to address each of the following types of threats:

    • Known and Unknown Malware
    • Polymorphic and Re-Packed Malware
    • Ransomware
    • Fileless Malware, Living-off-the-Land and In-Memory Attacks
    • Zero-Days and Exploit Kits
    • Other advanced techniques

All ransomware strains are forms of malware (though not all malware is ransomware). Highly effective malware prevention, such as that provided by AI-Powered NGAV Engines, has proven to be a formidable preventative control against both commoditized and never-before-seen ransomware strains.

File Manipulation Detection

In some novel cases, attackers will be able to bypass the multi-layered defenses of advanced NGAV. When an attacker gets far enough into a campaign to begin encrypting, it is important that a solution provides a fail-safe to prevent widespread encryption and thus eliminate the attacker’s ability to demand a ransom.

File Manipulation Detection provides a means to predict and respond to an attack before it propagates far enough to disrupt business operations. This technique analyzes files at the kernel layer, below the operating system, so that it can detect the start of a file’s encryption at the most fundamental level.

With this deep visibility, extending to the binary level for each file, machine learning algorithms apply a combination of novel techniques, including Natural Language Detection, Binary Similarity Analysis, extension-alteration identification and other advanced approaches to detecting encryption.

By evaluating the structure of a document’s contents, Natural Language Detection identifies when the written sentences in a file are turning into unreadable noise, the earliest sign of encryption.

Binary Similarity Analysis uses a technique known as fuzzy matching: it measures how much a file’s contents have changed between writes, so that alterations too large or too uniform to be ordinary edits can be flagged as malicious. Monitoring files at the binary level lets this analysis detect when a file’s contents are being randomized, a strong indicator of encryption in progress.
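To make the two checks above concrete, here is an added example, written for this page and not Cybereason’s implementation, that approximates them over a before/after pair of file contents. Natural Language Detection is stood in for by a printable-text ratio together with the Shannon entropy of the bytes, and Binary Similarity Analysis by a simple fuzzy match (cosine similarity of the two files’ byte-frequency histograms). The sample document, the pseudo-random keystream used to simulate an encrypting write, and all thresholds are constructed for illustration; a real kernel-level detector would see the writes as they happen rather than compare two snapshots.

```python
import math
import string
from collections import Counter

# Constructed sample document (not a real file); repeated so the statistics are stable.
PLAINTEXT = (
    b"Quarterly revenue grew by eight percent compared to the previous year. "
    b"The board approved the budget for the next fiscal cycle and scheduled a review.\n"
) * 8


def _keystream(seed: int, n: int) -> bytes:
    """Reproducible LCG-based byte stream; a constructed stand-in for a cipher, not real crypto."""
    out = bytearray()
    x = seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def simulate_encryption(data: bytes, seed: int = 42) -> bytes:
    """XOR the document with the keystream to mimic what an encrypting write leaves behind."""
    return bytes(a ^ b for a, b in zip(data, _keystream(seed, len(data))))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 to 4.5 for English prose, approaching 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def natural_language_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; prose scores near 1.0, ciphertext near 0.4."""
    if not data:
        return 0.0
    printable = set(string.printable.encode())
    return sum(1 for b in data if b in printable) / len(data)


def byte_histogram_similarity(a: bytes, b: bytes) -> float:
    """Fuzzy similarity in [0, 1]: cosine similarity of byte-frequency histograms.
    Ordinary edits keep the histogram shape; encryption flattens it."""
    ha, hb = Counter(a), Counter(b)
    dot = sum(ha[k] * hb[k] for k in set(ha) | set(hb))
    na = math.sqrt(sum(v * v for v in ha.values()))
    nb = math.sqrt(sum(v * v for v in hb.values()))
    if na == 0 or nb == 0:
        return 0.0
    return dot / (na * nb)


def assess_write(before: bytes, after: bytes, entropy_jump: float = 2.0,
                 min_text_ratio: float = 0.8, min_similarity: float = 0.5) -> dict:
    """Combine the indicators; two or more firing marks the write as suspicious.
    Thresholds are constructed for this example and would be tuned per file type in practice."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    similarity = byte_histogram_similarity(before, after)
    indicators = []
    if e_after - e_before >= entropy_jump:
        indicators.append("entropy_jump")
    # Only apply the natural-language test when the original looked like text;
    # an already-compressed or encrypted file scores low on this by design.
    if (natural_language_score(before) >= min_text_ratio
            and natural_language_score(after) < min_text_ratio):
        indicators.append("text_became_unreadable")
    if similarity < min_similarity:
        indicators.append("low_binary_similarity")
    return {
        "entropy_before": round(e_before, 2),
        "entropy_after": round(e_after, 2),
        "similarity": round(similarity, 3),
        "indicators": indicators,
        "suspicious": len(indicators) >= 2,
    }


if __name__ == "__main__":
    benign_edit = PLAINTEXT + b"Additional note appended by the author.\n"
    print("benign edit:", assess_write(PLAINTEXT, benign_edit))
    print("encrypting write:", assess_write(PLAINTEXT, simulate_encryption(PLAINTEXT)))
```

Requiring two independent indicators keeps a single noisy signal (a large but legitimate rewrite, or a binary file that was never readable text) from firing on its own, which is the kind of false positive a fail-safe that blocks writes cannot afford.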

Modern cybersecurity solutions such as Predictive Ransomware Protection gain a significant advantage over other endpoint protection approaches by employing Global File Manipulation Detection to protect both local and network files. Solutions that cannot deliver artificial intelligence at the endpoint leave an organization exposed to mass encryption. With kernel-level visibility, a full-scale ransomware attack can be predicted and prevented, and business operations can continue without interruption.

The Cybereason Predictive Ransomware Protection solution is unmatched in the industry, and is why Cybereason remains undefeated in the fight against ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can stay undefeated.

About the Author

Karishma Asthana

Karishma is a Product Marketing Manager at Cybereason. She was previously with Accenture Security where she worked as a penetration tester and was responsible for helping clients understand and manage their security vulnerabilities. Karishma is passionate about exploring large shifts in the cybersecurity industry from a technical and strategic point of view.
