
Since the SolarWinds hack and the Hafnium attack both involved some degree of unauthorized code modification (the Orion DLL, creation of a web shell), is it possible to use Artificial Intelligence (AI) built into the very application (SolarWinds, Exchange Server) itself to detect and report any unauthorized code modification and any unnatural modification of its immediate environment (e.g., processes supporting the application, or detection of files such as exfiltrated files that should not be there, in the application binaries folders)?

It is my firm belief that building AI into these applications is the only way forward to reduce/stop zero-day exploits.

schroeder
Nathan Aw
    What stops an attacker from modifying the code to skip the call to AI/ignore AI triggers? – Limit Mar 10 '21 at 02:27
  • @Limit Depends on how it's implemented. – forest Mar 10 '21 at 02:54
  • 3
    AI is not a clearly defined existing thing. You could also say "Magic wand" which has about the same amount of detail as "AI". And yes, something magic might solve all our problems, only it does not exist. Also, you seem to focus too much on 0day. Most IT security problems out there are not caused by 0day in the first place. – Steffen Ullrich Mar 10 '21 at 04:54
  • 4
    Nathan, you have suggested a number of different things in different questions as "the only way to stop zero days" and at some point, something should dawn on you: alone, no one thing will, but defence is made up of layers and each layer plays a *part* in the overall defence. – schroeder Mar 10 '21 at 07:57
  • These companies that were affected had layered defenses too. I think everyone is just very uncomfortable with the fact that we are completely helpless in the face of the onslaught of zero-day exploits by these highly-skilled, highly-sophisticated state actors (a great way to absolve security professionals - just use the state actor reason) and that we are completely beholden to software companies for a zero-day fix. My point is this: there has got to be a better way to address zero-days at a more fundamental level -- not just the usual layered defenses, not just motherhood statements. – Nathan Aw Mar 11 '21 at 01:47
  • You cannot fix complex problems with simple solutions. Your stated premise is that the way we are doing things is not working, we are using layered defences, therefore we should replace layered defences with a single defence. That's not a logical conclusion. That's a logical fallacy. The rest of your statements about the industry are just naive. You are making wild judgement and jumping to wild conclusions. And that's why these questions are unanswerable. We have to address your underlying beliefs before we can start to answer your loaded questions. – schroeder Mar 11 '21 at 18:54

1 Answer

It sounds like you're talking about anomaly detection which is often implemented using machine learning. It's a useful tool, but it is not perfect. It is just one technique of many that can be utilized to reduce the chance of security issues. We (as in humanity) currently lack the knowledge to implement a machine learning solution that is completely able to mitigate supply chain attacks or 0days.

"AI" is all too often just a buzzword and its capabilities are limited. It is certainly not the only way, nor even the most important way, to reduce 0days. The only way to truly stop them is to use formally-verified code, which can mathematically prove that the code matches its specification, but it is a very involved technique that isn't practical for large code bases. seL4 is an example of a verified microkernel.

forest
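A minimal, non-AI version of the integrity check the question asks about, added here as an example rather than code from the question, the answer, or any vendor: it baselines an application folder with SHA-256 digests, HMACs the baseline so that the tampering Limit's comment raises is at least detectable, and reports modified, added and removed files. The key, paths and file contents are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile
# Constructed demo key; a real key would be kept off the monitored host.
BASELINE_KEY = b"constructed-demo-key"

def hash_tree(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def make_baseline(root):
    """Serialize the tree digest and HMAC it so a tampered baseline is detectable."""
    body = json.dumps(hash_tree(root), sort_keys=True)
    tag = hmac.new(BASELINE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def check_tree(root, baseline):
    """Diff the live tree against the baseline; refuse a baseline whose HMAC fails."""
    expected = hmac.new(BASELINE_KEY, baseline["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["tag"]):
        return {"baseline_tampered": True, "modified": [], "added": [], "removed": []}
    old, new = json.loads(baseline["body"]), hash_tree(root)
    return {
        "baseline_tampered": False,
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }

def demo():
    """Constructed scenario: a patched DLL and a dropped file in an app folder."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "app.dll"), "wb") as fh:
            fh.write(b"original code")
        baseline = make_baseline(root)
        with open(os.path.join(root, "bin", "app.dll"), "ab") as fh:
            fh.write(b" plus implant")  # simulated unauthorized modification
        with open(os.path.join(root, "shell.aspx"), "w") as fh:
            fh.write("constructed placeholder, not a real web shell")
        return check_tree(root, baseline)
```

Running the check from outside the application's own process and trust boundary is what makes it useful: a check the application performs on itself is exactly the call an attacker with code-modification access can remove.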
  • I don't mean AI in the buzzword sense. Imagine if developers like myself are supported by AI to identify the potential coding pitfalls; we can avoid many painful incidents like SolarWinds, Hafnium. This whole layered defense seems to be barking up the wrong tree -- if we can target the root and address that, we will have no need of these multiple security solutions. – Nathan Aw Mar 11 '21 at 10:04
  • So, you suggest adding another security solution ... or else you're suggesting ***removing*** all the rest of the layers of defense? We have seat belts and crumple zones, but people still get hurt in car accidents, so let's take all that out and put in autonomous driving? That's not logical. You need the right defences to address the right weaknesses in a complex system. What we have are inefficient layers to try to cover the unidentified weaknesses in the system. Please look up Complexity Management and Cynefin for more ... effective inspiration for how to address the problem. – schroeder Mar 11 '21 at 18:59