4 minute read
protect against cyber intrusions
100
Utilizing AI and information sharing to protect against cyber intrusions
“Data today is monetized,” says Jean-François Agneessens, head of incident analysis and response section at the NATO Cyber Security Centre (NCSC). “Ransomware is used to extract payment to unencrypt data, while the exfiltrated information can be sold into the dark web.” As a result, the cyber threat to NATO from criminal gangs is similar to that experienced by any network infrastructure, and as prevalent as the threat from other state or state-sponsored actors.
Agneessens says it is important to distinguish between ‘tentative’ and ‘actual’ intrusions. Threats tend to be multilayered and start with a minor intrusion, followed by further breaches if allowed to progress unchecked, until the threat actor can establish persistence in the network. This is the reason why defence in depth is so important. A large part of the NCSC’s daily business involves identifying event Jenny Beechener asks Jean-François Agneessens, head of incident analysis and response within the NATO Cyber Security Centre (NCSC), how the Alliance is using artificial intelligence (AI) to keep ahead of the cyber threat, while the NCI Agency’s Michaela Simakova highlights the benefits of sharing information to spread cyber resilience
anomalies or inconsistencies in the traffic flow, users and systems behaviour to prevent these tentative intrusions becoming real.
NCSC believes artificial intelligence (AI) can help track the everincreasing volume of data and help to identify events undetected by humans. “The complexity of cyber-attacks is steadily increasing – it’s a moving target,” he says. The challenge grows as cloud-based services become more common, blurring lines of responsibility and removing national boundaries.
NCSC has started to create a data lake as part of a wider programme to expand cyber-threat detection capability. “We need to have relevant information and be able to extract what we need to use in an AI algorithm, and it relies as much on data gathered on NATO networks as on external sources of information, provided by the private sector,” explains Agneessens. This includes validating the information to avoid generating false positives.
Once there is a record of what is normal, then AI can be used to help identify anomalies in the system – for example, looking for inconsistencies in the Fully Qualified Domain Name (FQDN) within a web address. “A machine can identify an unusual domain name relating to content similar to a legitimate company and alert to a phishing attempt, for example,” says Agneessens. Other activities include collecting and analysing data from Locked Shields cyber-defence exercises, and leveraging this to train detection algorithms to protect the real network.
These activities come under the umbrella of the NCI Agency Capability Package 120 (CP120), the 70 million EUR phased upgrade of NATO information security systems through a series of capability enhancements between 2020 and 2024. To identify these capability initiatives, NCSC is working closely with the Agency’s Innovation and
Data Science team to define the technology needed to expand NATO’s cyber processing capability.
The CP development pathway, however, is a process that typically takes several years to approve and deliver. Therefore, NCSC works in parallel with the private sector to accelerate cyber security capabilities and benefit from work already being addressed in this domain. “If the Agency is already using a capability from industry that subsequently were to become expanded with an AI module, it is likely we would use it. This means we don’t always have to wait for the capability package for some use cases.”
SHARING INFORMATION
Following the launch of the NATO Cyber Industry Partnership (NCIP) in 2014, the NCI Agency has established dedicated workshops, training programmes and shared exercises to boost cooperation on cyber threats and challenges. Industry Relations Coordinator Michaela Simakova says a lot of information exchange takes place when it comes to non-classified information. The partnership extends to non-traditional defence and technology companies, and this is “crucial to enabling effective response to cyber threats”.
Among key developments, NCIP has established a framework for voluntary cyber information-sharing. In addition to bringing better situational awareness at expert level, this encourages the use of a common taxonomy and standards. Regular workshops are expected to resume once travel is permitted again to share information about measures to counter potential threats, user behaviour and other challenges. “There are different channels,” explains Simakova. “Specific agreements may restrict information-sharing within a specific industry, while some platforms – such as NATO’s Threat Information Sharing Platform (MISP) – are shared with everyone.”
NCIP also supports training events, including the International Cyber Security Summer School, which is run in cooperation with The Hague Security Delta – a Dutch security cluster. This enables NATO to pool resources when it comes to scarce tech talent, mutual learning and capacity-building to improve collective cyber defence and raise awareness of NATO requirements in the private sector.
These initiatives are additional to the more formal agreements NATO holds with Member States and partner nations. The rules of engagement contained within memoranda of understanding between NATO and NATO nations, for example, can be used to monitor cyber activity and help identify cyber-attacks, and can be further expanded with the technical agreement in place with the European Union Computer Emergency Response Team (CERT-EU). NATO’s strong engagement on information with allies and partner nations, the EU and the private sector increases its cyber defence posture and assists others in defending themselves better. 101
