CrowdStrike Advances the Use of AI to Predict Adversary Behavior and Significantly Improve Protection

May 23, 2023

Endpoint Security & XDR
  • CrowdStrike is announcing new AI-powered indicators of attack (IoA) models, designed to combat advanced adversary tradecraft, available later this year.  
  • AI-powered IoAs use machine intelligence to stop breaches, detecting and predicting malicious patterns of behavior in real time, regardless of tools or malware used. 

Since CrowdStrike’s founding in 2011, we have pioneered the use of artificial intelligence (AI) and machine learning (ML) in cybersecurity to solve our customers’ most pressing challenges.  Our application of AI has fit into three practical categories:

  • Using AI to combat increasingly sophisticated attacks by identifying adversary behavior and threat patterns
  • Solving hyperscale data challenges by analyzing intelligence and threat telemetry with speed and at scale
  • Closing the cybersecurity skills shortage by using AI to automate repetitive security tasks and unleashing machine-speed intelligence to automate detection and response

Among the areas CrowdStrike has pioneered are the industry’s first AI-powered indicators of attack (IOAs). A concept first introduced by CrowdStrike, IOAs are sequences of observed events that indicate an active attempt to breach a system (such as code execution, persistence and lateral movement). By examining these events and processes across an attack surface, IOAs enable organizations to supersede silos between tools to holistically study their environments, enabling them to better predict and prevent indicators of suspicious activity and uncover sophisticated adversary tradecraft. 

Last year, we turbocharged the IOA-generating process with the launch of AI-Powered IOAs, applying AI to the process of generating new indicators of attack and further expanding our multi-layered defense from the sensor and the cloud (alongside ML-powered malware classification and existing IOCs and IOAs). Applying the power of cloud-native machine intelligence to the process of generating IOAs allowed us to increase the speed at which we detect new behavioral patterns while dramatically improving the precision of the models. We leverage deep learning through convolutional neural networks — technology resembling the structure of the animal visual cortex — to uncover and anticipate new adversarial patterns. 

At launch, we released two inaugural models: one targeting malicious post-exploitation payloads, and the other detecting malicious PowerShell scripts. Today, we’re excited to share that we’re expanding our existing AI-powered IOA capabilities to all clouds. These protections will be available to CrowdStrike customers globally later this year. 

The Arsenal Expands: New AI-Powered Indicators of Attack 

Adversaries are continuously evolving their tradecraft by authoring new scripts, hijacking legitimate tools and uncovering new methods of evading detection. According to the CrowdStrike 2023 Global Threat Report, 71% of attacks are now malware-free, while 80% of attacks now use stolen or compromised credentials. 

Adversaries find new ways to gain initial access and achieve lateral movement — and they are moving faster than ever, with a new average breakout time of 84 minutes. These new classes of AI-powered IOAs expand AI-powered coverage across many of these emerging attack vectors to give security teams the speed and precision needed to stop today’s adversaries. New innovations include the following. 

Innovation: Multi-process Atomic Behavior Analysis in Windows 

An atomic behavior is an operation performed by a process that is not sufficiently malicious to create a detection but may indicate an adversary activity. For example, taking a screenshot may be malicious but can also be benign. Falcon uses indicators of attack, indicators of compromise and behavior indicators that are sent to the cloud to initiate CrowdScore incidents and specific combinations of atomic behaviors to support detections. However, there are large numbers of atomic behaviors that are not stored in the cloud nor exist as existing detections. This data provides rich information for machine learning.

Adversaries often leverage multiple tools, file formats and processes to orchestrate attacks across a target environment. Observing activity across any one tool or process may not provide sufficient context to discern with confidence whether it’s benign or malicious. By examining multi-process atomic behaviors, this model harnesses the rich context collected by the platform to deliver even higher-confidence detections. 

Customer Impact and Benefits: Increased proactive detection and prevention across all threat types.

Innovation: Detecting Malicious Command Lines and LOLBins 

Adversaries are increasingly leveraging living-off-the-land binaries (LOLBins) to hijack native, legitimate tools in target systems in order to carry out attacks. These methods allow adversaries to easily evade traditional security tools that rely on detecting known malware signatures, allowing them to dwell in victim environments for extended periods. This new model will target LOLBins by examining anomalous command line executions and analyzing the combined sequences of child, parent and grandparent processes to more effectively detect suspicious activity. 

Customer Impact and Benefits: Accelerated time to detect and respond to fileless attacks leveraging malicious command lines and LOLBins.

Innovation: AI-Powered IOA Coverage for Malicious Linux Scripts 

Linux is one of the primary operating systems for many business-critical applications. As Linux adoption and Linux-targeting malware continue to grow, this AI-powered IOA will enable Falcon to detect malicious scripts in several formats. Linux scripts, Bash, JavaScript, Python and Perl enable us to deliver more comprehensive coverage across major operating systems. This model will also detect malicious Python and batch scripts in Windows environments. 

Customer Impact and Benefits: New visibility and proactive coverage for malicious scripts on Windows and Linux-based endpoints.

Innovation: Detecting Malicious Windows MultiScript Content 

Adversaries frequently modify and obfuscate scripts to evade detection. This model will allow us to target high-frequency adversary tactics, techniques and procedures targeting PowerShell, JavaScript, VBScript and VBA script types supported by Windows ScriptControl, with resilience against obfuscation methods such as modifying debugger registries and other tactics. 

Customer Impact and Benefits: New visibility and proactive coverage for commonly used Windows-specific script types.

Innovation: Detecting Fileless .NET Assemblies 

With widespread developer adoption of .NET frameworks, we’re launching our first machine learning model dedicated to predicting adversary activity on in-memory .NET assemblies. In-memory .NET assemblies are attractive to adversaries as they are harder to detect with traditional antivirus solutions that primarily monitor file-based activities. This model helps us detect some of the common adversarial techniques used in these attacks, such as the use of  reflective DLL injections to load .NET assemblies directly within memory, or hiding artifacts left behind by their activities by using NTFS file attributes. 

Customer Impact and Benefits: Proactive AI-powered coverage for malicious fileless attacks using .NET. 

Conclusion 

Machine learning and AI are powerful tools for detecting emerging patterns in data and conducting in-depth behavioral analysis to understand adversary intents and objectives. CrowdStrike is excited to continue harnessing the combined power of AI and the cloud to enhance defense, upend adversary tradecraft and help our customers stay one step ahead of adversaries to stop breaches.

Additional Resources

Related Content
CVE-2024-3094 and the XZ Upstream Supply Chain Attack: What You Need to Know
March 2024 Patch Tuesday: Two Critical Bugs Among 60 Vulnerabilities Patched
CrowdStrike a Research Participant in Two Latest Center for Threat-Informed Defense Projects