Can we predict cyber attacks? Bfore.AI says they can
In this Help Net Security interview, Lenguito talks about threat prevention challenges and how his company can predict cyber attacks before they begin.
What are today’s main threat prevention challenges for large organizations?
The vast majority of attacks and losses incurred are still caused by trivial impersonation attacks (phishing, email compromise, etc.) and other identity-related scams (information leakage, credit card frauds, etc.).
Large organizations are slowly improving their security posture, but still, less than 10% have a proactive and preemptive stance. We have had a guardrail-to-guardrail approach in this industry, and nowadays, most are skewed toward “assume breach” and “resilience,” accepting to be victims and focusing on minimizing the impact. While that is important, a balance between detection & respond posture and a more prevent & prepare one must be achieved.
A new category of technologies are emerging. Predictive and preemptive cybersecurity solutions are seen as the future, and the use of novel approaches – like applying machine learning and artificial intelligence techniques to network and behavioral data – show promise in helping rebalance companies’ security posture.
Bfore.ai promises to identify attacks before they begin. How are you able to do that?
The system works similarly to weather forecasts. We collect daily a snapshot of all network metadata for internet infrastructures. Over time the machine learning algorithms convert such static information into behaviors (time series), and we perform supervised learning to teach the system about good and bad behaviors.
Agatha (our AI) constantly seeks behavior changes in infrastructures, and when such behavior gets close to something malicious, a prediction is supplied to our threat feed customers. On average, the foresight compared to detection-based threat intelligence feeds is 18 days in advance. Our technology took ten years to develop. It improves continuously thanks to self-learning features and our engineering team efforts. It was recently recognized by the prestigious ILAB award granted by the French Ministry of Research.
What threats do you see the most? What should organizations be worried about?
Each organization is different, and it is important to run a proper risk assessment to define where to focus one cybersecurity priorities. What we see at global scale is a shift away from small/focused attacks, toward more generic and large scale ones. The emergence of RaaS (ransomware as a service) and marketplaces for phishing kits has increased the pool of criminals and lowered the required skills to perform intrusions.
The underground criminal scene is evolving from fragmented small teams acting independently, to organizations made of hundreds of people with “real jobs” – from front/back end developers for ransomware or deception code, to simpler community management for dark web forums.
A criminal economy is developing much similar to the one we see in start-ups, with new technologies being funded by organized crime, and diverse business models like “as a service” or “revenue sharing”. But all of this should not be the focus of commercial organizations, security team have the remit to safeguard their business and avoid disruption, and that’s where operational threat intelligence, and pre-emptive technologies play their role.
What are the limitations of your technology? How do you plan to improve?
While the company is born in Montpellier, France, the city of Nostradamus – we cannot predict everything. Our IoFA (Indicators of Future Attacks) focus on network artefacts. Code vulnerabilities, SQL injection, insider threat actors and so on are out of scope for our capability – and it’s why a balance of predict/pre-empt and detect/respond is important.
Our development focus on continuously increase our coverage (today at 95% of the Internet) results in more than 100,000 IoFA daily, reduces the false positives (less than 0.05%) and false negatives (less than 4%). While research on new features is concentrated on deepfake video impersonation identification in real-time web conference feeds, and preemptive fraud detection based on phishing kits inspection while running live.
Who are your typical clients? What prerequisites are needed to take advantage of Bfore.ai?
Today, our customers are the most sophisticated enterprises with very mature cybersecurity teams. The PreCrime Brand sees more traction in the banking and finance sectors, while PreCrime Network is more adopted in industry/manufacturing.
Our services are available to all, both directly from Bfore.Ai or via our reseller partners network. There is no prerequisite to be protected by Bfore.Ai as no agents or other heavy integrations are required. PreCrime Network is a read-only API and we have integrations for most cybersecurity solutions. PreCrime Brand is entirely SaaS and customers have just to indicate how to receive alerts.