

Artificial intelligence (AI) is being touted, across the board, as an accelerator for businesses of all shapes, sizes, and levels of moral integrity. A much-maligned and often-scoffed-at group of threat actors, known as script kiddies, has taken hold of the potential offered by AI and is beginning to operate in new and more threatening ways.
Script kiddies are the group of threat actors that, until recently, relied on simplified tools readily available in penetration testing distributions, along with scripts written by others and re-used for the kiddie's own purposes. Their forte was never inventing a new way of writing code to break into a system. Instead, they ran a "spray and pray" set of attacks with these pre-built tools and scripts, hoping to get lucky.
The good news, from a defense perspective, is that the tools these kiddies used were a well-known set of commodities. They had well-defined signatures that the widely deployed detection tools would catch quickly and easily. The bad news? The times are definitely changing.
A New Day for Script Kiddies
Recently, a threat actor group out of Russia known as Matrix, acting almost entirely as a script kiddie, developed a record-sized botnet army that could be used for activities like distributed denial of service (DDoS) attacks. The initial approach is to take over internet of things (IoT) devices and forge them into the botnet army. This group is reported to have used AI as a means to “tune-up” their attack protocols and better mask the signatures that the tools use.
Another group out of Europe has been using AI in phishing campaigns to drop a remote access tool into environments and gain system access. The resulting code was clean, crisp, and well-commented, something that almost no threat actor bothers to do.
While the second set of attacks may, or may not, be considered the work of a script kiddie actor, it shows the potential path of script kiddies to improve their overall attacks through better masking and obfuscation.
Endpoint detection and response (EDR) systems have historically been reasonably well-trained to detect most of the actions that a script kiddie can take once they land in your environment, but early indications suggest that even these systems can be defeated by threat actors creating mutating/morphing malware that shifts at run-time.
On the defensive side of the equation, the prospect of a less sophisticated attacker being able to modify tooling and evade detection is quite troubling. This change must be met with smarter and more efficient means of detecting both the maliciousness of a script and the anomalous behavior the script produces once it lands.
AI Versus AI
If the world just got more complex because lower-level threat actors are suddenly able to act at a much higher and more sophisticated level, then the tools that defend against these changes must get smarter to meet this rising challenge.
Script kiddies often rely on weaknesses built into the products they attack, commonly the vulnerability classes in the OWASP Top Ten. In today's software delivery pipelines, AI is being injected into the development process to detect these weaknesses (and more) and to automate routines that fix those gaps.
If you are being attacked by Matrix and the botnet army is knocking on the front door, then your company's firewall should be configured to adapt automatically to the noise and filter any distributed denial of service (DDoS) attack. In many cases an AI agent can enact a cyber playbook to block the noise so that the rest of the network is not consumed by the traffic on one subnet. As SIEM tools move to employ AI agents, malicious activity can be captured by the SIEM, either through out-of-the-box rules or through managed cyber playbooks. A human in the loop can be kept until enough trust is gained in the agent's actions.
In some cases, the script kiddie delivers a malicious link through new, completely scripted, AI-transformed code. When an unsuspecting user clicks the link and pulls down malware whose only goal is to "land and expand" in the environment, that event must be logged and the security team alerted. Again, an AI agent can enact a cyber playbook, this time isolating the affected endpoint, so the security and IT teams can take action.
The scariest action a script kiddie can now take is to adapt existing malware so that it changes every time it lands or is moved within an environment. If that malware suddenly shifts and looks like another product, piece of software, or instruction, that is where things get very interesting, and very challenging without the right solutions in place. Advanced user and entity behavior analytics (UEBA), having learned what normal activity looks like, can quickly recognize the changed behavior as abnormal and flag it, regardless of what signature the file presents. The UEBA tool does this with machine learning that learns, over time, how each endpoint and entity on the network behaves.
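A toy per-entity baseline in the spirit of the UEBA approach just described, added here as an illustration and not code from Exabeam's products: it learns what is normal for each host from constructed hourly telemetry and flags windows whose z-score deviates from that host's own history, so the same raw count can be normal for one entity and abnormal for another. The host names, the two features, and the 3-sigma threshold are assumptions.

```python
import statistics
from collections import defaultdict
# Constructed telemetry (host,hour,processes_launched,distinct_dest_hosts); ws-22 is a build box that normally launches many processes.
BASELINE_LOG = """\
ws-17,2024-05-01T09,12,3
ws-17,2024-05-01T10,14,4
ws-17,2024-05-01T11,11,3
ws-17,2024-05-01T12,13,3
ws-22,2024-05-01T09,55,8
ws-22,2024-05-01T10,60,9
ws-22,2024-05-01T11,58,8
ws-22,2024-05-01T12,62,10
"""
# Constructed observation window to score against the learned baseline.
NEW_LOG = """\
ws-17,2024-05-02T09,13,3
ws-17,2024-05-02T10,58,41
ws-22,2024-05-02T10,58,9
ws-03,2024-05-02T10,12,3
"""

def parse(text):
    """Parse CSV rows into (host, hour, procs, dests) tuples."""
    return [(h, t, int(p), int(d)) for h, t, p, d in
            (line.split(",") for line in text.strip().splitlines())]

def learn_baseline(rows):
    """Per host: (mean, stdev) of each feature; a zero stdev is floored to 1.0."""
    samples = defaultdict(lambda: defaultdict(list))
    for host, _, procs, dests in rows:
        samples[host]["procs"].append(procs)
        samples[host]["dests"].append(dests)
    return {h: {k: (statistics.mean(v), statistics.pstdev(v) or 1.0) for k, v in f.items()}
            for h, f in samples.items()}

def score(baseline, host, procs, dests, threshold=3.0):
    """Z-score each feature against the host's own baseline; a host with no baseline is anomalous."""
    if host not in baseline:
        return True, {}
    z = {k: (val - baseline[host][k][0]) / baseline[host][k][1]
         for k, val in (("procs", procs), ("dests", dests))}
    return any(abs(v) >= threshold for v in z.values()), z

def flag_anomalies(baseline, rows, threshold=3.0):
    """Return (host, hour, z-scores) for every window that deviates from that entity's normal."""
    scored = ((h, t, score(baseline, h, p, d, threshold)) for h, t, p, d in rows)
    return [(h, t, z) for h, t, (anomalous, z) in scored if anomalous]
```

Running `flag_anomalies(learn_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))` flags the ws-17 spike and the never-seen host ws-03, while the identical 58-process hour on ws-22 passes as normal for that entity.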
Shine a Light on Unusual Activity
Tools with a comprehensive set of management and behavioral analytics capabilities built in should be able to lift the mask off script kiddies and shine a light on the changes in behavior that occur downstream of the malicious code's deployment. Layer in machine learning and automation through AI-enhanced cyber playbooks, and security teams have an even stronger chance of protecting their organizations.
Whether replacing an existing SIEM or complementing an ineffective one with advanced analytics and automation, Exabeam can help security teams achieve security operations success faster with powerful intelligence-driven solutions. Exabeam equips defenders with AI-powered capabilities that help them stay ahead of ever evolving attack techniques — from shifting script kiddies to threats unknown.