The Gately Report: Extreme Networks Using AI in 'Arms Race' with Cybercriminals
Plus, Kaspersky discovers dark web scams targeting other cybercriminals.
Channel Futures: With attacks running rampant, how are you keeping Extreme Networks, and its partners and customers safe?
Phil Swain: My role with Extreme Networks is about ensuring that the physical products, the switches or the access points (APs), and ExtremeCloud IQ as a solution set are secure in terms of how the customers buy them. The XIQ team works with the users to support best practices in terms of configuration, in terms of how they use it. But in terms of supporting the product sets as they’re delivered, we have a strong process where we’re also managing our vendors from a supply chain perspective. It’s about managing the risk of the supply chain. So thinking about it from opening a box with an AP in it or a switch, that the customer gets what they expect to get, it operates and is free from vulnerabilities.
CF: Is how Extreme Networks incorporates cybersecurity into its offerings changing along with the evolving threat landscape?
PS: In terms of internally, sort of watching the house, we’re evolving. We’re monitoring and are obviously aware of what’s happening in the market, in the industry, and so constantly looking to have further focus and monitoring of supply chain, constantly taking advantage of and looking at AI and tools to give us better understanding of activity and response times of everything from phishing to what’s knocking at the firewall doors. The attacks are getting more complex. The bad guys are using AI and getting more efficient at that. So it’s an arms race and we’re always trying to be one step ahead as much as possible.
CF: We’re seeing the continuing rise of as-a-service in cybercrime. How is that changing the threat landscape?
PS: It’s making it easier for the bad guys. The skill set required to launch a major attack, that bar of entry, is getting lower. You don’t have to be a genius programmer. Now to be able to do this, you can literally buy it as a service. You can buy 24/7 help-desk services. So in that essence, there are more people trying to raise attacks and that in itself just creates more noise and levels of attack.
I think what becomes more challenging for cyber professions is there was a tendency for attacks to be isolated. You would have an attack. You’d deal with it, you remediate it, and then hopefully not have to deal with another one for a while. But because they’re sharing source information and the vulnerabilities, it allows multiple different parties to use that source information to then create attacks. So you end up with layering of attacks. While any one of those attacks isn’t necessarily unique, it makes the remediation more tricky because you’re not dealing with just one adversary. You’re dealing with multiples. There are bands of bad guys, malicious actors, who are just stealing credentials and vulnerabilities to then sell them on the black market. And then multiple people are using the same set of credentials or vulnerabilities to attack.
CF: We saw the news recently of the massive attack on MGM Resorts, and before that Caesars. What are your thoughts on that? Could those have been prevented?
PS: I’m not actually party to all the details, the inner workings and controls of those, but just from the public news, ultimately, it’s about identity and validation — are you who you say you are — and attacks on help desk and trying to impersonate a user. That’s not new news. Those attacks have been going on for years and it just comes back to identity. It’s the basic controls. How do you validate someone’s identity? Key to any organization is how do you operationalize that. How do you build that into how everyday users understand those controls? And they’re there for a reason. And how do your IT teams understand those and how can they validate that.
CF: What’s the role of the network in monitoring for and mitigating risk?
PS: The reality is traffic — good traffic, bad traffic — all traverses the network so clearly it’s about visibility. And the network is clearly in a unique space to see everything that’s going on around it. So the network is often a good window into what’s actually happening in the organization. Tools that provide great visibility, and allow you to manage and see the traffic, are clearly what you need in an organization.
If you think about the principles of zero trust, you’ve got five elements. You’ve got the user identity. You’ve got the device, how you are accessing the data, what application you are accessing the data on and what data are you accessing. But the network is a key element of that. Whatever device, you still at some point are traveling across the network. So that gives you a great opportunity to watch what’s going on.
CF: In the post-pandemic, hybrid work model, what aren’t enterprises doing that they should be doing to protect themselves against the latest threats? How can partners help?
PS: The enterprise now is not just the office. It’s wherever you are. It comes back to the same principles we talked about on zero trust. It’s about understanding where your users are, what they’re doing, why are they doing it and how they’re doing it. And those are the key elements. So whether they’re sitting in an office or in a home, do you know what they’re doing, why they’re doing it? Do they have the right role? If they’re a finance person, are they doing finance activities or is the finance person looking at marketing material? It’s about roles: Do you have that role model set up and can you track users to that role?
CF: What sort of feedback are you receiving from Extreme Networks partners?
PS: Obviously in the conversations I’m having, it’s security-focused. It’s less about the network. Security of the network and of the operations for their customers is as important as the operations of their customers. The message I hear from partners is no different than the message that I talk about in the organization. If you think about cybersecurity, I think it fundamentally exists for two reasons. I tell my teams everything we do is for two reasons. One, protect the data of your organization and your stakeholders, customers, employees, vendors, etc., and two, keep the operations running from a cyber perspective. Everything else you do supports those two key elements. Those are all part of just ensuring that business runs whatever your business and you protect the data. Partners are saying exactly the same phrases. Those are the conversations they’re having with their customers: How can I ensure we protect stuff and how can we ensure the customer operates, whether it’s a hospital or a school, or a retail organization? It’s the same fundamental concerns.
CF: What do you find most dangerous about the current threat landscape?
PS: It always comes back to the humans. Phishing is the primary concern. And it always has been and primarily always will be that a user is able to click on a link, be directed to a malicious website or whatever, and persuaded to give up information that, in a perfect world, you would not want them to. And you can put controls in place, but ultimately it’s down to user education and awareness. That’s the biggest challenge. Then you think about speed of innovation. So techniques and tools change, and you ultimately need to understand all of this. Ultimately it’s operations and data we’re trying to protect. Understand what’s important for your organization and focus on that, and don’t get distracted.
CF: What can partners expect from Extreme Networks in the remainder of 2023?
PS: Clearly security is important, and all of the partners and customers are ramping it up. We agree with that. I think how Extreme Networks can enhance the network operations of an organization, and help organizations to be more efficient and more secure, is part of our thinking and plans.
In other cybersecurity news …
Kaspersky researchers are sharing evidence of what appear to be phishing scams targeting other cybercriminals on the dark web, using WormGPT, the nefarious ChatGPT alternative, as bait.
The researchers say the existence of the scams highlights just how popular WormGPT has become in the cybercriminal world.
The cybercriminal community has started leveraging AI capabilities, and the dark web currently provides a range of language models specifically designed for hacking, including WormGPT, which, unlike ChatGPT, lacks specific limitations, making it an effective tool for carrying out attacks such as business email compromise (BEC).
On darknet forums and in illicit Telegram channels, Kaspersky experts have found several websites and ads, which appear to be phishing sites, offering cybercriminals fake access to the malicious AI tool. Some of the pages advertise a trial version, but access is only granted after payment.
The ads are designed as typical phishing pages and range in pricing and payment method, including cryptocurrencies, credit cards and bank transfers.
“In the dark web, it is impossible to distinguish malicious resources with absolute certainty,” said Alisa Kulishenko, digital footprint analyst at Kaspersky. “However, there are many indirect pieces of evidence that suggest that the discovered websites are indeed phishing pages. It is a well-known fact that cybercriminals often deceive each other. However, recent phishing attempts may indicate the level of popularity of these malicious AI tools within the cybercriminal community. These models, to some extent, facilitate the automation of attacks, thereby emphasizing the increasing importance of trusted cybersecurity solutions.”
Johnson Controls reportedly has suffered what is described as a massive ransomware attack that encrypted many of the company’s devices.
According to Bleeping Computer, Johnson Controls suffered the attack after initially being breached at its Asia offices. Johnson Controls confirmed the attack in a U.S. Securities and Exchange Commission (SEC) filing.
“Johnson Controls International … has experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident,” it said. “Promptly after detecting the issue, the company began an investigation with assistance from leading external cybersecurity experts and is also coordinating with its insurers. The company continues to assess what information was impacted, and is executing its incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate.”
Last week, many of the company’s applications were largely unaffected and remained operational. To the extent possible, and in line with its business continuity plans, the company implemented workarounds for certain operations to mitigate disruptions and continue servicing its customers.
“However, the incident has caused, and is expected to continue to cause, disruption to parts of the company’s business operations,” it said. “The company is assessing whether the incident will impact its ability to timely release its fourth quarter and full fiscal year results, as well as the impact to its financial results.”
Nick Tausek, lead security automation architect at Swimlane, said the attackers claim to have stolen 27 terabytes of corporate data from the company, which builds industrial control systems, air conditioners, fire safety equipment and security equipment. If the exposed data includes source code that could be used to facilitate compromising Johnson Controls products, this breach could result in the discovery of new exploitable vulnerabilities in customers using network-connected Johnson Controls equipment.
“Organizations should turn to low-code automation to prevent the chances of a targeted cyberattack such as the one on the Johnson Controls,” he said. “Utilizing the power of this type of automation removes the need for heavy coding from the user and gives security teams time back to focus on triaging alerts and proactively protecting assets.”
Extreme Networks is using artificial intelligence (AI) to better analyze and spot issues more quickly in the ongoing arms race with cybercriminals.
That’s according to Phil Swain, Extreme Networks’ CISO. The company provides cloud-driven networking solutions powered by machine learning (ML), AI, analytics and automation.
When it comes to AI and generative AI in cybersecurity, the risk is all about data loss, he said.
“It’s about potential malware being injected into the code,” Swain said. “It’s about unapproved software. So in one sense, these tools haven’t introduced new risks. It’s how they’re materializing is the new element to it, the democratization of the tools. Anybody can use ChatGPT. The reality is, AI is a powerful tool. And so the bad guys are using it, too. For example, you see it now in phishing. There’s a big trend in phishing attacks to be less of the mass email. It seems that the days are numbered now for the mass email saying you have a package and you need to click here for the link where they’ve spelled wrong and it’s sort of very obvious. Now you get tailored emails where the spelling and the language in the email is correct. There are no grammatical errors now. AI is helping the bad guys craft better attacks.”
Extreme Networks Staying On Top of Threats
Extreme Networks’ job is to be one step ahead of cybercriminals using AI, he said. And cybercriminals aren’t necessarily further ahead.
“It’s the same situation whether you go back 10 years and there’s an advancement here and the other side has an advancement back,” Swain said. “It’s a back and forth; everybody has different techniques. It’s not just about the tools; it’s about the processes. It’s about the understanding. It’s about the attack frameworks that provide you insight into sort of the methodology of attacks. So conceptually, that hasn’t changed with AI. It’s just the next set of tools that are being used. And I’m sure years from now we’ll be talking about something else.”
Voice is going to be the next frontier in AI and cybercrime, he said.
“We’ve heard the news recently that you can command ChatGPT with your voice, so it’s not going to be hard for the bad guys then to impersonate a voice,” Swain said. “We’re talking to you, but it won’t be you because someone is impersonating you. So you can see how this just moves along all the time with new techniques. Companies like Extreme have to look at that and understand how do we validate that you are who you say you are.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.