How Machine Learning Saved a $1m Whiskey Bottle from a Cyberattack

Written by Aditi Uberoi | 1 September 2020

Artificial Intelligence (AI) and Machine Learning (ML) have become the kind of buzzwords that are used so often it’s fair to say they are almost abused. They are usually over-publicised, and some vendors exploit these terms indiscriminately for their own benefit. Very few people understand these technologies, and many regard them as a new-age branch of the Dark Arts.

Unravelling the secrets of AI and ML, and providing clarity on the true powers and capabilities of these technologies, was the primary objective of the webinar hosted by Cyber Management Alliance in association with Link11. Titled ‘Creating the Fastest Cyber-Attack Response Tool Using Machine Learning’, the webinar on Cyber Management Alliance’s BrightTALK channel also turned the spotlight on how Karsten Desler of Link11 created a cybersecurity toolset that can detect a sophisticated attack and take a calculated, automatic and immediate mitigating response.

In this really engaging and eye-opening discussion, Amar Singh, Founder and CEO of Cyber Management Alliance, Karsten Desler, Chief Developer and Co-Founder at Link11 and Joss Penfold, Regional Director at Link11 delve into the solution that Link11 has created using ML algorithms that can continuously learn and analyse malicious traffic and automatically take corrective action, with no human interaction. 

Key Quotes

Amar Singh: “We often tell our clients that they have to trust Machine Learning a little to derive its full benefit. Attackers are using AI and ML. You will lose out if you don’t embrace these advanced technologies.”

Karsten Desler: “It’s important to understand that AI and ML are not negative technologies. It’s how you use them and how targeted you can be with them that truly makes the difference.”

Joss Penfold: “You need to be aware of the potential threats and know that cyber-attackers are using bots and botnets to attack infrastructure. There isn’t any need to be afraid of advanced technologies but it’s important to look at them as a tool that can enable better protection.”    


The challenge with AI and ML technologies

  • Very few people truly understand AI and ML.
  • Many marketing teams have overused the words, and they’ve lost their meaning.
  • Clients don’t completely trust Machine Learning, so they’re unable to derive its full benefit.
  • Cyber-attackers are using bots and botnets to identify and attack infrastructure. You definitely don’t want a scenario where a botnet is carrying out an attack that humans are trying to mitigate by hand, especially when business-critical online infrastructure is the target.
  • Response times, currently, are slow and manual. If you don’t improve your response time by automating it, you are going to lose out to the criminals.

Introduction to Link11 & its core value proposition

Link11 launched its DDoS mitigation service in 2012 and has since shifted its focus towards cybersecurity and hyper-resilience. Karsten, Co-Founder and CTO of Link11, developed the initial version of the DDoS service.

For Link11, the core technology and chief offering is focused on detecting anomalies. In other words, as Karsten puts it, it’s about mapping what normal traffic looks like, building really fine-grained profiles of normal traffic, and then using these profiles to detect anomalies, which can take the form of DDoS attacks or of a bot trying to crawl a website.

The Artificial Intelligence-backed solution 

Link11’s products take two different paths: 

1. The Self-Learning AI Shield: This Shield continuously feeds a global, shared Attack Sequence Database to gain intelligence across the customer base. It looks at normal traffic profiles and feeds this information into the signature database. These traffic profiles are then used by every product to which that profile is relevant.

2. Fingerprint Technology: A virtual fingerprint of every user exists so that IP-agnostic decisions are possible. Many botnets come from a wide range of IP addresses, so the technology looks at deeper profiles rather than just IP addresses. Link11 creates IP-agnostic detections that work over different parameters, and out of those a fingerprint is created which is used to identify an attacker or a non-attacker. It’s a multi-dimensional approach: you don’t look at one single bit of data but aggregate different sources and different dimensions.


Karsten explains what the anomaly detection looks like with the Link11 Artificial Intelligence tool.

More details on this are at 19:28 onwards in the recording. 

A demonstration of the scoring model shows why it’s imperative to not look at things in black and white and use ‘goodness’ and ‘badness’ points to judge anomalies. 

More details on this are at 21:14 onwards in the recording. 
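To make the baseline, fingerprint and scoring ideas described above concrete, here is an added toy example (not Link11’s code; nothing in it is taken from the product): it learns a request-rate baseline from a known-normal window, builds an IP-agnostic fingerprint from header attributes, and assigns goodness and badness points across several dimensions so each client ends up with a score rather than a black-and-white verdict. The log records, field names, weights and thresholds are all constructed assumptions.

```python
from collections import defaultdict
import hashlib
import statistics

# Constructed sample records: (src_ip, user_agent, accept_language, path).
NORMAL_WINDOW = [
    ("198.51.100.1", "Mozilla/5.0 (Windows)", "en-GB", "/lot/42"),
    ("198.51.100.1", "Mozilla/5.0 (Windows)", "en-GB", "/lot/42/bid"),
    ("198.51.100.2", "Mozilla/5.0 (Macintosh)", "en-US", "/lot/7"),
    ("198.51.100.2", "Mozilla/5.0 (Macintosh)", "en-US", "/lot/7"),
]
# Constructed attack window: one client profile spread across many addresses,
# no Accept-Language header, and every request hitting a fresh catalogue path.
ATTACK_WINDOW = NORMAL_WINDOW + [
    (f"203.0.113.{i}", "python-requests/2.24", "", f"/lot/{1000 + i}")
    for i in range(40)
]

def fingerprint(rec):
    """IP-agnostic identity: hash the header profile, not the source address."""
    _ip, ua, lang, _path = rec
    return hashlib.sha256(f"{ua}|{lang}".encode()).hexdigest()[:12]

def profile(window):
    """Aggregate several dimensions per fingerprint instead of one data point."""
    stats = defaultdict(lambda: {"req": 0, "paths": set(), "ips": set(), "lang": True})
    for ip, ua, lang, path in window:
        s = stats[fingerprint((ip, ua, lang, path))]
        s["req"] += 1
        s["paths"].add(path)
        s["ips"].add(ip)
        s["lang"] = s["lang"] and bool(lang)
    return stats

def baseline(window):
    """Learn what normal looks like: mean and spread of per-client request counts."""
    reqs = [s["req"] for s in profile(window).values()]
    return statistics.mean(reqs), statistics.pstdev(reqs) or 1.0  # assumed floor

def score_window(window, base):
    """Net score per fingerprint: badness minus goodness points, not a yes/no."""
    mean, sd = base
    scores = {}
    for fp, s in profile(window).items():
        bad = good = 0
        if (s["req"] - mean) / sd > 3: bad += 3          # request-rate outlier
        if s["req"] > 5 and len(s["paths"]) / s["req"] > 0.9: bad += 2  # crawling
        if len(s["ips"]) > 5: bad += 2                    # one profile, many addresses
        if s["lang"]: good += 1                           # browser-like headers
        if len(s["paths"]) < s["req"]: good += 1          # revisits pages like a person
        scores[fp] = bad - good
    return scores
```

Because the fingerprint ignores the source address, the forty distinct attack IPs collapse into one heavily scored profile while the two browser-like clients stay negative.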

Case Studies of how Link11 products have worked for existing UK customers

1. Ransom Spares – A mid-sized electrical spare parts company. The number of parts listed on their website makes for a huge index, which is very valuable data. Ransom Spares came to Link11 earlier this year because they thought they were facing a DDoS attack: their CPU usage was going through the roof and they couldn’t work out why. Eventually, this resulted in an outage.

When Link11 investigated the case, it turned out that, while it looked like a DDoS attack, it was actually a bot attack. Link11 implemented the web data protection it provides, removed the DDoS threat and brought the site back online. CPU usage was still high, however, causing performance degradation and some fundamental problems with internal systems.

There was a lot of traffic targeted at their site, and its nature also stood out: it was AWS traffic. This is interesting because one of the fastest-growing threats in the DDoS landscape is hacked cloud accounts, which let the attacker use the cloud to amplify the size of the attack. That’s why it’s also so important to have a cloud provider.

In this case, once Link11 had identified this as AWS traffic, they discovered that the bulk of the traffic was coming from Microsoft Azure and was being kept in the 80-90% territory, which made it clear that the objective was performance degradation. Link11 implemented its latest product, Bot Mitigation Protection, alongside the Zero Touch WAF. The combination of the two products identified what the bad traffic was and where it was coming from, and also prioritised the human users on the website, giving them the best performance and bringing the site back online.

2. Whiskey Auctioneer – One of the most high-profile whiskey auctioneers in the world, they were running the highest-value auction ever to go live. For instance, Joss shares, one bottle of whiskey sold for over 1 million dollars. Whiskey Auctioneer used AWS infrastructure for their hosting environment.

They first underwent a test attack with 30 GB per second of attack traffic, not enough to take them offline but enough to help them understand the magnitude of what could come their way. In the subsequent days, a full-fledged DDoS attack took them completely offline and took their auction down, generating plenty of negative PR.

They approached AWS first, as it was their hosting provider, and implemented AWS Shield at extra cost, but they still went down again after 3 days. Perhaps the lack of implementation and the lack of support around the technology caused the issue.

Link11 brought the company under its wing and, thanks to its Machine Learning technology, Whiskey Auctioneer got what they needed. They didn’t have someone dedicated to each type of incident or each type of IT activity, so having technology that could take that resource burden off them and constantly update them on every latest threat and attack was really important, and this is what Link11 was able to achieve for them.

Questions asked during the webinar

1. How advanced are the attackers? 

Ans: A lot of attacks are ineffective and don’t cause any real outage, but the percentage of genuinely damaging attacks is growing. With the growth in use of public cloud services, we see more and more attacks that aren’t just high bandwidth but also high volume and high intelligence. If you don’t have an approach that can react quickly and distinguish between good and bad, you will be in trouble and won’t be able to identify false positives.

2. How does Link11 keep up with the evolving attacks?
Ans: One big problem with ML can be illustrated by the language model GPT-3. Throw random questions at it and it responds exactly like a human 99.9% of the time; the remaining 0.1% is the issue, when it responds with total gibberish and users struggle to understand why it is doing what it’s doing. With a huge ML base, you cannot find out what’s going on. What Link11 does differently is run separate, uniquely targeted Machine Learning instances that each do one thing and do it well.

That also means constant monitoring and a constant feedback mechanism are in place. During non-attack times, an automated process runs continuously. The key insight is that you have to look at normal traffic to be able to evaluate what bad traffic is.

3. What if attackers try to make the bad traffic look like normal traffic?  
Ans: For starters, attackers don’t know what the Link11 model looks like, so reverse-engineering their behaviour to such an extent that it looks normal is nearly impossible. The difficult thing is to appear human or ‘normal’. They can adjust their behaviour to an extent, but in the end, if they can’t prove that they’re human, they can’t get through.

4. How does Link11 ingest, manage and analyse the humongous amount of data?
Ans: Link11 has designed its ML to work on reduced inputs, which is one of the key features of the product. The idea is to reduce each request to just a few key data points in order to figure out what’s going on. Feeding in only the key pieces of information means the ML gets trained really quickly. Reducing the amount of data ingested is important not only because of the headache of managing so much data, but from a data protection perspective as well.

Resources/Attachments available with this webinar

  1. Case Study – Pay Up or We Attack You with Bots
  2. Infographic Q1 2020 Threat Landscape 
  3. Demo & Trial of Link11

Founded in 2015 and headquartered in London UK, Cyber Management Alliance Ltd. is a recognised independent world leader in Cyber Incident & Crisis Management consultancy and training. The organisation is renowned globally as the creator of the flagship Cyber Incident Planning and Response course certified by the UK Government’s National Cyber Security Centre. 

Cyber Management Alliance has serviced over 300 enterprise clients in multiple verticals including government, banking, finance, IT, consultancies, healthcare, oil & gas and retail across 38 countries. It has carved a niche by assessing, building and improving its clients’ Cyber Incident & Crisis Management capabilities through training, tabletop exercises, health checks and audits. Today, Cyber Management Alliance has a global and diverse network of over 80,000 cyber executives and practitioners worldwide.