NITECH ››› SUPPORTING NATO AND THE NATIONS
Utilizing AI and information sharing to protect against cyber intrusions
Jenny Beechener asks Jean-François Agneessens, head of incident analysis and response within the NATO Cyber Security Centre (NCSC), how the Alliance is using artificial intelligence (AI) to keep ahead of the cyber threat, while the NCI Agency’s Michaela Simakova highlights the benefits of sharing information to spread cyber resilience
“Data today is monetized,” says Jean-François Agneessens, head of incident analysis and response section at the NATO Cyber Security Centre (NCSC). “Ransomware is used to extract payment to unencrypt data, while the exfiltrated information can be sold into the dark web.” As a result, the cyber threat to NATO from criminal gangs is similar to that experienced by any network infrastructure, and as prevalent as the threat from other state or state-sponsored actors.
Agneessens says it is important to distinguish between ‘tentative’ and ‘actual’ intrusions. Threats tend to be multilayered and start with a minor intrusion, followed by further breaches if allowed to progress unchecked, until the threat actor can establish persistence in the network. This is the reason why defence in depth is so important. A large part of the NCSC’s daily business involves identifying event anomalies or inconsistencies in the traffic flow and in user and system behaviour to prevent these tentative intrusions becoming real. NCSC believes artificial intelligence (AI) can help track the ever-increasing volume of data and help to identify events undetected by humans.
“The complexity of cyber-attacks is steadily increasing – it’s a moving target,” he says. The challenge grows as cloud-based services become more common, blurring lines of responsibility and removing national boundaries.
NCSC has started to create a data lake as part of a wider programme to expand cyber-threat detection capability. “We need to have relevant information and be able to extract what we need to use in an AI algorithm, and it relies as much on data gathered on NATO networks as on external sources of information, provided by the private sector,” explains Agneessens. This includes validating the information to avoid generating false positives. Once there is a record of what is normal, then AI can be used to help identify anomalies in the system – for example, looking for inconsistencies in the Fully Qualified Domain Name (FQDN) within a web address. “A machine can identify an unusual domain name relating to content similar to a legitimate company and alert to a phishing attempt, for example,” says Agneessens.
Other activities include collecting and analysing data from Locked Shields cyber-defence exercises, and leveraging this to train detection algorithms to protect the real network. These activities come under the umbrella of the NCI Agency Capability Package 120 (CP120), the 70 million EUR phased upgrade of NATO information security systems through a series of capability enhancements between 2020 and 2024. To identify these capability initiatives, NCSC is working closely with the Agency’s Innovation and