Malware is a major cause of cyberattacks today, with fraudsters using targeted spear phishing emails and social engineering to distribute malicious files to unsuspecting employees at various organizations. To make matters worse, malware has evolved to avoid detection by traditional security tools and systems.

Take the CozyDuke malware campaign as an example. Attackers used spear phishing to distribute Flash videos that installed the CozyDuke executable when played on a victim’s computer. Due to the viral nature of the content, these videos got passed around between colleagues and helped spread the malware rapidly.

Given the sophistication of such malware, security analysts need to identify infected endpoints by investigating indicators and incidents that are flagged by security information and event management (SIEM) systems that monitor activity and suspicious behavior on the network. Analysts are often overwhelmed with the amount of data they need to consume to accurately investigate whether these incidents are truly malicious and, if so, determine the necessary remediation actions.

Watch the on-demand Webinar: 5 Building Blocks for a SOC That Rocks

A Trusted Sidekick for Security

We’ve all read about the famous fictional detective Sherlock Holmes and his sidekick, Watson. Sherlock has an uncanny ability to get the right information to make connections between evidence he sees and the suspect involved in the crime. Today’s security analysts have the cognitive advantage of IBM Watson for Cyber Security to help them make similar connections while investigating cyberthreats such as the CozyDuke malware.

Let’s take an example of a malware attack. IBM QRadar chains together multiple events, such as a potentially successful exploit containing an informational email message and a suspicious file download. It then compiles an offense and generates an alert in the QRadar offense dashboard.

With traditional tools, an analyst would have to take the observables in the offense and perform further threat research to qualify the incident and identify the root cause of the attack. In the process of investigating the incident, the analyst would have to access multiple threat feeds, perform basic search queries, talk to peers and superiors, and read through security bulletins to gather more information on the incident.

On average, analysts investigate 10 to 20 incidents per day. They need to keep abreast of the latest threat information as well as historical threat data to aid their investigations. This can quickly become overwhelming and cause inaccuracies to creep in.

The Power of Cognitive Security

Instead of manually investigating incidents, analysts can now harness the cognitive security capabilities of IBM QRadar Advisor and Watson for Cyber Security to perform investigations and report findings. Watson goes beyond just understanding types of malware and threat entities. It not only identifies the various threat entities, but also finds the relationship between these entities and how they interact within your environment, backed up by supporting evidence in the form of structured threat feeds and unstructured data such as security blogs, bulletins and research reports. With Watson for Cyber Security, analysts have access to millions of security documents to extract the intelligence needed to accurately identify and understand threats within minutes.

In this example, Watson identifies a known threat actor — CozyDuke — and 13 additional observables that were not part of the original offense. It also provides the complete context of all the threat entities involved in the attack and the relationships between them in the form of a knowledge graph. Analysts can explore this graph to understand the full scope of the attack and take appropriate actions for incident response.

Learn More

Who needs Sherlock Holmes when you can have your very own cognitive security sidekick to aid you in your investigations of cyberthreats? Learn more about IBM QRadar Advisor with Watson and take advantage of a free 30-day trial.

Watch the on-demand Webinar: 5 Building Blocks for a SOC That Rocks

More from Intelligence & Analytics

2022 Industry Threat Recap: Manufacturing

It seems like yesterday that industries were fumbling to understand the threats posed by post-pandemic economic and technological changes. While every disruption provides opportunities for positive change, it's hard to ignore the impact that global supply chains, rising labor costs, digital currency and environmental regulations have had on commerce worldwide. Many sectors are starting to see the light at the end of the tunnel. But 2022 has shown us that manufacturing still faces some dark clouds ahead when combatting persistent…

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…