Malware is a major cause of cyberattacks today, with fraudsters using targeted spear phishing emails and social engineering to distribute malicious files to unsuspecting employees at various organizations. To make matters worse, malware has evolved to avoid detection by traditional security tools and systems.

Take the CozyDuke malware campaign as an example. Attackers used spear phishing to distribute Flash videos that installed the CozyDuke executable when played on a victim’s computer. Due to the viral nature of the content, these videos got passed around between colleagues and helped spread the malware rapidly.

Given the sophistication of such malware, security analysts need to identify infected endpoints by investigating indicators and incidents that are flagged by security information and event management (SIEM) systems that monitor activity and suspicious behavior on the network. Analysts are often overwhelmed with the amount of data they need to consume to accurately investigate whether these incidents are truly malicious and, if so, determine the necessary remediation actions.

Watch the on-demand Webinar: 5 Building Blocks for a SOC That Rocks

A Trusted Sidekick for Security

We’ve all read about the famous fictional detective Sherlock Holmes and his sidekick, Watson. Sherlock has an uncanny ability to get the right information to make connections between evidence he sees and the suspect involved in the crime. Today’s security analysts have the cognitive advantage of IBM Watson for Cyber Security to help them make similar connections while investigating cyberthreats such as the CozyDuke malware.

Let’s take an example of a malware attack. IBM QRadar chains together multiple related events, such as an informational email message followed by a suspicious file download on the same endpoint, which together point to a potentially successful exploit. It then compiles them into an offense and generates an alert in the QRadar offense dashboard.
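As an added illustration (not IBM's code and not QRadar's rule language), here is a minimal version of the chaining described above: normalized events are grouped per host, and an email event followed by a file download within a short window becomes one offense carrying both observables for the analyst to investigate. The hostnames, timestamps and URLs are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real SIEM data): normalized log records.
EVENTS = [
    {"ts": "2017-03-01T09:00:05", "host": "ws-017", "type": "email_received",
     "detail": "attachment=invoice.swf"},
    {"ts": "2017-03-01T09:03:40", "host": "ws-017", "type": "file_download",
     "detail": "url=http://example.invalid/update.exe"},
    {"ts": "2017-03-01T09:10:00", "host": "ws-042", "type": "file_download",
     "detail": "url=http://intranet.example.invalid/policy.pdf"},
    {"ts": "2017-03-01T11:30:00", "host": "ws-017", "type": "email_received",
     "detail": "attachment=agenda.pdf"},
]

# Correlation rule: an email followed by a download on the same host within WINDOW.
WINDOW = timedelta(minutes=15)


def chain_offenses(events, window=WINDOW):
    """Group events per host and emit one offense per email -> download chain."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    offenses = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
        for i, ev in enumerate(evs):
            if ev["type"] != "email_received":
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break  # outside the correlation window; stop scanning
                if later["type"] == "file_download":
                    offenses.append({
                        "host": host,
                        "rule": "email_then_download",
                        # Both observables travel with the offense for enrichment.
                        "observables": [ev["detail"], later["detail"]],
                        "first_seen": ev["ts"],
                        "last_seen": later["ts"],
                    })
                    break  # one offense per triggering email
    return offenses


if __name__ == "__main__":
    for offense in chain_offenses(EVENTS):
        print(offense)
```

Only the ws-017 email-then-download pair produces an offense; the lone download on ws-042 and the later email with no follow-up download do not.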

With traditional tools, an analyst would have to take the observables in the offense and perform further threat research to qualify the incident and identify the root cause of the attack. In the process of investigating the incident, the analyst would have to access multiple threat feeds, perform basic search queries, talk to peers and superiors, and read through security bulletins to gather more information on the incident.

On average, analysts investigate 10 to 20 incidents per day. They need to keep abreast of the latest threat information as well as historical threat data to aid their investigations. This can quickly become overwhelming and cause inaccuracies to creep in.

The Power of Cognitive Security

Instead of manually investigating incidents, analysts can now harness the cognitive security capabilities of IBM QRadar Advisor and Watson for Cyber Security to perform investigations and report findings. Watson goes beyond just understanding types of malware and threat entities. It not only identifies the various threat entities, but also finds the relationship between these entities and how they interact within your environment, backed up by supporting evidence in the form of structured threat feeds and unstructured data such as security blogs, bulletins and research reports. With Watson for Cyber Security, analysts have access to millions of security documents to extract the intelligence needed to accurately identify and understand threats within minutes.

In this example, Watson identifies a known threat actor — CozyDuke — and 13 additional observables that were not part of the original offense. It also provides the complete context of all the threat entities involved in the attack and the relationships between them in the form of a knowledge graph. Analysts can explore this graph to understand the full scope of the attack and take appropriate actions for incident response.

Learn More

Who needs Sherlock Holmes when you can have your very own cognitive security sidekick to aid you in your investigations of cyberthreats? Learn more about IBM QRadar Advisor with Watson and take advantage of a free 30-day trial.
