Think of cybersecurity like your personal health. In cybersecurity, basic cyber hygiene foils most cyber attacks. With a shortage of cyber experts, just as in medicine, finding faster and better ways to train practitioners using real-world scenarios is key. However, artificial intelligence (AI) for cybersecurity can improve a team’s response by triaging threats on its own.

AI for Cybersecurity Means Finding the Patterns

The medical field is similar to cybersecurity for AI in other ways, too. The medical field’s process of studying and diagnosing the patient is often well-structured, but siloed. Digital defense experts know the playbook of attacks well, just like doctors know the symptoms and signs of most diseases.

What’s different is the rate of fire. In medicine, under most conditions doctors have time to triage, and the number of patients does not overwhelm them. In cybersecurity, data constantly barrages analysts. Effective triage sets up a team for improved defenses.

This is why we are researching new ways of using AI for cybersecurity and deep learning tools, so developers can use both to build effective models for threat triage. Right now, there is a big gap in the AI defense landscape when it comes to true behavior-based threat analysis.

A handful of agent-based AI threat analysis platforms do exist. However, they may be limited to the major operating system platforms. This fails to cover hosts running less used and older, but still crucial, platforms. For example, they may not be able to work with the Unix family (HPUX, AIX and Solaris) or consumer devices that have network access but are not yet considered inside-the-perimeter devices. In contrast, the AI can only cover threat triage well if it scans behavior across all relevant readings regardless of host.

Teaching an AI Threat Disposition System

During threat disposition, an analyst or automated system needs to quickly assign an alert to one of three statuses. The first status involves behavior that is likely to be benign and not worth checking out. The second status refers to behavior that may or may not be dangerous and requires further study to tell whether it’s safe. The third status shows an attack, requiring action right away. Over time, these exercises may lead to policy changes. Those might be changes to security controls and stances.

One major hurdle for AI and cybersecurity in threat triage is the volume and types of training data. Deep learning systems need high volume of data to generate good results. In the case of cyber triage, humans must guide deep learning systems in order to generate smart decisions. That’s because so many of these decisions are still judgment calls by nature. Context and history drive a lot of the decisions made in threat triage. Humans need to train the AI in order to convey how to make these decisions.

How to Teach AI to Triage

Cyber attack simulation systems can help create more teaching data, enabling AI for cybersecurity to work effectively. Here’s how it works:

  • Set up a test production landscape complete with hardware, software and network assets, as well as security controls
  • Queue up a large volume of real-world verified attack playbooks to run against it
  • Export the indicators of compromise (IOC) or contents of system alerts to human experts
  • Triage the alerts and IOCs as either benign, possibly malicious, or confirmed malicious

This system will enable faster training without needing actual live alerts. By creating a higher volume of alerts flagged by humans, the AI can acquire data at 10 to 20 times the rate possible using organic data. Equally important, cyber attacks tend to come in similar waves. For example, there are a lot of ransomware attacks right now. In the past, there were more database breaches or supply chain compromise attempts. Live data does not tell the whole story. So using real-world attacks to train AI models helps create balanced coverage across a wider range of potential attack types.

Detect Multiple Types of Attacks

In addition, AI for cybersecurity models are able to simulate both single and composite attack types. To respond to a single-machine attack, you need to look at telemetry, endpoint detection and response and status on a single machine or a group of similar machines that attackers are hitting in the same way. A composite attack, on the other hand, is when the attacker targets a cloud host, a device or hardware host and/or a network agent. The attackers may exploit one, two or all three of these attack paths. Or they may try to breach one of the hosts and traverse to a network. They might connect hosts over a network and then back out to an external command and control server.

To train the AI model, you need to simulate as many attack path options as possible and do so quickly. Deep learning can study all of the inbound attack path data fed by the human analysts and begin to recognize attack patterns.

From AI Triage to AI Response

A logical end result of AI for cybersecurity would be to move beyond automated triage to automated remediation and response. This would only trigger when confidence that an attack is underway is high. For example, the threat disposition engine could trigger an action if it detects the signature of a known attack type.

It’s key to avoid false positives. Trying to fix them could cause operational issues by abruptly shutting down production systems, stalling service delivery and degrading customer experience. For this reason, moving to automated attack response requires rock-solid belief in the AI model paired with rapid escalation to human analysts. Once you can trust AI for cybersecurity to be accurate, you can change the game by reducing incident response times. This also requires deep integration with SOAR and SIEM systems to ensure a closed-loop response.

This appears to be the future of threat triage, and AI for cybersecurity can make a meaningful difference in improving broad security posture.

Learn why IBM Security is recognized as a leader in managed security services, combining AI, threat intelligence and response to deliver better security outcomes.

More from Intelligence & Analytics

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today