Cyber threat intelligence (CTI) is being integrated by 81 percent of enterprises in 2018, according to a February 2018 SANS Institute survey. As organizations invest in the use of real-time event data for detection and response, sophisticated threat intelligence machine learning adoption has the potential to improve visibility into unknown risks and strengthen the stance of the cognitive security operations center (SOC). Achieving data science maturity within the context of cybersecurity means empowering the right person with the right intelligence to take action while minimizing false positives.

The majority of security professionals are already using machine learning-based tools for security operations. A December 2017 Webroot study found 88 percent of cybersecurity programs have some AI-based solutions (most commonly for malware detection), malicious IP detection and website classification. But 69 percent of respondents felt these solutions aren’t fully reliable, and 91 percent expressed intent to increase their investment in AI-based security solutions over the next three years.

“Think like the adversary [and] reserve capacity,” said David Hogue, senior technical director at the National Security Agency in his RSA Conference 2018 session. “Use data science and machine learning to reduce SOC alert fatigue.” Machine learning threat intelligence adoption is on the rise — and with good reason — but not without raising some concerns.

CISOs Worry About Weaponized Machine Learning

Weaponized AI was positioned among the top cybersecurity risks “to really worry about” at the cusp of 2018 by tech futurist Martin Giles in MIT Technology Review. Similarly, 62 percent of chief information security officers (CISOs) surveyed by Cylance at Black Hat 2017 believe AI is a “double-edged sword,” and predicted that hackers would recognize this opportunity within the year.

It takes just three minutes to “brute force” any password with seven characters or fewer. One 2016 Columbia University study demonstrated 98 percent accuracy in “breaking” the latest iteration of the Google reCaptcha service.

Other known nefarious applications of machine learning and analytics include:

  • Automated voice fabrication
  • AI malware creation
  • Neural networks for gathering open-source intelligence
  • Automated botnet creation
  • Swarming threat intelligence systems with false positives
  • Corrupting enterprise machine learning models

Just as importantly, based on last year’s ransomware-as-a-service (RaaS) epidemic, it’s probably only a matter of time before machine learning tools for cybercrime are sold as a service on the darknet. Machine learning has value within the context of mature enterprise CTI, but it also may be crucial for playing defense against highly efficient algorithm-armed attackers.

How to Strengthen Machine Learning Threat Intelligence

The majority of organizations with a formal approach to CTI recognize room for improvement with their data science initiatives. According to the SANS Institute, 55.91 percent are “not satisfied” with the maturity of their machine learning. The same SANS Institute survey found general barriers to CTI maturity that likely prevent mature machine learning adoption, including a “lack of trained and experienced staff, budget, lack of time and lack of technical ability to integrate CTI.”

In addition to these barriers, the requirements for a strengthened machine learning stance can include the need for real-time integration of third-party event intelligence, the need for humans to work closely with models and a need for transparency.

1. Data Intelligence, Identification and Processing

Machine learning can enable the SOC to move beyond blacklisting and automation to threat hunting through the dynamic recognition of threats based on the rich, contextual recognition of factors like maliciousness ratio. While an experienced human analyst can recognize dynamically evolving threats based on gut feeling, machine learning models win the contest of scale in a world where a unique strain of malware is identified every several seconds.

Training the machine learning models with enough data to recognize dynamically evolving threat events in real time carries several requirements, including the use of both internal network data and third-party threat exchange data for total visibility. The SOC’s analytics engine also needs the ability to identify, integrate and adapt to the changing events landscape in real time to provide analysts with actionable recommendations.

2. Human Supervision and Oversight

While AI is, in general, incredibly effective at identifying patterns from unstructured data sets (e.g., an intelligence source event), machine learning models are not infallible. Models must be trained to provide value. Results must be analyzed and researched.

The security analyst’s feedback on whether a model’s positives result in action, further investigation or no response will be necessary to refine machine learning models. Expert feedback on a model’s analysis is also needed to provide collaborative benefit to the threat exchange. Make room for the resulting period of transition.

3. Transparency and Trust in Machine Learning Models

For a machine learning model to provide value to a security program, it can’t operate like a black box. The “black box” is a decades-old computing metaphor for an equation where you can see the inputs and outputs but can’t actually understand how the problem functions.

“AI and humans are best when they work together and can trust each other,” said Rob High, CTO of IBM Watson, in Forbes. This statement applies to threat intelligence machine learning models — regardless of whether they’re developed in-house. Threat analysts need to understand how a model arrived at a decision to trust its recommendations and take the right response.

“Importantly, [machine learning] models are not all created equally, and each may require a different technique to describe decision-making,” wrote data science researcher Hyrum Anderson, while a “nearest-neighbor classifier naturally justifies its decision using case-based reasoning.”

Creating a Culture of Innovative Machine Learning Security

“Cyber activity continues to become more sophisticated,” said Hogue. He refers to the “frequency of aggressive [and] escalatory cyber behavior.”

Hogue called for RSA Conference attendees to develop new, innovative approaches to safeguarding the enterprise SOC:

  • Maintaining stronger, centralized policies
  • Adopting artificial intelligence and machine learning
  • Deepening collaboration and community expertise
  • Engaging in diverse recruitment practices

In 2018, the adoption of machine learning tools and weaponized AI by the hacking community is one of the greatest information security threats facing the enterprise. In the months to come, AI-powered threats could become as pervasive as ransomware.

As organizations strengthen their CTI programs, machine learning adoption should play a significant role in threat identification, threat hunting and response programs. In the cognitive security operations center of the future, smarter algorithms can strengthen defenses against AI-powered threats.

Learn about adversarial AI and the IBM Adversarial Robustness Toolbox (ART)

Machine learning threat intelligence adoption is on the rise — and with good reason — but not without raising some concerns.

More from Intelligence & Analytics

2022 Industry Threat Recap: Manufacturing

It seems like yesterday that industries were fumbling to understand the threats posed by post-pandemic economic and technological changes. While every disruption provides opportunities for positive change, it's hard to ignore the impact that global supply chains, rising labor costs, digital currency and environmental regulations have had on commerce worldwide. Many sectors are starting to see the light at the end of the tunnel. But 2022 has shown us that manufacturing still faces some dark clouds ahead when combatting persistent…

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…