
Leveraging Artificial Intelligence for Threat Intelligence

November 12, 2018

Artificial intelligence (AI) is a field of science that has been around for the past five decades. It is only over the last decade or so that businesses have begun to harness the power of AI and developed use cases that enable process automation, business operations robotics, and pattern recognition. It is no surprise that security providers around the world are beginning to build artificial intelligence into their security products and bring them to market in a large way. The next question is whether there is a demand for AI-based analytics and security services.

According to the ESG Research:

  • 29% of organizations want to use AI-based analytics to accelerate incident detection. This means analyzing large data sets to relate them to publicly known IOCs (Indicators of Compromise)
  • 27% want to use AI to accelerate their incident response. This means prioritizing security incidents and automating remediation tasks
  • 24% want to use AI systems to better identify and communicate risks to the business
  • 22% want to use AI-powered technologies to understand their organization’s security posture and the security status across the network

The globalization of businesses means that organizations are establishing more and more infrastructure, which leads to larger and less manageable data sets. Interestingly, 99% of breaches that occur are because of publicly known and disclosed vulnerabilities. This happens because there is usually a lag between the time a vulnerability is disclosed and the time security personnel patch it. An adversary takes advantage of this lag and attempts to exploit the system before it is patched, then achieves persistence through custom tools that evade the signature and behavioral detection of end-point security products. Security information and event management (SIEM) software is rendered ineffective against new threats and in large organizations, as these data sets are too large for one security team to handle.


Owing to the headlines caused by recent breaches, pressure is piling on senior management to prevent data breaches, which in turn has led them to look at AI-based systems that enable them to get ahead of the curve. AI is not self-sufficient: it needs continual updates, and it needs the right hypotheses as input to be effective. The standard approach to using AI in threat hunting nowadays is the rules and threshold approach.


Consider this scenario: a mail originated from inside the corporate network and was sent in the past 10 days. The recipient mailbox is outside the corporate domain, and the length of the mail exceeds the threshold for normal use. In that case, an alert is sent to the security team. This has been one of the standard approaches to sniffing out insider threats so far, but it has a high probability of raising a large number of false positives.

A more recent approach uses a threat intelligence system in conjunction with a SIEM component. The idea here is to segregate security incidents and events into different categories and then classify them as anomalies based on certain predefined rules. Further condensation is carried out to sift through these anomalies and reclassify them into different risk entities based on a risk-scoring process. This approach is summarized in the following phases:

  • Data acquisition
  • Data categorization
  • Detection of anomalies
  • Generating high-quality threat leads
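To make the two approaches concrete, here is an added example (not code from the original post or from any vendor product) that implements the rules-and-threshold mail scenario from the previous section as a detector and then feeds its hits through the four phases listed above. The internal domain, the size threshold, the fixed clock, the "freemail" domain list, the risk weights and the mail-gateway records are all constructed assumptions. The point it demonstrates is the one the text makes: the raw rule alerts on every large outbound mail, including a legitimate partner mail, while the risk-scoring phase condenses those alerts into a single high-quality lead.

```python
"""Rules-and-threshold insider-mail detector feeding a risk-scoring
pipeline (acquisition -> categorization -> anomaly detection -> leads).
All values below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

CORP_DOMAIN = "corp.example"          # assumed internal mail domain
OUTBOUND_SIZE_THRESHOLD = 50_000      # assumed "normal use" size in bytes
LOOKBACK_DAYS = 10                    # the 10-day window from the scenario
NOW = datetime(2018, 11, 12)          # fixed clock so results are deterministic
FREEMAIL_DOMAINS = {"mailbox.test"}   # assumed list of personal-mailbox providers

# Phase 1: data acquisition. Constructed mail-gateway records; the field
# names (ts, sender, rcpt, size) are hypothetical, not a real product schema.
MAIL_LOG = [
    {"ts": "2018-11-10", "sender": "alice@corp.example", "rcpt": "bob@corp.example", "size": 120_000},
    {"ts": "2018-11-11", "sender": "alice@corp.example", "rcpt": "x@mailbox.test", "size": 150_000},
    {"ts": "2018-11-11", "sender": "alice@corp.example", "rcpt": "y@mailbox.test", "size": 90_000},
    {"ts": "2018-10-01", "sender": "carol@corp.example", "rcpt": "z@mailbox.test", "size": 900_000},
    {"ts": "2018-11-09", "sender": "dave@corp.example", "rcpt": "press@partner.test", "size": 60_000},
    {"ts": "2018-11-09", "sender": "erin@corp.example", "rcpt": "w@mailbox.test", "size": 2_000},
]


def domain_of(address):
    return address.rsplit("@", 1)[1].lower()


# Phase 2: data categorization. Every record lands in exactly one bucket.
def categorize(rec):
    sender_internal = domain_of(rec["sender"]) == CORP_DOMAIN
    rcpt_internal = domain_of(rec["rcpt"]) == CORP_DOMAIN
    if sender_internal and not rcpt_internal:
        return "outbound"
    if rcpt_internal and not sender_internal:
        return "inbound"
    return "internal"


# Phase 3: detection of anomalies. This is the post's rule verbatim:
# internal sender, external recipient, within 10 days, size over threshold.
def is_outbound_size_anomaly(rec, now=NOW):
    sent = datetime.strptime(rec["ts"], "%Y-%m-%d")
    in_window = now - timedelta(days=LOOKBACK_DAYS) <= sent <= now
    return (categorize(rec) == "outbound"
            and in_window
            and rec["size"] > OUTBOUND_SIZE_THRESHOLD)


def detect_anomalies(records, now=NOW):
    """Every hit here would be an alert under the plain rules-and-threshold
    approach, which is where the false positives come from."""
    return [r for r in records if is_outbound_size_anomaly(r, now)]


# Phase 4: risk scoring, then condensation into leads per risk entity (sender).
def score(anomaly):
    s = 1.0                                        # matched the base rule
    if anomaly["size"] > 2 * OUTBOUND_SIZE_THRESHOLD:
        s += 1.0                                   # well beyond normal use
    if domain_of(anomaly["rcpt"]) in FREEMAIL_DOMAINS:
        s += 1.0                                   # personal mailbox, not a partner
    return s


def threat_leads(records, now=NOW, min_score=2.0):
    """Aggregate anomaly scores per sender and keep only entities whose
    accumulated risk clears min_score; single weak hits are dropped."""
    per_sender = defaultdict(float)
    for a in detect_anomalies(records, now):
        per_sender[a["sender"]] += score(a)
    leads = [(s, sc) for s, sc in per_sender.items() if sc >= min_score]
    return sorted(leads, key=lambda item: -item[1])


if __name__ == "__main__":
    print("raw rule alerts:", len(detect_anomalies(MAIL_LOG)))   # 3
    print("threat leads:", threat_leads(MAIL_LOG))             # alice only
```

Run as-is, the raw rule fires three times (two of Alice's mails and Dave's mail to a partner), while the scoring phase keeps only Alice, whose two large mails to a personal mailbox accumulate a score of 5.0; Dave's single partner mail scores 1.0 and is condensed away, and Carol's very large mail is ignored because it falls outside the 10-day window. The weights and threshold are the part an organization would tune to its own operations, as the text notes.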

Obviously, the rules used to categorize anomalies and risks would differ across organizations and industries, but the general approach would remain the same. It takes a coordinated effort among policy makers, executives, and users to fine-tune the threat intelligence system to their own business operations. Also, creating an environment where the latest threat detections are shared instantly with AI systems across the world could help thwart new adversarial tactics. Security services can never be constant because technology never stays constant. There are huge opportunities for MSSPs (Managed Security Service Providers) to innovate and collaborate and, thereby, provide organizations with AI-powered threat intelligence.