How Cyber Threat Intelligence Practitioners Should Leverage Automation and AI

Cyber Threat Intelligence (CTI) personnel must deal with an increasing volume of cyber events and incidents, making it difficult to track threats.

For example, in the latest edition of its Data Breach Investigations Report (2023 DBIR), Verizon found over 16,000 security incidents and nearly 5,200 breaches in the past year. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) estimates that there are about 1,000 known exploited vulnerabilities, not to mention every zero-day vulnerability that is discovered (or maliciously exploited).

At Centripetal’s Cyber Threat Intelligence Summit on July 18, 2023, Daniel Grant, principal data scientist at GreyNoise Intelligence, argued that CTI practitioners can no longer do their jobs without additional assistance. “They are constantly searching for needles in haystacks, but most often the needles are camouflaged to look like hay.”

Many threat reports lack context

Andy Piazza, global head of threat intelligence at IBM X-Force, highlighted another problem facing CTI practitioners during the summit. The threat reports they produce aren’t always helpful to defenders like detection engineers, incident responders, and security operations center (SOC) analysts.

“Our reports are usually very well written with amazing context at the report level, but they often lack context around indicators of compromise (IoCs),” Piazza lamented.


He said that most cyberthreat reports end with a static IoC table with no further explanation, and that there are no links between the different IoCs that would help defenders find them and get a clear picture of how to prevent or remediate the attack.

“So for the defenders who spend a lot of time deciphering these reports, it’s really a no-brainer,” he added.

Templates, STIX and MITRE ATT&CK

Piazza’s recommendations for cost-effectively improving threat reports for CTI personnel include using repeatable templates and automation tools.

“We start with tags where necessary, and leverage automation tools to transform tags into human-readable context so that we can provide valuable data and metadata to the IoC.”

He also said that CTI practitioners should aim for an ideal state in which more advanced automation tools and standard frameworks can be used, such as Structured Threat Information Expression (STIX), a standardized XML-based language for communicating data about cybersecurity threats in a form that both humans and security technology can easily understand.

“More and more threat analysts are using the MITRE ATT&CK framework, and we have seen significant progress at the tactics, techniques and procedures (TTP) level. Some people say we should stop it altogether and move to behavior-based mapping, and I agree, but the reality is that 99% of organizations aren’t ready for it.”
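The workflow Piazza describes (tag each IoC while writing, let automation turn the tags into human-readable context, emit a standard format that links IoCs to each other and to ATT&CK techniques) can be shown end to end with a small script. The following is an added example, not code from the article or from IBM X-Force: it builds a STIX 2.1 bundle using only the Python standard library. The tag vocabulary, the tag-to-context mapping and the sample IoCs (documentation-range addresses and a dummy hash) are constructed for the illustration; the ATT&CK technique IDs are real, but which technique a tag maps to is an assumption.

```python
"""Turn analyst-tagged IoCs into a STIX 2.1 bundle whose objects are linked
to each other and to ATT&CK techniques (stdlib only, no stix2 dependency)."""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample: the analyst tags each indicator while writing the report.
TAGGED_IOCS = [
    {"type": "domain-name", "value": "update-check.example.com", "tags": ["c2", "phishing"]},
    {"type": "ipv4-addr", "value": "192.0.2.10", "tags": ["c2"]},
    {"type": "file-sha256", "value": "aa" * 32, "tags": ["dropper", "phishing"]},
]

# Tag -> (human-readable context, ATT&CK technique). Assumed mapping for this example.
TAG_CONTEXT = {
    "c2": ("Command and control infrastructure contacted after initial access",
           ("T1071", "Application Layer Protocol")),
    "phishing": ("Delivered via phishing email with a malicious attachment",
                 ("T1566", "Phishing")),
    "dropper": ("First-stage dropper that retrieves the second-stage payload",
                ("T1105", "Ingress Tool Transfer")),
}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _sid(stix_type):
    return f"{stix_type}--{uuid.uuid4()}"


def _pattern(ioc):
    """STIX pattern for the indicator; file hashes use the hashes dictionary form."""
    if ioc["type"] == "file-sha256":
        return f"[file:hashes.'SHA-256' = '{ioc['value']}']"
    return f"[{ioc['type']}:value = '{ioc['value']}']"


def _rel(src, dst, rel_type, ts):
    return {"type": "relationship", "spec_version": "2.1", "id": _sid("relationship"),
            "created": ts, "modified": ts, "relationship_type": rel_type,
            "source_ref": src, "target_ref": dst}


def build_bundle(tagged_iocs, tag_context=TAG_CONTEXT):
    """Return a STIX 2.1 bundle with one indicator per IoC, one attack-pattern per
    technique, 'indicates' relationships from indicators to techniques, and
    'related-to' relationships between indicators that share a tag."""
    ts = _now()
    objects, indicators, patterns = [], [], {}
    for ioc in tagged_iocs:
        ind = {
            "type": "indicator", "spec_version": "2.1", "id": _sid("indicator"),
            "created": ts, "modified": ts, "pattern_type": "stix",
            "pattern": _pattern(ioc), "valid_from": ts,
            "labels": list(ioc["tags"]),
            # tags become the per-IoC context that static tables usually lack
            "description": "; ".join(tag_context[t][0] for t in ioc["tags"]),
        }
        objects.append(ind)
        indicators.append((ind, set(ioc["tags"])))
        for tag in ioc["tags"]:
            tech_id, tech_name = tag_context[tag][1]
            if tech_id not in patterns:
                ap = {"type": "attack-pattern", "spec_version": "2.1",
                      "id": _sid("attack-pattern"), "created": ts, "modified": ts,
                      "name": tech_name,
                      "external_references": [{"source_name": "mitre-attack",
                                               "external_id": tech_id}]}
                patterns[tech_id] = ap
                objects.append(ap)
            objects.append(_rel(ind["id"], patterns[tech_id]["id"], "indicates", ts))
    # link IoCs to each other when they belong to the same phase of the intrusion
    for i, (a, tags_a) in enumerate(indicators):
        for b, tags_b in indicators[i + 1:]:
            if tags_a & tags_b:
                objects.append(_rel(a["id"], b["id"], "related-to", ts))
    return {"type": "bundle", "id": _sid("bundle"), "objects": objects}


if __name__ == "__main__":
    print(json.dumps(build_bundle(TAGGED_IOCS), indent=2))
```

Running the script prints a bundle that a TIP or SIEM can ingest directly; the `description` on each indicator is the human-readable context, and the `related-to` and `indicates` relationships are the links between IoCs that the static table at the end of a report does not carry.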

Enriching threat reports and automating output with LLMs

Grant said generative AI could be a useful addition to the CTI toolkit.

“AI algorithms have been used in cybersecurity since at least the 1990s, in spam filters using simple Bayesian models, then for malware detection in antivirus products and later for network anomaly detection. Today, the primary way the cybersecurity industry can use generative AI is to enrich threat reports, saving practitioners time while providing more context and metadata,” he said.

Speaking to Infosecurity, Jack Chapman, vice president of threat intelligence at Egress, agreed. He added that LLMs can also be used as a data preprocessing tool that simplifies detection scan data, thus “removing the need for practitioners to deal with binary code.”


LLMs can also generate output in formats such as JSON, which helps automate tasks and provides the human- and machine-readable context that Piazza mentioned, Grant noted.

For all these reasons, Grant recommended that cybersecurity practitioners start experimenting with generative AI chatbots, experiment with prompts, and build processes for later integration into their workflows.

However, Grant warned that CTI analysts should “never trust the output, always verify it. Also, always remember the limits of these models’ knowledge. GPT-4’s knowledge dates back to September 2021, and unless you provide it, anything newer than that will not be considered when it produces its output.”
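“Never trust the output, always verify it” is easiest to honor when the verification is itself automated. The script below is an added example, not code from the article or from any of the speakers: it takes a report excerpt and the JSON a chatbot returned for it, and accepts an indicator only if it is well formed and actually appears in the source text, so a fabricated IoC never reaches the pipeline. The report excerpt, the model output, the defanging conventions it reverses and the IoC type names are all constructed for the illustration; the addresses are from documentation ranges.

```python
"""Verify LLM-generated JSON enrichment against the report it was derived from."""
import json
import re

# Constructed sample report excerpt (defanged, documentation-range addresses).
REPORT_TEXT = (
    "The phishing lure linked to hxxp://update-check[.]example[.]com/setup.exe, which\n"
    "dropped a loader beaconing to 192[.]0[.]2[.]10 over TCP/443.\n"
    "Loader SHA-256: " + "aa" * 32 + ".\n"
)

# Constructed sample of what a chatbot might return for that excerpt. The
# 198.51.100.7 entry never appears in the report (a hallucination to catch) and
# the last entry is not a valid IPv4 address at all.
LLM_OUTPUT = json.dumps({
    "indicators": [
        {"type": "domain", "value": "update-check.example.com", "context": "phishing landing host"},
        {"type": "ipv4", "value": "198.51.100.7", "context": "secondary C2"},
        {"type": "ipv4", "value": "192.0.2.10", "context": "loader C2 over TCP/443"},
        {"type": "sha256", "value": "aa" * 32, "context": "loader"},
        {"type": "ipv4", "value": "192.0.2.999", "context": "bad"},
    ],
    "summary": "Phishing-delivered loader with HTTPS C2.",
})


def refang(text):
    """Undo the common defanging conventions so values can be matched literally."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def _is_ipv4(v):
    parts = v.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


# Per-type syntactic checks; the type names are this example's own vocabulary.
FORMAT = {
    "domain": lambda v: re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", v.lower()) is not None,
    "ipv4": _is_ipv4,
    "sha256": lambda v: re.fullmatch(r"[0-9a-f]{64}", v.lower()) is not None,
}


def verify_enrichment(report_text, llm_output_text):
    """Return accepted indicators and (value, reason) pairs for rejected ones.
    Structural problems with the model output are reported in 'error'."""
    try:
        data = json.loads(llm_output_text)
    except json.JSONDecodeError as exc:
        return {"error": f"invalid JSON: {exc}", "accepted": [], "rejected": []}
    if not isinstance(data, dict) or not isinstance(data.get("indicators"), list):
        return {"error": "missing 'indicators' list", "accepted": [], "rejected": []}

    haystack = refang(report_text).lower()
    accepted, rejected = [], []
    for item in data["indicators"]:
        ioc_type = item.get("type")
        value = str(item.get("value", "")).strip()
        check = FORMAT.get(ioc_type)
        if check is None:
            rejected.append((value, f"unknown type {ioc_type!r}"))
            continue
        if not check(value):
            rejected.append((value, f"malformed {ioc_type}"))
            continue
        # the decisive check: the model may only report what the source contains
        if value.lower() not in haystack:
            rejected.append((value, "not found in source report"))
            continue
        accepted.append(item)
    return {"error": None, "accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(verify_enrichment(REPORT_TEXT, LLM_OUTPUT), indent=2))
```

The same gate applies to any other field the model fills in: keep the free-text context the model adds (that is where it saves analyst time), but let every concrete value that will be acted on, such as an address, hash or domain, pass only if it can be traced back to the input.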
