One of the favorite tools in the Fortune 1000 CISO’s arsenal for threat protection is the threat intelligence feed. Indeed, the typical enterprise signs up for a wide range of external feeds—some free, some decidedly not, some vertical-specific, others not. Those are then supplemented with extensive data from the enterprise’s own systems, i.e. the internal reports. These feeds can include commercial feeds, open source feeds, internal logs, Information Sharing and Analysis Center (ISAC) data, government alerts and media reports of other attack attempts.
From the vantage point of giving security analysts lots of relevant information every day, this plethora of feeds is extremely helpful. But from the practical perspective of “how much time can security analysts justify giving those reports every day?”, these reports deliver less help than desired, because it’s difficult to justify much more than a cursory review of each feed until there’s an active attack that justifies a deeper look, searching for a pattern match. To add to this frustration, when a large active attack happens, all security teams are defending against the attack and fighting the clock. There is no time to do a deep dive. That’s where AI comes in.
Artificial Intelligence (AI) can be used to review all internal and external threat feeds, identifying patterns, retaining all salient details and constantly applying them to real-time traffic patterns, continuously searching for a match or at least a close match. This would theoretically allow a near-real-time alert for the security analyst during a messy active attack, something like “The pattern of the current attack looks 92 percent similar to an attack that hit our largest competitor two months ago. In that attack, the company eventually successfully defended itself by taking this action: XXXXX. Shall I launch a similar defense?”
A lot has to align for that AI mechanism to work, including that the attacker hasn’t taken the time to meaningfully alter the attack’s modus operandi to avoid this kind of detection. But it’s a wonderful capability and it can only be done with the speed of software.
AI—along with various forms of Machine Learning (ML), which is only one AI capability—can do what a security analyst has neither the time nor the perfect memory to do: a comprehensive threat intel feed analysis. Consider: when doing the analysis of today’s feeds, the analyst has no way of knowing which details may be useful 3 months from now. The sad truth is that all details must be retained, and the human brain is generally bad at such tasks.
There are many other ways to leverage AI for security. Current AI attacker defense shares some of the thinking behind advanced detection techniques used by anti-virus programs, including heuristic static analysis and, one step beyond, dynamic heuristic analysis. Both go beyond the classic AV defense of identifying the patterns of known malware and looking for either an identical match or an extremely close match. The heuristic approaches go one big step further: instead of looking for specific known malware, they watch what the software does and then judge whether it’s likely malware.
Heuristic static analysis looks for elements such as library imports, obscured code and packers. Dynamic heuristic analysis takes it one step further by running the malware in a sandbox and observing everything the program does, including concerning behaviors such as trying to hide itself, which libraries it calls and whether it tries to create or modify registry entries.
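A minimal static heuristic scorer of the kind described above, as an added example that is not part of the original article or any vendor’s product. The import names, section-name prefixes, weights and thresholds are constructed for illustration; the entropy check is the usual signal for packed or encrypted code.

```python
import math
from collections import Counter

# Illustrative API names that heuristic scanners commonly weight (constructed list,
# not a vendor's real rule set)
SUSPICIOUS_IMPORTS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                      "RegSetValueExA", "IsDebuggerPresent", "URLDownloadToFileA"}
PACKER_SECTION_PREFIXES = ("UPX", ".themida", ".vmp")  # constructed hints

def shannon_entropy(data: bytes) -> float:
    # Bits per byte (0..8); packed or encrypted code approaches 8.0
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score_sample(imports, sections, code_bytes):
    # Returns (score, reasons); a higher score means more packer/obfuscation hints.
    # Weights and thresholds are constructed for illustration.
    score, reasons = 0, []
    hits = sorted(SUSPICIOUS_IMPORTS.intersection(imports))
    if hits:
        score += 2 * len(hits)
        reasons.append("suspicious imports: " + ", ".join(hits))
    if len(imports) < 5:  # tiny import table often means APIs are resolved at runtime
        score += 2
        reasons.append("very small import table")
    for name in sections:
        if name.startswith(PACKER_SECTION_PREFIXES):
            score += 3
            reasons.append("packer-style section name: " + name)
    entropy = shannon_entropy(code_bytes)
    if entropy > 7.0:
        score += 3
        reasons.append(f"high-entropy code section ({entropy:.2f} bits/byte)")
    return score, reasons

# Constructed samples: a packed, injector-style binary and a plain one
PACKED = (["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
          ["UPX0", "UPX1"], bytes(range(256)) * 16)
PLAIN = (["CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "GetLastError", "ExitProcess"],
         [".text", ".data", ".rsrc"], b"mov eax, ebx; " * 300)
```

The score is only a triage signal; a dynamic run in a sandbox, as the paragraph notes, is what confirms the behavior.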
AI can take a similar approach, but can often perform these tasks faster—almost always starting with isolation such as a sandbox. Where AI goes well beyond anti-virus is its access to behavior patterns from lots of different companies as well as detailed internal logs. Infoblox, for example, leverages curated feeds and weeds out false positives. It then marries the speed and pattern-matching strengths of AI with security-expert humans, who are able to see the connections that AI can’t. It’s just as important to identify a company that is not a threat—so that it can be greenlighted to allow business communications to proceed—as it is to identify one that is. False positives can be as problematic as false negatives.
Another important way that AI can help enterprise security efforts is to track and, over time, note how accurate and germane various feeds are for your operations. That information can be used to decide which feeds are renewed and which should be either discontinued or at least deprioritized.
A major concern about threat intel feeds today is that many tend to be generic, lacking the relevance for any one specific company. Things like geography (are these attacks currently being used only in specific high-population geographies? Can we map which, if any, of our locations overlap with the malware’s attack pattern?), vertical (is this attack being used against only financial institutions? Healthcare? Military contractors by nation states?) and even company size are highly useful. The goal is to address the intel signal-to-noise ratio so that analysis can be faster and more on-point.
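The feed-scoring idea from the two preceding paragraphs (tracking accuracy over time, then weighing relevance by vertical and geography), as an added example that is not code from the original article. The feeds, indicator values, enterprise profile, analyst verdicts, weights and thresholds are all constructed; the precision, hit-rate and relevance metrics are the part a practitioner would keep.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class Indicator:
    feed: str
    value: str
    verticals: frozenset  # empty = generic, not tagged to any vertical
    regions: frozenset    # empty = generic, not tagged to any region
# Constructed enterprise profile: the vertical and regions we operate in
OUR_PROFILE = {"vertical": "finance", "regions": frozenset({"US", "DE"})}
# Constructed feed entries; "ioc-*" are placeholders, not real indicators
FEED_INDICATORS = [
    Indicator("feedA", "ioc-a1", frozenset({"finance"}), frozenset({"US"})),
    Indicator("feedA", "ioc-a2", frozenset({"finance"}), frozenset({"DE"})),
    Indicator("feedA", "ioc-a3", frozenset({"finance"}), frozenset({"US", "UK"})),
    Indicator("feedA", "ioc-a4", frozenset({"finance", "retail"}), frozenset({"DE"})),
    Indicator("feedB", "ioc-b1", frozenset(), frozenset()),
    Indicator("feedB", "ioc-b2", frozenset(), frozenset()),
    Indicator("feedC", "ioc-c1", frozenset({"healthcare"}), frozenset({"US"})),
    Indicator("feedC", "ioc-c2", frozenset({"healthcare"}), frozenset({"US"})),
]
# Constructed analyst verdicts for indicators that appeared in our own logs:
# True = confirmed malicious, False = investigated and found benign (false positive)
SIGHTINGS = {"ioc-a1": True, "ioc-a2": True, "ioc-b1": False, "ioc-c1": True}

def is_relevant(ind, profile):
    # Relevant only if tagged to our vertical and to a region we operate in
    return profile["vertical"] in ind.verticals and bool(ind.regions & profile["regions"])

def score_feeds(indicators, sightings, profile):
    # Per feed: precision = confirmed/sighted, hit_rate = sighted/published,
    # relevance = profile-matching/published, then a weighted priority and an action
    counts = defaultdict(lambda: {"published": 0, "sighted": 0, "confirmed": 0, "relevant": 0})
    for ind in indicators:
        c = counts[ind.feed]
        c["published"] += 1
        c["relevant"] += is_relevant(ind, profile)
        if ind.value in sightings:
            c["sighted"] += 1
            c["confirmed"] += sightings[ind.value]
    report = {}
    for feed, c in counts.items():
        precision = c["confirmed"] / c["sighted"] if c["sighted"] else 0.0
        hit_rate, relevance = c["sighted"] / c["published"], c["relevant"] / c["published"]
        priority = round(0.4 * precision + 0.3 * hit_rate + 0.3 * relevance, 3)
        action = "renew" if priority >= 0.6 else "review" if priority >= 0.3 else "deprioritize"
        report[feed] = {"precision": precision, "hit_rate": hit_rate, "relevance": relevance,
                        "priority": priority, "action": action}
    return report
```

Run over a quarter’s worth of sightings rather than this toy set, the same counters give the renew/deprioritize evidence the article describes; a feed that never matches your own logs scores low on hit rate no matter how many indicators it publishes.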