We’ve been busy thinking and writing about AI as applied to the four phases of the threat intelligence cycle (see our blogs on direction and collection), and it’s now time for analysis. Can AI be a good match for what is arguably the most glamourous phase?
When the Cyber Threat Intelligence analyst reaches this phase, they’re three quarters of the way home, and exciting insights can really start to shine…about cyber bad guys’ tactics, or which kind of system gaps were exploited in a breach, for example. After gathering these precious gems, the intelligence team can advise an organisation on how to better its security posture.
Surely AI can assist here? It’s got to! Before we cast a vote for or against, let’s examine its potential, and also what made AI what it is today.
Speed and Substance: AI’s Potential
Given that most CTI teams work with a ‘more is better’ philosophy (collecting and analysing maximum intelligence, from open and closed sources), then AI certainly has a role to play here. It could analyse collected information faster. And it could spotlight whatever nuggets are relevant for the intelligence. Both actions would help create a more specific evaluation of a cyber-attack and the ensuing report for a client.
But AI tools in this phase should be handled with care; history has taught us that the latest technology can have finite potential, and limitations. Let’s take a stroll down memory lane. How was intel analysis aided in the digital era before AI?
Intel Research, Before AI
You’re an intel analyst in the beginning of the 2000s, roughly from 2005 onwards – the digital era has established itself. A client comes to your team for some research on the ‘Love Bug’, a computer worm from the 1990s that has reappeared 10 to 15 years later.
Chances are, in your preliminary searches of online sources, you might encounter this Wikipedia page. Remember that there are very few CTI vendors around at this time, and internet searches are much faster than leafing through physical records and books about the worm’s history. Wikipedia serves as the faster and dynamic version of physical records. But although it can offer a cursory understanding of a cyber attack component, it’s not rock solid; Wikipedia content is based on any web user’s contributions and changes continually.
Research in the AI Era
Fast forward to today. What could be considered the dynamic version of Wikipedia? There are now a lot more deeply sophisticated and knowledgeable open-source websites than Wikipedia, when it comes to malware and other components of cyber-attacks. But combing through all the webpages that have spent 18 years accumulating details of an attack’s components would be considered clunky and the opposite of dynamic.
Enter AI and, specifically, what we see as today’s dynamic Wikipedia: large language models (LLMs). Tools powered by LLMs are designed to generate text in a conversational manner. The analyst can ask a question about an attack’s components, and the LLM zips through rafts of webpages before answering within a few seconds, offering an aggregated summary of the components.
Just like the unsung work of superheroes, AI tools provide assistance in the shadows, not as a set process of the analysis phase. They swoop in, as and when an analyst needs to fill a gap in understanding.
What’s the Verdict?
In this examination of how AI (and other technology) tools can help analysis and production, it’s clear to see how their presence is an advantage. They may not be part of any analysis-phase written protocol, but the analyst can certainly find them useful to speed processes and prioritise information.
But AI and its tools should be handled with eyes wide open (including our own READ.), because their knowledge is fundamentally built on open-source databases. There’s a good chance the analyst has more knowledge about certain things than the tools can produce.
As we saw Wikipedia rise in the digital-era dawn – a silent but handy tool that sped up analysis – we’ll also see AI tools become more prominent behind the scenes of analysis efforts over the coming months. And the principle of using tools to fill intelligence gaps will continue to evolve well beyond the rise of AI.
Look for the final instalment of our blog series, about AI in the dissemination phase, coming soon.