We recently blogged about which form of AI the CTI analyst should use, sparking a conversation at Elemendar about applying AI to the threat intelligence lifecycle. If we consider each phase of the cycle to have a beginning, a middle, and an end, at which stage or stages would AI be beneficial, and at which would it not?
This blog is the first in a series addressing that question, this one covering the first phase – direction.
Direction: AI at the Start?
As the CTI analyst knows, the driving force behind this phase is the set of intelligence requirements (IRs): a list of objectives or questions shaped by the customer’s profile. The first step is to identify the customer’s features of business and craft a corresponding IR for each. For example:
| Feature of Business | Intelligence Requirement (IR) |
|---|---|
| Conducts extensive research and holds intellectual property (IP) | Which types of cyber-threat actors/groups would target this customer? |
| Has a high-net-worth CEO | Which cyber-threat actors/groups execute whaling attacks against top executives of organisations? |
| Depends on a certain version of technology | Which vulnerabilities in that version of the technology are unpatched? |
These IRs are direct and simple enough to solicit a preliminary answer from a generative-AI tool. We fed that first IR into perplexity.ai and got this result:
Fig 1: IR submitted to perplexity.ai
This was a sound answer, listing all the types of threat actors/groups that could engage in stealing IP. But the first item in the list was an extract from an article mentioning threat actors and their campaigns, and at the end of that extract is a mention of “Winnti” (aka APT41), a threat group that has targeted companies’ IP. Why isn’t this group, with a track record of IP targeting, named in the main body of the AI answer, rather than being reduced to a mere footnote?
Direction: AI in the Middle?
Time to examine the next stage. After relevant IRs are constructed, the customer prioritises them for the intelligence team. There’s a chance that the priority IRs (PIRs) would also break down further, into researchable constituent questions and tasks.
At this point, AI is often considered incapable of the critical thinking needed to address each PIR and its constituent questions. The middle stage involves choosing a suitable source or agency to provide information, and although an AI tool can advise on how to use sources and agencies in general, some sources would never be cited by such a tool because of their highly confidential nature. Using the company’s own list of sources and agencies that collaborate with it would be more effective and more comprehensive.
Direction: AI at the End?
The last stage of this lifecycle phase involves putting together the intelligence program. Since the previous two stages addressed the objectives and scope of gathering intelligence, we now ask the customer how they want the project delivered when it’s done. Reports, alerts, or summaries are common, and very text heavy.
Now, let’s assume a generative AI tool is used in the delivery of the results. There would be two things to consider:
- Is the customer comfortable receiving AI-generated conclusions?
- When using an AI tool, does the intelligence team have ownership and/or authorship over the written material that results from a query, and/or would the ownership be shared with the company providing the tool?
It’s good to step back and think about how a ‘no’ answer to either question could complicate the delivery of the project when a generative tool is used. After all, generative AI assists in content creation, and if it were involved in the vendor’s process, the IP rights over the output become murky. Hopefully, laws around this matter will evolve to provide clarity, but in the meantime it’s up to the vendor to clarify with the customer any uncertain aspects of the project.
What’s the Verdict?
After all this exploring, let’s sum up the results: dabbling with AI in the middle stage of the direction phase would be the toughest to justify, but there is a chance AI integration can work in the beginning and end stages, provided you account for the caveats mentioned throughout this blog.
As direction is only the first phase of the intel lifecycle, the next blogs in this series will explore how AI could tie into the remaining phases – collection, analysis and dissemination.