59% of companies report being at cybersecurity risk because of staff shortages. This means that cybersecurity departments and cyber analysts are under continual pressure.

So how do we achieve more with what we have?

The short answer is: with automation.

By automating regular and repetitive tasks you free cyber analysts for the higher-level work that is a better fit for humans, raise their productivity, and protect them against burnout and fatigue.

A good example is the processing of cyber threat intelligence (CTI). 

Reading incoming cyber threat reports and translating them from human-authored prose into machine-readable, actionable data is a primary task, and a major time sink, for many analysts. New threats need to be understood and acted on as quickly as possible, because the window of exposure grows with every unprocessed report that piles up. Often there is simply more incoming CTI than there is time to process it.

CTI reports contain the actionable data needed to secure company infrastructure. Extracting malicious IP addresses, domains, filenames and file hashes, and then categorising those indicators of compromise (IOCs), can take an analyst several hours per day, and the accuracy required makes it mentally taxing work.

A dedicated CTI analyst could spend an hour or more processing a single detailed CTI report. An automated analyst powered by machine learning can process the same report in a few seconds, a massive efficiency increase, and with higher accuracy.

This can save multiple hours of analyst time every day, multiplying the workload analysts can complete, which means better protection against threats and less analysis fatigue.

For this example we will use the excellent weekly threat roundup for December 11 to December 18 from Talos. The report discusses nine unique threats, with a large number of IOCs presented for each.

There are 568 unique IOCs in the report. At a brisk 15 to 30 seconds per IOC to extract it manually and assign a category and subcategory, that is roughly 2.5 to 5 hours of solid work without a break. Elemendar's AI Analyst processes the entire report, extracts and correctly categorises the IOCs, and outputs them in STIX 2 format in 17.53 seconds. In addition, it outlines the relationships between IOCs, threat actors and malware.

You can view the output and visualisation here (the STIX graph takes 17.53 seconds to compile).

The output from the AI Analyst is an industry-standard structured JSON report in STIX 2 format (incorporating MITRE ATT&CK references). Because STIX 2 is consumed by a huge number of commercial and custom security products, the extracted intelligence can flow straight into them, automating the CTI analysis end to end.
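To make the extract, categorise and emit-STIX pipeline concrete, here is a small added example (not Elemendar's code and not the output of its AI Analyst) that does the rule-based version of the job: it refangs defanged values, pulls IPv4 addresses, domains, filenames and MD5/SHA-1/SHA-256 hashes out of prose, deduplicates and categorises them, and wraps each one in a STIX 2.1 Indicator object inside a bundle. The report text is constructed for the example and is not taken from the Talos roundup; the file-extension list and the category/subcategory labels are assumptions chosen for illustration.

```python
"""Rule-based IOC extraction from a prose threat report into a STIX 2.1 bundle.

Added illustration, not Elemendar's code. Regex extraction is a floor, not a
ceiling: it cannot tell a sentence-boundary artefact such as "end.The" from a
domain, nor recognise actors, malware families or ATT&CK techniques, which is
why the page argues for a trained model and why analyst review still matters.
"""
from __future__ import annotations

import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample report (not from the Talos roundup discussed above).
SAMPLE_REPORT = """
The loader beacons to update-check[.]example-cdn[.]net and to 203[.]0[.]113[.]45
over TCP 443. Dropped files include invoice_2020.docx and svchost32.exe (SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855). A second
sample (MD5 d41d8cd98f00b204e9800998ecf8427e) beacons to 198.51.100.7 and
mail[.]example-cdn[.]net.
"""

# Assumed list of extensions that mark a "dotted token" as a filename, not a domain.
FILE_EXTS = {"exe", "dll", "scr", "doc", "docx", "xls", "xlsx", "pdf",
             "zip", "js", "vbs", "ps1", "bat", "php"}
HASH_ALGS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}

# One combined pattern so every span is consumed exactly once, longest hash first.
IOC_RE = re.compile(r"""
    (?P<hash>\b[a-fA-F0-9]{64}\b|\b[a-fA-F0-9]{40}\b|\b[a-fA-F0-9]{32}\b)
  | (?P<ipv4>\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b)
  | (?P<dotted>\b(?:[A-Za-z0-9_-]+\.)+[A-Za-z]{2,}\b)
""", re.VERBOSE)


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.], (.), {.}) so the regexes see real values."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text


def extract_iocs(report: str) -> list[dict]:
    """Return deduplicated IOCs as {type, subtype, value}, in order of appearance."""
    seen: set[tuple[str, str, str]] = set()
    iocs: list[dict] = []
    for m in IOC_RE.finditer(refang(report)):
        kind, value = m.lastgroup, m.group(m.lastgroup)
        if kind == "hash":
            ioc = {"type": "file", "subtype": HASH_ALGS[len(value)], "value": value.lower()}
        elif kind == "ipv4":
            ioc = {"type": "ipv4-addr", "subtype": "value", "value": value}
        else:  # dotted token: filename if the last label is a known extension, else a domain
            ext = value.rpartition(".")[2].lower()
            if ext in FILE_EXTS:
                ioc = {"type": "file", "subtype": "name", "value": value}
            else:
                ioc = {"type": "domain-name", "subtype": "value", "value": value.lower()}
        key = (ioc["type"], ioc["subtype"], ioc["value"])
        if key not in seen:
            seen.add(key)
            iocs.append(ioc)
    return iocs


def to_stix_pattern(ioc: dict) -> str:
    """Render one IOC as a STIX Patterning comparison expression."""
    if ioc["type"] == "file" and ioc["subtype"] != "name":
        return f"[file:hashes.'{ioc['subtype']}' = '{ioc['value']}']"
    if ioc["type"] == "file":
        return f"[file:name = '{ioc['value']}']"
    return f"[{ioc['type']}:value = '{ioc['value']}']"


def to_stix_bundle(iocs: list[dict], now: datetime | None = None) -> dict:
    """Wrap IOCs as STIX 2.1 Indicator SDOs in a Bundle (JSON-serialisable dict)."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = [{
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"{ioc['type']} {ioc['subtype']}: {ioc['value']}",
        "indicator_types": ["malicious-activity"],
        "pattern": to_stix_pattern(ioc),
        "pattern_type": "stix",
        "valid_from": ts,
    } for ioc in iocs]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(to_stix_bundle(extract_iocs(SAMPLE_REPORT)), indent=2))
```

The resulting bundle can be loaded into any STIX 2.1-aware TIP or SIEM as-is. What the regex version cannot do, and what the page's AI Analyst is credited with, is the relationship layer (which actor uses which malware, which malware contacts which domain) and ATT&CK technique tagging; those require understanding the prose, not just scanning it.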

If you would like to learn more about how Elemendar’s AI Analyst could help you, please contact us.

Lee Jones – CTI Analyst – Elemendar