Daily Banking News

Triage Attacks More Efficiently With AI for Cybersecurity


Think of cybersecurity like your personal health. In cybersecurity, basic cyber hygiene foils most cyber attacks. With a shortage of cyber experts, just as in medicine, finding faster and better ways to train practitioners using real-world scenarios is key. However, artificial intelligence (AI) for cybersecurity can improve a team’s response by triaging threats on its own.

AI for Cybersecurity Means Finding the Patterns

Where AI is concerned, the medical field resembles cybersecurity in other ways, too. The medical field’s process of studying and diagnosing the patient is often well-structured, but siloed. Digital defense experts know the playbook of attacks well, just like doctors know the symptoms and signs of most diseases.

What’s different is the rate of fire. In medicine, under most conditions doctors have time to triage, and the number of patients does not overwhelm them. In cybersecurity, data constantly barrages analysts. Effective triage sets up a team for improved defenses.

This is why we are researching new ways of using AI for cybersecurity and deep learning tools, so developers can use both to build effective models for threat triage. Right now, there is a big gap in the AI defense landscape when it comes to true behavior-based threat analysis.

A handful of agent-based AI threat analysis platforms do exist. However, they may be limited to the major operating system platforms. This fails to cover hosts running less widely used and older, but still crucial, platforms. For example, they may not be able to work with the Unix family (HPUX, AIX and Solaris) or consumer devices that have network access but are not yet considered inside-the-perimeter devices. Yet AI can only cover threat triage well if it scans behavior across all relevant readings, regardless of host.

Teaching an AI Threat Disposition System

During threat disposition, an analyst or automated system needs to quickly assign an alert to one of three statuses. The first status involves behavior that is likely to be benign and not worth checking out. The second status refers to behavior that may or may not be dangerous and requires further study to tell whether it’s safe. The third status shows an attack, requiring action right away. Over time, these exercises may lead to policy changes. Those might be changes to security controls and stances.

One major hurdle for AI and cybersecurity in threat triage is the volume and types of training data. Deep learning systems need a high volume of data to generate good results. In the case of cyber triage, humans must guide deep learning systems in order to generate smart decisions. That’s because so many of these decisions are still judgment calls by nature. Context and history drive a lot of the decisions made in threat triage. Humans need to train the AI in order to convey how to make these decisions.

How to Teach AI to Triage

Cyber attack simulation systems can help create more teaching data, enabling AI for cybersecurity to work effectively. Here’s how it works:

  • Set up a test production landscape complete with hardware, software and network assets, as well as security controls
  • Queue up a large volume of real-world verified attack playbooks to run against it
  • Export the indicators of compromise (IOCs) or contents of system alerts to human experts
  • Triage the alerts and IOCs as either benign, possibly malicious, or confirmed malicious

This system will enable faster training without needing actual live alerts. By creating a higher volume of alerts flagged by humans, the AI can acquire data at 10 to 20 times the rate possible using organic data. Equally important, cyber attacks tend to come in similar waves. For example, there are a lot of ransomware attacks right now. In the past, there were more database breaches or supply chain compromise attempts. Live data does not tell the whole story. So using real-world attacks to train AI models helps create balanced coverage…
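As an added illustration (not code from the article), the Python sketch below turns analyst-triaged alerts from a simulated run into a labelled training set and reweights it so that one attack wave does not dominate. The alert fields, playbook family names and sample rows are constructed, and inverse-frequency weighting per family is an assumed way to get balanced coverage.

```python
from collections import Counter

# The three dispositions the article describes.
STATUSES = {"benign", "possibly_malicious", "confirmed_malicious"}

# Constructed sample: (alert id, simulated playbook family, host platform, analyst disposition).
SIM_ALERTS = [
    ("a01", "ransomware", "windows", "confirmed_malicious"),
    ("a02", "ransomware", "windows", "confirmed_malicious"),
    ("a03", "ransomware", "linux", "possibly_malicious"),
    ("a04", "ransomware", "aix", "confirmed_malicious"),
    ("a05", "ransomware", "windows", "benign"),
    ("a06", "ransomware", "solaris", "confirmed_malicious"),
    ("a07", "db_breach", "linux", "possibly_malicious"),
    ("a08", "db_breach", "hpux", "confirmed_malicious"),
    ("a09", "supply_chain", "linux", "possibly_malicious"),
    ("a10", "db_breach", "linux", "needs review"),  # not one of the three statuses
    ("a11", "supply_chain", "windows", None),       # analyst has not triaged it yet
]

def build_training_set(alerts):
    """Split alerts into labelled rows and rejects (missing or unknown disposition)."""
    rows, rejected = [], []
    for alert in alerts:
        (rows if alert[3] in STATUSES else rejected).append(alert)
    return rows, rejected

def family_weights(rows):
    """Per-family sample weight so each playbook family carries equal total weight."""
    counts = Counter(family for _, family, _, _ in rows)
    return {fam: len(rows) / (len(counts) * n) for fam, n in counts.items()}

def weighted_label_mix(rows, weights):
    """Share of total training weight held by each disposition after reweighting."""
    mix = Counter()
    for _, family, _, status in rows:
        mix[status] += weights[family]
    total = sum(mix.values())
    return {status: round(w / total, 3) for status, w in mix.items()}

if __name__ == "__main__":
    rows, rejected = build_training_set(SIM_ALERTS)
    weights = family_weights(rows)
    print(len(rows), "labelled,", len(rejected), "rejected")
    print(weights)
    print(weighted_label_mix(rows, weights))
```

Rejected alerts go back to the analysts instead of being dropped silently, since an unlabelled or mislabelled row would otherwise teach the model nothing or the wrong thing.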


