
5 ways AI is being used to improve security: Threat detection and intelligence
We've recently wrapped up our series on how threat actors use artificial intelligence (AI) technologies to improve and accelerate their attacks. This post is the first in a companion series on how AI is used in cybersecurity. We'll kick off this series with threat detection and intelligence.
Threat detection and threat intelligence work together closely but have distinct roles. Let's start by looking at what they are and how they work.
Threat detection
Threat detection is an automated process that continuously monitors networks, applications, and other business systems for suspicious or unusual activities that appear to be threats. Here are some examples of the threats and indicators targeted by threat detection:
Threat: Unauthorized access
Indicators:
Unusual login patterns or attempts to log in from an unusual location. This may be recognized as credential stuffing, password spraying, or some other credential-based attack.
Attempts to escalate privileges, access restricted resources, or move laterally through a network to access systems and servers. System intruders often employ Living off the Land (LotL) techniques by using legitimate system tools and utilities to perform these maneuvers.
Threat: Malware, ransomware, and other malicious software
Indicators:
Execution of unfamiliar or unapproved software or sudden changes in network files. Bulk changes in file integrity can be the result of a system failure or a cyberattack, so threat detection systems are likely to alert on this type of activity. Unapproved or unknown software presents an unknown level of risk because it could be anything from a malware binary to a freeware media player. The threat detection system can help you understand what's happening in your network so you can adjust security policies or configurations as needed.
Sudden changes in the security configuration of network endpoints, such as firewalls being disabled and antivirus protection being deleted. Many ransomware variants include mechanisms to disable system security and prevent ransomware removal from the system.
Threat: Suspicious network behavior associated with many types of threats
Indicators:
Unauthorized network scanning and mapping are often precursors to an attack. This is considered network reconnaissance, which usually indicates an effort to find open ports, vulnerabilities, or other potential entry points. Threat detection systems will usually flag any comprehensive network scanning, whether an internal or internet-based scan of the network edge.
Large data transfers or unusual spikes in network traffic usually indicate data exfiltration or theft. Spikes in traffic and resource use can also indicate botnet activity, such as cryptomining or denial-of-service attacks.
Threat detection capabilities are included in endpoint detection and response (EDR), intrusion detection systems (IDS), and similar technologies. Effective use of these systems will help IT teams identify and mitigate security incidents in the early stages.
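The credential-based indicators above (many failed logins from one source, a success that follows them) are easy to turn into detection logic. The following is an added example, not code from the original post or from Barracuda: it runs a simple per-source classifier over constructed authentication log lines in an assumed `<timestamp> <OK|FAIL> user=<account> src=<ip>` format. The thresholds are assumptions chosen for the example, not a vendor's defaults.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from a real system). Assumed format:
#   <timestamp> <OK|FAIL> user=<account> src=<source ip>
AUTH_LOG = """\
2024-05-01T08:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T08:00:02 FAIL user=bob src=203.0.113.7
2024-05-01T08:00:03 FAIL user=carol src=203.0.113.7
2024-05-01T08:00:04 FAIL user=dave src=203.0.113.7
2024-05-01T08:00:05 FAIL user=erin src=203.0.113.7
2024-05-01T08:00:09 OK user=frank src=203.0.113.7
2024-05-01T08:10:00 FAIL user=alice src=198.51.100.9
2024-05-01T08:10:01 FAIL user=alice src=198.51.100.9
2024-05-01T08:10:02 FAIL user=alice src=198.51.100.9
2024-05-01T08:10:03 FAIL user=alice src=198.51.100.9
2024-05-01T08:10:04 FAIL user=alice src=198.51.100.9
2024-05-01T08:10:05 FAIL user=alice src=198.51.100.9
2024-05-01T08:10:06 FAIL user=alice src=198.51.100.9
2024-05-01T08:10:07 FAIL user=alice src=198.51.100.9
2024-05-01T09:00:00 FAIL user=gina src=192.0.2.10
2024-05-01T09:00:30 OK user=gina src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_attacks(events, spray_min_accounts=5, brute_min_failures=8):
    """Classify failed-login activity per source address.

    password_spraying:    one source fails against many distinct accounts
    brute_force:          one source fails repeatedly against a single account
    success_after_attack: a successful login from a source already flagged
    The thresholds are assumptions for this example (hypothetical values).
    """
    failed_users = defaultdict(list)   # src -> accounts that failed from it
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["src"]].append(e["user"])

    findings = []
    flagged = set()
    for src, users in sorted(failed_users.items()):
        distinct = set(users)
        if len(distinct) >= spray_min_accounts:
            findings.append({"type": "password_spraying", "src": src,
                             "accounts": len(distinct), "failures": len(users)})
            flagged.add(src)
            continue
        for user, n in sorted(Counter(users).items()):
            if n >= brute_min_failures:
                findings.append({"type": "brute_force", "src": src,
                                 "user": user, "failures": n})
                flagged.add(src)

    # A success from a flagged source is the finding most worth escalating.
    # (Simplification: the log is assumed to be in chronological order.)
    for e in events:
        if e["result"] == "OK" and e["src"] in flagged:
            findings.append({"type": "success_after_attack", "src": e["src"],
                             "user": e["user"], "at": e["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect_credential_attacks(parse_auth_log(AUTH_LOG)):
        print(finding)
```

A single failed login followed by a success (gina) produces nothing, while the source that sprayed five accounts and then logged in as a sixth produces both a spraying finding and the higher-priority success_after_attack finding.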
Threat intelligence
Threat intelligence systems gather and analyze information about threats and output this information in an accessible and actionable format. The information from threat intelligence systems may be proprietary to a vendor or shareable in an open format to all systems and stakeholders. Threat intelligence helps people understand the threat landscape and identify emerging threats, which in turn can inform security budgets, purchasing decisions, staffing plans, business continuity planning, and other strategies affected by cyberthreats.
Intelligence systems gather data from several sources:
Open-source intelligence (OSINT): Publicly available information. Sources can be social media platforms, news outlets, public records and government websites, forums, blogs, and anything else defined as open source.
Dark web monitoring: The dark web is a part of the internet that cannot be accessed without specific software like The Onion Router to reach hidden websites. The dark web is specifically known for its anonymity and privacy, and it hosts many criminal websites like ransomware leak sites and crime forums.
Technical Intelligence (TECHINT): This type of intelligence focuses on technical aspects like indicators of compromise (IoC), malicious IP addresses, and tactics, techniques, and procedures (TTPs). Technical intelligence comes from malware analysis, sandboxes, threat feeds and reports, and other technical data sources. IDS, IPS, and other threat detection systems sometimes source this type of threat intelligence.
Human Intelligence (HUMINT): Human sources provide context and insights that might not be accessible through technical sources. This intelligence may come from informants, surveillance, embedded ('undercover') law enforcement, and collaboration with other intelligence sources. Global efforts like Operation Cronos are examples of shared human intelligence between law enforcement groups.
Signal sharing: This refers to the sharing of threat information between security vendors, government agencies, and other industry stakeholders. The 'signal' can be any human or technical intelligence. Incident response reports and publications from researchers and analysts are shared alongside telemetry and vulnerability data. Signal sharing significantly increases threat intelligence's depth, accuracy, and timeliness.
Threat intelligence is about taking raw data and turning it into something we can use to protect ourselves. AI has made this process much more powerful.
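The TECHINT and signal-sharing sources above are usually consumed as indicator feeds, and the practical work is matching them against what the detection systems observe. The following is an added example, not code from the original post or from Barracuda: it loads a constructed CSV feed of indicators (reserved documentation addresses and made-up names, not real IoCs), refangs the defanged values analysts publish in reports (hxxp, [.]), normalizes case and trailing dots, and matches DNS, proxy, IP and file-hash observations, including subdomains of a listed domain. The feed format and the observation dictionaries are assumptions for the example.

```python
import csv
import io
import re

# Constructed placeholder hash (64 hex characters), not a real sample's hash.
FAKE_HASH = "ab" * 32

# Constructed TECHINT feed in a simple CSV form (type,value,source). The values are
# documentation/reserved addresses and made-up names, not real indicators.
IOC_FEED = f"""\
type,value,source
ipv4,203.0.113.42,partner-feed
domain,malicious[.]example,analyst-report
url,hxxps://update[.]example[.]net/payload,sandbox-report
sha256,{FAKE_HASH},malware-analysis
"""

# Constructed proxy, DNS and EDR observations to check against the feed.
OBSERVATIONS = [
    {"type": "dns",  "value": "MALICIOUS.example."},       # case and trailing dot differ
    {"type": "dns",  "value": "cdn.malicious.example."},   # subdomain of a listed domain
    {"type": "http", "value": "https://update.example.net/payload"},
    {"type": "ip",   "value": "203.0.113.42"},
    {"type": "file", "value": FAKE_HASH},
    {"type": "dns",  "value": "www.example.org."},         # benign
]

# Which observation types can match which indicator types.
OBS_TO_IOC = {"dns": "domain", "http": "url", "ip": "ipv4", "file": "sha256"}


def refang(value):
    """Undo the defanging used in reports (hxxp, [.], (.), [:])."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def normalize(kind, value):
    """Canonical form so feed entries and log values compare equal."""
    v = refang(value).lower()
    if kind == "domain":
        v = v.rstrip(".")          # DNS logs often carry the trailing root dot
    return v


def load_feed(text):
    """Index the feed as {(type, normalized value): source}."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        index[(row["type"], normalize(row["type"], row["value"]))] = row["source"]
    return index


def candidate_keys(kind, value):
    """Keys to look up for one observation; domains also try every parent domain
    so that cdn.malicious.example matches an indicator for malicious.example."""
    v = normalize(kind, value)
    keys = [(kind, v)]
    if kind == "domain":
        labels = v.split(".")
        for i in range(1, len(labels) - 1):   # stop before the bare TLD
            keys.append((kind, ".".join(labels[i:])))
    return keys


def match_observations(index, observations):
    """Return one hit per observation that matches an indicator in the feed."""
    hits = []
    for obs in observations:
        kind = OBS_TO_IOC.get(obs["type"])
        if kind is None:
            continue
        for key in candidate_keys(kind, obs["value"]):
            if key in index:
                hits.append({"observed": obs["value"], "indicator": key[1],
                             "ioc_type": kind, "source": index[key]})
                break
    return hits


if __name__ == "__main__":
    for hit in match_observations(load_feed(IOC_FEED), OBSERVATIONS):
        print(hit)
```

Carrying the feed's source field through to each hit is what makes the alert actionable: the analyst can see whether the match came from a partner feed, a sandbox report or internal malware analysis before deciding how much weight to give it.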
The role of AI in threat detection and intelligence
The above details reveal that threat detection and intelligence overlap and feed each other, but they are separate entities with distinct functions. Notice that neither performs incident response (IR), which is a separate function that we'll explore later in this series. Many security solutions will include all these features with a centralized management dashboard that makes them feel like a single security product. This is how Barracuda Cloud Control works, and it's one of the reasons why these advanced technologies are accessible to companies of all sizes and budgets. They're easier to use and they're budget-friendly because there's so much automation and orchestration happening in the background. The vendor can cost-effectively scale these operations and pass the savings on to the customer.
Now, let's take a look at where AI is most powerful. You may recall that there are several subsets of artificial intelligence, including machine learning (ML) and generative AI (GenAI). Here's how ML and GenAI map to the functions we identified in threat detection:
Threat | Machine Learning | Generative AI
--- | --- | ---
Unauthorized access | Anomaly Detection: Recognizes deviations from normal login behavior. Behavioral Analysis: Monitors user and system behavior to detect unusual activities. | Simulation and Testing: Generates synthetic attack scenarios to test the security system. Scenario Generation: Creates hypothetical attack scenarios involving LotL techniques.
Malware, ransomware, and other malicious software | File Integrity Monitoring: Tracks changes in file integrity and software execution to detect anomalies. Configuration Monitoring: Continuously monitors security configurations for sudden changes indicating ransomware. | Malware Simulation: Simulates execution of malware and unapproved software to train systems. Ransomware Attack Simulation: Simulates ransomware attacks to train systems to recognize them.
Suspicious network behavior associated with many types of threats | Network Traffic Analysis: Analyzes network traffic to detect unauthorized scanning and mapping activities. Traffic Analysis: Monitors network traffic to identify unusual spikes indicating malicious activities. | Reconnaissance Simulation: Simulates network scanning and mapping to test detection capabilities. Synthetic Data Generation: Creates scenarios of large data transfers to test detection systems.
Now, we'll do something similar for intelligence collection and analysis:
Method | Machine Learning | Generative AI
--- | --- | ---
Open-Source Intelligence (OSINT) | Data Aggregation and Filtering: Processing vast amounts of data to identify relevant threat information. Sentiment Analysis: Analyzing sentiment on social media and forums. Pattern Recognition: Identifying patterns and anomalies in large datasets. | Content Generation: Simulating potential threat scenarios. Data Augmentation: Generating synthetic data for training. Automated Summarization: Creating concise summaries of reports and articles.
Dark Web Monitoring | Anomaly Detection: Identifying unusual activities or trends. Entity Recognition: Extracting and categorizing entities from dark web forums and marketplaces. Behavioral Analysis: Tracking and analyzing threat actor behavior. | Threat Emulation: Simulating threat actor behavior. Content Synthesis: Producing detailed reports and alerts. Translation and Interpretation: Translating and contextualizing dark web information.
Technical Intelligence (TECHINT) | Malware Analysis: Classifying and analyzing malware samples. Threat Detection: Enhancing real-time threat detection and response. Predictive Analytics: Predicting emerging threats. | Automated Report Generation: Creating detailed technical reports. Simulation of Attacks: Modeling and simulating cyber-attacks. Tool Development: Assisting in developing new analysis tools.
Human Intelligence (HUMINT) | Data Correlation: Correlating data from human sources with other intelligence sources. Pattern Recognition: Identifying patterns in human-provided data. Predictive Insights: Using historical HUMINT data to predict future threats. | Scenario Generation: Creating potential threat scenarios. Language Processing: Interpreting and summarizing intelligence reports. Interactive Assistants: Assisting analysts with processing and analysis.
Signal Sharing | Data Integration: Integrating and correlating threat data from multiple sources. Real-time Analytics: Processing shared signals in real-time. Risk Assessment: Evaluating risk levels of shared signals. | Report Generation: Automating the creation of incident reports and assessments. Collaborative Platforms: Enhancing collaborative platforms with real-time summaries. Communication Enhancement: Improving communication with actionable intelligence briefs.
Next, let's look at how this all works together.
How AI-powered threat detection and intelligence protects your company
There are four big things going on in your threat detection and intelligence systems:
Predictive analytics: This operation attempts to predict future threats by analyzing historical threat data. This uses ML to learn from large datasets and identify complex patterns. GenAI contributes to predictive analytics by using historical and synthetic (fake) data to simulate future attack scenarios. This is useful for predicting future threat vectors and anticipating attack trends.
Behavioral analytics: This is like predictive analytics but is focused on user behavior. Unusual user behavior may reveal potential threats that standard security protocols miss. Machine learning automates the data analysis and identifies anomalies that might indicate a security threat. These anomalies could be very subtle and easily missed in manual reviews. GenAI models normal and abnormal behaviors to improve the analysis and better distinguish between harmless and malicious activities. Behavioral analytics helps detection systems identify insider threats and compromised accounts.
Anomaly detection: This component monitors the network for unusual patterns or behaviors that deviate from the norm. ML improves the system by learning from known data and adjusting to new types of anomalies over time. GenAI creates synthetic anomalies to improve detection models and make the system more resilient to new threats. Zero-day attacks and unusual login patterns might be detected here.
Pattern recognition: As you may expect, this identifies regular patterns or structures in data, which helps classify and detect known types of cyberthreats. Machine learning automates this process and improves the accuracy of recognition. GenAI creates new patterns of attack simulations to improve learning. This may be used to classify types of malware, identify threat actor relationships, or recognize spear-phishing campaigns.
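Behavioral analytics and anomaly detection both come down to learning a per-user baseline and scoring new events against it. The following is an added example, not code from the original post or from Barracuda, showing the statistical core of that idea without any ML library: it builds a baseline from constructed historical sessions (login hour, country, megabytes sent out), then flags new sessions that fall outside the learned hour window, come from a country never seen for that user, or send a volume more than three standard deviations above the user's mean. The fields, the hour-window slack and the z-score threshold are assumptions for the example; a production system would learn from far more telemetry and many more features.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline of "normal" sessions per user:
# (user, login hour, country, MB sent out during the session).
BASELINE = [
    ("alice", 9, "US", 40), ("alice", 10, "US", 55), ("alice", 9, "US", 48),
    ("alice", 11, "US", 52), ("alice", 8, "US", 45), ("alice", 10, "US", 50),
    ("bob", 14, "DE", 120), ("bob", 15, "DE", 110), ("bob", 13, "DE", 130),
    ("bob", 16, "DE", 125), ("bob", 14, "DE", 115), ("bob", 15, "DE", 118),
]

# Constructed new sessions to score against the baseline.
NEW_EVENTS = [
    ("alice", 10, "US", 47),     # ordinary session
    ("alice", 3, "RU", 49),      # odd hour and new country: possible account compromise
    ("bob", 14, "DE", 4200),     # huge outbound volume: possible data exfiltration
    ("carol", 12, "FR", 30),     # user with no history at all
]


def build_profiles(rows):
    """Learn a simple per-user profile: seen countries, hour window, volume stats."""
    per_user = defaultdict(list)
    for user, hour, country, mb in rows:
        per_user[user].append((hour, country, mb))
    profiles = {}
    for user, sessions in per_user.items():
        hours = [h for h, _, _ in sessions]
        volumes = [m for _, _, m in sessions]
        profiles[user] = {
            "countries": {c for _, c, _ in sessions},
            "hour_min": min(hours),
            "hour_max": max(hours),
            "mb_mean": mean(volumes),
            "mb_std": pstdev(volumes),
        }
    return profiles


def score_event(profiles, event, z_threshold=3.0, hour_slack=1):
    """Return a score (number of anomalous features) and the reasons behind it."""
    user, hour, country, mb = event
    p = profiles.get(user)
    if p is None:
        # No baseline means no judgement is possible; surface it rather than pass it silently.
        return {"user": user, "score": 1, "reasons": ["no baseline for user"]}
    reasons = []
    if country not in p["countries"]:
        reasons.append(f"new country {country}")
    if not (p["hour_min"] - hour_slack <= hour <= p["hour_max"] + hour_slack):
        reasons.append(f"login at hour {hour} outside usual window")
    std = p["mb_std"] or 1.0               # guard against a zero-variance baseline
    z = (mb - p["mb_mean"]) / std
    if z > z_threshold:
        reasons.append(f"outbound volume z={z:.1f}")
    return {"user": user, "score": len(reasons), "reasons": reasons}


def find_anomalies(profiles, events, min_score=1):
    """Score every event and keep the ones at or above the alerting threshold."""
    scored = (score_event(profiles, e) for e in events)
    return [r for r in scored if r["score"] >= min_score]


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for anomaly in find_anomalies(profiles, NEW_EVENTS):
        print(anomaly)
```

The score is deliberately additive: a new country alone might be travel, an off-hours login alone might be a deadline, but both together on the same session is what an analyst would want ranked first.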
A security system that uses automated threat detection and intelligence can greatly improve your company's security. The intelligence makes the system smarter. Threat detection constantly looks for current or potential threats, and automation keeps security processes consistent enterprise-wide. Unfortunately, cybercriminals are already using AI against you, and you need to use AI-powered systems to defend yourself.
Barracuda can help
Barracuda provides a comprehensive cybersecurity platform that uses AI-powered security to defend against all major attack vectors present in today's complex threats. Visit www.barracuda.com for more on our award-winning security and data protection products.
Did you know...
Barracuda has published a new e-book titled Securing tomorrow: A CISO’s guide to the role of AI in cybersecurity. This e-book explores security risks and exposes the vulnerabilities that cybercriminals exploit with the aid of AI to scale up their attacks and improve their success rates. Get your free copy of the e-book right now and see all the latest threats, data, analysis, and solutions for yourself.