Leveraging AI to undertake investigations of suspicious activities could significantly increase security teams’ abilities to protect their organizations from cyber-attacks, according to Andrew Tsonchev, director of technology, Darktrace, speaking during the Infosecurity Magazine Online Summit EMEA 2021.
The development of an ‘AI analyst’ differs from the normal role of threat detection played by this type of technology in cybersecurity. In essence, it looks to “replicate the sort of steps taken by a human analyst in a SOC in a course of an investigation.”
Part of the driver for Darktrace’s work in this area has been the extra pressure placed on security teams as a result of the changing working patterns in the past year. This has led to the growing use of remote endpoints as well as technologies such as SaaS and collaboration tools, expanding the threat landscape.
An additional consideration is the trend of malicious actors utilizing AI from an offensive standpoint, which would allow them to significantly ramp up attacks. Tsonchev noted that “we are in the beginning phases of that at the minute.”
Conversely, giving AI the human traits of investigation can help organizations become aware of, and deal with, threats much more quickly. AI tools are typically used to detect unusual patterns and behaviors in an organization's systems by comparing them against a baseline of normal activity; the next step is enabling the AI to analyse and interpret those anomalies in the way human security analysts normally would.
“Humans take the initial alert as a jumping-off point to begin an investigative process, which is active and involves discovery, question asking and data gathering and analysis,” explained Tsonchev. He added: “The way this technology works is to train machine learning engines on the way humans do security investigation,” ultimately concluding if that threat poses a risk to the organization.
Such an approach can free up security teams, reducing their initial triage time by up to 92%, according to Tsonchev. The AI analyst can then produce a report which gives the most pertinent information.
He then gave an example of a successful AI investigation relating to attacks from APT41 in March 2020 that exploited a zero-day vulnerability. This led to the threat being quickly identified as the highest priority. Tsonchev commented: “You can detect any and all strange things in the environment but if those alerts are buried amongst a sea of 300 other alerts in a day, then you haven’t really detected it in a meaningful way that really helps your security team.”
He added: “The key value proposition here is not to throw an analyst 50 alerts, but to identify a map to an ongoing threat, to classify the nature of that threat and to understand the type of behavior.”
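To make the triage idea in these quotes concrete, here is an added illustration in Python. It is not Darktrace's code or the speaker's method: it takes a constructed day of anomaly alerts, groups alerts on the same host that fall within a short time window into one incident, maps each anomaly type to a coarse kill-chain stage, and scores an incident higher when it spans several stages, so a multi-step intrusion rises above isolated noise. The alert records, the `STAGE` mapping, the one-hour window and the scoring weights are all assumptions chosen for the example.

```python
"""Toy alert-triage pipeline: correlate anomaly alerts into incidents and rank them.

Added example, not Darktrace code. Alert records, stage mapping, window and
scoring weights are constructed assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts for one noisy day; only the ws-17 alerts are related.
SAMPLE_ALERTS = [
    {"ts": "2021-03-10T08:00:00", "host": "ws-17", "type": "unusual_dns", "score": 20},
    {"ts": "2021-03-10T08:05:00", "host": "ws-17", "type": "new_external_conn", "score": 35},
    {"ts": "2021-03-10T08:20:00", "host": "ws-17", "type": "smb_enumeration", "score": 40},
    {"ts": "2021-03-10T08:40:00", "host": "ws-17", "type": "unusual_data_volume", "score": 50},
    {"ts": "2021-03-10T09:00:00", "host": "ws-03", "type": "unusual_dns", "score": 20},
    {"ts": "2021-03-10T14:00:00", "host": "ws-03", "type": "new_external_conn", "score": 35},
    {"ts": "2021-03-10T10:00:00", "host": "srv-db", "type": "failed_logins", "score": 15},
]

# Assumed mapping from anomaly type to a coarse kill-chain stage (constructed).
STAGE = {
    "unusual_dns": "c2",
    "new_external_conn": "c2",
    "smb_enumeration": "lateral_movement",
    "unusual_data_volume": "exfiltration",
    "failed_logins": "initial_access",
}
STAGE_ORDER = ["initial_access", "c2", "lateral_movement", "exfiltration"]

WINDOW = timedelta(hours=1)  # assumption: alerts on one host within an hour are related


def parse(alert):
    """Return a copy of the alert with its timestamp parsed to a datetime."""
    a = dict(alert)
    a["ts"] = datetime.fromisoformat(alert["ts"])
    return a


def correlate(alerts, window=WINDOW):
    """Group alerts per host into incidents; a gap longer than `window` starts a new one."""
    by_host = defaultdict(list)
    for a in map(parse, alerts):
        by_host[a["host"]].append(a)
    incidents = []
    for items in by_host.values():
        items.sort(key=lambda a: a["ts"])
        current = [items[0]]
        for a in items[1:]:
            if a["ts"] - current[-1]["ts"] <= window:
                current.append(a)
            else:
                incidents.append(current)
                current = [a]
        incidents.append(current)
    return incidents


def classify(incident):
    """Summarise an incident: the stages it spans and a priority score.

    The score rewards breadth across stages (an attack chain) more than any
    single alert, which is what lifts a multi-step intrusion above isolated noise.
    """
    stages = [s for s in STAGE_ORDER if any(STAGE[a["type"]] == s for a in incident)]
    base = max(a["score"] for a in incident)
    priority = base + 25 * (len(stages) - 1)  # assumed weight per extra stage
    return {
        "host": incident[0]["host"],
        "stages": stages,
        "alerts": len(incident),
        "priority": priority,
    }


def triage(alerts):
    """Correlate, classify and rank incidents, highest priority first."""
    return sorted((classify(i) for i in correlate(alerts)),
                  key=lambda r: r["priority"], reverse=True)


def report(alerts, top=3):
    """Render the top incidents as the short summary an analyst would read first."""
    lines = []
    for r in triage(alerts)[:top]:
        lines.append(f"{r['priority']:>3}  {r['host']:<7} {r['alerts']} alerts"
                     f"  stages: {' -> '.join(r['stages'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS))
```

Running the block prints the ws-17 chain (c2 -> lateral_movement -> exfiltration) at the top, while the lone alerts on ws-03 and srv-db, which would look identical to the first ws-17 alert in a flat feed, fall to the bottom. In practice the window, the stage mapping and the weights need tuning against an environment's real baseline; the point of the example is the shape of the pipeline, not the numbers.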