Introducing AI-powered insights in Threat Intelligence
Head of PM Threat Intelligence, Detections & Analytics Google Cloud Security
Head of Data Science Research, Mandiant
Our new Security AI Workbench, announced today at RSA Conference in San Francisco, uses the recent advancement in Large Language Models (LLMs) to address three of the biggest challenges in cybersecurity: threat overload, toilsome tools, and the talent gap. Threat intelligence is an area that suffers from all three problems, and LLMs have the capability to transform how it is operationalized to help secure businesses.
At Google Cloud, our threat intelligence offerings are grounded in three core principles:
Trusted: Our customers can trust Mandiant Threat Intelligence to have industry-leading breadth, depth, and timeliness to deliver information that matters.
Relevant: We personalize the threat landscape so it’s relevant for each customer, enabling them to prioritize threats that are likely to affect them.
Actionable: Our threat intelligence is more actionable because we automate the end-to-end pipeline from raw data to security controls.
Deliver the most trusted threat intel
AI is as valuable as the data it operates on. Using LLMs to summarize irrelevant, open-source intelligence provides no more value to a customer than a manual review of that data. Doing so can even add more noise to an already-overwhelming flood of information.
That’s why the combination of Mandiant’s frontline intelligence, garnered from a team of expert researchers and over 1,000 breaches each year, and Google’s exceptional visibility on internet-wide threats, provides a powerful foundation for our AI solutions. We have been applying many natural language processing (NLP) and machine learning (ML) approaches to convert raw threat data into actionable intel for years. Recent developments in LLMs allow us to significantly improve our already market-leading intel operations. Some of the areas we are working on include:
Increasing the breadth of our coverage by implementing more effective tracking of digital threats across languages and modalities. Global threat actors use many methods to hide their tracks across forums, messaging services, and the deep/dark web. LLM-based approaches, which are particularly good at handling multiple modalities and languages across discussion forums, messaging services, and websites hidden from traditional search engines, help our analysts peer through this obfuscation at scale.
Providing greater depth to our threat intel by combining visibility across data sources. LLMs can eliminate data silos that previously prevented broad analysis by identifying relevant information across multiple sources. This will allow us to combine threat information encountered during Mandiant incident response engagements, Google’s visibility into Internet-wide threats, public information, and Mandiant research to produce a more complete and contextual picture of our threat intelligence.
Converting raw threat data into finished threat intelligence in machine-readable and human-readable forms. LLMs enable us to take this automation to the next level where every step in the conversion from raw threat data to finished intel to new detection rules can now be automated — with expert human supervision. In many cases, this will allow customers to see late-breaking developments in near-finished form in minutes versus days or weeks, then operationalize those insights instantly.
Personalizing the threat landscape to focus on the most relevant threats
The vast majority of the threat landscape is irrelevant to most organizations. Therefore, it’s vital for every customer to focus on the threat landscape that is relevant for them. Personalizing the threat landscape is made possible in two ways:
Automatically creating a personalized threat profile
Simplifying augmentation of that threat profile by giving analysts AI based natural language search
Imagine automatically deriving a personalized and detailed threat landscape for your organization that evolves as new internal and external information becomes available. With the power of LLMs, this is becoming a reality:
A personalized threat profile for your organization could be automatically created, and quickly queried using a simple conversational interface to ask questions such as “Why is this threat important? What impact did this actor have on my industry counterparts? How recent has this actor’s activity been? What tactics, techniques, and procedures do they use? Why is my environment uniquely at risk? What actions should I take to mitigate the risk due to this campaign, tool, or actor?”
Daily recommendations could be shared on what security actions to take today based on any changes over the last 24 hours. For example, if a threat actor was seen targeting your industry using a new technique that you have exposure to, you would be notified so mitigations can be quickly put in place.
When there’s a significant change in your threat landscape or environment, you would be automatically provided with actionable next steps.
In the past, this kind of personalization was only available to the largest and most sophisticated organizations. LLMs will enable Mandiant to make this level of personalization available to all our customers, at scale.
LLMs can make search significantly more efficient. While there is a plethora of information available about threats, sorting through it and making those insights actionable requires a lot of work. The summarization capabilities of LLMs make obtaining a complete understanding of a threat topic an issue of the past. Figure 1 illustrates LLM-based summarization of various threat intelligence artifacts relevant to a query. Note that the flexibility of LLMs allow us to provide a summary of the finished intel reports alongside structured intelligence, and customize the scope and technical depth of the summary to different audiences.
Figure 1: LLM-based summarization capabilities in action on the Mandiant Threat Intelligence platform.
As we continue to leverage LLMs in search, we will be supporting a conversational interface to reduce the toil and lower the skills bar for exploring the threat landscape. These iterative searches will be stateful and shareable, making it easier to collaborate with other analysts.
Make threat intelligence more actionable
Traditionally, taking action on threat intelligence has been a burdensome manual task, limiting the value of the threat intelligence to any business. A recent global survey on threat intelligence showed that nearly half of respondents cited applying threat intelligence as their greatest challenge. At Mandiant, we have been focused on making it easier for customers to act on personalized threat intelligence in their security products and workflows.
One of the most powerful combinations we offer is our ability to apply our world-class threat intelligence to event data in Chronicle Security Operations, using AI-based models to curate and prioritize indicators of compromise (IOCs) that Mandiant tracks through active breach investigations. Mandiant Breach Analytics for Chronicle provides a prioritized set of undiscovered events that could be indicative of an active breach, as seen in Figure 2.
Breach Analytics for Chronicle allows customers to readily find bad actors using novel techniques and contain them before becoming the next victim. The AI based models curate and prioritize the matches to assign an Indicator Confidence Score (IC-Score), which indicates our confidence in their use in malicious activity.
Recently, we have leveraged the power of LLMs to summarize indicator/actor/malware context pulled from our vast repository of proprietary research to provide trusted threat intel to the security analysts in the SOC. This reduces toil and the reliance on expertise, eliminating the need to scour through hundreds of reports and structured data sources to understand the context of the IOC. Mandiant plans to release this feature soon.
Figure 2: LLMs providing AI summary of malware and threat actors used in a current breach
The road ahead
Taken together, applying LLMs to the trusted, relevant, and actionable pillars will help our customers reduce threat overload, eliminate manual and tiresome toil, and close the talent gap in security. We are at the beginning of a massive transformation of how threat intel delivers value to businesses of all sizes. The examples above span capabilities we will add in the short-, medium-, and long-term, and we will continue to have our product, AI research, and engineering teams collaborate to transform security for our customers.
To learn more about the use of AI in our Threat Intelligence, visit us at RSA Conference, booth N6058 or go to cloud.google.com/security/ai