AI and Cybersecurity: How Mandiant Consultants and Analysts are Leveraging AI Today
Mandiant
Written by: Trisha Alexander, Liam Smith, Ron Craft, Joseph Dobson, James Hovious, Luke McNamara
With the increasing focus on the potential for generative AI, there are many use cases envisioned in how this technology will impact enterprises. The impact to cybersecurity—to the benefit of both defenders and adversaries—will likely reshape the landscape for organizations. Google Cloud’s recent announcement on bringing this technology to the security stack is only the beginning. Today, Mandiant is leveraging generative AI in bottom-up use cases to help identify threats faster, eliminate toil, and better scale talent and expertise that increase the speed and skill we bring to serving our customers.
This blog post highlights just a few of the recent examples across Mandiant’s consulting and analysis teams that have used Bard within their workflow. Note: no client data is entered into Bard and the output is reviewed before any implementation.
Analyzing an Alert for a PowerShell Script
Recently, a Mandiant consultant had an instance of successfully using Bard to be able to interpret a long PowerShell script. The consultant was supporting a Fortune 500 client as a SOC analyst, when one of the alerts triggered on the following PowerShell script. As a highly targeted client, alerts that are received by Mandiant consultants need to be thoroughly investigated for malicious activity in the environment. At times, multiple alerts can come into the ticket queue at the same time, which requires Mandiant consultants to prioritize while working efficiently. When large scripts are presented in an alert, it can be time consuming to get a general understanding of what the script is doing to the system. Since time spent during analysis can be precious when working alerts, using AI can instantly shorten this process, and allow the analyst to jump into the fight sooner. Bard was able to give a general understanding of what the script performed on the system, reducing the investigation time significantly.
creating scriptblock text (1 of 1): if([intptr]::size-eq4){exit 0};try{$r='\d+\.\d+(\.\d+)?(\.\d+)?';$t='silentlycontinue';$o='applicable';$d='5.13.7';function l {param($h,$f,$s)$v=[bool]((whoami /user)-match's-1-5-18');$l="$(ni $env:programdata\patchmypcintunelogs -it di -fo -ea $t)\$(($q='patchmypc-softwareupdatedetectionscript.log'))";$p=switch($v){$true{$l}default{"$env:temp\$q"}}if((($i=gi $p -ea $t)).length-ge5mb){ri ($w=$i.fullname.replace('.log','.lo_')) -fo -ea $t;ren $i $w}"$(get-date)~[$s]~~~~"|out-file $p -a -fo}function c{param($s)try{switch($s.tochararray().where{$_-eq'.'}.count){0{$s+='.0'*3}1{$s+='.0.0'}2{$s+='.0'}}[version]$s}catch{$a=foreach($c in $s.split('.')){try{[int]$c}catch{[int]::maxvalue}}try{c ([string]::join('.',$a))}catch{[version]('0.0.0.0')}}}foreach($h in 'hkcu'){foreach($x in 'software'){foreach($s in(gp ($g="$h`:\$x\microsoft\windows\currentversion\uninstall\*") ($k='displayname'),displayversion -ea $t|select @{l='a';e={$_.$k}},@{l='b';e={[regex]::match($_.displayversion,$r)[0].value}},pschildname,@{l='c';e={[regex]::match($_.$k,$r)[0].value}})|?{if($_.pschildname-eq($m='')){($f=$true)}elseif($e=''){$_.a-notlike$e-and$_.a-like$z}else{$_.a-like$z}}){if($f){l $g $true "$($s.a) $m";return $o}if((c $s.b)-lt(c $d)-or(!$s.b-and$s.c-ne''-and(c $s.c)-lt(c $d))){if(($s.b-like($v='*')-or$s.c-like$v)){l $g $true "$($s.a) $d";return $o}}}l $g $false "$z $m $d"}}}catch{l '' '' $_.exception.message} scriptblock id: 000b0430-19c1-4e01-9b5c-9480166d41ce path: c:\program files (x86)\microsoft intune management extension\content\detectionscripts\7d1bed49-ac51-4db9-9844-58574b22b7f8_1.ps1
After reviewing to make sure there was no client specific content in the code block, the consultant asked the chatbot to explain what this code does. This was the response:
he script is used to detect software updates that are applicable to devices managed by Microsoft Intune. It does this by querying the Windows registry for installed software and comparing the versions of the software to the latest version available. If a software update is found, the script will log the update and return the status "applicable". If no software updates are found, the script will log the status "not applicable".
The script is written in PowerShell and can be run on any Windows device that is managed by Intune. It is included in the Intune Management Extension, which is a software component that is installed on all Intune-managed devices.
The script is divided into several functions:
- The l function logs the results of the script to a file.
- The c function converts a string version number to a version object.
- The foreach loop iterates over the installed software and checks for updates.
The script works by first querying the Windows registry for installed software. The query returns a list of software programs, their display names, and their versions. The script then compares the versions of the software to the latest version available. If a software update is found, the script will log the update and return the status "applicable". If no software updates are found, the script will log the status "not applicable".
The script is a powerful tool that can be used to keep your devices up to date with the latest software updates. It is easy to use and can be run on any Windows device that is managed by Intune.
While not flawless in the interpretation, the AI-generated explanation gave a significant head start in understanding general functionality for various segments of the script. Overall, this made it significantly easier to understand the script after getting it interpreted by Bard. Perhaps the most powerful part of the response was the first sentence—this “script is used to detect software updates that are applicable to devices managed by Microsoft Intune.” This statement allowed the Mandiant consultants to quickly confirm the context and resolve the alert as benign. By getting a quick analysis, alerts can be closed out quickly, allowing for more time to be spent on other activites, while simultaneously reducing the risk of burning out from alert fatigue. (It should be noted that similar functionality is now publicly available within VirusTotal’s Code Insight feature.)
Analyzing an Adversary’s Smart Contracts
Smart contracts are effectively computer programs stored on blockchains such as Ethereum. While there are many legitimate roles for smart contracts, threat actors have utilized them to serve as the foundation of malicious non-fungible token (NFT) projects, for theft of cryptocurrency assets, and to obfuscate movement of funds. Mandiant analysts tracking threat actors in Web3 are faced with a daunting task: tracking and understanding thousands of smart contracts with varying levels of complexity and functionality. Unlike most legitimate smart contracts, threat actors do not publish the source code of their projects, leaving analysts with only a contract’s bytecode that was generated through compilation.
Analysis of a threat actor’s smart contract involves decompiling bytecode and analyzing oft-obscurely named functions. This can quickly become a tiresome, complicated task—particularly if an analyst is not well versed in Solidity, a programming language used to develop smart contracts. In recent analytic efforts, Mandiant analysts have used AI to assist with analyzing threat actors’ smart contracts. Similar to the above example of the PowerShell script, not only can Bard describe a function’s purpose, it can also provide an easy to understand line-by-line commentary of the decompiled bytecode, helping analysts prioritize their analysis according to each function’s role.
A practical application of where this is particularly useful is when investigating adversaries such as DPRK-nexus UNC4469, which has used thousands of smart contracts to steal funds.
Writing YARA Rules
Mandiant Consulting responded to an engagement involving China-nexus UNC3886. The challenge in this case was in analyzing a large amount of forensic images, which can take a significant amount of time to analyze while also doing it as efficiently as possible in the interest of saving time and money for the client. Going into the case, the consultant had used YARA, but had never written rules and was not overly familiar with the syntax. While they were able to obtain a lot of indicators, even going so far as to recover them from unallocated space (files deleted by the attacker), they had no easy way to scan the images for them. The consultant started asking Bard questions in relation to the YARA syntax and how to do specific things—for example, writing a query to search for a specific string or creating a rule that included a regex to search for an IP range. Based on the inputs, Bard didn't always get it right and would sometimes mix YARA 3 and 4 syntax, but as the consultant's own understanding of YARA grew, they were able to ask more specific questions that resulted in better answers.
As the consultant who implemented this solution put it: “This ultimately gave me enough understanding of the YARA syntax so that I could build on what Bard gave me, and create my own signature file to scan for attacker-related files in each image. Usually this process would take about five to ten minutes per image to run the rules against it, and in the end it ultimately cut actual hours out of the analysis time. This allowed the Incident Response team to quickly build the story of what the attacker had done in the environment, thus freeing up resources to pivot to other aspects of the investigation, saving the client both time and money in the end. The best part is that since the YARA syntax is fairly static, this is now a skill that I can take with me to additional cases in the future, to add further efficiency to my analysis. As an analyst, every conclusion that I reach needs to have a comprehensive and repeatable process indicating how I reached that conclusion. While we need to be cautious about having LLMs [large language models] generate conclusions about data, I have leveraged it to generate scripts and algorithms, which I can then understand and verify. Often testing to determine if an answer is right is faster than attempting to solve it yourself, and in an IR, speed is often a deciding factor.”
Building Python Scripts to Detect Attacker Activity, and Notifying the IR Team via Chat
During a recent incident response engagement, Mandiant consultants responded to an active attacker connecting to a client environment multiple times per day. The attacker had a sophisticated understanding of the client environment, including connecting to the corporate VPN mimicking legitimate users, their expected hostname, and connecting from the expected geographic location of the user. Additionally, the attacker rotated their infrastructure constantly, making it difficult to maintain a consistent signal on their activity.
Mandiant recommended, and the client agreed, that implementing MFA on their VPN would be critical to keep the attacker out of the network; however, it would be several weeks before the client could roll this out to the entire company. During this incident response, Mandiant consultants had to maintain a high tempo of response efforts to keep up with the attacker’s constantly changing tactics, techniques and procedures (TTPs) in order to buy the client valuable time. At one point, the attacker made a configuration error, allowing Mandiant to resolve a fully qualified domain name (FQDN) and have it leak the attacker’s infrastructure. Using Bard, an analyst on the engagement was able to create a Python script to monitor the FQDN for resolutions to new IP addresses, filter out known false positives, and set up an integration to notify the IR team via instant messaging, within under ten minutes. While this script was not technically remarkable in any way, the speed and flexibility of Bard allowed the analysts to build custom solutions dynamically, and keep pace with the attacker. This allowed the analysts to keep tabs on the current attacker’s infrastructure, be alerted automatically for changes, and relay changes to the client for blocking and monitoring.
Using Bard to Build Out SIEM Queries
During another recent incident response engagement, Mandiant consultants responded to an intrusion where the attacker accessed internal applications that spanned multiple different internal environments. These environments were in the process of being integrated into one data lake, but that had not been completed before the incident. At the time of the intrusion, the client had logs for vital applications scattered across multiple different SIEM solutions, each with their own custom query language, data sources, indexes, and fields. Instead of pulling in subject matter experts for each independent solution, a Mandiant consultant was able to use their in-depth understanding of one solution to create a set of base queries needed to be run across all of the data sources. The analyst then leveraged Bard to generate a set of basic queries in the various SIEM languages that covered their needs. Using Bard’s generated queries as a template, the analyst was then able to convert the base queries into each of the various query languages, in a “mad-lib'' style. This allowed Mandiant to conduct consistent analysis across all of the customer data sources, without the need for additional resources to build variations on the same queries.
Increasing the Speed of Malware Analysis
Finally, Mandiant threat intelligence analysts recently leveraged Bard as a method to improve the speed by which they can script automations in Python to facilitate malware analysis. In a recent case, Mandiant needed to automate reverting a malware analysis virtual machine, starting this virtual machine, downloading malware samples from a database, sending the sample to the desktop of the virtual machine, and then removing the network interface card from the virtual machine. Once the work of unpacking the malware was completed, an automation was also needed to download an unpacked sample and reupload them to the malware database. During this process, prompts such as “make an SMB or WMI connection in python” or “create a password protected zip from an existing file in python” helped generate usable code to complete the full automation. Mandiant Threat Intelligence analysts recently leveraged Bard to quickly provide necessary WinDbg commands and context on those commands to significantly speed up the manual malware analysis process for analysts who do not perform this task full time.
Conclusion
These stories illustrate the potential for generative AI to assist the defender across a range of use cases. Within the “threat, toil, and talent” framing, a consistent stand-out theme across these stories is how generative AI is helping reduce the “toil and talent” problems in particular. When speed matters in an incident response, being able to quickly automate certain functions, and without deep technical specialties in certain niche areas, defenders are able to better detect and respond to attackers.
Though AI may increase the capabilities of the adversary in certain ways, it will also afford advantages for defenders to the benefit of entrepreneuring organizations. We hope that this blog post has spurred some ideas about how to start incorporating AI into the security practices of your organization. For more on security best practices and responsible AI model implementation, be sure to check out Google’s Secure AI Framework.