Friend & Foe: AI’s Position in Threat Intelligence
With the cyber landscape being more volatile now than at any other time in the past five years, enterprises face an onslaught of issues they must contend with.
Yet with the ever-larger attack surfaces on which many organisations now operate, the resources of security teams can no longer secure the perimeter.
“The cybersecurity threat landscape is characterised by increasing sophistication and diversity,” Matt Aldridge, Principal Solutions Consultant at OpenText Cybersecurity explains.
Therefore, security teams should work smarter, not harder. Working smarter involves intelligence, and in cyber that means threat intelligence.
Threat intelligence reveals attack motives and targets
Threat intelligence, often referred to as cyber threat intelligence (CTI), involves the collection, processing, and analysis of data to understand the motives, targets, and behaviours of threat actors.
This intelligence is crucial for enabling security teams to make informed, proactive decisions to defend against cyber threats. Categorised into tactical, operational and strategic types, the information that makes up the intelligence is evidence-based knowledge, including the context, mechanisms, indicators and implications of threats, which helps organisations anticipate and prevent cyberattacks before they occur.
This prevention is proving increasingly important due to the types of attacks now being levelled at enterprises.
“Cyberattacks that target operational technologies have surged: in the past year, 76% of industrial companies have detected malicious activity in their operational technology, and one in four had to shut down their operations because of an OT cyberattack,” Edgardo Moreno, Executive Industry Consultant at Hexagon Asset Life Intelligence explains.
The cost of shutting down operational technology (OT) following a cyberattack can be substantial.
When IT systems get hit, the damage is typically focused on data breaches or financial theft, which although significant, does not necessarily impact operations. When OT systems are hit, a whole company’s operations can go down.
This can lead to massive financial loss due to downtime. Additional expenses may include replacing specialised equipment that has been damaged beyond repair, plus the increased labour costs needed to expedite getting systems back online and to record the incident response.
Such a ransomware attack disrupted A.P. Moller Maersk operations for two weeks in 2017, blocking access to systems the company relied on to operate shipping terminals. The incident temporarily shut down the Port of Los Angeles’ largest cargo terminal and cost US$300m in business disruption and equipment damage.
“Ransomware remains the most impactful cyber threat, with RansomHub emerging as the biggest ransomware group as of June 2024,” Graeme Stewart, Head of Public Sector at Check Point explains.
Even companies that have taken more modern approaches by adopting clouds, both hybrid and on-premise, are being hit hard. The form of attack, however, is becoming increasingly bespoke to each type of environment.
This is because the threat landscape is seeing an increasing sophistication from attackers. Behind this? AI.
“Without doubt, the most significant emerging threats are those associated with the use of AI,” explains Darren Thomson, Field CTO EMEAI at Commvault. “Attack methods have become increasingly targeted and bespoke, and this is a trend that will only continue to accelerate, driven in large part by the capabilities offered by AI."
AI attacks as emerging threats
AI-powered attacks can significantly enhance the capabilities of hackers by automating and refining their malicious activities.
One of the primary ways AI can be utilised is through automated vulnerability identification, where machine learning algorithms scan extensive networks to find weaknesses and potential entry points.
“Concerns are also growing that AI-driven analysis and predictive modelling will be used to target vulnerable assets or identify new attack vectors that can be exploited with minimal effort,” Darren explains.
These methods will not only translate to attacks that are harder to detect and fight, but also a drastic rise in the sheer volume of attacks. According to the UK’s National Cyber Security Centre (NCSC), AI will almost certainly increase the volume and heighten the impact of cyberattacks over the next two years.
This rising tide will bring up all vessels of attack too. “Generative AI has also made certain types of attack vectors, such as phishing and social engineering, somewhat easier to use,” says Matt.
AI algorithms enhance phishing attacks by analysing vast amounts of personal data from various sources, such as social media, allowing hackers to craft highly personalised and convincing phishing emails that are difficult to detect.
AI can also be used to create sophisticated malware that can mimic human behaviour, evade traditional detection mechanisms, spur more living-off-the-land (LOL) attacks, exploit zero-day vulnerabilities, and make the malware more resilient and challenging to eradicate.
Preparing for the future
With threat intelligence warning of an AI-fuelled attack sphere on the horizon, action is needed. Just like how intelligence sharing helps build a better picture of threats, collaboration on AI can build better defences.
“Continuous improvement of AI models and collaboration with industry peers to share insights and best practices are crucial,” Matt explains.
In a fight-fire-with-fire scenario, AI is increasingly being implemented in defensive cyber capability.
Already, we are seeing partnerships such as that between BlackBerry and AWS produce tools like BlackBerry’s AWS Bedrock-powered Gen AI assistant Cylance, which aims to speed up decision-making and stop more threats faster with fewer resources.
“Gen AI can also be used to speedily parse through the huge volumes of security logs across multiple systems and devices to identify attacks more quickly,” Darren explains. “This can act as a good starting point for preventive actions designed to block or limit the scope for damage and protect key resources and data.”
This process of automation can help secure a future of better threat intelligence. These logs, often vast and unstructured, have traditionally posed a significant challenge for manual analysis. However, with the advent of Gen AI, organisations can now automate this process.
This capability not only enhances response times but also serves as a critical foundation for preventive measures. By being able to analyse and profile more patterns and indicators of potential threats, organisations can implement strategies to block or limit the scope of these threats, putting preventive measures in place before an attack occurs.
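The indicator-matching step that sits behind the automated log analysis described above, and that consumes the "indicators" threat intelligence is said to provide earlier in the article, as an added example that is not part of this article or of any vendor's product: a short Python script that parses constructed firewall, proxy and EDR log lines, checks extracted IP addresses, domains and file hashes against a constructed tactical threat-intelligence feed, and turns hits into preventive block actions. The indicator values, the log lines and the mapping from indicator type to enforcement point are all assumptions made for illustration; a real deployment would consume a live feed (for example over STIX/TAXII) rather than an inline dictionary, and a Gen AI layer would sit in front of this to normalise logs the regexes cannot.

```python
"""Added example: applying threat-intelligence indicators to security logs.

Everything below (the indicator feed, the log lines, the IPs, domain and
hash) is constructed for illustration and is not from the article.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed tactical CTI feed: indicator type -> {value: threat description}.
# In practice this comes from a CTI platform or a STIX/TAXII feed.
INDICATORS = {
    "ipv4": {"203.0.113.45": "ransomware C2 (constructed)"},
    "domain": {"update-check.example.net": "phishing kit host (constructed)"},
    "sha256": {"deadbeef" * 8: "known dropper (constructed)"},
}

# Constructed, deliberately heterogeneous log lines (firewall, proxy, EDR).
SAMPLE_LOGS = [
    "2024-06-01T10:02:11Z fw01 ALLOW src=10.0.4.7 dst=203.0.113.45 dport=443",
    "2024-06-01T10:02:15Z proxy02 GET http://update-check.example.net/s.php user=jdoe",
    "2024-06-01T10:03:40Z edr host=WS-1142 file=C:\\Temp\\svc.exe sha256=" + "deadbeef" * 8,
    "2024-06-01T10:04:02Z fw01 ALLOW src=10.0.4.9 dst=198.51.100.20 dport=53",
    "2024-06-01T10:05:30Z proxy02 GET https://docs.example.org/index.html user=asmith",
]

# Token shapes we pull out of unstructured text. Extraction is deliberately
# broad (it will also catch things like "svc.exe"); membership in the feed,
# not the regex, is what turns a candidate into a hit.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Match:
    line: str
    ioc_type: str
    value: str
    threat: str


def extract_candidates(line):
    """Return {indicator_type: set(candidate tokens)} for one log line."""
    return {t: set(p.findall(line)) for t, p in PATTERNS.items()}


def match_indicators(lines, indicators=INDICATORS):
    """Match every candidate token in every line against the feed."""
    hits = []
    for line in lines:
        for ioc_type, values in extract_candidates(line).items():
            feed = indicators.get(ioc_type, {})
            for v in values:
                key = v if ioc_type == "ipv4" else v.lower()
                if key in feed:
                    hits.append(Match(line, ioc_type, key, feed[key]))
    return hits


# Assumed mapping from indicator type to the control that can act on it.
ACTION_FOR = {
    "ipv4": "firewall: block egress to {}",
    "domain": "proxy/DNS: sinkhole {}",
    "sha256": "EDR: quarantine files with hash {}",
}


def derive_block_actions(hits):
    """Turn matches into a de-duplicated, ordered list of preventive actions."""
    seen, actions = set(), []
    for h in hits:
        action = ACTION_FOR[h.ioc_type].format(h.value)
        if action not in seen:
            seen.add(action)
            actions.append(action)
    return actions


def summarise(hits):
    """Count hits per indicator type, the figure an analyst would report."""
    return Counter(h.ioc_type for h in hits)


if __name__ == "__main__":
    found = match_indicators(SAMPLE_LOGS)
    for h in found:
        print(f"[{h.ioc_type}] {h.value} -> {h.threat}\n    {h.line}")
    print("Preventive actions:", *derive_block_actions(found), sep="\n  ")
    print("Hits by type:", dict(summarise(found)))
```

The point of keeping extraction and matching separate is that the feed can be swapped or updated without touching the parser, which is exactly the property a threat-intelligence pipeline needs when new indicators arrive daily.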
“Threat intelligence should be the precursor to preventative cybersecurity,” says Graeme. “This means that the knowledge acquired from threat intelligence should be utilised to predict cybercriminal activity before it happens, taking protection to the next level.”
Alongside the implementation of AI, maintaining a robust data governance framework is imperative for ensuring the integrity and reliability of threat intelligence, and Matt advocates continuous employee education and adaptation so that staff can spot new adversarial tactics.
While the threat intelligence indicates that AI poses an emerging threat, it also offers a powerful tool for enhancing threat intelligence capabilities. By harnessing AI's potential, enterprises can not only build more robust defences, but improve their ability to anticipate and therefore mitigate cyber threats.
Cyber Magazine is a BizClik brand