AI as a Cyber Threat Intel Research Partner
I’ve mentioned before that I’m an AI Optimist; a believer in the idea that for at least the next 5 years AI will be a highly capable copilot for, rather than a replacement for, many of us in knowledge worker roles. Along with that, I believe that for cybersecurity professionals the idea that Human + AI is superior to either a human or an AI model on their own rings true.
This morning I had a typical experience that supports that idea. Over the last week or so I’ve spent a lot of time thinking about and trying to figure out a better approach for dealing with the fire hose of cyber threat alerts, looking to surface just the ones that are most useful, based on the level of detail they provide on threat actors’ specific tactics, techniques, and procedures (TTPs) and indicators of compromise. It ended up requiring a lot of back and forth with AI chatbots.
I started with this basic prompt just to test the waters:
Can you list 5 articles about cyber attacks and threat alerts published in the last 48 hours that provide details of threat actors' techniques and/or indicators of compromise
None of the AI apps I used provided very good responses; they were not immediately useful to me and definitely would not make my efforts more efficient. The main reasons why they fell short were:
1) Responses were too high level, covering generic, common cyber attack methods and missing the point that I wanted articles with specific details on TTPs and indicators of compromise, the things that are most useful when thinking about detection capabilities and countermeasures against attacks, and …
2) Most of the source links they provided were not valid: most pointed to a site rather than an individual article (leaving me with more work to do), and others seemed like they were possibly just invented/false links.
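As an added illustration (not code from the original post) of the two filters described above, the script below scores alert text by how much concrete TTP and indicator-of-compromise detail it carries and checks whether the cited source link points at an individual page rather than a site root. The regular expressions, the weights, the minimum score and the sample alerts are all my own constructed assumptions; the indicator values use documentation ranges and example.com-style names and correspond to no real incident.

```python
import re
from urllib.parse import urlparse

# Heuristic patterns for the kinds of detail the post asks for: ATT&CK-style
# technique IDs (TTPs) and common indicator-of-compromise formats. These are
# assumptions for the example, not a definitive list.
TTP_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

# Arbitrary weights: a named technique is worth more than a single indicator.
WEIGHTS = {"ttp": 3, "hash": 2, "ipv4": 1, "domain": 1}


def refang(text: str) -> str:
    """Undo common defanging ("[.]", "hxxp") so indicators match the patterns."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def score_alert(text: str) -> dict:
    """Count TTP/IoC detail in alert text and return counts plus a weighted score."""
    body = refang(text)
    counts = {
        "ttp": len(TTP_RE.findall(body)),
        "hash": len(HASH_RE.findall(body)),
        "ipv4": len(IPV4_RE.findall(body)),
        # Domains are matched on lower-cased text; technique IDs and hashes
        # cannot match the domain pattern because they have no alphabetic TLD.
        "domain": len(DOMAIN_RE.findall(body.lower())),
    }
    counts["score"] = sum(WEIGHTS[k] * counts[k] for k in WEIGHTS)
    return counts


def is_article_link(url: str) -> bool:
    """Heuristic: a usable source link has an http(s) scheme, a host and a
    non-empty path, i.e. it points at a specific page rather than a site root."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    return bool(parsed.path.strip("/"))


def triage(alerts: list, min_score: int = 4) -> list:
    """Keep alerts with enough TTP/IoC detail and an article-level source link,
    highest score first. Alerts are dicts with "id", "text" and "url" keys."""
    kept = []
    for alert in alerts:
        result = score_alert(alert["text"])
        if result["score"] >= min_score and is_article_link(alert["url"]):
            kept.append({**alert, **result})
    return sorted(kept, key=lambda a: a["score"], reverse=True)


# Constructed sample alerts (not real reporting). The hash is a filler string
# of the right length; addresses come from RFC 5737 documentation ranges.
SAMPLE_HASH = "0123456789abcdef" * 4
SAMPLE_ALERTS = [
    {
        "id": "rich",
        "text": (
            "Actor delivered a spearphishing attachment (T1566.001) that dropped "
            f"a loader with SHA256 {SAMPLE_HASH}; the loader beaconed to "
            "203[.]0[.]113[.]45 and update[.]example[.]com."
        ),
        "url": "https://example.com/blog/2024/loader-analysis",
    },
    {
        "id": "generic",
        "text": (
            "Ransomware attacks against industrial firms are increasing; "
            "organisations should patch promptly and enable MFA."
        ),
        "url": "https://example.org/",
    },
    {
        "id": "moderate",
        "text": (
            "PowerShell (T1059.001) was used to stage the payload, which "
            "retrieved a second stage from cdn[.]example[.]net."
        ),
        "url": "https://example.net/advisories/ps-loader",
    },
    {
        "id": "root_link",
        "text": (
            "Intrusion ended with data encryption for impact (T1486) after "
            "credential dumping (T1003.001) via 198[.]51[.]100[.]7."
        ),
        "url": "https://example.com/",  # detailed, but the link is only a site root
    },
]


if __name__ == "__main__":
    for alert in triage(SAMPLE_ALERTS):
        print(alert["id"], alert["score"], alert["url"])
```

Run stand-alone, the script keeps the "rich" and "moderate" alerts and drops both the generic one (no concrete detail) and the detailed one whose citation is only a site root, which is exactly the pair of failure modes the two points above describe. The threshold and weights are tuning knobs; the point is that "useful" can be made measurable before a human reads the alert.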
I plan to spend more time working with AI apps to see if I can get better results and more help with that sort of query. For today, I pivoted a little on the cyber threat intel subject I was querying the AI apps about and changed my prompt, assigning the models a role. This got much better and more useful responses. My new prompt was:
You are a cybersecurity threat intelligence analyst at a large petro chemical organization. Please research and list the Top 3 cyber attack techniques used in cyber attacks in your industry sector, and list one to two best methods to defend against these
Microsoft’s Copilot and Google’s Gemini Pro had the best responses. Copilot listed Denial of Service, Man-in-the-middle, and Advanced Persistent Threat (APT) attacks as among the most likely to be targeting the petrochemical industry and provided an excellent list of source links from both cybersecurity and industry sources.
Gemini had a similar list of attack methods but also included Supply Chain attacks, and offered a very strong list of defensive strategies.
Reviewing the results of both my prompts, and thinking about the copilot mode in play here, leaves me thinking that the AI apps need to improve in some ways, but even more so I need to work on stepping up my prompts in order to make the end results better.