Security is Only as Good as Your Threat Intelligence
Blog Article Published: 04/25/2023
Now even stronger with AI
Originally published by Microsoft Security.
Written by John Lambert, Corporate Vice President, Distinguished Engineer, Microsoft Security Research.
Longtime cybersecurity observers know how frustrating the fight for progress can be. Our profession demands constant vigilance, and the assurance of a job well done can be nothing if not elusive. Bad news dominates the headlines, and reports of doom and gloom abound, yet we do see cybersecurity success stories every day.
Every day our defenders quietly share information. Every day they raise the cost of crime for attackers and their vast criminal syndicates. Every day they leverage their considerable skill and talent to find the criminals faster and evict them sooner.
Threat intelligence (TI) works, and median adversary dwell times continue to drop. The current 20-day level represents a marked change from when attackers could lurk undetected for months.
We can thank better intelligence for this difference. We can thank better tools. We can thank better resources. And when we bring these forces together—specifically, TI, data at scale, and artificial intelligence (AI)—our impact as defenders will accelerate and amplify.
Data is how defenders see, and our vision has never been better. Cloud competition has dramatically driven down the cost of holding and querying data, allowing huge leaps in innovation. Lower costs have made it possible to deploy higher resolution sensors across the digital estate. The rise of XDR+SIEM has expanded data and signal from endpoint, to app, to identity, to cloud.
More signal provides more surface area for TI. This TI then feeds AI. TI acts as labels and training data for AI models to predict the next attack.
What TI can find, AI can help scale.
That intuition and experience behind an intelligence win can be modeled digitally with millions of parameters against our 65 trillion signals.
An adversary-centric approach to threat intelligence demands creativity and innovation and the contributions of many, multidisciplinary contributors. Good threat intelligence puts people together—cybersecurity experts and applied scientists working together alongside authorities in geopolitics and disinformation to consider the whole of their adversaries so they can understand the what of an attack when it’s happening and intuit the why and where of what might happen next.
Artificial intelligence (AI) helps scale defense at the rate of attack. With AI, human-operated ransomware attacks can be disrupted even sooner, turning low confidence signals into an early warning system.
Human investigators piece together individual clues to realize an attack is happening. That takes time. But in situations where time is scarce, the process for determining malicious intent can be done at AI speed. Artificial intelligence makes it possible to link context together.
Just like how human investigators think on multiple levels, we can combine three kinds of AI-informed inputs to find ransomware attacks at the beginning of escalation.
- At the organization level, AI employs a time-series and statistical analysis of anomalies
- At the network level, it constructs a graph view to identify malicious activity across devices
- At the device level, it uses monitoring across behavior and TI to identify high confidence activity
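The three levels above can be read as three weak signals that become an early warning only when they corroborate one another. The Python below, an added example rather than Microsoft's code, sketches that combination over constructed sample data: an organization-wide z-score over privileged logon counts, a per-account graph of remote logons to measure how far one credential has spread across hosts, and a device-level check against a threat-intelligence hash set plus a behavior tag. All host names, account names, hashes, thresholds and behavior tags are invented for illustration.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

# --- Level 1: organization-wide time series (constructed sample) ---
# Privileged logons per hour across the estate; the last value is the hour under test.
ORG_PRIV_LOGONS_PER_HOUR = [12, 14, 11, 13, 12, 15, 13, 12, 14, 13, 12, 58]


def org_anomaly_zscore(series):
    """Z-score of the newest point against the preceding hours (population stdev)."""
    baseline, latest = series[:-1], series[-1]
    sd = pstdev(baseline)
    return 0.0 if sd == 0 else (latest - mean(baseline)) / sd


# --- Level 2: network-level graph of remote logons (constructed sample) ---
# (timestamp, source_host, destination_host, account)
NET_EVENTS = [
    ("2023-04-25T02:01", "WS-017", "SRV-FILE01", "svc_deploy"),
    ("2023-04-25T02:03", "WS-017", "SRV-DB02", "svc_deploy"),
    ("2023-04-25T02:05", "SRV-FILE01", "SRV-BACKUP", "svc_deploy"),
    ("2023-04-25T02:09", "SRV-DB02", "DC01", "svc_deploy"),
    ("2023-04-25T01:30", "WS-040", "SRV-PRINT", "alice"),
]


def lateral_movement_spread(events):
    """Per account, the size of the largest group of hosts linked by its remote logons."""
    adjacency = defaultdict(lambda: defaultdict(set))
    for _, src, dst, account in events:
        adjacency[account][src].add(dst)
        adjacency[account][dst].add(src)
    spread = {}
    for account, graph in adjacency.items():
        seen, largest = set(), 0
        for start in graph:
            if start in seen:
                continue
            component, queue = set(), deque([start])
            while queue:  # breadth-first walk of one connected component
                host = queue.popleft()
                if host in component:
                    continue
                component.add(host)
                queue.extend(graph[host] - component)
            seen |= component
            largest = max(largest, len(component))
        spread[account] = largest
    return spread


# --- Level 3: device-level behavior plus TI (constructed sample) ---
TI_BAD_HASHES = {"sha256:constructed-bad-hash-001"}  # placeholder, not a real IoC
HIGH_CONFIDENCE_BEHAVIORS = {"shadow-copy-deletion", "mass-file-rename"}
DEVICE_EVENTS = [
    {"host": "SRV-FILE01", "process": "updater.exe",
     "sha256": "sha256:constructed-bad-hash-001", "behavior": "shadow-copy-deletion"},
    {"host": "WS-040", "process": "outlook.exe",
     "sha256": "sha256:constructed-benign-hash-002", "behavior": None},
]


def device_high_confidence(events, ti_hashes):
    """Hosts with a TI hash match or a behavior the analyst treats as high confidence."""
    return {e["host"] for e in events
            if e["sha256"] in ti_hashes or e["behavior"] in HIGH_CONFIDENCE_BEHAVIORS}


def assess(org_series, net_events, device_events, ti_hashes,
           z_threshold=3.0, spread_threshold=3):
    """Combine the three levels; raise an early warning when at least two agree."""
    z = org_anomaly_zscore(org_series)
    spread = lateral_movement_spread(net_events)
    spreading_accounts = {a for a, n in spread.items() if n >= spread_threshold}
    hot_hosts = device_high_confidence(device_events, ti_hashes)
    # Hosts that a spreading account touched AND that fired a device-level signal
    touched = {h for _, s, d, a in net_events if a in spreading_accounts for h in (s, d)}
    signals = {
        "org_anomaly": z >= z_threshold,
        "network_spread": bool(spreading_accounts),
        "device_hit": bool(hot_hosts),
    }
    return {
        "zscore": round(z, 1),
        "spreading_accounts": spreading_accounts,
        "corroborated_hosts": hot_hosts & touched,
        "signals": signals,
        "early_warning": sum(signals.values()) >= 2,
    }


if __name__ == "__main__":
    print(assess(ORG_PRIV_LOGONS_PER_HOUR, NET_EVENTS, DEVICE_EVENTS, TI_BAD_HASHES))
```

On the sample data all three levels fire and the verdict names SRV-FILE01 as the host where the network path and the device signal meet, which is where a responder would start. The two-of-three rule is the design point: each level on its own is a low-confidence signal that would page a SOC too often, and the corroboration is what turns it into an early warning.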
Spotlight on ransomware: A conversation with Jessica Payne
The best news about ransomware is that it is largely a preventable threat. A lot of reporting on ransomware focuses on the ransomware payloads, which can make it seem like an endlessly scaling threat of dozens of attackers, but what it really is, is a subset of attackers who use the same techniques but switch between available ransomware as a service payloads.
By focusing on the actors behind the attacks versus the payloads, we can show that most attackers who deploy ransomware aren’t using magical skills or developing bespoke zero-day exploits; they are taking advantage of common security weaknesses.
A lot of the attackers use the same techniques, so you can see where the threats overlap and apply mitigations for them. Almost every ransomware attack involves attackers gaining access to a highly privileged credential like a domain admin or a software deployment account – and this is something you can solve with built-in tools like Group Policies, Event Logs, and Attack Surface Reduction (ASR) Rules.
Some orgs that have enabled ASR rules saw a 70% reduction in incidents, meaning less SOC fatigue and fewer chances for attackers to gain initial access and chip away at their defenses. The organizations that are successful against ransomware are the ones who focus on this type of hardening.
Prevention work is essential.
One of the things I like to say is that prevention and detection are not peers. Prevention is detection’s guardian because it quiets the network and gives you the whitespace to find the most important things.
All-in-all, threat intelligence in the right hands makes the difference in preventing an attack or interrupting it automatically.
Learn more about how to protect your organization from ransomware, and read the full report.
TI feeds AI and AI scales in real-time at machine speed
Today we’re entering a new era in AI improving security. Machine learning is commonplace in defensive technology today. But to date, AI has primarily been deep inside the tech. Customers benefited from its role in protection, but could not interact with it directly, and that’s changed.
We are moving from a world of task-based AI where it’s good at detecting phishing or password spray to a world of generative AI built on foundation models that upskill defenders everywhere.
TI and AI combine to help defenders go faster than ever before. I’m excited to see what you’ll do with it. Whatever it is, I know that together, we’ll better protect the planet.