
Countering Ransomware and APTs: A Modern Approach to Cybersecurity

by CISO CONNECT

The relentless evolution of cyber threats calls for innovative and proactive measures to shield sensitive systems and data. Artificial Intelligence (AI) has emerged as a transformative ally in this fight, equipping organisations with the tools to outpace cybercriminals, Advanced Persistent Threats (APTs), and ransomware groups. Organisations can build a formidable defence by harnessing AI to detect Indicators of Compromise (IOCs), understand Tactics, Techniques, and Procedures (TTPs), and neutralise adversaries.

How AI Identifies Indicators of Compromise (IOCs)
Indicators of Compromise (IOCs) are like breadcrumbs left behind by malicious actors during their operations. These could be unusual file hashes, suspicious IP addresses, or anomalous domain activities. With AI, these indicators are identified with greater precision and speed.

With open-source AI systems like Llama, Claude, and Mistral, businesses can analyse massive data streams from networks, endpoints, and logs and detect anomalies in real time. For example, unusual login attempts from unknown geographies are flagged immediately, enabling a swift response.

Another key use case is anomaly detection models: by learning what constitutes "normal" system behaviour, AI tools like Copilot, Llama, Mistral, and Claude can spot deviations, such as sudden file modifications or spikes in resource usage, which often precede an attack.
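As an added example (not code from the article or its author), the two detections described above run over constructed log events: a lookup of known-bad indicators (file hash, IP address, domain) against each event, and a baseline-versus-deviation check that learns each user's normal login countries from a training window and flags a successful login from a country that user has never used. The IOC values, users, hosts and events are all constructed placeholders.

```python
"""IOC matching and baseline anomaly detection over constructed log events."""
from collections import defaultdict

# Constructed IOC set. These are placeholders (documentation IP ranges and a
# dummy hash), not real indicators of compromise.
IOCS = {
    "sha256": {"0" * 64},
    "ip": {"203.0.113.77"},
    "domain": {"update-check.example"},
}

# Constructed events in chronological order. The first four form the training
# window used to learn "normal"; the rest are the detection window.
EVENTS = [
    {"ts": 1, "type": "login", "user": "alice", "src_ip": "198.51.100.10", "country": "GB", "ok": True},
    {"ts": 2, "type": "login", "user": "bob", "src_ip": "198.51.100.22", "country": "IN", "ok": True},
    {"ts": 3, "type": "login", "user": "alice", "src_ip": "198.51.100.11", "country": "GB", "ok": True},
    {"ts": 4, "type": "login", "user": "bob", "src_ip": "198.51.100.22", "country": "IN", "ok": True},
    {"ts": 5, "type": "login", "user": "alice", "src_ip": "192.0.2.200", "country": "RU", "ok": True},
    {"ts": 6, "type": "process", "host": "ws-17", "image": "C:\\Users\\alice\\AppData\\x.exe", "sha256": "0" * 64},
    {"ts": 7, "type": "dns", "host": "ws-17", "domain": "update-check.example", "dst_ip": "203.0.113.77"},
    {"ts": 8, "type": "login", "user": "alice", "src_ip": "192.0.2.201", "country": "US", "ok": False},
]

# Which event fields are compared against which IOC category.
IOC_FIELDS = (("sha256", "sha256"), ("src_ip", "ip"), ("dst_ip", "ip"), ("domain", "domain"))


def ioc_hits(event):
    """Return the names of the event fields whose value is a known-bad indicator."""
    return [field for field, kind in IOC_FIELDS if event.get(field) in IOCS[kind]]


class GeoBaseline:
    """Learn each user's normal login countries, then flag deviations."""

    def __init__(self, training_events):
        self.normal = defaultdict(set)
        for e in training_events:
            if e["type"] == "login" and e["ok"]:
                self.normal[e["user"]].add(e["country"])

    def is_anomalous(self, event):
        # Only successful logins are judged here; a user with no baseline at all
        # is treated as anomalous from any country.
        if event["type"] != "login" or not event["ok"]:
            return False
        return event["country"] not in self.normal[event["user"]]


def analyse(events, training_count):
    """Build the baseline from the first training_count events and return the
    alerts raised by the remaining events."""
    baseline = GeoBaseline(events[:training_count])
    alerts = []
    for e in events[training_count:]:
        hits = ioc_hits(e)
        if hits:
            alerts.append(("ioc_match", e["ts"], hits))
        if baseline.is_anomalous(e):
            alerts.append(("new_geography", e["ts"], e["user"], e["country"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse(EVENTS, training_count=4):
        print(alert)
```

The failed login at ts 8 raises nothing here: the baseline check deliberately only judges successful logins, and a separate brute-force counter would be the place to count failures. In a real deployment the training window would be days or weeks of logs rather than four events, and the IOC set would be refreshed from threat intelligence feeds.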

Copilot-like tools can also be used for comprehensive threat linking, where AI does not stop at detecting one-off anomalies; it connects these IOCs to form a broader picture of the threat, enabling teams to understand the attack's scope clearly. The same large data sets can then be used to decode the adversary's tactics, techniques, and procedures (TTPs).

Today, uncovering TTPs with AI can map attacker behaviour across the different stages of an attack, from reconnaissance to data exfiltration. This enables the detection of tactics like lateral movement or privilege escalation before they cause significant harm.

AI can integrate multiple threat intelligence sources into an intelligence fusion capability, ensuring the latest TTPs of active adversaries are recognised and mitigated.

Another technique, adversary emulation, uses advanced AI-driven simulators to mimic real-world attacks, allowing organisations to identify vulnerabilities in their systems preemptively.

Combined, these capabilities give defenders a far sharper view of threat actors' IOCs and TTPs.

Hence, when a CISO or head of cyber security is looking to strengthen defences against Advanced Persistent Threats (APTs) and ransomware, AI can offer a robust defence mechanism. Through a technique called deep packet inspection, AI scrutinises both plaintext and encrypted traffic (for the latter, flow metadata such as timing, volume, and destinations) to spot irregular patterns indicative of APT command-and-control communications. AI can also be used for augmented threat hunting, where analysts leverage AI tools to filter through enormous datasets and uncover subtle but critical signs of APT activity.

Traditional risk management techniques, which are spreadsheet- or model-based, can be replaced with AI-enabled preemptive risk assessment tools. Historical threat data processed by AI helps prioritise patching the vulnerabilities that attackers are most likely to exploit, reducing the likelihood of a successful breach.

The more significant challenge for large organisations and governments is that APTs are highly sophisticated and stealthy, often remaining undetected for extended periods.

Countering Ransomware Threat Actors

In both APT and ransomware detection, AI can be a game-changer. It starts with using AI to detect unusual file encryption or modification so that ransomware processes are halted before they can spread. Such file-activity monitoring has traditionally been run in a virtualised environment or on cloud VMs; if it is built on AI-enabled Retrieval-Augmented Generation (RAG), a technique that gives generative AI models information retrieval capabilities, it could be a game changer for ransomware and APT detection, particularly in detecting how command-and-control networks are deployed.

Historically, such monitoring was conducted in virtualised environments or cloud-based VMs, which offered scalability but lacked the predictive power of AI-driven approaches, so predicting outcomes remained a key concern. Integrating techniques like Retrieval-Augmented Generation (RAG), which combines generative AI with information retrieval, can further enhance threat intelligence systems: RAG can access and use external knowledge, which makes it valuable for identifying Command-and-Control (C2) networks and contextualising advanced threats.

By detecting unusual file encryption or modifications, AI halts ransomware processes before they can spread. AI also identifies the communication channels ransomware groups commonly use, such as external servers for command and control, and disrupts these pathways. Through a technique called automated isolation, AI-enabled systems instantly quarantine infected machines, preventing the attack from escalating within the network.
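As an added example (not code from the article or its author), the following file-activity monitor shows the "detect unusual file encryption, then isolate" loop described above over constructed file-write events. It treats a write as suspicious when its content has high byte entropy (ciphertext looks uniformly random, plain text does not; using entropy as the signal is this example's assumption, since the article only speaks of "unusual file encryption or modifications"), and when one process makes too many such writes inside a short window it records an isolation decision for the host. Host names, process ids, paths, thresholds, and file contents are all constructed; a real system would hand the isolation decision to an EDR or network access control API.

```python
"""Ransomware-style file activity detection with an automated isolation decision."""
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 10          # how far back to count suspicious writes
MAX_WRITES_PER_WINDOW = 5    # writes per process within the window before isolating
ENTROPY_THRESHOLD = 7.0      # bits per byte; text is typically 4-5, ciphertext close to 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class FileActivityMonitor:
    """Track high-entropy writes per (host, pid) and isolate hosts that burst."""

    def __init__(self):
        self.recent = defaultdict(deque)   # (host, pid) -> timestamps of suspicious writes
        self.isolated = set()              # hosts for which isolation was decided
        self.alerts = []                   # isolation decisions, for the SOC record

    def observe(self, event):
        """Process one write event {"ts", "host", "pid", "path", "content"}
        and return the verdict for that event."""
        host, pid = event["host"], event["pid"]
        if host in self.isolated:
            return "already_isolated"
        if shannon_entropy(event["content"]) < ENTROPY_THRESHOLD:
            return "ok"
        q = self.recent[(host, pid)]
        q.append(event["ts"])
        # Drop suspicious writes that fell out of the sliding window.
        while q and event["ts"] - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_WRITES_PER_WINDOW:
            # Decision point: a real deployment would call the EDR/NAC API here.
            self.isolated.add(host)
            self.alerts.append({"host": host, "pid": pid, "writes": len(q), "last_path": event["path"]})
            return "isolate"
        return "suspicious"


# Constructed stand-ins: ordinary text (low entropy) and a byte string in which
# every value 0..255 appears equally often (entropy exactly 8.0, like ciphertext).
TEXT = b"Quarterly report draft: revenue, costs, and headcount by region.\n" * 8
CIPHERTEXT_LIKE = bytes(range(256)) * 16

# Constructed events: a benign process saving documents, then a process on
# another host rewriting files with random-looking content in quick succession.
EVENTS = [
    {"ts": t, "host": "ws-03", "pid": 1000, "path": f"/home/alice/doc{t}.txt", "content": TEXT}
    for t in range(6)
] + [
    {"ts": 10 + i, "host": "fs-01", "pid": 4242, "path": f"/srv/share/file{i}.docx.locked", "content": CIPHERTEXT_LIKE}
    for i in range(6)
]


def run(events):
    """Feed events through a fresh monitor; return per-event verdicts and isolated hosts."""
    mon = FileActivityMonitor()
    verdicts = [mon.observe(e) for e in events]
    return verdicts, sorted(mon.isolated)


if __name__ == "__main__":
    verdicts, isolated = run(EVENTS)
    for e, v in zip(EVENTS, verdicts):
        print(e["ts"], e["host"], e["pid"], v)
    print("isolated hosts:", isolated)
```

The benign process also writes six files in six seconds but is never flagged, because the rate check only counts high-entropy writes; that is what keeps a backup job or a compiler from triggering isolation. Compressed or already-encrypted files (archives, images, disk images) legitimately have high entropy, so in practice this signal is combined with others, such as mass extension changes or deletion of shadow copies, before a host is isolated.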

The key question remains: where should we start to make AI make sense in cybersecurity?
One could start by downloading open-source AI tools, building a library of cyber security playbooks for cyber defence, and building custom use cases with those AI tools.

One can also build a Retrieval-Augmented Generation (RAG) model that combines generative AI with robust information retrieval capabilities. This can enhance cybersecurity by enabling dynamic access to large datasets, such as threat intelligence feeds or historical attack data, making it easier to contextualise and counteract evolving threats.

*The writer is Mr. Kanishk Gaur, CEO of Athenian Tech, a leading Digital Risk Management Company.
