Threat intelligence has come a long way in the last 20 years, mainly because of necessity. Threat actors are increasingly sophisticated, and no one institution can anticipate all threats at all times. Over the last few years, the quality of threat data has also matured. This has been possible due to the technological advances that allow for analysis of machine intelligence as well as extraction and analysis of human intelligence from sources such as the dark web. However, despite these advances, organizations are still finding it challenging to operationalize threat intelligence in predicting attacks.
Predictive intelligence is intelligence that is both actionable and relevant to the overall business and can be used to anticipate attacks. Predicting attacks before they occur is the first step to prevention, not necessarily of the attack itself, but of the damage the attack could wreak. If you know what is coming, you can put up defenses to either block the attack, or to dissuade the adversary from carrying out the attack in the first place. It is far more efficient to do that than to pick up the pieces after one has occurred. As Benjamin Franklin said, “an ounce of prevention is worth a pound of cure.”
When cybersecurity teams hear the term predictive intelligence, they often assume it refers to complex machine learning or sophisticated artificial intelligence. Most teams believe that if they can secure a big budget and pick the right vendor, the machines will magically figure out the future, and protect them from all cyber attacks.
The reality is far more nuanced. Prediction is hard; just ask a meteorologist. While automation has come a long way and there are opportunities for AI and machine learning to be more integrated into cybersecurity workflows than they currently are, the reality is that at least as of now, they are not a replacement for human thinking. For example, artificial intelligence has been used in the capital markets for years, often with great success. But if machines were able to reliably predict stock prices, everyone (or no one) would be a millionaire. Events that have extremely low probability but extremely high impact, like the 2008 financial crisis or today’s pandemic, still consistently stump machines.
There are several factors limiting AI’s effectiveness specific to cybersecurity. First, AI needs large data sets to train on, which must come from many institutions. The more data they have, the more accurate the machines will be. Intelligence sharing organizations like FS-ISAC are logical hubs to generate these data sets. However, the volumes of threat intelligence being shared are still not enough to meet the training requirements AI would need to start generating real predictive capabilities. Moreover, threat intel is not always shared in standard formats, which makes it harder for machines to analyze the data they do receive.
The key to operationalizing predictive intelligence is building the right mix of automation and human intelligence capabilities to optimize your cybersecurity program and gradually build capacity to predict and prevent attacks before they hit.
The place to start is with internal intelligence – understanding your threat profile and what attack patterns your firm faces. People often underestimate how much they can learn just from gathering and analyzing their own internal data, but without it, it is virtually impossible to contextualize and therefore act on intelligence coming in from outside. However, when you can correlate your own intel with external sources, you can start to make connections you may not have seen otherwise. For example, perhaps you notice an actor doing reconnaissance on your internal systems. If you can compare that actor’s activity with what other firms are seeing through intelligence sharing networks, and even get insight into the techniques they are currently using, you may be able to block them from your systems before they attack, or successfully defend against them if they do.
Automation is a double-edged sword. Automating processes that do not already exist or leveraging technologies that do not integrate with the rest of your systems are wastes of time and money. Targets for automation should be the inefficient manual processes in your workflows that slow the team down.
Some aspects of security workflows lend themselves well to automation. Ingestion of intelligence can be fully automated, while enrichment, decision-making and response have aspects that can be automated and aspects that best remain in the realm of the human. Further, different types of intelligence call for different levels of automation. Tactical intelligence (threat actor tools, techniques and procedures or TTPs) and technical level intelligence (indicators of compromise or IOCs) can be mapped and shared from machine to machine without human intervention.
While machines can do much of the grunt work, they have real limitations that cannot be ignored for a cyber program to be effective. First, machines cannot predict what they have not seen before, but threat actors are developing new TTPs all the time. Just as it requires humans to change their trading algorithms if the regulator changes the rules, if an adversary changes their tactics, humans can analyze and adapt much more quickly than machines.
People are still crucial to analyzing the patterns the machines pick up on. High-level strategic intelligence on changing risks and operational intel such as threat research, vulnerability reports and malware advisories will always need to have a combination of human and machine interaction.
Further, while certain aspects of decision-making can be automated, like automatically blocking an IP address based on a high confidence score that it is malicious, others cannot be. Few firms would leave a decision that requires shutting large systems down solely to machines. Nor would they let a machine decide what to do if the CEO’s laptop gets stolen.
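To make this division of labor concrete, here is an added Python example (not code from FS-ISAC or from this article) that triages a constructed indicator feed the way the preceding paragraphs describe: high-confidence technical IOCs are blocked without human intervention, tactical and operational intel is routed to an analyst, and external indicators that also show up in the firm's own telemetry are flagged as urgent. The confidence threshold, indicator types, feed entries and internal sightings are all assumptions chosen for illustration.

```python
"""Triage threat-intel indicators into machine-only and analyst-review lanes.

Constructed example: thresholds, indicator types and sample values are assumptions."""
from dataclasses import dataclass

AUTO_BLOCK_THRESHOLD = 90    # assumed confidence (0-100) required for unattended action
AUTO_BLOCK_TYPES = {"ipv4"}  # only technical-level IOCs are eligible for machine-only action


@dataclass
class Indicator:
    value: str
    ioc_type: str                  # "ipv4", "domain", "ttp" or "advisory"
    confidence: int                # 0-100 score supplied by the sharing feed
    seen_internally: bool = False  # set by correlation against our own telemetry


def correlate(indicators, internal_sightings):
    """Mark external indicators that also appear in internal data (the article's first step)."""
    seen = set(internal_sightings)
    for ind in indicators:
        ind.seen_internally = ind.value in seen
    return indicators


def decide(ind):
    """Return (action, reason). Machines act alone only on high-confidence technical IOCs."""
    if ind.ioc_type in AUTO_BLOCK_TYPES and ind.confidence >= AUTO_BLOCK_THRESHOLD:
        return "auto_block", "high-confidence technical IOC"
    if ind.seen_internally:
        return "analyst_review_urgent", "external indicator correlated with internal telemetry"
    if ind.ioc_type in ("ttp", "advisory"):
        return "analyst_review", "tactical/operational intel needs human interpretation"
    return "analyst_review", "confidence below auto-action threshold"


def triage(indicators, internal_sightings):
    """Map each indicator value to the action the workflow assigns it."""
    return {ind.value: decide(ind)[0] for ind in correlate(indicators, internal_sightings)}


# Constructed sample feed (documentation-range addresses) and constructed internal sightings.
FEED = [
    Indicator("203.0.113.7", "ipv4", 95),
    Indicator("198.51.100.23", "ipv4", 60),
    Indicator("example.invalid", "domain", 97),
    Indicator("spearphish-attachment", "ttp", 99),
]
INTERNAL_SIGHTINGS = ["198.51.100.23"]  # constructed: appeared in our own firewall logs

if __name__ == "__main__":
    for value, action in triage(FEED, INTERNAL_SIGHTINGS).items():
        print(f"{value:24} -> {action}")
```

Note that the domain is never auto-blocked here even at confidence 97, because only the indicator types the firm has decided to trust to machines are eligible for unattended action.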
Finally, the capabilities of AI will not advance without humans. Intelligence sharing is required to build the data sets needed to train machine learning models to be more successful at predicting attacks. In coming years, with the development of natural language processing (NLP), we may see machines start to be able to pick out patterns in chats and manual submissions that will further help enrich intelligence automatically. But even though machines may increasingly be able to tease out new insights, they will still always depend to some extent on human collaboration.
Increasingly, robust cybersecurity is not just a compliance issue; it is a competitive advantage. How each institution implements predictive intelligence will vary according to its business needs and legacy systems, but there will be an increasing pull towards adding predictive capabilities to the mix. It is one thing to be able to react and fix a breach quickly, but it is of course far better to not have any at all. That is the promise of predictive intelligence. And while zero breaches may be an unattainable goal, it is still one worth pursuing and investing in.
Predictive intelligence is the next frontier in threat intelligence. Contrary to popular belief, predictive intelligence is not about replacing human analysts with machines; it is about finding the right balance between automating processes to speed up workflows and applying human intelligence to the more strategic aspects of cybersecurity. Predictive capabilities enable firms to prevent attacks before they happen, which is far cheaper from a cost perspective and can even be an advantage in an increasingly competitive digital financial landscape.
© 2020 FS-ISAC, Inc. All rights reserved.