The Rise of Generative AI is Transforming Threat Intelligence – Five Trends to Watch
2023 was the year of generative artificial intelligence (GenAI). From the rise of ChatGPT to the many tools that followed in its wake, companies of all sizes have joined the race to cultivate GenAI technology and applications. GenAI will continue to evolve in 2024 as its use accelerates, with important implications for cybersecurity – attackers and defenders alike.
Threat intelligence was among the first domains to welcome and integrate the new GenAI technology. Threat intelligence is fundamentally all about data and the ability to process, contextualize and enrich data points, with the final goal of understanding threats so we can proactively work to mitigate them. GenAI promises to be a great asset to this end. However, we are still in the early stages of this adoption, and the marriage between GenAI applications and threat intelligence will be one of the most intriguing to watch. Here are five important trends that I believe we will see in 2024 in the field of threat intelligence:
Data Analysis
Since GenAI is data-driven, it’s no wonder that the first trend is the application of its capabilities to data analytics tasks. Hours-long processes can shrink to minutes with GenAI, freeing analysts’ time and creating a near real-time response to cyberthreats.
A good example of this is ransomware data leak analysis. When a third-party vendor of a company is attacked and its data is leaked, it is the threat intelligence analyst’s job to learn what company data is in the third-party vendor leak. Analyzing 500GB of someone else’s data is no easy task, especially when the data includes many data points spread across various file formats (such as PDF reports, photographs of receipts and huge Excel sheets), all stored in different folders and with naming conventions sometimes understood only by the creators themselves. Sifting through such a trove of data can be time-consuming and ineffective. GenAI technology, which can understand natural language and analyze data in various formats, is a perfect solution to perform such activities.
Contextualizing
Imagine you’re contending with the following threat assessments:
- The CEO’s name was mentioned in an incendiary tweet
- A sale ad for VPN access written in Russian has been offered in an underground cybercrime forum
- A researcher discovered a new vulnerability in a software tool the company uses
- A data leak containing the email and password of a former employee was published on Telegram
These are examples of the day-to-day data points a threat analyst needs to quickly filter through, separating and prioritizing the real and/or imminent threats from the more benign everyday events. GenAI solutions capable of understanding the context while overcoming the language barrier will become an obvious choice to classify and explain the possible threat, focusing the analyst on the important threats that must be dealt with urgently.
Report Creation
Every intelligence analyst will tell you that having the intelligence itself is not enough. Once the intelligence is acquired, the next stage is to disseminate it to the relevant parties to take action.
However, this isn’t always as simple as it sounds. Surprisingly, there is not a 100% match between the ability to understand cyber-related content and threats and the ability to explain these threats to a non-tech-savvy person. Furthermore, the language can sometimes be a barrier as we move toward using remote workforces. On top of that, a threat intelligence industry undergoing a shift from service-based to software-based solutions is discovering that a high-quality and meaningful report is not as simple a task to automate as we might have thought. For these reasons, using GenAI capabilities on top of “old-fashioned” automation will expand widely and become a vital part of every threat intelligence solution.
Attack Detection
GenAI is a power multiplier not only for security teams but also for attackers. In 2023, we saw several illicit usages of this technology with prominent examples of WormGPT and FraudGPT. Both are offshoots of OpenGPT with the intent of fostering GenAI applications without any ethics or limitations, and both can be used for hacking activities that will only grow in sophistication.
That being said, GenAI capabilities can also be used to detect these attacks. The flexibility of GenAI tools can help to analyze different aspects of an event to quickly understand if it is a threat. For example, looking into both the header and content of an email while simultaneously comparing it to past email conversations can help detect scam and business email compromise (BEC) attacks. GenAI could also be deployed to analyze the code, the content, the look and feel of a website and the Whois details to determine if a website is a phishing website, almost in real-time.
Content Creation
One of the untold secrets in the threat intelligence field is that human interaction skills are sometimes as important as technical analysis skills. The ability to understand the different stages of attacks, analyze malware and make sense of network traffic is important in its own right.
But no threat intelligence program is complete without the ability to access the data at its source: the attackers. This requires human interaction. Underground hacking forums, Telegram groups and Discord channels have proven to be valuable again and again for interfacing with threat actors. While this data is usually shared for free, mostly it requires human interaction to extract. The level of human interaction needed can vary from source to source, from answering questions to gaining access to forums – or even sustaining conversations with an attacker over several days. Many of these tasks, if not all, can be operated by GenAI technology. At the very least, GenAI could take some of the load off the researcher.
Expect GenAI to continue to be a hot topic across threat intelligence applications. As threats grow increasingly sophisticated – powered by GenAI themselves, in many cases – GenAI will play a growing role in combatting them.