Supercharge Cloud Security Operations with AI-Powered Cloud Exposure Management

Blog
Wed Jul 10 2024

Kayzad Vanskuiwalla
Co-founder & CPO, AiStrike
In an era where cyber threats are evolving at an unprecedented pace, the need for emerging threat intelligence and response mechanisms has never been more critical. At AiStrike, we've pioneered a custom Large Language Model (LLM) designed to stay ahead of the curve by identifying and analyzing the latest emerging threats, indicators of compromise (IOCs), and tactics, techniques, and procedures (TTPs) used by malicious actors. The AI automations also include the ability to simulate an attack pattern and understand business context to improve risk-based prioritization. Below is a sneak peek at how we have developed this differentiated approach to cloud exposure management and how it's supercharging cloud security operations.

Harnessing the Power of AI for Emerging Threat Intelligence

Our custom LLM is built to scrape the web continuously, gathering data on the latest threats, vulnerabilities, threat actors, and their campaigns. This information is curated and stored locally, ensuring that our database is always up-to-date and comprehensive. Keeping the curated data local also preserves privacy and security and keeps the LLM's responses grounded in that data.

Key Capabilities of Our Custom LLM

  • Web Scraping for Real-time Updates: The LLM continuously scans thousands of sources to identify new threats, vulnerabilities, and threat actor campaigns. This includes blog posts, threat reports, and security bulletins. Security teams can automatically stay updated on emerging cyber threats, freeing up time and resources for more strategic work.

  • Linking TTPs to the MITRE ATT&CK Framework: Each identified threat is mapped to the relevant TTPs within the MITRE ATT&CK framework. This allows for comprehensive searches across alerts and data related to specific threat actor campaigns and clear connections to how an organization may be affected by each threat.

  • Converting IOCs and TTPs into SIGMA Rules: The LLM converts IOCs and TTPs into SIGMA rules, which can be consumed by any Security Information and Event Management (SIEM) platform. This ensures that the intelligence gathered can be operationalized swiftly and effectively within existing security infrastructure.

  • TTP-Based Hunting: Since the LLM has been trained in threat hunting, it goes beyond static IOCs to enable proactive monitoring based on threat actor and attack campaign behavior. This allows for dynamic threat detection and more accurate identification of evolving attack patterns, leading to faster response times.

  • Historical and Industry-Specific Analysis: By analyzing past threat campaigns, the LLM determines which threat actors target specific sectors, the IOCs and TTPs they employ, and the typical motives and origins of these groups. Security teams can use this information to assess risk and further inform their threat hunting teams with specific information to look for as they investigate.

  • Assess Specific Exposure in Environments: The LLM assesses a customer’s specific exposure by understanding their target environment, sector, and country. This capability allows for tailored threat intelligence that is directly relevant to the client’s unique context.

Together, the capabilities above support proactive risk prioritization and exposure management in the cloud.
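As an added illustration of the ATT&CK-tagging and IOC-to-Sigma steps described in the bullets above (example code written for this article, not AiStrike's implementation): it takes a constructed advisory extract and emits one Sigma rule per IOC type, with the technique IDs carried as `attack.tNNNN` tags. The advisory content is made up, and the `dns_query`/`process_creation` log sources and `QueryName`/`Hashes` fields follow the public Sigma taxonomy; no PyYAML is required.

```python
import uuid

# Constructed advisory extract: IOCs plus the ATT&CK techniques they were linked to (placeholders).
ADVISORY = {
    "title": "Example loader campaign",
    "reference": "https://advisory.example.invalid/placeholder",
    "domains": ["c2.example.invalid", "cdn-update.example.invalid"],
    "sha256": ["0" * 64],
    "techniques": ["T1071.001", "T1059.001"],
}

def _rule(adv, title, logsource, selection):
    """Assemble one Sigma rule; ATT&CK technique IDs become attack.tNNNN tags."""
    return {
        "title": f"{adv['title']} - {title}",
        "id": str(uuid.uuid4()),
        "status": "experimental",
        "references": [adv["reference"]],
        "tags": ["attack." + t.lower() for t in adv["techniques"]],
        "logsource": logsource,
        "detection": {"selection": selection, "condition": "selection"},
        "falsepositives": ["Unknown"],
        "level": "high",
    }

def build_rules(adv: dict) -> list[dict]:
    """dns_query rule for domains, process_creation rule for hashes; skips absent IOC types."""
    rules = []
    if adv.get("domains"):
        rules.append(_rule(adv, "DNS query to known C2 domain",
                           {"category": "dns_query", "product": "windows"},
                           {"QueryName": list(adv["domains"])}))
    if adv.get("sha256"):  # Sysmon-style Hashes field: "SHA256=<hex>,MD5=..."
        rules.append(_rule(adv, "Known malicious file hash executed",
                           {"category": "process_creation", "product": "windows"},
                           {"Hashes|contains": [f"SHA256={h}" for h in adv["sha256"]]}))
    return rules

_q = lambda s: "'" + str(s).replace("'", "''") + "'"  # single-quoted YAML scalar

def to_yaml(obj, indent: int = 0) -> str:
    """Minimal stdlib YAML emitter for the flat Sigma structure above (str, list[str], dict)."""
    pad, out = " " * indent, []
    pairs = obj.items() if isinstance(obj, dict) else [("-", v) for v in obj]
    for key, val in pairs:
        head = f"{pad}{key}" if key == "-" else f"{pad}{key}:"
        if isinstance(val, (dict, list)):
            out.extend([head, to_yaml(val, indent + 2)])
        else:
            out.append(f"{head} {_q(val)}")
    return "\n".join(out)
```

`print("\n---\n".join(to_yaml(r) for r in build_rules(ADVISORY)))` writes the rules as a multi-document YAML stream ready for a Sigma converter.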

Scope of AiStrike’s Emerging Threat Intelligence

Here are some key metrics from our database, reflecting the extensive scope of our threat intelligence efforts over the past year:

  • Total Threat Groups: 962
  • Total Campaigns: 2120
  • Unique Threat Actors Source Countries: 29
  • Unique Tools: 5371

Additionally, all known vulnerabilities, along with their exploit codes and EPSS scores, are ingested to provide detailed insight into zero-day exploitation and into whether public exploit code exists for a given vulnerability.

Key Metrics for 2024

In the first half of 2024 alone, our LLM scanned thousands of sources, generating over 309 unique advisories. This translated to identifying more than 3368 IOCs and over 253 TTPs related to attacks or vulnerabilities exploited during this period. This continuous flow of up-to-date intelligence enables our customers to stay ahead of potential threats and lets us provide them with timely alerts.

Building Relationships for In-depth Threat Impact Analysis

The strength of our LLM lies in its ability to build complex relationships between various elements of threat intelligence:

  • MITRE Campaigns and Data Sources
    Understanding the full scope of a threat requires insight into MITRE Campaigns and Data sources. Our LLM correlates data from numerous MITRE Campaigns, identifying patterns and linking these campaigns to the relevant data sources. This connection is crucial for comprehensive threat analysis and enables security teams to understand the breadth and depth of threat actor activities.
  • MITRE Groups and Mitigations
    Threat actors and their behaviors are categorized under MITRE Groups, and our LLM has been trained to recognize and analyze these groups. Each group's tactics and techniques are paired with relevant MITRE Mitigations, providing a roadmap for defensive measures. This allows organizations to preemptively counteract potential threats as well as automate and track remediation quickly.
  • NVD Vulnerabilities
    Integrating data from the National Vulnerability Database (NVD), our LLM keeps track of vulnerabilities, their exploit codes, and EPSS scores. This information is critical for understanding zero-day exploits and assessing the risk associated with specific vulnerabilities. By connecting NVD data with threat actor campaigns and malware families, we provide a detailed threat landscape.
  • Attacker Groups, Operations, and Malware Families
    Our LLM excels in mapping out the intricate relationships between attacker groups, their operations, and the malware families they utilize.
  • Ensuring Accuracy with Expert Review
    To maintain the highest levels of accuracy and relevance, our team of AI and Threat Researchers continuously reviews the information processed by the LLM. This human oversight enhances the precision of the outputs generated, ensuring that our threat intelligence remains actionable and reliable.
  • Guiding Analysts Through Active Investigations
    When relevant threats are identified, the LLM provides prompts to guide analysts through active investigations. This feature is invaluable in high-pressure situations, allowing for quick, informed decision-making based on the latest threat intelligence.

AI-Powered Cloud Exposure Management

Our LLM not only identifies threats but also plays a crucial role in proactive exposure management by understanding historical attack patterns and threat actor behaviors. This enables us to simulate attack patterns, predict potential threats, and recommend preventive measures.

Components of Proactive Cloud Exposure Management

Below is our view of Gartner’s framework around cloud exposure management and how AiStrike supports security operations teams with proactive threat hunting and defense capabilities.

Attack Surface Management

  • Internal: Understanding business context to determine critical assets and assets hosting sensitive data.
  • External: Identifying and mitigating risks associated with external-facing assets and monitoring external threat actor campaigns relevant to a specific industry/sector.
  • Digital Risk: Managing digital threats focused on identity or users as a risk factor susceptible to phishing, credential compromise, etc.

Vulnerabilities and Alerts

  • Prioritization: Ranking threats and vulnerabilities to focus on critical issues based on business context, permissions, and behavior anomalies.
  • Classification: Categorizing vulnerabilities and alerts based on severity and impact, focused on the MITRE framework and customer assets.
  • Awareness: Guiding analysts through active investigations to assess exposure, prioritize threats, and suggest remediation actions.
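As an added worked example of the prioritization described above (written for this article, not AiStrike's scoring logic): it ranks constructed vulnerability findings by combining EPSS, the existence of public exploit code, whether a campaign against the organization's sector uses the CVE, internet exposure, CVSS and asset criticality, and records the reasons so an analyst can see why an item ranked where it did. The CVE IDs are placeholders and the weights are assumptions chosen for illustration.

```python
# Constructed findings as they would look after the NVD, EPSS and exploit-code
# feeds are joined to the asset inventory. Placeholder CVE IDs, illustrative numbers.
FINDINGS = [
    {"cve": "CVE-0000-0001", "asset": "hr-intranet", "cvss": 9.8, "epss": 0.02,
     "exploit_public": False, "internet_facing": False, "criticality": "low",
     "sector_campaign": False},
    {"cve": "CVE-0000-0002", "asset": "payments-gw", "cvss": 7.5, "epss": 0.35,
     "exploit_public": True, "internet_facing": True, "criticality": "high",
     "sector_campaign": True},
    {"cve": "CVE-0000-0003", "asset": "marketing-www", "cvss": 9.1, "epss": 0.90,
     "exploit_public": True, "internet_facing": True, "criticality": "medium",
     "sector_campaign": False},
]

# Assumed weights for this example; a real deployment would tune them per environment.
CRITICALITY_WEIGHT = {"low": 0.4, "medium": 0.7, "high": 1.0}
PUBLIC_EXPLOIT_FLOOR = 0.5   # public exploit code: treat as at least 50% likely to be used
SECTOR_CAMPAIGN_BONUS = 0.3  # CVE used by a campaign targeting our sector
INTERNAL_ONLY_FACTOR = 0.5   # asset not reachable from the internet

def score(f: dict) -> tuple[float, list[str]]:
    """Risk on a 0-100 scale as likelihood x impact, plus the reasons behind it."""
    likelihood = f["epss"]
    reasons = [f"EPSS {f['epss']:.2f}"]
    if f["exploit_public"]:
        likelihood = max(likelihood, PUBLIC_EXPLOIT_FLOOR)
        reasons.append("public exploit code")
    if f["sector_campaign"]:
        likelihood = min(1.0, likelihood + SECTOR_CAMPAIGN_BONUS)
        reasons.append("used in campaign against our sector")
    if not f["internet_facing"]:
        likelihood *= INTERNAL_ONLY_FACTOR
        reasons.append("internal-only asset")
    impact = (f["cvss"] / 10) * CRITICALITY_WEIGHT[f["criticality"]]
    reasons.append(f"CVSS {f['cvss']}, {f['criticality']}-criticality asset")
    return round(100 * likelihood * impact, 1), reasons

def prioritize(findings: list[dict]) -> list[dict]:
    """Return findings sorted by descending risk, annotated with score and reasons."""
    ranked = []
    for f in findings:
        risk, reasons = score(f)
        ranked.append({**f, "risk": risk, "reasons": reasons})
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)
```

Note that the CVSS 9.8 finding ranks last: with negligible EPSS, no exploit code and an internal low-value asset, business context outweighs base severity.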

Validation

  • Targeted: Evaluating current and historical events to understand organizational exposure, identify exploit codes, simulate attack patterns, and identify exploitable resources and risks.
  • Comprehensive: Ensuring accuracy and relevance through continuous expert review of the LLM’s outputs.
  • Compliance: Providing out-of-the-box and custom reports for compliance monitoring.

Ensuring Accuracy with Expert Review

Beyond the automation of work by our LLM, AiStrike's expert team of AI and Threat Researchers continuously reviews the information processed by the LLM to maintain the highest levels of accuracy and relevance, minimizing recall errors and enhancing output precision.

Conclusion

At AiStrike, we are committed to revolutionizing cloud security through innovative AI-driven solutions. Our custom LLM is a testament to this commitment, offering unparalleled insights into emerging threats and enabling proactive cloud exposure management. By continuously evolving and refining our models, we ensure that our customers are equipped with the most accurate and relevant threat intelligence, empowering them to protect their assets in an increasingly hostile cyber landscape.

With the integration of datasets from MITRE, advisories from the best researchers across the globe, as well as vulnerabilities from the NVD, and insights into attacker groups, operations, and malware families, our LLM offers a comprehensive and nuanced understanding of the threat landscape. And by analyzing historical data and recent activities, we can predict potential future threats and provide insights into how these threats operate, their preferred tools, their likely targets, and how to mitigate. This allows organizations to not only react to threats but to anticipate and mitigate them with unprecedented precision.
