Several Categories of AI Applications in Cybersecurity SOCs (continuously updated)

1. Main Applications

1.1 Building a more complete and accurate asset inventory

IT Asset Inventory - Gaining a complete, accurate inventory of all devices, users, and applications with any access to information systems. Categorization and measurement of business criticality also play big roles in inventory.

1.2 Quickly understanding newly emerging vulnerabilities or attack methods, and predicting the attack techniques and paths likely to be used against your own systems

Threat Exposure - Hackers follow trends just like everyone else, so what's fashionable with hackers changes regularly. AI-based cybersecurity systems can provide up-to-date knowledge of global and industry-specific threats to help make critical prioritization decisions based not only on what could be used to attack your enterprise, but on what is likely to be used to attack your enterprise.

ChatGPT can be used to analyze large amounts of data from various sources, such as the dark web and social media, to identify potential APTs and track the activities of cyber criminal groups and state-sponsored hackers.

1.3 Evaluating the effectiveness of system security controls

Controls Effectiveness - It is important to understand the impact of the various security tools and security processes that you have employed to maintain a strong security posture. AI can help understand where your infosec program has strengths, and where it has gaps.

1.4 Predicting risk based on the three items above

Breach Risk Prediction - Accounting for IT asset inventory, threat exposure, and controls effectiveness, AI-based systems can predict how and where you are most likely to be breached, so that you can plan for resource and tool allocation towards areas of weakness. Prescriptive insights derived from AI analysis can help you configure and enhance controls and processes to most effectively improve your organization’s cyber resilience.

1.5 Fast and accurate monitoring and response, with recommendations for reducing vulnerability

Detecting actual attacks more accurately than humans, producing fewer false-positive results, and prioritizing responses based on their real-world risk.

AI powered systems can provide improved context for prioritization and response to security alerts, for fast response to incidents, and to surface root causes in order to mitigate vulnerabilities and avoid future issues.

For example, to detect APT attacks, NLP can be used to analyze the semantics of other monitoring tools' API output and correlate it with log information, etc.

ChatGPT can be used to detect and analyze advanced persistent threats (APTs) by leveraging its natural language processing (NLP) capabilities to analyze large amounts of text data such as network logs, intrusion detection system (IDS) alerts and other security-related information. 

TTP analysis: ChatGPT can also be trained to analyze the tactics, techniques, and procedures (TTPs) used by APTs. By analyzing the methods used by an attacker to infiltrate a network and move laterally, it can help security teams identify the origin and intent of the attack.

1.6 Alert grading, classification and correlation (pre-processing)

AI helps analysts triage alerts effectively by focusing on the most critical ones first, helping distinguish between false negatives and false positives and greatly reducing the chances of missing critical incidents. It also classifies and prioritizes threats to trigger alerts based on attack signatures, indicators of compromise (IOC) and indicators of behavior (IOBs).

Security case management functionality allows a security team to gather information on suspicious activity and escalate investigations with detailed, case-related information and logs. Applying AI can increase the speed and volume of data processed and integrate data science techniques, allowing for automated identification and classification of data in documents. Because AI can understand context, it can group data by topic without prior classification, helping security teams use data recognized as related to make inferences and find similarities that are not readily apparent.

1.7 Providing explanations and action recommendations tailored to different audiences

Explainability – Key to harnessing AI to augment human infosec teams is explainability of recommendations and analysis. This is important in getting buy-in from stakeholders across the organization, for understanding the impact of various infosec programs, and for reporting relevant information to all involved stakeholders, including end users, security operations, CISO, auditors, CIO, CEO and board of directors.

Reports can also be generated automatically:

ChatGPT can be used to generate detailed reports on APT activity, including information on the scope and severity of the attack, the systems and data affected, and recommendations for containing and mitigating the threat.

1.8 Table-top exercises, etc.

Creating Table-Top Exercise (TTX) Scenarios - helps generate specific or self-proposed scenarios for incident response table-top exercises, helping the business plan for real-world incidents by conducting fictional incident response with key stakeholders from across the business.

1.9 Analyzing human behavior patterns to find signs of possible malicious exploitation

Behavioral analysis: ChatGPT can be trained to analyze network logs and other data to identify patterns of behavior that may indicate an APT. For example, it can be trained to look for signs of lateral movement, data exfiltration, or other indicators of malicious activity. Our disclaimer: Again, it’s worth bearing in mind how much of your own data you want to feed into ChatGPT, and whether the benefits outweigh any potential risks.

2. Main Advantages

According to the IBM report AI and automation for cybersecurity | IBM, AI adopters improve performance by using AI for critical capabilities:

Tier 1 threat classification, detecting zero-day attacks, predicting threats, reducing false positives and noise, and correlating user behavior with threats

3. Lifecycle Model

P2DR combined with AI has the following characteristics [4]...

3.1 The Protect and Prevent part

3.1.1 Endpoint discovery and asset management. (1.1) Unauthorized devices operate under the radar of organizations' traditional security policies, making them difficult to detect. AI can learn the context, environment, and behaviors associated with specific asset types, network services, and endpoints, and companies can then limit access to authorized devices and prevent access for unauthorized and unmanaged devices.

3.1.2 AI for vulnerability management. (vulnerability management and assessment; related to penetration testing) AI-powered vulnerability assessments can help identify improperly configured devices so administrators can remove or re-configure them. While active vulnerability scanning in operational technology (OT) environments can destabilize systems, organizations can use AI plus automation to perform passive monitoring. AI can also help prioritize vulnerability patching by providing information about weaponized exploits so clients can take a risk-based approach to vulnerability management.

3.1.3 AI for access management. (access control and auditing; cf. 1.3) Companies can use AI to audit access to data and services by users and applications. Once entitlements to sensitive resources are established, AI can coordinate activities across the control plane—monitoring behaviors, flagging anomalies, generating contextual insights, sending alerts, and initiating remedial actions.

3.1.4 AI for threat simulation. (similar to 1.8) Threat simulators can connect to software endpoints across an organization's network to emulate the lifecycle of a cybersecurity incident. This tests live security defenses without interacting with production servers or endpoints, allowing companies to identify and address gaps in their defenses without impacting their operations.

3.1.5 AI for identity management. (identity management; cf. 1.3) Zero trust security operations place greater demands on IT infrastructure and security authentication capabilities, notably the need to resolve identity in near real time. While zero trust can represent a significant enhancement in operational capabilities, it also presents new challenges in operations capacity and coordination (for example, supporting remote workers using multiple devices from multiple locations). AI can enhance authentication services by creating a unique user profile based on a combination of historical behaviors, contextual data, and role-based policies.

3.2 The Detect and Respond part

3.2.1 Automated detection and response. (1.5) Security AI plus automation automates the collection, integration, and analysis of data from hundreds and even thousands of control points, synthesizing system logs, network flows, endpoint data, cloud API calls, and user behaviors. Together with threat management and alert prioritization, organizations can complement existing telemetry solutions with endpoint detection and response (EDR) and cross-layer detection and response (XDR) capabilities. These allow security operations teams to fully understand the context of security exceptions, establish priorities, and devote sufficient resources to investigating high-impact threats.

3.2.2 Threat intelligence. (1.2 + 1.5) AI-enabled security intelligence enables organizations to analyze live data streams to detect abnormal behavior in real time. Combining security information across domains—by integrating internal telemetry signals with external intelligence sources—provides actionable intelligence in an actionable window, improving the effectiveness of security policies, especially those associated with emergent threats. In addition, log capture capabilities can be extended by applying the same procedures across cloud environments—scanning for irregular configurations that may point to more elusive attack signatures like zero days and advanced persistent threats (APTs).

3.2.3 Case management. (1.6) Security case management functionality allows a security team to gather information on suspicious activity and escalate investigations with detailed, case-related information and logs. Applying AI can increase the speed and volume of data processed and integrate data science techniques, allowing for automated identification and classification of data in documents. Because AI can understand context, it can group data by topic without prior classification, helping security teams use data recognized as related to make inferences and find similarities that are not readily apparent.

3.2.4 Threat management. (1.6) AI helps analysts triage alerts effectively by focusing on the most critical ones first, helping distinguish between false negatives and false positives and greatly reducing the chances of missing critical incidents. It also classifies and prioritizes threats to trigger alerts based on attack signatures, indicators of compromise (IOC) and indicators of behavior (IOBs).
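The case management and threat management points above (and their counterparts in 1.6) describe grouping related data and triaging by priority. The following Python is an added example, not code from the original post or from the IBM material it quotes: alerts are linked into one case whenever they share an indicator value (an IOC such as a file hash, or an IOB such as a user or host), and cases are then ranked by worst severity plus breadth of distinct detection rules. The alert fields, severity weights and sample alerts are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 3, "high": 7, "critical": 10}

@dataclass
class Alert:
    alert_id: str
    rule: str          # detection rule / attack-signature name
    severity: str      # low | medium | high | critical
    indicators: dict   # IOCs/IOBs carried by the alert, e.g. host, user, sha256

# Constructed sample alerts; the hash value is a placeholder, not a real IOC.
SAMPLE_ALERTS = [
    Alert("A1", "phishing-attachment", "medium",
          {"host": "ws-12", "user": "alice", "sha256": "PLACEHOLDER_HASH"}),
    Alert("A2", "suspicious-powershell", "high", {"host": "ws-12", "user": "alice"}),
    Alert("A3", "smb-admin-share-access", "high", {"host": "srv-db-01", "user": "alice"}),
    Alert("A4", "failed-login-burst", "low", {"host": "ws-40", "user": "bob"}),
    Alert("A5", "known-malware-hash", "critical", {"host": "ws-77", "sha256": "PLACEHOLDER_HASH"}),
]

def build_cases(alerts):
    """Union-find over alerts: alerts sharing any indicator value land in one case."""
    parent = {a.alert_id: a.alert_id for a in alerts}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x
    first_seen = {}   # (indicator type, value) -> first alert that carried it
    for a in alerts:
        for key, value in a.indicators.items():
            anchor = first_seen.setdefault((key, value), a.alert_id)
            parent[find(a.alert_id)] = find(anchor)    # union with the earlier alert
    cases = defaultdict(list)
    for a in alerts:
        cases[find(a.alert_id)].append(a)
    return list(cases.values())

def case_score(case):
    """Worst alert severity plus a bonus per additional distinct rule (kill-chain breadth)."""
    worst = max(SEVERITY[a.severity] for a in case)
    breadth = len({a.rule for a in case})
    return worst + 2 * (breadth - 1)

def prioritize(cases):
    """Order cases so the analyst works the highest-scoring one first."""
    return sorted(cases, key=case_score, reverse=True)
```

With the sample data, A5 on an unrelated host joins alice's case purely through the shared hash, which is the kind of non-obvious relation the text says AI grouping should surface.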

3.2.5 Behavior modeling and anomaly detection. Automated AI security models can recognize abnormal behaviors, assess vulnerabilities dynamically, and flag anomalous activity—all potential indicators of compromise. Then, machine learning can suggest remediation options based on a broad spectrum of factors like situational variables, historical precedents, or threat intelligence sources—followed by updates to policy administration at specific control points.
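Behavior modeling (here), the per-user profile built from historical behavior (3.1.5) and the lateral-movement and exfiltration signs mentioned in 1.9 all rest on the same idea: learn a baseline per user, then flag events that deviate from it. The Python below is an added example, not code from the original post or the IBM material: it builds a per-user baseline (active hours, destination hosts, outbound volume) from constructed log lines and then flags new events with the reasons they deviate. The log format, thresholds and all sample values are constructed assumptions.

```python
import statistics
from collections import defaultdict
# Constructed sample logs ("timestamp,user,src_host,dst_host,bytes_out"): a normal training window,
# then a day with a simulated off-hours fan-out to unseen hosts and a large upload.
BASELINE_LOG = """2024-03-01T09:12:00,alice,ws-12,fileserver,20480
2024-03-01T10:30:00,alice,ws-12,fileserver,18000
2024-03-02T09:45:00,alice,ws-12,mail,5000
2024-03-02T14:10:00,alice,ws-12,fileserver,22000"""
NEW_EVENTS = """2024-03-04T09:30:00,alice,ws-12,fileserver,21000
2024-03-04T02:15:00,alice,ws-12,srv-db-01,3000
2024-03-04T02:16:00,alice,ws-12,srv-db-02,2500
2024-03-04T02:17:00,alice,ws-12,srv-hr-01,2000
2024-03-04T02:40:00,alice,ws-12,ext-upload,900000000
2024-03-04T10:00:00,mallory,ws-99,git,1000"""

def parse(text):
    return [{"ts": ts, "hour": int(ts[11:13]), "user": u, "src": s, "dst": d, "bytes": int(b)}
            for ts, u, s, d, b in (line.split(",") for line in text.splitlines())]

def build_profiles(rows):
    """Per-user baseline: active hour range, destination hosts seen, outbound byte stats."""
    profiles = {}
    for r in rows:
        p = profiles.setdefault(r["user"], {"hours": [], "hosts": set(), "bytes": []})
        p["hours"].append(r["hour"]); p["hosts"].add(r["dst"]); p["bytes"].append(r["bytes"])
    for p in profiles.values():
        p["hour_range"] = (min(p["hours"]), max(p["hours"]))
        p["mean"], p["stdev"] = statistics.mean(p["bytes"]), statistics.pstdev(p["bytes"])
    return profiles

def flag_anomalies(rows, profiles, burst=3, z=3.0):
    """Return [(event, reasons)] for events that deviate from the user's own baseline."""
    flagged, new_hosts = [], defaultdict(set)
    for r in rows:
        p, reasons = profiles.get(r["user"]), []
        if p is None:
            reasons.append("user has no baseline")
        else:
            lo, hi = p["hour_range"]
            if not lo <= r["hour"] <= hi:
                reasons.append("off-hours activity")
            if r["dst"] not in p["hosts"]:
                new_hosts[r["user"]].add(r["dst"])
                reasons.append("new destination host")
                if len(new_hosts[r["user"]]) >= burst:  # fan-out to many unseen hosts
                    reasons.append("possible lateral movement")
            if r["bytes"] > p["mean"] + z * p["stdev"]:  # volume far above baseline
                reasons.append("outbound volume spike")
        if reasons:
            flagged.append((r, reasons))
    return flagged
```

The first new event (a normal daytime file-server access) is not flagged, while the off-hours sequence accumulates reasons as it progresses; in practice the baseline window would be weeks of data and the thresholds tuned per environment.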

4. Application Patterns

4.1 Build a custom solution or buy an off-the-shelf product?


Main references:

[1] Artificial Intelligence in Cybersecurity Market Size, Share, CAGR and Forecast 2030

[2] https://securityblueteam.medium.com/chatgpt-for-offensive-and-defensive-cyber-f954f51aa79f

[3] Using Artificial Intelligence in Cybersecurity | Balbix

[4] AI and automation for cybersecurity | IBM
