When I see discussion about AI in security (especially AI agents) - it’s often about how it will replace Tier 1 SOC analysts. It might…but I think the biggest area of opportunity in cyber security is for AI to analyze all the un-triaged alerts from an org’s security products
Most companies can only triage a tiny fraction of their overall alert volume with a human. It’s part of reason why companies put so much emphasis on vendors getting severity ratings “right”
The severity rating is often a major factor in deciding whether a human reviews an alert
This drives 2 behaviors from security vendors
1) Alert severity is often driven by TP/FP ratio 2) Those that don’t have high enough signal to noise ratio (even if they can meaningfully detect severe impact) get dropped altogether if they can’t be improved - which leads to FN’s
AI coupled with agents has the potential to change this
The AI agent can reason over a detection
& take some initial investigative steps. Scale this up for all alerts coming into the SOC - then the ones with most likelihood of being TP can be forwarded for human review/action
I think the first iterations of AI agents in the SOC we’ll see are for very simple repetitive tasks (e.g user reports a malicious email attachment)
The second iteration of AI agents will be for performing mini-investigations into all alerts coming into the SOC
In parallel we’ll see security vendors (those that are still innovating at least) start to build AI & mini-investigations into their detection engines. This should help with TP/FP tradeoff that occurs w/detection logic as it exists today & improve quality of detections/severity
The challenge that will develop for security vendors will be. Their detection engines will turn into a COGs discussion (or at least each net new detection has the potential to massively drive up COGs)
How much can I detect at what price?
Most enterprise intrusions that I’ve analyzed in my career have had alerts generated by some security product along the way. The issue/blocker has been figuring out which ones to get in front of a human to realize importance/significance to mobilize action by an org to mitigate
In theory MDR vendors are best positioned to drive progress. Combination of alerts + follow on investigative data to evaluate effectiveness of AI agents side by side w/human’s currently performing tasks
I’m dubious. Is COGs reduction enough to justify cost? Will it reduce COGs?
• • •
Missing some Tweet in this thread? You can try to
force a refresh
🧵on the ongoing outage caused by Crowdstrike content update. Insights here mostly based on my time working on/helping build a competitor product Mandiant Intelligent Response\HX
First & foremost this sucks for both Crowdstrike & their customers - no one wants to see this happen
What happened? A security content update was released that caused the issue
Note: every security company pushes out content updates routinely. Depending on the architecture of software and type of update - each software vendor usually has unique processes for rolling these out
Most security software on Windows has two components a driver/kernel part and a userland part.
At Mandiant we used a driver to generate the realtime events (e.g create file, create process…etc) & for very specific actions like raw disk/memory access for forensic collection.
One (potentially overlooked) aspect from today’s latest breach news is the recent trend of password stealer malware as the initial vector to gain access to orgs
See those “LOGID-“ files in screenshot? They are output files from password stealers (e.g RedLine, raccoon stealer)
We discussed how DEV-0537/LAPSUS$ used this technique to gain initial access to a low privileged identity at targeted orgs in our ransomware ecosystem compendium microsoft.com/security/blog/…
Infostealer malware has been around for a long time. What’s changed is focus has shifted consumers (and their bank accounts) to threats to enterprises
An interesting business “innovation” is selling all/most credentials/secrets obtained in bulk for a low monthly fee ($100-$250)
The LAPSUS$ Group/DEV-0537 was not on my 2022 bingo card - given impact of their activities @MsftSecIntel wanted to detail unique blend of tradecraft. I've personally given dozens of threat briefings in the last few weeks
They monetize intrusions (some of them) through extorting orgs to prevent public data release. Nowadays we associate that with ransomware gangs but this isn't a new trend
Reminds me of investigation I led at South Carolina Department of Revenue in 2012 oag.ca.gov/system/files/M…
There are multiple DEV-0537 tactics that I haven't observed (outside of red teams):
-Phone based social engineering
-SIM swapping
-Coercing (through 💵) employees at target organizations to divulge creds
Each of these are hard for most orgs to defend against -especially the last
There’s a lot to unpack in @MsftSecIntel’s latest blog on the CVE-2021-40444 vulnerability. Here’s a thread of some of the details that I think are notable
The volume of initial exploitation was limited. Most security orgs I talked to didn’t observe it directly in their telemetry
“In August…MSTIC identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML”
The attribution behind the various components involved in the campaigns is a little more complicated than I typically see (we’ll unpack that more shortly).
But the end motivation was human-operated ransomware by cyber criminals
This shouldn’t be news to anyone,but human operated ransomware is a problem that has gotten completely out of control
The reasons are relatively straightforward:
The cost to pay is often significantly less than cost to business impact from downtime
The “supply” of possible targets is significantly higher than traditional financial crime which have to target payment/gift cards, banks (or related orgs)
Monetization is also wayyyyy easier
I don’t think you will see a material change in % of orgs who pay ransom unless governments make payment of ransoms illegal (which will have a lot of other unintended consequences).
Do you think governments should outlaw payment of cyber ransoms?
One of most undervalued aspects of incident response is incident documentation
In my experience as a consultant step 1 is interviewing client & reviewing whatever scattered notes 🔖📝they have about an incident & organizing it in a logical manner b/c most orgs do this poorly 🙈
Challenge is analysts (due to crisis) move fast to respond quickly & most orgs don’t experience impactful breaches often
This leads to scattered knowledge/understanding & each analyst documenting things in their own way that is efficient for them but not overall investigation
In my experience - here are the most important things to track (a spreadsheet is my preferred tool)
One table for each of the following:
-Timeline of forensic artifacts
-Systems
-Indicators (I prefer separate table for host and network)
-Compromised accounts