In 2019, Rudy Guyonnaud and Arnaud Le Des captured a shared fear in a piece of work. Cyber Defense Review Article titled “Artificial Intelligence in Digital Warfare”. “AI problems currently tend to manifest themselves in the guise of mythologized omniscience and even mythologized omnipotence,” they write. “This can lead to paralysis of people who fear having to fight a super enemy with such intelligence that they lose their solutions.” With the release of his ChatGPT in 2022, that fear became a reality. It looked like it had become. But the reality is that the use of AI as an attack tool is evolving in stages, and such a super enemy has yet to be created. Much of the real value of AI today is in defense.
As Microsoft and OpenAI recently explained, we're seeing threat actors use AI in interesting but not invincible ways today. They discovered five hacker groups from four countries using AI. Initially, the group used large-scale language models for research, translation, building tools, and creating phishing emails. Microsoft then confirmed a tool that suggests actions after a system has been hacked. Some claim that the latest model could have even more features, but that seems premature. In stark contrast to fears that AI would unleash a wave of robot hackers around the world, these attackers utilized AI for mundane tasks. Meanwhile, cyber defense forces are using currently existing AI technologies to accelerate the pace of analysis, improve warning intelligence, develop training programs more efficiently, and provide more realistic training scenarios. methods can meaningfully improve your cyber defenses.
First, endpoints and network sensors create billions of events a day across the Department of Defense's information network. Today, “data overload” is not just a theoretical danger. That's natural. However, as Guyonneau and Le Dez pointed out, quantity is only half the battle.Cyber analysts must also work on “technology and strategy” [that] The former is driven by the urgency imposed by early experience in the field and the speed of technological development, while the latter evolves at a breakneck pace as our understanding of risk deepens. ” It is not only the amount of data in the fifth domain that confuses understanding, but also its complexity. This ocean of uncertainty is the main target of the two most common forms of AI: machine learning and large-scale language models.
Machine learning cannot turn data into knowledge by itself, but it can speed up analysis.You may not know these models why The endpoint works normally, but you can spot some strange activity. At scale, the burden of sifting through millions of logs is shifted to computers. As a result, people spend less time searching for the digital needle in the cyber haystack and more time on complex investigations. However, the challenges of training, tuning, evaluating, using, and analyzing the output of these algorithms mean that few are taking advantage of them. Large language models can help. For example, ChatGPT and his open source Llama 3 can handle these difficult steps. Instead of coding a support vector machine, you can ask ChatGPT to “build a support vector machine using this sample data.” Instead of flipping through pages of documentation to adjust hyperparameters, you can ask Llama 3 to adjust the parameters for you. Tasks that once took data scientists hours can now be completed in just minutes for avid analysts.
Large language models also have the potential to accelerate the pace of analysis as the backbone of analyst support tools. Cyber analysts initiate many investigations based on opaque alarms. For example, an alert that an endpoint may have been infected with “Trojan:Win32” malware can require hours of work just to gather basic information. Instead, a large language model can be used to create short reports that describe the alert, evaluate suspicious files, gather facts about the host that triggered the alarm, and provide next steps in the investigation. Red Canary, a prominent threat hunting and incident response company, is already doing this using what it calls a “GenAI agent.” Externalizing such mundane tasks greatly accelerates the pace of analysis.
As a stepping stone between manual and semi-autonomous investigations, one of my projects used large-scale language models to build analyst playbooks. These handbooks guide junior analysts to approach complex investigations in the same way as experienced analysts. They promote analytical rigor. However, the process of researching, understanding, and developing detection and investigation strategies for such a huge number of malicious activities takes months. Over the years, I have seen many people pursue this noble goal and inevitably fail. However, using a large language model and a little bit of Python, he created a library of over 600 playbooks (one for each technique in MITER's ATT&CK matrix, which is a classification of malicious actions in the cyber domain). ) was built in a few hours.
Second, machine learning can also help derive meaning from scanning data across the internet and improve alert intelligence. The intelligence cycle is struggling to keep up in the cyber realm. For example, many reports about servers used to launch attacks or control malware implants arrive too late to be useful. These provide interesting information, but little practical information. By finding characteristics of these servers from scans across the internet and training machine learning models to find them, cyber analysts can use these tools on live data feeds to quickly identify new malicious servers. can be found in. This approach allows you to operationalize intelligence at machine speed, rather than acting on similar insights over days or weeks before a report leaves the intelligence cycle.
Third, AI could better prepare analysts for defensive cyber missions. For example, training takes a lot of time and is difficult to do well. I worked on this issue just last year with the new 3rd Multi-Domain Task Force. The force's large cyber formation, assigned to the Army Service Component Command rather than being part of the Cyber Mission Force, was forced to do so without having access to the training to accomplish its mission or the plans to obtain it. I stood up. We found ourselves reinventing the wheel again by building our own training program. We planned on spending more than a year on this project. But after some experimentation, we discovered how to use large-scale language models to create entire curricula, including lesson plans, training materials, and even hands-on exercises and assessments in just a few hours. did.
Finally, AI could also improve practical training. Realistic scenarios are extremely difficult to build, run, and maintain. So much so, in fact, that they don't exist. Michael Schwill, Scott Fischer, and Eli Albright recently spoke about the challenges they faced when trying to implement data-driven operations using real-world data into Army exercises. However, as Guyonneau and Le Dez pointed out in their 2019 article, “Cyber teammates can navigate any type of environment, be it friendly, neutral, or hostile, if the corresponding data exists and can be obtained.” ” AI agents can handle almost everything. If your entire team manually sets a cyber scope, your agent can generate code that describes that cyber scope and implement it into common industry practices. Infrastructure as code. Agents can also run realistic scenarios using synthetic actors that respond to trainee actions in real time. Analysts no longer have to worry about small, unnatural events based on canned scripts run by under-resourced training cells.
AI has a valuable role to play in cyber operations. As Jenny Jun so beautifully and succinctly explained it recently, the impact of AI in the cyber realm will be “a sharper sword, a stronger shield.” However, on the offensive side, as Microsoft and OpenAI have observed, their role currently remains small and may eventually render offensive cyber operations irrelevant at the tactical level. Much of the value of AI today is in defensive cyber operations. As a cyber analyst, I access hundreds of billions of new records in his day. This is a prime target for machine learning. This technology, combined with improved warning intelligence powered by machine learning, significantly reduces the time threat actors go undetected, and even provides an opportunity to neutralize them before a campaign begins. Analyst support tools built on large language models have the potential to further accelerate the pace of analysis. Prior to these operations, AI can help alleviate the enormous burden of building and running training. Unlike many lofty ideas that are over-promised and under-delivered, these goals are realistic and achievable with the resources that line departments currently have. We say we want innovation. There's an opportunity here. we have to grab it. This is how AI can be meaningfully leveraged at the tactical cyber edge.
Capt. Zachary Shevczyk was appointed to the Cyber Command in 2018 after earning a bachelor's degree in computer science and information systems from Youngstown State University. He has supported or led defensive cyberspace operations from tactical to strategic levels, including several high-level incident responses. He currently serves on the 3rd Multi-Domain Task Force.
The views expressed are those of the authors and do not necessarily reflect the official views of the U.S. Military Academy, Department of the Army, or Department of Defense.
Image credit: NORAD/NORTHCOM Public Relations
