1. Home
    2. »
  2. Blog
    3. »
  3. Incident Response
    4. » Hunting for Threats in the Dark: Leverage AI Technology to Support Your Investigation

Hunting for Threats in the Dark: Leverage AI Technology to Support Your Investigation

- Posted in Incident Response by - Permalink
Hunting for Threats in the Dark: Leverage AI Technology to Support Your Investigation

Background:

Threat actors have been leveraging AI in their attacks for some time now. Through searching for answers on how we as IR specialists can stand against this threat, I have come to a simple solution: how we can leverage AI on a contained system to identify threats left behind by threat actors. To gain to that result we have 2 ways , but we shall on the last one method 1. Feed all logs to AI and try to find anomalies on the system. 2. Use a bash script to get commands from AI and execute them on the machine.

Feed all logs to AI and try to find anomalies on the system.

This method will be more effective for finding anomalies; however, the challenge is that it requires a well-trained model. Based on this model, the system will be able to learn, train, and make predictions related to suspicious activity. While this is a resource-consuming scenario to implement, it will ultimately be one of the most effective methods available.

Use a bash script to retrieve commands from an AI model and execute them on the machine.

This method is one of the most cost-effective approaches to implement because it requires fewer resources. To achieve this solution, you need to obtain an API key from huggingface.co and then develop a script that provides the AI model with a prompt such as: 'You are a bash expert on SOMEDISTRO. The user needs a bash command to: YOUR COMMAND. Provide ONLY the exact bash command, with no explanation, no markdown, no extra text. Just the command.' After the AI responds, the script will display the generated command that needs to run on the machine. Only after your confirmation will the command execute on the machine. User confirmation is a critical part of this scenario because it prevents the execution of harmful commands.

enter image description here

One of the supportive factors of this approach is to have a playbooks related to your current incident response plan, especially for analysis purposes. Based on this playbook, the system will be able to provide the correct commands for execution.

Conclusion

AI technologies are becoming part of our daily lives, and to save time, we should use them as a supportive tool to make our lives easier. However, relying on such technology and forgetting to review its output is a risky practice.

Tags:

Related posts

« »