By Andrew Loschmann, Co-Founder and Chief Operating Officer at Field Effect
Out of all cyberattack techniques, 90% fit into only 15 categories. This is according to a MITRE ENGENUITY study that analyzed millions of data points and categorized them to understand attacker movement.
Key takeaway? As security practitioners, we often know what is being attacked, what technologies are being targeted, and how threat actors are doing it. As complex as cyberattacks may be, there’s usually little mystery.
Yet, although we know attacks are relatively predictable, they’re still happening at record speed. There’s simply not enough time in the day for a human-only solution to catch everything. AI certainly handles far more data than humans, but there’s a high cost of implementation. Just look at all the time and work that went into ChatGPT, which (while impressive) still has imperfections.
In cybersecurity, that’s not a risk we should take. This is why great cybersecurity combines artificial and human intelligence—putting either or both to work where each makes sense.
Take techniques from the MITRE study, for example. “Scheduled task or job” is the most-identified category, probably because all malware relies on being started, and is a great example of when AI and ML are not needed.
Cybersecurity experts can count on two hands the number of ways that malware can schedule or start a task. It's also relatively easy to identify legitimately installed software. By weeding out the good, we can quickly find the bad. If you can describe a problem to be solved in simple language, it's highly effective to use technology you can program using traditional means.
The second-most common technique, “command and scripting interpreter,” is where AI shines. Attackers use command lines to start remote processes on other systems, download password databases, and for other malicious activities. But administrators use command lines too—in different ways and on different systems and networks.
In the mix of all this data, how do you decipher whether one command line with PowerShell is different or malicious from another? Using sophisticated AI and ML analysis of the command lines and other types of script interpreter usage, we can identify suspicious or confirmed malicious activity.
Now, here’s how we bring artificial and human intelligence together.
Our powerful cybersecurity solution, Covalence, has deep sensor telemetry. It’s end-to-end, with full-packet capture network sensor, kernel and low-level integration endpoint agents on Mac OS, Linux, and Windows, and cloud-native integrations. The result? Extreme visibility, but too much data for humans alone to process.
This is why Covalence uses AI and ML to take that vast volume of data and distill it down—a lot. We turn billions of events happening on customer networks every hour into tangible information for Field Effect analysts. AI helps us determine what matters and when to act.
By combining AI/ML techniques on the back end and expert human analysis where it makes sense, we reduce the risk of an attack and respond more effectively if they occur.
Want to meet the Field Effect team or learn more about Covalence? Drop by booth P306.