Advanced Threat Detection, Hunting, and Analysis
Modernizing Cybersecurity Operations with Machine Intelligence
Peter Guerra & Paul Tamburello
Compliments of
Boston Farnham Sebastopol Tokyo Beijing
Modernizing Cybersecurity Operations with Machine Intelligence
by Peter Guerra and Paul Tamburello
Copyright © 2018 O’Reilly Media, Inc. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com/safari). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.
Editor: Courtney Allen
Production Editor: Colleen Cole
Copyeditor: Octal Publishing, Inc.
Interior Designer: David Futato
Cover Designer: Randy Comer
Illustrator: Rebecca Demarest
Technical Contributors: Aaron Sant-Miller and Brian Behe
March 2018: First Edition
Revision History for the First Edition
2018-03-08: First Release
The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Modernizing Cybersecurity Operations with Machine Intelligence, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.
While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
This work is part of a collaboration between O’Reilly and Booz Allen Hamilton. See our statement of editorial independence.
Table of Contents
1. Introduction 1
2. The Benefits of Applying Machine Intelligence to Cybersecurity 5
   Machine Intelligence Defined 5
   The Current Threat Landscape 6
   Common Challenges 7
   Why Machine Intelligence Offers a Better Solution than Current Approaches 11
3. The Capabilities of Machine Intelligence Today 13
   Current Capabilities of Machine Intelligence 13
   Current Limitations of Machine Intelligence 15
   Recommendations for Successful Machine Intelligence Implementations 17
4. Real-World Security Applications for Machine Intelligence 19
   Hunting for Advanced Threats 19
   Detecting and Classifying Malware 24
   Scoring Risk in a Network 30
5. Addressing Readiness and Maturity for Machine Intelligence in an Organization 37
   First Steps to Applying Machine Intelligence to Security 37
   Overcoming Common Challenges 39
6. Conclusion 43
CHAPTER 1
Introduction

It’s no secret that adversaries and hackers have gained significant and distinct advantages over the good guys in modern cyber warfare. The good guys in this case include government organizations and businesses of all sizes who are constantly under a barrage of cyber-attacks from a growing set of adversaries. Their cyber defensive tools have also become less effective as attack campaigns have evolved to circumvent the current signature- and behavior-based paradigm.

In 2017 alone, cyber criminals breached major credit bureaus, telecom providers, government entities, mobile applications, shipping companies, U.S. voting institutions, and countless individuals.[1] Data stolen from these groups contains personally identifiable information, financial records, and even classified intelligence, each of which attackers can use toward harmful ends.

One such major breach occurred in May 2017, in which the WannaCry ransomware attacked tens of thousands of PCs, forcing 16 hospitals in the United Kingdom to close. According to The Guardian, the attack “resulted in operations being canceled, ambulances being diverted, and documents such as patient records made unavailable in England and Scotland.”[2] Unfortunately, the barrier to entry for cyber criminals is shrinking, and the capabilities are no longer exclusive to sophisticated spy agencies. In many cases, the technologies utilized to execute these massive-scale attacks are available through open source means and exploit pervasive vulnerabilities, such as those in common software libraries or within the operating system. The realities of the impact of cybercrime on organizations include a number of worrisome facts:

• Ransomware such as WannaCry, NotPetya, CryptoWall, and others now earn attackers more than $1 billion in annual revenue.[3]
• On average, it can take 240 days to detect an intrusion.[4]
• By 2020, organizations worldwide will spend more than $100 billion annually on cybersecurity software, hardware, and services.[5]
• In recent years, the global cost of cybercrime exceeded $400 billion in funds stolen and costs to clean up the damage.[6]
• By 2022, there will be a shortfall of 1.8 million cybersecurity workers globally.[7]

The ecosystem of advanced persistent threats is growing in scale and complexity, evolving more rapidly than our capabilities to respond. New attack surfaces and threat vectors emerge daily, creating vulnerabilities in even the most hardened and secure environments. Through our experience developing governance and compliance programs, we have seen typical organizations more than double their information system records when they have been instructed to start including assessments of Industrial Control Systems and other Operational Technologies.

Attackers are creative, fast, and opportunistic, and new cyber threats take many forms that can evade sophisticated defenses. To keep pace with the exponential escalation of these threats, organizations need to modernize their security operations by integrating machine intelligence into their technology systems, business practices, and mission operations.

[1] Selena Larson, “The hacks that left us exposed in 2017”, CNN, Dec 18, 2017.
[2] Damien Gayle et al., “NHS seeks to recover from global cyber-attack as security concerns resurface”, The Guardian, 13 May 2017.
[3] Anthony Cuthbertson, “Ransomware Attacks Rise 250 Percent in 2017, Hitting U.S. Hardest”, Newsweek, 5/23/17.
[4] Beverly Mowery Cooper, “Resiliency and Recovery Offset Cybersecurity Detection Limits”, SIGNAL Magazine, May 27, 2014.
[5] “Worldwide Revenue for Security Technology Forecast to Surpass $100 Billion in 2020, According to the New IDC Worldwide Semiannual Security Spending Guide”, International Data Corporation, October 12, 2016.
[6] Trish Rimo and Monica Walth, “McAfee and CSIS: Stopping Cybercrime Can Positively Impact World Economies”, McAfee, June 9, 2014.
[7] “2017 Global Information Security Workforce Study”, Frost & Sullivan, May 2017.
CHAPTER 2
The Benefits of Applying Machine Intelligence to Cybersecurity

Machine Intelligence Defined

Improving cybersecurity operations over the short term will depend largely on new applications of existing techniques, technologies, and skills. Some approaches will seem more traditional and familiar than others. For example, continuous monitoring and detection will remain part of the cybersecurity operations process for the foreseeable future. Over the long term, however, cybersecurity operations will become more reliant on automation and machine intelligence. Although many people today are familiar with the basic notion of automation, it’s fair to say that most of us still find the concept of machine intelligence new in the context of cyberspace operations. Here is a brief definition of machine intelligence:

    Machine intelligence is a field concerned with producing machines able to autonomously perform tasks that would normally require human intelligence by giving them the ability to perceive, learn from, abstract, and act using data.[1]

Machine intelligence works by enabling machines to assimilate disparate information and produce predictions and recommendations (i.e., through machine learning). Machine intelligence and machine learning are often conflated, but machine learning is a technique for achieving machine intelligence—not the entire field.

Because machine intelligence is a relatively new term, it isn’t weighted down by the negative connotations of artificial intelligence, which could suggest evil omniscient computers such as HAL in 2001: A Space Odyssey. Unlike fictional computational systems, modern machine intelligence systems can presently perform only a limited number of narrowly defined tasks. We will explore specific realistic tasks for which machine intelligence can broadly affect cybersecurity applications in subsequent sections.

[1] J.D. Dulny, Emma Kinnucan, Josh Elliot, Steve Mills, Drew Farris, and Joshua Sullivan, “The Machine Intelligence Primer”, Booz Allen Hamilton, October 2, 2017.
The Current Threat Landscape

The harsh reality is that attackers have likely already penetrated our defenses and could be moving more or less freely within our systems. The recent explosion of these attacks is largely due to the confluence of an increased attack surface, a diverse set of adversaries, and an expansion of motivations.

Consider, for example, the tens of billions of devices that are part of the Internet of Things (IoT), each of which presents even more vulnerabilities than traditional IT as a result of security largely being applied as an afterthought. Through edge devices, communications channels, and complex interconnections, adversaries have access to numerous new injection points. In addition to disrupting IoT networks, adversaries can aggregate infrastructure to conduct malicious campaigns or move laterally into protected segments of computer networks.

Adversaries can avoid most modern prevention controls by probing for months to avoid triggering threshold-based alerts. These actors typically attempt to identify soft spots in the traditional security operations model and the weakest links in security perimeter defenses. Unsurprisingly, target intelligence flows from public data sources posted on social media and content hosting sites, or easily discoverable through popular search engines.

Traditional rules-based and behavior-based cybersecurity operations that are configured to detect known attack signatures are no longer the only solution to countering cyber threats. For example, most organizations employ a traditional blacklist to block specific web domains or IP space as a means to protect internal network devices from contacting potentially malicious systems. Although this can be effective to some extent, adversaries have developed mechanisms such as domain generation algorithms (DGA) that malicious software can use to subvert a blacklist technique.

These seemingly simple adversary tactics keep them one step ahead of detection technologies, and security operators are playing catch-up rather than pursuing more proactive measures. A myriad of complicating factors in cyber operations compound this situation; here are just a few:

Compliance
Regulatory bodies are becoming increasingly prescriptive on cyber defense requirements, and the consequences of noncompliance are becoming more severe. As compliance shifts to risk, this will become even more important because it can prioritize cyber operational activities.

Threat landscape
Adversaries are diversifying their methods and intents—going beyond traditional theft of intellectual property and focusing on disrupting business operations and destroying key digital and physical assets.

Operational focus
Most organizations are not able to effectively scale their cyber defenses to the growing attack surface, which leaves exploitable gaps for threat actors to pursue.

Despite this seemingly grim outlook, the current state of cybersecurity presents an opportunity for security operations to evolve to become more efficient and effective by thinking differently.

Common Challenges

Most organizations spanning government and commercial enterprise face a range of challenges that compound the situation. The reality is that keeping a strong cybersecurity posture requires taking a modern approach and continual care and feeding across several dimensions. Some of these challenges include:
Cyber workforce

Challenges
Cybersecurity professionals must contend with an increasing set of threats hitting their networks at a relentless pace, and there is a shortage of qualified cyber talent.

In the 2017 Global Information Security Workforce Study by Booz Allen Hamilton and the Center for Cyber Safety and Education, the threats of most concern were software vulnerabilities (e.g., broken authentication and session management, buffer overflows, data exposure, injection vulnerabilities, security misconfiguration), exploits (e.g., back doors, botnets, DDoS, malware, ransomware), and actors/tactics (e.g., cyber terrorism, data exfiltration, insider threat, organized crime, social engineering, proliferation of IoT).

Keeping up with all of these threats is an impossible task; as a result, there is a forecasted shortage of 1.8 million workers by 2022. In North America, 68% of professionals believe there are too few cybersecurity workers in their departments, and a majority believes that it is a result of a lack of qualified personnel.[2]

Opportunities for machine intelligence
Apply automation, the application of machines to tasks once performed by human beings or, increasingly, to tasks that would otherwise be impossible. Automation can be configured to detect anomalies better and faster than humans, supplant operators in monitoring tasks, and decrease false positives to free up analyst time.

Machine intelligence offers an opportunity to evolve certain cyber roles (e.g., testing and evaluation, tier 1 Security Operation Center (SOC) operators, systems administration, and infrastructure support) while introducing emerging roles into the enterprise (e.g., cyber data scientist, machine learning model maintainer, machine intelligence operational training/outreach/integration).

[2] Frost & Sullivan, “2017 Global Information Security Workforce Study.”
Technology capabilities

Challenges
Despite the growth of threat and attack surfaces, many organizations are still using the same cybersecurity technology from 5 to 10 years ago. An average large organization uses 20 to 40 cyber software tools,[3] many of which are outdated, do not interoperate, and require expensive and rigid licenses to retain. As a result, many organizations could spend many wasted hours investigating false positives or weak indicators from cyber software.

Old school approaches are being employed to detect malware (i.e., antivirus signature approaches that cover only known vulnerabilities), detect Distributed Denial of Service (DDoS) attacks (i.e., use a security information and event management [SIEM] system to aggregate data and manually monitor network traffic; reactive and resource intensive), apply governance (i.e., ad-hoc device patching), and detect aberrant behaviors (i.e., a police-detective, case-style approach to build evidence, which is very prone to human error).

Opportunities for machine intelligence
Modern approaches using machine intelligence can elevate mission-critical tools and capabilities by introducing workflow automation, behavior analytics, streaming analytics, active monitoring, intelligent prediction, and advanced network threat detection through machine learning.

These capabilities improve mission context, data collection, orchestration, data fusion, and sensing and warning functions within security operations. They are enabled by an exponential increase in the availability of digital data, better availability of hardware/high-performance computing (e.g., Graphics Processing Units), and breakthroughs in machine learning research (e.g., deep learning).

[3] “Cisco 2017 Annual Cyber Security Report”, Cisco, January 31, 2017.
Adversary sophistication

Challenges
The speed to detect has not grown in proportion to the increase in threat actors and the complexity of the attack surface. Typical rules-driven security has proven ineffective at stopping modern threats.

Today’s adversaries specifically target weaknesses in the traditional SOC model. Most Advanced Persistent Threats (APTs) can seamlessly circumvent perimeter defenses and can avoid most prevention controls. Typically, the adversary can probe undetected for months, avoiding triggers of threshold-based alerts, and then target the weakest link. The adversaries can develop amazing levels of intelligence through social engineering, public data sources, and from unpatched/unsecured web systems.

Opportunities for machine intelligence
Machine intelligence gears efforts toward detecting and hunting for threats and enabling prevention of tactics and attack methods rather than prevention of discrete indicators. This consumes and produces threat intelligence to enrich case work, directs investigations, gains context on suspicious activity and develops a sophisticated understanding, and tracks specific threats.

Machine intelligence integrates traditional IT and new security functions into an agile, consolidated, cohesive organization empowered to rapidly respond to and contain threats. Threat defenders and red-team attackers continuously hunt for exploitable weaknesses, and immediately deploy mitigating controls or process improvements to close gaps.

By making some simple investments now, organizations can get ahead of threats that are arrayed against their systems and establish stable footing from which to modernize their cybersecurity operations.
Why Machine Intelligence Offers a Better Solution than Current Approaches

There are a great many opportunities for machine intelligence to affect cybersecurity operations and address complexity in defending computer networks. The following are just a subset of mechanisms to employ machine intelligence, and we discuss several promising concepts in greater detail later in this book, including threat hunting, malware detection, and risk analysis.

Table 2-1. Common cybersecurity use cases for machine intelligence

Use case | Challenge | Opportunity for machine intelligence
Network anomalies | High volumes of traffic traverse typical networks (internally and externally) each day, and it is difficult to distinguish benign traffic from malicious or risky activities. | By employing machine intelligence, deviations from normal network traffic can be extracted in real time and evaluated by algorithms, saving massive amounts of time manually sifting through logs.
Intrusion detection | Sophisticated threat actors are capable of intruding into networks and covering their tracks to look like a typical user, which makes detection and remediation very difficult. | By modeling patterns seen in malicious traffic, machine intelligence can learn over time, so intrusion detection can get ahead of the threat, rather than requiring frequent rule updates.
Rank aggregation | Many organizations are successfully able to implement first-order analytics (queries, statistics, patterns), but in isolation these datasets miss the big-picture threat landscape. | Advanced machine intelligence analytical techniques can learn how to integrate multiple analytic data products to tell a more cohesive story regarding the aggregate threat.
Deep packet inspection | Network threats are continually evolving, and organizations must move past signature matching to uncover malicious content contained within network packets at network speed. | Modern computing architectures, such as GPUs, are being designed specifically for machine intelligence workloads at an attainable price point using open source software.

These use cases are by no means exhaustive; this is just a snapshot of opportunities that organizations can quickly address. By and large, we can assemble open source tools and a number of well-known techniques to build these machine intelligence capabilities with relatively low effort. However, building a scalable capability that will grow more sophisticated over time will certainly require substantial cyber analyst feedback, model parameter tuning, and incorporation of potentially multiple algorithms or technologies.
CHAPTER 3
The Capabilities of Machine Intelligence Today

Current Capabilities of Machine Intelligence

As with all technologies, it is important to understand the limitations, risks, and benefits when assessing the utilization of such technologies and better informing the resourcing decisions required to implement such solutions. What follows is a primer on important critical considerations when applying machine intelligence solutions to cyber challenges.

Automating simple, rules-based tasks
Early machine intelligence provided techniques for enabling machines to perform rules-based tasking by codifying subject matter expertise as sets of logic-based rules executable by computers. Machines can answer questions with precision and at scale by formalizing human knowledge. Expert systems are one such example; they are challenged by the need to update rules as knowledge evolves but can still be effective. Examples include many network-based intrusion detection systems where signatures are captured and evaluated for threats.

Finding and acting on patterns in data
The biggest excitement around the promise of machine intelligence is the result of its ability to uncover and act on potentially hidden patterns in data. In recent times, enabling technology trends have made available massive amounts of data and accessible computing power that are crucial to train machine learning algorithms. The development of sophisticated deep learning algorithms inspired by the circuitry of the human brain has further boosted the ability of machine intelligence to find structure in data. This structure leads to signals that can be extracted from the data, serving as indicators of compromise or highlighting anomalous activities in large volumes of network or endpoint datasets.

Creating predictions given labeled data
The best and most effective tools in the machine intelligence toolbox excel when provided lots of labeled training data. Labeled data enables machine learning algorithms to extract key features and learn from that data to detect content of interest. For example, by providing thousands of examples of known malicious and nonmalicious URLs, a machine intelligence practitioner can extract key features (structure) from these URLs to build models that can discern potentially malicious versus nonmalicious URLs.
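The labeled-URL workflow described above, as an added example rather than the authors' code: hand-built lexical features (the "structure" of a URL) feed a logistic regression written with only the standard library, trained on a constructed labeled set that uses documentation domains and TEST-NET addresses. The same hostname-entropy and digit-count features bear on the domain generation algorithm problem raised in Chapter 2, since a blacklist can only match names it has already seen; all feature choices, thresholds and sample URLs are assumptions.

```python
"""Lexical URL features plus a from-scratch logistic regression.
Added example; dataset, features and thresholds are constructed."""
import math
import re
from urllib.parse import urlsplit

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed labeled sample (documentation domains / TEST-NET addresses,
# not real indicators). Label 1 = malicious, 0 = benign.
LABELED_URLS = [
    ("https://www.example.com/about", 0),
    ("https://docs.example.org/guide/intro", 0),
    ("https://mail.example.net/inbox", 0),
    ("https://shop.example.com/cart", 0),
    ("https://news.example.org/world/report", 0),
    ("https://support.example.com/kb/12", 0),
    ("https://blog.example.net/posts/hello", 0),
    ("https://www.example.edu/courses", 0),
    ("http://203.0.113.7/update/secure-login.php?id=8827361", 1),
    ("http://paypa1-verify.example-account-check.xyz/login/confirm.php", 1),
    ("http://198.51.100.23/wp-admin/bank/signin/index.php?session=99123", 1),
    ("http://secure.example.com@203.0.113.44/auth/reset.php", 1),
    ("http://xk3j9q2m.tk/gate.php?c=4471823", 1),
    ("http://login-update-account.example-verify.info/0x/1/confirm?u=77213", 1),
    ("http://192.0.2.19/free/prize/claim.html?uid=55820111", 1),
    ("http://a1b2c3d4e5f6.top/drop/payload.exe?k=3381", 1),
]


def shannon_entropy(text):
    """Bits per character; a rough measure of how random a hostname looks."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def url_features(url):
    """Structural features an analyst can understand and argue about."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # userinfo before '@' is dropped by urlsplit
    return [
        float(len(url)),                                          # length
        float(sum(ch.isdigit() for ch in url)),                   # digit count
        float(url.count("-") + url.count("@") + url.count("_")),  # separators
        float(host.count(".")),                                   # label depth
        1.0 if IPV4_HOST.match(host) else 0.0,                    # raw IP host
        shannon_entropy(host),                                    # host randomness
        float(parts.path.count("/")),                             # path depth
    ]


def _sigmoid(z):
    # Numerically stable logistic function.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


class UrlClassifier:
    """Logistic regression fitted by batch gradient descent on standardized features."""

    def __init__(self, lr=0.5, epochs=3000):
        self.lr, self.epochs = lr, epochs
        self.mean = self.std = self.w = None
        self.b = 0.0

    def _standardize(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mean, self.std)]

    def fit(self, labeled):
        X = [url_features(u) for u, _ in labeled]
        y = [float(lbl) for _, lbl in labeled]
        k, m = len(X[0]), len(X)
        self.mean = [sum(col) / m for col in zip(*X)]
        self.std = [max(math.sqrt(sum((v - mu) ** 2 for v in col) / m), 1e-9)
                    for col, mu in zip(zip(*X), self.mean)]
        Xs = [self._standardize(x) for x in X]
        self.w = [0.0] * k
        for _ in range(self.epochs):
            grad_w, grad_b = [0.0] * k, 0.0
            for x, t in zip(Xs, y):
                err = _sigmoid(sum(wj * xj for wj, xj in zip(self.w, x)) + self.b) - t
                for j in range(k):
                    grad_w[j] += err * x[j]
                grad_b += err
            self.w = [wj - self.lr * g / m for wj, g in zip(self.w, grad_w)]
            self.b -= self.lr * grad_b / m
        return self

    def predict_proba(self, url):
        x = self._standardize(url_features(url))
        return _sigmoid(sum(wj * xj for wj, xj in zip(self.w, x)) + self.b)


def training_accuracy(clf, labeled):
    hits = sum((clf.predict_proba(u) >= 0.5) == bool(lbl) for u, lbl in labeled)
    return hits / len(labeled)


if __name__ == "__main__":
    clf = UrlClassifier().fit(LABELED_URLS)
    print("training accuracy:", training_accuracy(clf, LABELED_URLS))
    for url in ("https://www.example.com/contact",
                "http://198.51.100.9/verify-account/login.php?id=4419201"):
        print(f"{clf.predict_proba(url):.3f}  {url}")
```

With thousands of real labeled URLs the feature list would grow and a library model would replace the hand-written descent, but the pipeline shape (features, standardization, fit, score) is the same.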
Automating Human Processes

Applying machine intelligence to automate cybersecurity processes will make them more effective against a wider range of potential threats in a continually changing landscape. Machine intelligence will enable cybersecurity personnel not only to identify threats more accurately, but to anticipate and respond effectively to new kinds of attacks.

Developing capabilities for collecting and analyzing greater volumes and varieties of data will transform cybersecurity operation centers from alarm stations into active monitoring posts. Combining automation and machine intelligence will enable increased use of predictive analytics to anticipate and mitigate threats earlier and more effectively.

Detecting Cyber Threats

By now, you understand that cyber attacks are affecting daily life for many individuals and attackers are becoming more creative. In a rapidly transforming cyber threat landscape, network defense solutions must be innovative and flexible to protect against new attack tactics. Static signature-based detection mechanisms will find only “known-knowns” and will always be reactive to the threat. These challenges are compounded by the individualized nature of the network—each demands a system that understands its unique threats. Cybersecurity experts must now build an adaptable solution that learns the norms of a network while rapidly evolving in defense of new attack structures.

With recent advancements in GPU technology, threat detection and network defense can move from reactive techniques to machine intelligence approaches. Building from a foundation of more detailed data, machine learning models can detect distributional traffic shifts, anomalous patterns of network behavior, and creative attacks as they originate. By using diverse techniques, including neural networks (computer systems based on neurons in the brain) and Bayesian statistical models, organizations can create a machine-intelligent feedback loop to discover new network threats.

Capturing Attacker Tradecraft

Machine intelligence will allow organizations to explore and exploit the complexity of network and multidomain data across multiple platforms. Machine intelligence will enable an improved understanding of the tradecraft of sophisticated attackers by mining historical patterns to predict future activities. Further, machine intelligence will mature over time to build large-scale profiles and data around attacker profiles in aggregate. These profiles can be applied to network data in real time and shared among organizations to deliver more holistic threat detection and attribution to attacker groups.

Current Limitations of Machine Intelligence

Although machine intelligence brings big promise to solving today’s cyber challenges, there are some limitations worth considering first. Generally speaking, machine intelligence cannot perform any entire job better than humans can or perform tasks that require creativity, empathy, or complex judgment. Even though research has broken ground in some of these areas, the maturity of machine intelligence in those dimensions is certainly limited and not yet reliable enough to employ in cybersecurity operations. Following are two significant limitations of machine intelligence:
Understanding context
Intelligent machines suffer from a fundamental inability to perceive or make use of context—the circumstances or information that surround and give meaning to the tasks they perform. Humans rely on prior knowledge and situational awareness gleaned from multiple sources of information to take the right actions at the right times, but machines see only the task directly in front of them. Today’s machine intelligence is generated using machine learning algorithms designed to address specific problem spaces. These algorithms are trained to recognize patterns in those problem spaces with large volumes of carefully labeled example data relevant to that specific problem space (known as supervised machine learning). A given machine learning algorithm’s understanding of the world is therefore limited to whatever use case it was designed to address and whatever data was used to train it.

From the cybersecurity perspective, machine intelligence remains a work in progress. For example, we often program software to detect malware beaconing by searching for anomalies, but not all anomalies are malicious. When utilizing tabs within certain browsers, your computer communicates with a web host every 30 seconds. An automated system for spotting malware beaconing might flag that as suspicious behavior, even though it’s perfectly normal network traffic. On the other hand, adversaries can exploit those types of common situations to “hide in plain sight” and thus evade detection. Essentially, there are a lot of nuances. Although it’s true that adversaries can exploit some of those nuances, we need better ways of determining which anomalies are malicious and which are innocuous.
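The beaconing trade-off above, as an added example that is not from the book: a periodicity score over constructed connection logs flags a 300-second poller to an unknown host, while a browser-style 30-second poller scores just as periodic and is separated from it only by a context allowlist. The addresses, timestamps, allowlist and thresholds are all assumed.

```python
"""Periodicity-based beacon detection with a context allowlist.
Added example; the log lines and allowlist are constructed, not real traffic."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

_JITTER = [0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 1, 0]   # seconds, deterministic


def make_sample_log():
    """Constructed '<ISO timestamp>Z <src> <dst>' lines for three flows."""
    t0 = datetime(2018, 3, 8, 10, 0, 0)
    lines = []
    # 1) unknown host contacted every 300 s with slight jitter: beacon-shaped.
    for i, j in enumerate(_JITTER):
        lines.append(f"{(t0 + timedelta(seconds=300 * i + j)).isoformat()}Z 10.0.0.5 203.0.113.80")
    # 2) a browser tab polling its web host every 30 s: just as periodic, but benign.
    for i, j in enumerate(_JITTER):
        lines.append(f"{(t0 + timedelta(seconds=30 * i + j)).isoformat()}Z 10.0.0.5 198.51.100.10")
    # 3) ordinary browsing: irregular gaps.
    for s in (0, 7, 95, 110, 400, 412, 900, 1500, 1503, 2100, 2800, 2805):
        lines.append(f"{(t0 + timedelta(seconds=s)).isoformat()}Z 10.0.0.7 192.0.2.33")
    return lines


def parse_line(line):
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts.rstrip("Z")), src, dst


def score_flows(lines, min_events=8):
    """Per (src, dst): event count, median gap, and coefficient of variation of gaps."""
    stamps = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        stamps[(src, dst)].append(ts)
    scores = {}
    for key, ts_list in stamps.items():
        if len(ts_list) < min_events:
            continue               # too few events to judge periodicity
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        scores[key] = {"events": len(ts_list), "median_gap_s": median(gaps), "cv": cv}
    return scores


# Constructed allowlist of hosts known to be polled by legitimate client software.
KNOWN_POLLERS = {"198.51.100.10"}


def beacon_candidates(lines, max_cv=0.2, known_pollers=KNOWN_POLLERS):
    """Split periodic flows into analyst-facing candidates and context-suppressed ones."""
    flagged, suppressed = [], []
    for (src, dst), s in score_flows(lines).items():
        if s["cv"] > max_cv:
            continue               # irregular timing: not beacon-shaped
        (suppressed if dst in known_pollers else flagged).append((src, dst, s))
    return flagged, suppressed


if __name__ == "__main__":
    flagged, suppressed = beacon_candidates(make_sample_log())
    for label, rows in (("CANDIDATE", flagged), ("SUPPRESSED", suppressed)):
        for src, dst, s in rows:
            print(f"{label:10} {src} -> {dst} gap~{s['median_gap_s']:.0f}s cv={s['cv']:.3f}")
```

The suppressed list is worth keeping in the output: it is the evidence that the timing signal alone cannot tell the two flows apart, which is exactly the context gap the passage describes.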
Explaining itself
The complexity of the mathematics that underlies machine learning algorithms can make them enigmatic—even to the researchers or developers who create them. This is particularly true of deep learning, one of the most popular and ubiquitous forms of machine learning. While deep learning approaches can be highly accurate, the underlying rationale for why an algorithm created an output can be a “black box” to those attempting to interpret the predictions. The inability to understand model output can lead to issues of susceptibility to human bias. It could also introduce challenges related to concept drift, where predictions from a model can change unexplainably over time. Ultimately, these paradigms have led many cybersecurity analysts to lack trust or confidence in machine intelligence predictions or recommendations. Typically, a cyber operator will not “pull the trigger” on blocking certain behaviors on their network or take a response action without independent manual verification. Over time this can improve, but it will take great effort to reduce the human bias in explicitly trusting machines rather than their own knowledge and intuition.

Recommendations for Successful Machine Intelligence Implementations

We’ve learned a lot of hard lessons when it comes to machine intelligence; the following are recommendations for successfully implementing machine intelligence capabilities in your organization:

• Training data is key; machines cannot learn from small amounts of unorganized, unlabeled, or disparate data. Invest the time to collect and curate high-quality training data with the experts.
• An organization must have the ability to monitor model performance over time to capture and measure efficacy to combat issues such as concept drift. No model is perfect the first time it is deployed, and models will almost always degrade over time, so model maintenance is crucial.
• It is imperative to work with subject matter experts (SMEs) to identify meaningful piles of data and have processes to incorporate analyst feedback into models as needed. The experts always know the data better than most and can key in on nuances and features that will improve machine intelligence capabilities.
• Modeling for the cyber domain requires well-defined, specific questions with available supporting training data. Anomaly detection, for example, although effective at finding outlier or novel content within network data, often leads to nonmalicious content of concern for analysts.

We recognize that there is not a “one size fits all” model for building successful machine intelligence implementations. Every organization is different across many dimensions, including available data, cyber mission objectives, and technology platforms. As we discuss in later sections, it’s important to customize an approach based on your specific circumstances and start small with machine intelligence, then mature over time.
CHAPTER 4
Real-World Security Applications for Machine Intelligence

In many ways, machine intelligence can empower, advance, and transform cybersecurity. Across various cyber domains and missions, machine intelligence has established a foothold and helped enable a more analytically advanced defensive posture for organizations. In the following section, we discuss, highlight, and pull apart the practical and real-world application of machine intelligence for cyber threat hunting, malware detection, and risk scoring.

Hunting for Advanced Threats

Cyber threat hunting is the practice of reviewing security events to identify and prioritize potential threats to a network. When a network has been compromised, cyber threat hunters are frequently brought in to evaluate alerts, explore network devices, and remediate any breaches by applying changes in the network or cleaning up compromised systems. In this role, threat hunters are frequently buried by alerts or are unable to move beyond simple hunting techniques to find advanced adversaries due to the scale of data and the complexity of the threats.

Why Threat Hunting Poses a Challenge for Cyber Operations

Advanced persistent threats are making their way through network defense structures and cybersecurity tools, which look for signatures