• United States



Contributing Writer

How generative AI can help organizations overcome threat intelligence program challenges

Jul 10, 20235 mins
Generative AIThreat and Vulnerability Management

Used as an analyst assist application, generative AI can help threat intelligence programs in areas like data collection, analysis, and dissemination.

chatbot generative ai by the kong via shutterstock
Credit: The KonG / Shutterstock

Generative AI is everywhere these days - in the media, at the RSA conference, in vendor announcements. It seems like everyone associated with the supply side of cybersecurity is talking about generative AI, but not the demand side. Cybersecurity pros remain skeptical and most CISOs I speak to have no immediate plans for implementation.

What's going on here? Cynical cybersecurity professionals have heard similar "silver bullet" stories before. Remember the "IDS is dead, IPS is the new standard," prediction in the early 2000s? How about the big push for network access control (NAC) around 2006 or the buzz around user and entity behavior analysis (UEBA) in the 2015-2016 timeframe? Heck, even recent XDR gaga has created more end-user confusion than a new robust market.

To be fair, generative AI is in its infancy and a lot of announcements referred to products that remain in beta. Given this, it's understandable that many CISOs are taking a wait-and-see approach, but I do notice some CISOs sorting through the rhetoric and thinking about use cases where generative AI can lead to real improvement.

Generative AI's threat intelligence potential

Allow me to add my two cents to this thought process. Generative AI has real potential to help organizations improve the efficacy and efficiency of their threat intelligence programs.

Why focus on cyber-threat intelligence (CTI)? Because more and more organizations realize they need a threat intelligence program, but establishing, managing, and gaining benefits from threat intelligence can be difficult. For example, ESG research reveals that 72% of enterprise organizations (i.e., more than 1,000 employees) find it hard to sort through CTI noise to find relevant information while 63% of firms admit they don't have the right staff size or skills to develop an appropriate CTI program. Little wonder then that 82% of organizations assert that their CTI program is often treated as an academic exercise where intel reports don't provide value or help guide risk mitigation decisions.

Can generative AI help here? Yes. In another research question, ESG asked 380 cybersecurity professionals to identify their top threat intelligence program challenges. Here are some of the top challenges identified along with some analysis on how generative AI could help:

  • Thirty-three percent of cybersecurity professionals say that threat intelligence reports feature too much technical detail, making them difficult for business managers to consume. This isn't surprising since threat intelligence analysts are buried in technical details about indicators of compromise (IoCs), malware, adversary tactics, techniques, and processes (TTPs), the MITRE ATT&CK framework, etc. Generative AI could help the threat intelligence teams create summary reports tailored to different technical and business consumers. This combined with CTI consumer feedback can help organizations continuously improve the quality, relevancy, and timeliness of these reports over time.
  • Twenty-eight percent of cybersecurity professionals say that threat intelligence generates a lot of noise, making it harder to identify truly valuable information. Many CTI teams operate under a "more is better" philosophy, collecting and processing as much open-source and commercial threat intelligence as they can. Consequently, they become buried in data, hindering impactful analysis. Generative AI can help them pinpoint the CTI data most relevant to their company, industry, and region as a baseline, and then help target additional threat intelligence nuggets incrementally. This will not only improve CTI program value but also lower costs as firms select and pay for the most relevant threat intelligence feeds and discard the marginal ones.
  • Twenty-seven percent of cybersecurity professionals say that a focus on identifying and blocking IoCs stops them from achieving strategic value. Generative AI can help in three ways here. First, it can help accelerate IoC discovery and remediation as it is included in security operations workflows. Furthermore, it provides another tool to help threat analysts work with business executives to define priority intelligence requirements (PIRs) for all aspects of the business. Finally, it can tailor CTI reports to different consumers as previously mentioned.
  • Twenty-five percent of cybersecurity professionals say that they have few if any personnel with threat intelligence skills. Generative AI can't alleviate the need for advanced intelligence skills, but it can help train junior personnel while helping them bolster contributions by creating detection rules, assessing whether files/scripts are malicious or not, and comparing vulnerabilities with known exploits in the wild.
  • Twenty-two percent of cybersecurity professionals say that they are not doing enough analysis to better understand cyber-adversaries. This requirement aligns with a model known as the pyramid of pain, which basically states that the more you know about an adversary (i.e., TTPs, tools, network/host artifacts, etc.), the more you can prepare your defenses and make attacks more costly and difficult for the bad guys. Generative AI is no substitute for a seasoned NSA analyst, but it can help bridge the skills gap.

Several threat intelligence providers including Cybersixgill, Mandiant, Microsoft, and Recorded Future have announced generative AI support for their CTI products and services. Many, many others will follow soon.

Generative AI myths

In closing, let me sort through some myths about generative AI. It won't replace threat analysts or make automation decisions on its own, but it can act as a helper app for understaffed and overworked threat intelligence analysts or those lacking advanced skills. This should be welcome news to CISOs. ESG research indicates that 98% of enterprises plan to increase spending on threat intelligence in 2024, so clearly, they need help. Therefore, CISOs should figure out how generative AI fits into their CTI program investments as a means toward helping them gain tactical, operational, and strategic CTI benefits.

Contributing Writer

Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.

More from this author