The Use of Artificial Intelligence in Cybersecurity Incident Response Processes — Part 1: The Preparation Phase
In an organization, all of the plans, policies, and procedures for Cybersecurity Incident Response Processes can instill a sense of security — at least until an actual incident occurs. When an incident happens, all of those preparations, measures, and efforts will be tested on the battlefield, so to speak. Moreover, in a constantly evolving world where threats are always changing, attackers may still find ways to outpace us, or there may be something we’ve overlooked while preparing.
This situation, reminiscent of a cat-and-mouse game, could transform drastically with the inclusion of a virtual worker — one that operates 24/7 without interruption, whose performance and perception remain consistent, and that can run at a high threshold with multiple copies. Let’s try to shed some light on the future.
I covered Incident Response processes quite extensively in the following article series.
Now I need to revisit that series, because the players in this game have changed significantly — both sides are highly interested in AI technology and are amazed by its capabilities. In this new series, based on what I’ve learned in the AI and AI Agent fields, I’ll first try to enhance the SP 800–61 Rev. 3 Incident Response module with potential AI power on the defensive side. Next, I plan to approach Lockheed Martin’s Cyber Kill Chain model from the attacker’s perspective and see how it could be augmented with AI.
You’ll recall NIST’s classic IR diagram. The four-phase process begins with the Preparation phase and creates a self-sustaining cycle where information flows continuously back into the earlier steps, with each phase informing the next.
In the first step, the Preparation phase, there’s a continuous cycle of development and updates. This makes it necessary for analysts to constantly monitor and review the prepared Plan and Procedure document.
- AI Touch: Within the scope of the incident response plans, our LLM model — trained with inventory and topology-focused data from within the organization — will remain up to date by performing document-specific actions and analyses through RAG, regardless of how often the document is revised. In addition, with RLHF, the responses given during incident response can be scored, thereby supporting the model’s self-training as well.
In this phase, measures are determined to prevent potential incident scenarios from occurring. Additionally, it’s the first step where the responsibilities of the team that will intervene during an IR event, the tools this team will use, and the policies and procedures to be followed throughout the process are established.
- AI Touch: Here, by integrating AI Agent tools like LangChain into our trained model, the LLM can interact (via Slack, Teams, email, etc.) with the relevant team members based on the progression of the incident, gathering information and making decisions about actions, and even executing them. This gives us a significant advantage in terms of speed. After a certain period, the model can analyze the decisions made in response to the incidents and, in future steps, may only need a yes/no confirmation — or eventually just send a notification to inform stakeholders while taking action on its own.
The outputs of the lessons learned from incidents and from tabletop exercises conducted with the team should continuously inform the Preparation phase, and analysts should update the plan, procedure, and policy documents.
- AI Touch: Our LLM model can thoroughly analyze the lessons learned and the outputs from tabletop exercises by incorporating all developments from previous incidents. Furthermore, it can enhance its analysis by accessing relevant alarms and logs, enabling it to highlight any points we might have overlooked in these exercises.
Incident process tracking is actually just as important as addressing the incidents themselves. It’s a process that involves not only providing information about how things are proceeding, but also assigning tasks to the teams involved, tracking those tasks, fixing and monitoring necessary vulnerabilities, and more.
- AI Touch: Here, our model can be integrated into the process and operate using short-term and long-term data stores. By doing so, it can compile and track its actions in real time when an incident occurs. Additionally, it can manage tasks in tools like Notion or Trello, send reminders to the relevant task owners, and notify them of deadlines.
One of the biggest questions throughout the process is how an incident will evolve and progress. Beyond analyzing the attacker’s path using the existing logs and alerts, predicting the actions they might take in the next few minutes — along with the resources at their disposal — is a whole different challenge.
- AI Touch: Here, our LLM can analyze real-time data from the incident tracking screen, IoCs, inventory information, logs, and alerts. It can convert these inputs into meaningful insights referencing both the Cyber Kill Chain and MITRE ATT&CK, enabling it to predict how the attack might develop and keep us informed about its progression.
En önemli konulardan bir diğeri sürecin diğer aşamalarda ele alınması çok hızlı ve başarılı olacaktır. Çünkü ilk adımdan ilerleyen yapılandırılmış ve zenginleştirilmiş veri diğer katmanlarda çok iyi analiz edileblecektir. Diğer aşamanında Analiz ve Tespit aşaması olduğu göz önüne alınınca çok işimize yarayan bir veri akışı oluşacaktır.
