Top 5 Ways AI Is Automating Cybersecurity Incident Response

Many blog posts discuss the potential of AI in incident response, but they often lack concrete, practical examples. This article aims to bridge that gap by presenting five specific use cases that showcase the current capabilities of AI in this domain. Each example illustrates how AI can improve various aspects of incident response, offering security professionals valuable insights into integrating AI into their daily operations.

‍

1. Automated Threat Detection

‍

One of the most time-consuming aspects of incident response is log analysis. AI can significantly streamline this process, as demonstrated in this use case where we feed an Apache2 access log file into ChatGPT to identify malicious IP addresses and the types of attacks they've engaged in.

‍

‍

To begin, we provide ChatGPT with a prompt requesting it to analyze the log file and identify potential threats. While the prompt could be more specific for better results, it serves our purpose for this demonstration.

‍

‍

After processing, ChatGPT returns a comprehensive table containing:

‍

1. Malicious IP addresses
2. Types of attacks detected
3. Timestamps of suspicious activities
4. Indicators of compromise

‍

Upon manual verification of this relatively small log file, all findings prove to be accurate. ChatGPT hasn't hallucinated any information, and the descriptions of the vulnerabilities are correct. 

The only area for improvement is the "indicators of compromise" column, which could be more specific. However, this limitation is partly due to the restricted information available in the original file.

This type of analysis can significantly aid incident response scenarios by quickly identifying potential threats. While there may be some hesitation in fully trusting AI not to miss any entries, it provides a valuable starting point for further investigation.

‍

2. AI-Assisted Script Creation

This use case showcases AI's ability to assist in quick script creation, a valuable skill for security professionals who often need to develop custom tools quickly.

Building upon the analysis from the first use case, we instruct ChatGPT to create a Bash script that adds the identified malicious IP addresses to Apache2's Uncomplicated Firewall (UFW) and blocks them from making SSH requests on default port 22.

‍

‍

ChatGPT promptly generates a complete Bash script that accomplishes this task. Upon execution, the script runs successfully, adding the malicious IP addresses to UFW and blocking them on port 22, preventing SSH access. This entire process, from providing the instruction to script execution, takes less than a minute.

‍

‍

This demonstration highlights AI's potential to significantly reduce the time and effort required for creating custom security scripts, allowing security professionals to respond more quickly to threats.

3. Malicious Code Analysis

While AI's capabilities in malicious code analysis can be inconsistent, it still offers valuable assistance in this area. This use case demonstrates how AI can aid in analyzing potentially malicious code snippets and identifying potential security risks.

For this example, we examine a suspicious command found in the previously analyzed access logs. The command attempts to run wget on an external server's IP address, a common indicator of malware activity.

‍

After downloading the suspicious binary and running the 'strings' command to extract all printable characters, we pass the output to ChatGPT for analysis. 

‍

‍

The AI provides a detailed breakdown of the binary's contents, including:

1. Identification of potential malware type
2. Predictions about the malware's behavior and capabilities
3. Additional IP addresses for further investigation
   ‍

‍

This analysis, which would typically be time-consuming for a human analyst, is completed quickly by AI. While not infallible, this approach allows security professionals to quickly gain insights into potential threats and prioritize their response efforts accordingly.

4. Log Analysis and Timeline Creation

This example demonstrates AI's ability to analyze extensive log files and create event timelines. We use an auth.log file containing over 178,000 lines of data collected over 246 days as our test case.

‍

‍

‍

Traditionally, analyzing such a large file would require specialized software or complex command-line utilities like grep, sed, and awk. However, by passing the entire file to ChatGPT, we can quickly extract relevant information through natural language queries.

For instance, we can ask ChatGPT to provide:

1. A summary of successful and failed login attempts
2. Identification of unusual login patterns or potential brute-force attacks
3. Lists of IP addresses with the most failed login attempts
   ‍

‍

ChatGPT accurately processes this information, providing an overview of the system's security events. This approach allows security professionals to quickly identify patterns and anomalies that might indicate a security incident, significantly reducing the time required for initial triage and analysis.

5. Security Workflow Automation

The final use case demonstrates Blink Ops' security copilot product, which integrates multiple tools and automates complex security workflows. This AI-powered solution allows security teams to:

1. Create human-in-the-loop incident response workflows
2. Set rules for automatic incident response processes
3. Generate mean time to resolve (MTTR) reports for incidents
4. Query Security Information and Event Management (SIEM) systems using natural language prompts

To give you an example, the system can automate a workflow that retrieves incident details from BigPanda, enriches a JIRA ticket if the incident is critical, and notifies the DevOps team through Slack. 

This type of automation, which previously would have required hours of coding and implementation, can now be set up quickly and easily through the AI-powered interface.

‍

‍

This use case demonstrates how AI can not only assist with individual tasks but also orchestrate complex, multi-step security processes, significantly enhancing the efficiency and effectiveness of security operations.

Get Started With Blink Ops

As we look at the rapid advancements in large language models (LLMs) and the significant investments being made in AI, particularly in cybersecurity, it's clear that we're only scratching the surface of this technology's capabilities.

Blink is an ROI force multiplier for security teams and business leaders who want to quickly and easily secure a wide range of use cases, such as SOC and incident response, vulnerability management, cloud security, identity and access management, and governance, risk, and compliance.

With thousands of automations in the Blink library and the ability to customize workflows to fit your specific use case, Blink Ops can significantly improve your security operations. Click the link to get started now.

‍