In the fast-evolving world of cybersecurity, keeping up with adversaries is an ongoing challenge. For security teams, staying ahead of threats requires more than just cutting-edge tools—it demands a collaborative approach to defense. However, in many organizations, this collaboration is easier said than done. Silos between threat intelligence (CTI), red, and blue teams often lead to fragmented insights, inefficiencies, and slower responses to emerging threats. But what if there was a way to break down those silos and foster seamless teamwork?
At this year’s ATT&CKCon 2024, my colleague Shravan Ravi, AttackIQ’s lead Security Data Scientist, and I, Rajesh Sharma, co-founder of AttackIQ, will present a session titled “Next-Gen Threat-Informed Defense: Human-Assisted Intelligent Agents.” We’ll explore how AI-driven agents are transforming the way organizations defend against cyberattacks. We’ll dive deep into how these agents enable collaboration, automate workflows, and make defenses smarter and faster.
The Challenge of Silos in Security
Before we dive into intelligent agents, let’s acknowledge the elephant in the room: siloed teams. In many organizations, CTI, red, and blue teams work in isolation, each with its own goals, tools, and data sources. This fragmentation leads to critical information being lost in translation, and decisions being made without a full understanding of the threat landscape. Even worse, the work done by one team—like threat reports generated by CTI—might go underutilized by other teams because the information isn’t shared effectively. This creates inefficiencies, delays, and missed opportunities to defend against adversaries effectively.
In a Threat-Informed Defense (TID) strategy, these silos can be particularly harmful. TID requires teams to continuously adapt based on real-world adversary tactics, techniques, and procedures (TTPs), yet many organizations struggle to implement it cohesively. As defenders, we know that adversaries don’t stop learning and evolving—neither can we.
Enter Human-Assisted Intelligent Agents
Imagine a world where these silos are broken down—a world where teams can share insights seamlessly, automating mundane tasks and focusing on strategic decisions. This is where Human-Assisted Intelligent Agents come into play.
Think of these agents as digital skilled workers: they automate complex tasks, understand your environment, make decisions based on real-time data, and take action to improve defenses—all while facilitating collaboration across teams. They grasp the intricacies of your security landscape, analyze data to suggest actionable steps, and help carry out tasks that would otherwise consume valuable human time.
Thanks to recent advancements like Retrieval-Augmented Generation (RAG) and large language models, building these agents has become more feasible than ever. RAG allows for extracting relevant insights from massive volumes of unstructured data, such as threat reports, log files, and incident summaries, feeding them into decision-making processes. This work, which previously required hours of manual effort, can now be done in seconds by these agents.
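To make the retrieval half of that RAG workflow concrete, here is an added example (not AttackIQ's code and not from the session) that indexes a few constructed threat-report excerpts, retrieves the passages most relevant to an analyst's question, and extracts only the ATT&CK technique IDs that actually appear in the retrieved text. The report texts, their IDs and the `answer` function are assumptions made for this illustration; the technique IDs in them are real ATT&CK identifiers used as sample values, not claims about any specific adversary.

```python
import math
import re
from collections import Counter

# Constructed sample corpus (placeholders, not real intelligence on any group).
REPORTS = {
    "report-A": "The ransomware operator gained initial access via phishing (T1566) and "
                "then used process injection (T1055) to run its loader inside a trusted process.",
    "report-B": "Analysts observed credential dumping from LSASS (T1003.001) followed by lateral "
                "movement over SMB (T1021.002) before encryption began.",
    "report-C": "Quarterly patch summary: routine updates were applied to the mail gateway; no incidents.",
}

# Keeps sub-technique IDs like t1003.001 as one token, drops sentence-ending periods.
TOKEN_RE = re.compile(r"[a-z0-9]+(?:\.[0-9]+)?")
# ATT&CK technique IDs: T followed by four digits, optional .NNN sub-technique suffix.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


def build_index(docs):
    """TF-IDF index: returns per-term idf weights and L2-normalised document vectors."""
    tf = {doc_id: Counter(tokenize(text)) for doc_id, text in docs.items()}
    df = Counter()
    for counts in tf.values():
        df.update(counts.keys())
    n = len(docs)
    # Smoothed idf so terms present in every document still get a small positive weight.
    idf = {term: math.log((1 + n) / (1 + d)) + 1.0 for term, d in df.items()}
    vectors = {}
    for doc_id, counts in tf.items():
        vec = {t: c * idf[t] for t, c in counts.items()}
        norm = math.sqrt(sum(w * w for w in vec.values())) or 1.0
        vectors[doc_id] = {t: w / norm for t, w in vec.items()}
    return idf, vectors


def embed_query(query, idf):
    """Project the analyst's question into the same TF-IDF space as the documents."""
    counts = Counter(tokenize(query))
    vec = {t: c * idf.get(t, 0.0) for t, c in counts.items()}
    norm = math.sqrt(sum(w * w for w in vec.values())) or 1.0
    return {t: w / norm for t, w in vec.items()}


def retrieve(query, docs, top_k=2, min_score=0.05):
    """Return up to top_k (doc_id, cosine score) pairs above min_score, best first."""
    idf, vectors = build_index(docs)
    q = embed_query(query, idf)
    scored = []
    for doc_id, vec in vectors.items():
        score = sum(w * vec.get(t, 0.0) for t, w in q.items())
        if score >= min_score:
            scored.append((doc_id, score))
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return scored[:top_k]


def extract_techniques(docs, hits):
    """Only technique IDs present in the retrieved passages are reported: this is the
    grounding step that stops an agent from asserting TTPs its sources never mention."""
    found = set()
    for doc_id, _ in hits:
        found.update(TECHNIQUE_RE.findall(docs[doc_id]))
    return sorted(found)


def answer(query, docs=REPORTS):
    """Hypothetical agent entry point: sources consulted plus grounded technique list."""
    hits = retrieve(query, docs)
    return {"sources": [doc_id for doc_id, _ in hits],
            "techniques": extract_techniques(docs, hits)}


if __name__ == "__main__":
    print(answer("process injection ransomware loader"))
    print(answer("credential dumping lateral movement"))
    print(answer("something entirely unrelated"))
```

The point of the `extract_techniques` step is the one that matters for a defender: whatever a downstream language model is asked to write about these reports, the technique list handed to the red and blue teams comes from text the retriever actually surfaced, and an unrelated question returns no sources and no techniques rather than a plausible-sounding guess. A production agent would swap the TF-IDF index for vector embeddings and a real document store, but the grounding discipline stays the same.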
But what makes these agents truly game-changing is their ability to break down silos and ensure seamless information sharing across CTI, red, and blue teams. They don’t just automate tasks—they transform the way teams collaborate.
Meet the Agents
During our session, we’ll showcase several key agents that can revolutionize how security teams work together. Here’s a preview of what each agent brings to the table:
- Threat-Informed Defense Advisor Agent: This agent scans and analyzes threat reports in real time, providing CTI, red, and blue teams with actionable intelligence about active threats. It’s like having an assistant that consolidates critical information and shares it across teams instantly.
- ASM Graph Agent: Focused on asset visibility, this agent assesses the environment and answers questions like, “Do we have any vulnerable assets tied to these threats?” Traditionally, this process would take hours of manual effort. Now, it’s done in minutes.
- Assessment Planning Agent: This agent automates the setup of realistic attack scenarios, helping red and blue teams simulate how an organization’s defenses would hold up against specific attacks. The result? Faster validation of security controls and more targeted mitigations.
- Scenario Modeler Agent: When a simulation scenario isn’t readily available, this agent builds the missing package, enabling teams to test against specific adversary techniques. For example, it can model the process injection techniques used by the BlackBasta ransomware group.
- Security Gap Analyzer Agent: After running simulations, this agent evaluates which defenses held strong and which ones need improvement, offering insights that are immediately actionable across teams.
- Defense Enhancement Agents: These agents turn insights into actions, suggesting specific mitigations and generating new detection rules, ensuring that the defense posture is updated in real time.
A Real-World Example: MedSecure Case Study
To illustrate the impact, let’s consider a fictitious case study of MedSecure, a mid-sized healthcare provider under attack by the BlackBasta ransomware group. Traditionally, their siloed teams would have struggled to coordinate a timely and effective response. However, with Human-Assisted Intelligent Agents:
- Centralized Threat Intel: Agents aggregated threat reports, providing a unified view of BlackBasta’s TTPs.
- Vulnerability Mapping: They identified vulnerable assets within MedSecure’s environment linked to the ransomware’s known exploits.
- Automated Simulations: Agents facilitated simulations of potential attack scenarios, allowing the red and blue teams to prepare accordingly.
- Targeted Mitigations: Based on the simulations, agents suggested specific defense enhancements, streamlining the implementation process.
The result? MedSecure responded faster and more effectively than ever before, turning a potential crisis into a managed event.
Why Should You Care?
If you’re a security professional grappling with the challenge of siloed teams and underutilized threat intelligence, our session at ATT&CKCon 2024 will show you a better way. By moving to human-assisted intelligent agents, you’ll not only break down organizational silos but also accelerate your response to threats, improve collaboration, and make Threat-Informed Defense more accessible—even for organizations with lower maturity.
Continued Engagement Beyond ATT&CKCon
For those of you reading this after the conference, we hope these concepts have sparked new ideas for your own organization. While our session offered an in-depth look at the technical underpinnings and use cases, the potential of these agents extends far beyond a single event. Whether you attended or not, the principles of better collaboration, faster decision-making, and stronger defenses through intelligent agents can help transform your organization’s approach to cybersecurity.
If you missed the session or want to dive deeper into these ideas, feel free to reach out for follow-up materials or further discussions. We’re always eager to continue the conversation and explore how these innovations can benefit the broader security community.
Let’s Push the Boundaries Together
The integration of Human-Assisted Intelligent Agents isn’t just a fancy upgrade—it’s a necessity for modern cybersecurity. By automating routine tasks and enhancing inter-team collaboration, organizations can:
- Reduce Inefficiencies: Free up human experts to focus on strategic initiatives.
- Enhance Decision-Making: Rely on data-driven insights that are timely and relevant.
- Democratize TID: Make advanced defense strategies accessible, even to organizations with less mature security infrastructures.
We’re excited to share these advancements with the cybersecurity community and hope this post continues to inspire long after ATT&CKCon. Whether you’re deep into TID or just starting, there’s something for everyone in this evolving field.
Date & Time:
October 23, 2024, at ATT&CKCon 5.0, McLean, VA.
Let’s push the boundaries of Threat-Informed Defense together.
Looking forward to connecting with you all!