In the second part of our series, we will draw ourselves into evaluating AI enablement for Cyber Defense. Through this process we will come to appreciate the Tactics, Techniques, and Procedures (TTPs), universally unique to AI for development and execution of cyber-attacks. So, yes – we take up our defensive position by immersing ourselves in the offensive. For your convenience, here’s a link to the first part of the series AI for Cyber Defense: Part 1.

On February 20, 2024, the U.S. Department of Justice (Office of Public Affairs, U.S. Department of Justice), announced a joint effort with the UK National Crime Agency (National Crime Agency), causing disruption of the LockBit cybercrime group. Most of the publicity since announcing, has been focused on the outcome, with the international task force assuming ownership of the LockBit infrastructure. However, what is only now starting to be revealed is the approach in nonrepudiation, the methods taken in identifying tradecraft exclusive to LockBit. The underground is abuzz, with belief the fatal flaw was LockBit’s use of AI in augmenting their attacks, while unknowingly revealing themselves, by use and community sharing of these novel techniques, to government intelligence agencies who were actively monitoring.

As early as 2016, a research group from ZeroFox (Seymour, John & Tully, Philip) presented the application of AI (well, ML was more in fashion at that time), in creating personalized phishing emails through analysis of social media posts. For instance, we are all familiar with the FaceBook quizzes to gather personal information. Research and Reconnaissance becomes our most notable application in the use of AI by Threat Groups for the purpose of creating personalized attacks. Furthering this approach, we evaluate for Methods of Luring where generative AI seeks to establish more authentic decoys, to gain confidence with the high-value target, in providing prized information.

AI-enhanced, Research and Reconnaissance along with Methods of Luring are foundational in crafting threat vectors for delivering malicious payloads. The means may seem familiar, but it’s the level of authenticity that improves the likelihood of compromise. So – how to defend?

Context, Content, Correlation

Cyber Defense pre-millennium was all about speed to detection, where static, identifying signatures for malware, coupled with limited points of entry to fixed network architectures, gave rise to Threat Detection Operations (TDO) aka Alert, Identify, Notify. Post-millennium brings with it a softening of the edges to our network. Endpoint. Detection and Response is born of Mobile networking and Handhelds requiring flexibility in detection and a means of containment and isolation. Enter Managed Detection and Response (MDR).

The dilemma is for Conventional Security Operations Centers and legacy MSSPs the TDO Black Box was replaced with an MDR Black Box, only now realizing the answer isn’t more content, it’s the requirement for Context and Correlation.

Back to our telling of the LockBit Threat Group takedown. The mode of Defense was first tied to Contextual understanding of Ransomware as the arena for combat. AI-Correlation (Defense) to AI-Enabled Attack Vectors (Offense), with identifying characteristics of LockBit revealing vulnerabilities in the threat group’s infrastructure. At that point it was simply a matter of the international coalition to execute on the age-old adage that best Defense is a strong Offense.

In Part III of our series, we will build on the necessity to move out of the MDR Black Box to an AI Defensive 3c model (Context, Content and Correlation) where we think like an adversary and defend like a guardian, as the new standard in Defensive Cyber Security Operations.

Works Cited

Office of Public Affairs, U.S. Department of Justice, “U.S. Department of Justice U.S. and U.K. Disrupt LockBit Ransomware Variant.”, 20 February, 2024.

National Crime Agency, “International investigation disrupts the world’s most harmful cyber crime group”, 20 February, 2024.

Seymour, John & Tully, Philip, “Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter,”, 3 July, 2016 to 4 August 2016.