Welcome to Part III of our series on AI for Cyber Defense. In this segment we will present the necessity to move out of the MDR Black Box to an AI Defensive 3c model (Context, Content and Correlation). By this approach we think like an adversary and defend like a guardian as the Modern MDR standard in Defensive Cyber Security Operations.

In contemporary warfare a cyber-attack is the first strike of offensive operations. On January 13, 2022, the government of the Ukraine experienced wide-scale defacement of its public websites (UK Government). This attack was later identified as a reconnaissance mission, soon to be followed by a massive campaign on February 24, 2022 – approximately 2hrs before the Russian military crossed into the Ukraine (1). Denial of Service and Wiper attacks, intended to eliminate access, and destroy critical data, were launched against Ukrainian government and commercial agencies, disrupting satellite communications, restricting access to financial institutions, and disabling public communications.

We must consider where AI could have aided in defense of this cyber-frontal assault.

Doing so requires we evaluate for Large Language Modules (LLMs) inherent to advanced AI systems, which by their nature are designed to produce logical responses when queried. LLMs consume massive data sets (think petabytes), for their training, primarily sourced within the public domain in the form of books, articles and websites. Therein lies the challenge, where AI, (particularly generative AI), attempts to provide precise response to modern-day queries, utilizing historical data. In our 3c Model, Correlation is risked by the potential for bias, whether societal or cognitive (Echterhoff, J., Liu Y., et al). For purposes of our discussion, Conformity Bias is the greatest inhibitor to establishing a defensive posture in cybersecurity, utilizing AI.

As we discussed in Part II, many of today’s MDR providers, have their roots in Threat Detection Operations (TDO). They function as established MSSPs leveraging proprietary platforms, creating an MDR Black Box from their TDO Black Box legacy. Solely through inclusion of endpoint telemetry they rebrand as MDR. All the while, the operating standards are based on MSSP workflows. Alert investigations follow a conventional MSSP path of:

(1) signature and profile mapping to identify the alert

(2) historical records search for the identified alert

(3) evaluation of prior incident handling procedures

(4) third-party validation (Ex then: VirusTotal, Ex now: AI)

These 4 steps of incident handling are the legacy of MSSPs, ultimately influencing many MDR providers in determining the likelihood of a cyber-threat. The fatal flaw is we exclude broader context of the alert, as it is evaluated in isolation. We restrict the second of our 3c Model, Context. Years of conventional MSSP analysis creates a conformity bias in Step3 (evaluate for prior incident handling). The Incident Handler will examine for what someone did before them and be inclined to take the same steps. Even with Step4, as augmented through AI, the attributes of bias within the LLMs will lean toward conventional MSSP event handling, producing the same results. Take Away: Many of today’s MDR providers are operating by convention, in an echo chamber, with AI bringing the addition of a Confirmation Bias to the pre-established Conformity Bias of the LLM.

Modern MDR breaks us out of the Black Box, and reduces the influence of bias, in the investigation of cyber threats.

With the final part to our series, we will explore the application of human ingenuity to Modern MDR operations as we fulfill on our mission to Think Like an Adversary and Defend Like a Guardian. In preparation, I invite you to obtain a copy of the U.S Marine Corps manual, MCDP1, titled Warfighting (U.S. Marine Corp). You will want to read Chapter 1, The Nature of War and Chapter 4, the Conduct of War. The manual is available at no cost, through the PDF linked in the ‘Works Cited’ Section. Until next time, as Cyber Defenders, we move Forward with Courage.

Works Cited

UK Government, “Press Release: Russia behind cyber attack with Europe-wide impact an hour before Ukraine Invasion”, 10 May, 2022, https://www.gov.uk/government/news/russia-behind-cyber-attack-with-europe-wide-impact-an-hour-before-ukraine-invasion

Echterhoff, Jessica, Liu, Yao, Alessa, Abeer, McAuley, Julian, Zexue He, “Cognitive Bias in High-Stakes Decision-Making with LLMs”, 25 February, 2024, https://arxiv.org/pdf/2403.00811.pdf

U.S. Marine Corps, “Warfighting, MCDP1”, 1989, https://www.marines.mil/Portals/1/Publications/MCDP%201%20Warfighting.pdf