In this final part of our series, we explore the application of human ingenuity to Modern MDR operations as we fulfill our mission to Think Like an Adversary and Defend Like a Guardian. Let’s pick up with our homework from Part III, referring to Chapter 1, The Nature of War, and Chapter 4, The Conduct of War, from the U.S. Marine Corps manual MCDP1, Warfighting (U.S. Marine Corps).

Universal Principles of War

Cyberwarfare, like conventional warfare, is a clash of opposing wills compounded by countless variables, collectively referred to as Friction. In cyberwarfare, friction takes the form of a boundless landscape, unforeseen obstacles, or plain random chaos. It can also be self-induced, through a lack of clearly defined goals or overly complicated protocols. All of these are amplified by Uncertainty, Fluidity, Disorder, and Complexity, the facets of war described in Chapter 1 (U.S. Marine Corps).

Augmented Intelligence

Artificial Intelligence can aid our cause, with respect to the Nature of War, if we keep two critical factors in mind. The first is that waging war takes a moral, mental, and physical toll on the combatants (Chapter 4, U.S. Marine Corps). Principles of integrity come into play particularly during incident handling. I recall an episode in my career when encountering the transmission of illicit materials, where the standard of operations restricted notification, through the ticketing system, to the named client contacts appearing in the contract. There were indicators that one of the client practitioners may have been involved in this criminal act. Sending a ticket to that individual would only have revealed the findings, not addressed the crime. Applying a moral code to our standard of operations, a notification was sent to ‘all’ those identified as client contacts, from which the organization was able to isolate the perpetrator and bring this person to justice. From this we acknowledge that AI was able to deliver the data, while human morality dictated the response.

The second critical factor is avoiding the fallacy of Appeal to Authority. Anyone experimenting with AI for Cyber Defense quickly realizes that LLMs generate a wealth of false positives, bringing both foundational and private learnings to a response that is seldom orchestrated and quite often uncorrelated. The result is Alert Apathy, or Alert Fatigue: the mental and physical exhaustion suffered by security operators from handling excessive and duplicative false positives. Exhaustion in turn breeds a tendency to defer decision-making to a third party, which is the Appeal to Authority in practice.

When VirusTotal launched in 2004 it became the default authority for many MSSPs. With rare or novel malware, however, it is a less reliable source: a sample no engine has seen yet returns zero detections, and zero detections is absence of evidence, not evidence of a clean file. We must take care not to position AI the same way, as the guru, the authority, the tiebreaker. As we have already learned, AI’s dependency on prior learnings to make future predictions does not account for all conditions. We should therefore evaluate AI as augmented intelligence, with human oversight, for security investigations, but never as the final authority. The test AI must pass is whether we are confident our clients are better protected through its application, without our decision making falling into the Appeal to Authority fallacy.

Balancing AI and Human Ingenuity

Let’s take the MDR workflow of Detect, Investigate, Respond. AI, in the form of augmented intelligence discussed above, suits us well in the Detect and Investigate stages. Human Ingenuity, however, wins when it comes to Response, the Big R. Here’s what I mean: in the Detect stage there is a path of research, development, deployment, tuning, and affirmation. What is all too common among MDR providers is the exclusive use of platform response (little r), where that same sequence of research, development, deployment, tuning, and affirmation occurs again and again in attempts to automate response.

This is why we must put our attention on Response as the primary element of Modern MDR, applying Human Ingenuity to scope-of-compromise evaluation when conducting threat response. By this approach we gain the benefit of three separate but interconnected human characteristics:

  1. Questioning assumptions – The ability to step back and recursively re-evaluate, particularly for motive, sits squarely in the realm of Human Ingenuity. We are challenging convention (the domain of AI) and seeking alternatives to what is in front of us.
  2. Scope of Compromise Evaluation – This is both a Depth and a Breadth exercise, conducted recursively and simultaneously, and well suited to Human Ingenuity: Root Cause Analysis of the attack (Depth) and Environmental Spread of the attack (Breadth).
  3. Consequences of Determination – Formulating the outcomes of the chosen path, particularly over the long term, is well suited to Human Ingenuity. This includes balancing urgency against other responsibilities to the business, such as the ethics of the choices made.
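To make the Depth and Breadth walk of item 2 concrete, here is the mechanical part of that evaluation written down as an analyst's scoping aid. This is an added illustration for this page, not CyberMaxx code or any tool the series describes. The Proc and Logon record types, the host names, the account names and the timestamps are all constructed for the example; real EDR and authentication telemetry will have different field names and far more noise.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One process-creation record (constructed schema for this example)."""
    host: str
    pid: int
    ppid: int
    image: str
    ts: int  # seconds; monotonic within the example


@dataclass(frozen=True)
class Logon:
    """One remote logon record: an account on src authenticated to dst."""
    src: str
    dst: str
    user: str
    ts: int


# Constructed sample telemetry: a macro-laden document on ws-07 spawns
# PowerShell, which later moves laterally over WMI. None of this is real data.
PROCS = [
    Proc("ws-07", 100, 1, "explorer.exe", 1000),
    Proc("ws-07", 600, 100, "teams.exe", 1020),          # benign sibling, not in the chain
    Proc("ws-07", 200, 100, "outlook.exe", 1010),
    Proc("ws-07", 300, 200, "winword.exe", 1100),
    Proc("ws-07", 400, 300, "powershell.exe", 1105),
    Proc("ws-07", 500, 400, "rundll32.exe", 1110),       # the alerted process
    Proc("srv-db1", 900, 1, "services.exe", 900),
    Proc("srv-db1", 910, 900, "wmiprvse.exe", 1210),     # remote WMI execution
    Proc("srv-db1", 920, 910, "cmd.exe", 1215),
]
LOGONS = [
    Logon("vpn-gw", "ws-07", "jdoe", 990),        # inbound to the victim: not spread
    Logon("ws-07", "srv-print", "jdoe", 950),     # predates the session root: excluded
    Logon("ws-07", "srv-db1", "jdoe", 1200),      # lateral movement
    Logon("srv-db1", "srv-file", "svc_backup", 1300),
    Logon("ws-12", "srv-file", "asmith", 1250),   # unrelated host, never in scope
    Logon("srv-file", "ws-07", "jdoe", 1400),     # loops back to a host already scoped
]


def root_cause_chain(procs, host, pid):
    """Depth: walk parent links from the alerted process back to the
    session root. Returns the chain oldest-first."""
    by_key = {(p.host, p.pid): p for p in procs}
    chain, seen = [], set()
    cur = by_key.get((host, pid))
    while cur is not None and (cur.host, cur.pid) not in seen:
        seen.add((cur.host, cur.pid))   # pid reuse can make the parent graph cyclic
        chain.append(cur)
        cur = by_key.get((cur.host, cur.ppid))
    return chain[::-1]


def lateral_spread(logons, seed_host, since_ts):
    """Breadth: breadth-first search over outbound logons. A host enters
    scope only if the logon that reached it left a host already in scope,
    and did so after that host was itself compromised."""
    by_src = defaultdict(list)
    for lg in logons:
        by_src[lg.src].append(lg)
    affected = {seed_host: since_ts}   # host -> time it came into scope
    queue = deque([seed_host])
    while queue:
        h = queue.popleft()
        for lg in by_src[h]:
            if lg.ts < affected[h] or lg.dst in affected:
                continue
            affected[lg.dst] = lg.ts
            queue.append(lg.dst)
    return affected


def first_activity(procs, affected):
    """For each host in scope, the first process seen at or after the time it
    was reached: the next starting point for a depth walk on that host."""
    out = {}
    for host, t in affected.items():
        cands = sorted((p for p in procs if p.host == host and p.ts >= t),
                       key=lambda p: p.ts)
        out[host] = cands[0].image if cands else None
    return out


def scope_of_compromise(procs, logons, host, pid):
    """Depth first (root cause on the alerted host), then breadth (spread),
    then depth again on every host the breadth walk reached."""
    chain = root_cause_chain(procs, host, pid)
    t0 = chain[0].ts if chain else 0
    affected = lateral_spread(logons, host, t0)
    return {
        "root_cause": [p.image for p in chain],
        "compromise_ts": t0,
        "affected_hosts": affected,
        "first_activity": first_activity(procs, affected),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scope_of_compromise(PROCS, LOGONS, "ws-07", 500), indent=2))
```

Run against the constructed records, the walk reports the chain explorer.exe, outlook.exe, winword.exe, powershell.exe, rundll32.exe on ws-07, then srv-db1 and srv-file as the spread, with wmiprvse.exe as the first thing to look at on srv-db1. That is where item 1 takes over: the code treats the explorer.exe session at time 1000 as the root, but the vpn-gw logon at 990 is visible in the same data, and an analyst questioning the assumption would ask whether the session itself, not the document, is the initial access and push the time bound earlier. The per-host timestamps and the seen-set exist because real telemetry has clock skew and pid reuse; without them the breadth walk either misses spread or sweeps in unrelated hosts.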

One of the best examples of Big R, and of the application of Human Ingenuity, is the decision to contain a threat actor to non-critical business systems and observe, evaluating and learning novel techniques over a period of time. Doing so safely presumes the containment boundary is real (network segmentation and credential scope, not merely a watch list) and that the team has agreed in advance on the point at which observation ends and eviction begins. Compare this with the AI-driven little-r technique of instant isolation and containment, which requires continual repeats of the incident before a behavioral algorithm can be established. I’ll take the former, contain and evaluate with human observation, over the latter, multiple attacks eventually correlated through machine learning.

Final Words

In Part I of this multi-part series, we introduced the application of AI in aid of Cyber Defense. With this we set the stage for evaluating AI along an Intelligence Amplification continuum: a structure for prescriptive use, with clear expectations for results, as a complement to human ingenuity.

With Part II we presented the importance of Context, Content, and Correlation, moving past the legacy Black Box of MSSPs and pseudo-MDR providers, where superficial speed-to-detect is the standard. Instead, we champion Modern MDR built on a Contextual understanding of the attack, federated Content (beyond what is ingested as client security-control telemetry), and Correlation of all telemetry with federated threat intelligence as blended Content, as the surest means of Cyber Defense.

Take-Away: Establish a Modern MDR Strategy in which Offense Fuels Defense, utilizing Federated Threat Intelligence and content supplemental to the telemetry provided by your security controls. This approach fulfills the 3 C’s of Context, Content, and Correlation.

For Part III we came to appreciate that conventional MSSP analysis, typical of pseudo-MDR providers, creates conformity bias, whether through groupthink or through LLMs trained on the history of MSSP incident handling. The result is that convention can constrain those searching for a Modern MDR solution, one which emphasizes Response as primary.

Take-Away: Many of today’s MDR providers operate by convention, in an echo chamber, with AI adding a Confirmation Bias to the pre-established Conformity Bias of the LLM. Apply Critical Thinking, avoiding the pitfalls of bias during incident investigation.

Here in Part IV we emphasize the role of Human Ingenuity in conjunction with Artificial Intelligence, drawing on the complementary strengths of both while reducing the limitations of each.

Take-Away: Human Ingenuity wins when it comes to Response (Big R), the new standard for Modern MDR operations. Shifting from the Detect Black Box of legacy MSSPs to the response (little-r) Black Box of platform-tuned isolation and containment forgoes Human Oversight and requires duplicated research, development, deployment, tuning, and affirmation. Skill up, and seek out those who apply Human Ingenuity to threat research, response, and hunting.

CyberMaxx’s Position on the Use of Artificial Intelligence

Lastly, we conclude our series as we began, by stating CyberMaxx’s position on the use of Artificial Intelligence: it begins with consideration of AI’s benefits in protecting our clients’ estates and ends when AI is no longer capable of serving that purpose. Said differently, CyberMaxx is not pursuing AI as a technology for pure novelty. It must serve the common purpose of shielding our clients from cyber threats, to which we are jointly committed. With this, we share the CyberMaxx statement on the application of AI.

CyberMaxx will apply Artificial Intelligence for Cyber Defense for the exclusive purpose of fulfilling our mission of protecting clients’ business assets and guarding against those committed to wide-scale societal disruption through cyberattacks.

Works Cited

U.S. Marine Corps, “Warfighting, MCDP1”, 1989, https://www.marines.mil/Portals/1/Publications/MCDP%201%20Warfighting.pdf