AI-powered threat intelligence: How LLMs can predict and prevent cyberattacks
Both SLMs and LLMs hold distinct yet complementary roles in cybersecurity. They contribute to analysis, search, and detection over time, addressing lateral movements.
Imagine your organisation's cybersecurity framework as a sprawling castle with myriad entrances and secret passageways. The challenge is not just in fortifying the castle walls but in understanding every nook and cranny that an adversary might exploit.
As cyberthreats become more sophisticated and attack surfaces expand, traditional threat detection and management methods are coming up short. This is where AI-powered continuous attack surface management comes into play, with Small and Large Language Models (SLMs and LLMs) contributing to predicting, detecting, and preventing cyberattacks.
Understanding your attack surface and threat exposure is the starting point. Essentially, this means analysing the various assets an organisation possesses. These range from external- and internal-facing assets to human and identity components, as well as applications and third-party or supply chain software. Each of these elements contributes to what we call continuous attack surface management. In this landscape, AI-based threat detection and management have become invaluable tools.
Breaking down the AI challenge, it can be viewed in four distinct areas. The first area involves AI for pure threat detection. Here, a preference for smaller, more specific language models is evident. These models are particularly effective for real-time threat detection and are tailored to specific attack surfaces. In contrast, large language models lend themselves better to threat prediction and analytics, especially when dealing with extensive datasets or executing time series analysis.
Dividing small language models further, one can categorise them by asset type and exposure elements such as internal or external factors, and human interactions. Effective threat models often target network threat detections, capturing both internal and external attack surfaces. This includes lateral movements as part of network threats or web attacks. Network threat detection and response (NTDR) and web attacks are areas where two distinct models apply. Web attacks encompass brute force attempts, phishing, data infiltration and exfiltration, and lateral movements. Here, small language models offer precise solutions.

When considering the identity and user elements of the attack surface, models focused on identity threat detection and response (ITDR) use cases come into play. These may cover scenarios involving multi-geographical logins, privileged access, and user discrepancies such as logging in from unusual locations, times, or devices. Misconfigurations leading to user access challenges, including privileged access management, are also areas these small language models can address effectively.
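The network and identity detections described in the two paragraphs above (brute-force attempts, and logins from an unusual location, time or device) reduce to rules over authentication events once the baseline of "normal" is known. The following rule-based detector is an added example for this article, not code from the author or from Sequretek; the log events, the per-user baselines, the five-failures-in-five-minutes threshold, the working-hours window and the two-hour travel threshold are all constructed assumptions. A trained model would replace the hard-coded baseline and thresholds, but the signals it would have to surface are the same.

```python
"""Rule-based ITDR/NTDR detector over constructed authentication events.
Added example for illustration; not the article author's or Sequretek's code."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events:
# (timestamp, user, source_ip, country, device, result)
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "alice", "10.0.0.5", "GB", "laptop-a1", "success"),
    ("2024-05-01T08:05:00", "bob", "10.0.0.7", "GB", "laptop-b1", "success"),
    ("2024-05-01T09:00:00", "alice", "203.0.113.9", "BR", "unknown-android", "success"),
    ("2024-05-01T09:10:00", "carol", "198.51.100.4", "GB", "laptop-c1", "failure"),
    ("2024-05-01T09:10:20", "carol", "198.51.100.4", "GB", "laptop-c1", "failure"),
    ("2024-05-01T09:10:40", "carol", "198.51.100.4", "GB", "laptop-c1", "failure"),
    ("2024-05-01T09:11:00", "carol", "198.51.100.4", "GB", "laptop-c1", "failure"),
    ("2024-05-01T09:11:20", "carol", "198.51.100.4", "GB", "laptop-c1", "failure"),
    ("2024-05-01T09:11:40", "carol", "198.51.100.4", "GB", "laptop-c1", "success"),
]

# Constructed baseline of each user's normal countries and devices.
# In practice this is learned from login history, not hard-coded.
BASELINE = {
    "alice": {"countries": {"GB"}, "devices": {"laptop-a1"}},
    "bob": {"countries": {"GB"}, "devices": {"laptop-b1"}},
    "carol": {"countries": {"GB"}, "devices": {"laptop-c1"}},
}

WORK_HOURS = range(8, 19)          # assumed 08:00-18:59 local time
TRAVEL_WINDOW = timedelta(hours=2)  # assumed minimum plausible time between countries


def parse(events):
    """Turn the raw tuples into (datetime, user, ip, country, device, result), oldest first."""
    return sorted((datetime.fromisoformat(ts), u, ip, c, d, r) for ts, u, ip, c, d, r in events)


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP that reaches `threshold` failures inside `window`, and flag
    a success from that IP while the failure burst is still inside the window."""
    recent = defaultdict(list)  # source_ip -> timestamps of failures within the window
    alerts = []
    for ts, user, ip, _, _, result in parse(events):
        recent[ip] = [t for t in recent[ip] if ts - t <= window]  # expire old failures
        if result == "failure":
            recent[ip].append(ts)
            if len(recent[ip]) == threshold:  # fire once per burst, not on every extra failure
                alerts.append({"type": "brute_force", "source_ip": ip,
                               "user": user, "at": ts.isoformat()})
        elif recent[ip]:
            # A success right after a burst of failures is the higher-severity signal.
            alerts.append({"type": "success_after_failures", "source_ip": ip,
                           "user": user, "failures": len(recent[ip]), "at": ts.isoformat()})
    return alerts


def detect_unusual_logins(events, baseline):
    """Flag successful logins that deviate from the user's baseline country or device,
    fall outside working hours, or imply implausibly fast travel between countries."""
    last_success = {}  # user -> (timestamp, country) of the previous successful login
    alerts = []
    for ts, user, ip, country, device, result in parse(events):
        if result != "success":
            continue
        profile = baseline.get(user)
        if profile is None:
            alerts.append({"type": "unknown_user", "user": user, "source_ip": ip,
                           "at": ts.isoformat()})
            continue
        reasons = []
        if country not in profile["countries"]:
            reasons.append(f"country {country}")
        if device not in profile["devices"]:
            reasons.append(f"device {device}")
        if ts.hour not in WORK_HOURS:
            reasons.append(f"hour {ts.hour:02d}")
        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] < TRAVEL_WINDOW:
            minutes = int((ts - prev[0]).total_seconds() // 60)
            reasons.append(f"travel {prev[1]}->{country} in {minutes} min")
        last_success[user] = (ts, country)
        if reasons:
            alerts.append({"type": "unusual_login", "user": user, "source_ip": ip,
                           "reasons": reasons, "at": ts.isoformat()})
    return alerts


def run_all(events=SAMPLE_EVENTS, baseline=BASELINE):
    """Run both detectors and return the combined alert list, oldest first."""
    return sorted(detect_brute_force(events) + detect_unusual_logins(events, baseline),
                  key=lambda a: a["at"])


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Running the block on the constructed events yields three alerts: one unusual login for alice (new country, new device and a country change within an hour of her previous login), one brute-force alert for the source IP hammering carol's account, and one higher-severity alert when that same IP then succeeds. The last is the case an analyst most wants surfaced first, which is why it is reported separately from the burst of failures.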
The second area where AI models make a significant impact is in threat analytics. Large language models particularly excel in this domain. Within security cases, natural language processing is deployed across vast datasets residing in data lakes. This application facilitates the creation of threat-hunting models, threat prediction, and detailed search and analytics. Such usage can result in a comprehensive attack surface, asset management, or vulnerability management view for all assets. Thus, both small and large language models have vital roles in detection and analysis.
As we shift to response and remediation, a combination of Security Orchestration, Automation, and Response (SOAR) or machine learning (ML) often takes precedence over small language models. Automation in remediation and response is an expansive area where AI proves influential. Machine learning-based automation aids in developing playbook-centric responses, enhancing business continuity. While it's unclear how large language models fit into this role, small language models and ML demonstrate significant potential in automating response and remediation processes.
The third area is the role of large language models in ingesting data from various log sources. Traditionally, data ingestion is handled using parsers, specific connectors, or APIs. Large language models can change that entire picture and enable data ingestion from any and all sources, including operational technology (OT) and Internet of Things (IoT) devices.
In summary, both SLMs and LLMs hold distinct yet complementary roles in cybersecurity. Small language models have a pivotal role in specific, real-time threat detections. Both small and large language models contribute to analysis, search, and detection over time, addressing lateral movements. The automation of response and remediation also benefits from small language models using structured playbooks. Meanwhile, large language models are set to transform how we manage data ingestion, eliminating the need for parsing and API management.
While SLMs provide the precision needed for specific threat detection and prevention, LLMs deliver the breadth and depth needed for predictive analytics and seamless data integration. Together, they represent the future of cybersecurity, one where threats are not only detected but anticipated and mitigated before they occur.
(Anand Naik, CEO and Co-founder of Sequretek, a cybersecurity, cloud security products and services company.)
Edited by Kanishk Singh
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)