Artificial intelligence can be used in cybersecurity tools to cover all phases: prevention, detection, and response
Positive Technologies conducted a study on the key applications of artificial intelligence in cybersecurity [1]. According to the report, AI can be utilized in more than half of the cybersecurity countermeasures presented in the MITRE D3FEND [2] matrix. As many as 28% of countermeasures already use AI assistance, and another 27% will soon be covered by AI-enabled solutions currently in development.
With the help of artificial intelligence, defenders can proactively identify, predict, and prevent relevant cyberthreats. For example, AI helps protect against potential data breaches by recognizing sensitive information in documents and flexibly adjusting their content to the task at hand and the user's clearance level. Additionally, AI technologies can be used for automated security testing: for instance, in PT Dephaze, generative AI helps generate the most likely passwords for a specific target, analyze text files, and create a final report.
Today, artificial intelligence is most actively used in cyberthreat detection, for example, to analyze user behavior, network traffic, and data on executable files. Experts believe that in the future, AI will help gather network intelligence, as well as detect and track software tools and services that might be unknown to the IT department and cybersecurity team. Currently, organizations can keep their IT infrastructure data up to date with vulnerability management solutions (such as MaxPatrol VM). It is expected that AI will be able to more realistically simulate user and system behavior, generate honeypots, and enable continuous biometric authentication.
A major advantage of AI-enabled cybersecurity tools is their ability to detect previously unknown threats. For instance, the behavioral analysis tool in PT Sandbox and the ML assistant called BAD (Behavioral Anomaly Detection) in MaxPatrol SIEM have repeatedly demonstrated this capability. By analyzing the emergence of anomalies and potentially dangerous behavioral patterns, the ML model helps identify zero-day vulnerability exploits and activity of unknown malware.
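The paragraph above describes behavioral anomaly detection only at the level of outcomes. The following is an added illustration, not code from Positive Technologies or from the BAD assistant, of the basic idea: learn a per-account baseline from a window of normal authentication events, then score new events by how far they deviate from it. The log format, the account names, the addresses and the weights are all constructed for this example.

```python
"""Toy behavioral-anomaly detector over authentication log lines.

Added example, not Positive Technologies code. Every log line below is
constructed; the line format and the scoring weights are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# One authentication event per line (constructed format for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed "normal" week used to learn per-account profiles.
BASELINE_LOG = """\
2024-03-04T08:55:10 user=alice src=10.0.1.5 result=ok
2024-03-04T09:12:42 user=bob src=10.0.2.17 result=ok
2024-03-05T09:03:01 user=alice src=10.0.1.5 result=ok
2024-03-05T10:41:19 user=bob src=10.0.2.17 result=ok
2024-03-06T08:47:33 user=alice src=10.0.1.9 result=ok
2024-03-06T09:30:05 user=bob src=10.0.2.17 result=fail
2024-03-06T09:30:40 user=bob src=10.0.2.17 result=ok
2024-03-07T09:15:27 user=alice src=10.0.1.5 result=ok
""".splitlines()

# Constructed day to score against those profiles.
NEW_LOG = """\
2024-03-11T09:01:14 user=alice src=10.0.1.5 result=ok
2024-03-11T03:12:50 user=alice src=198.51.100.23 result=ok
2024-03-11T09:40:02 user=bob src=10.0.2.17 result=ok
2024-03-11T22:05:11 user=bob src=10.0.2.17 result=fail
2024-03-11T22:05:19 user=bob src=10.0.2.17 result=fail
2024-03-11T22:05:26 user=bob src=10.0.2.17 result=fail
2024-03-11T22:05:33 user=bob src=10.0.2.17 result=ok
2024-03-11T11:20:00 user=mallory src=10.0.3.44 result=ok
""".splitlines()

# Assumed weights: how much each deviation contributes to the anomaly score.
WEIGHTS = {"unknown-user": 3, "new-source": 2, "off-hours": 1,
           "failures-then-success": 2}
THRESHOLD = 2  # events scoring at or above this are flagged for review


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "src": m["src"], "result": m["result"]}


def build_profiles(lines):
    """Learn, per account, the login hours and source addresses seen on success."""
    profiles = defaultdict(lambda: {"hours": set(), "srcs": set()})
    for ev in filter(None, map(parse, lines)):
        if ev["result"] != "ok":
            continue  # failed attempts do not define "normal" for the account
        profiles[ev["user"]]["hours"].add(ev["ts"].hour)
        profiles[ev["user"]]["srcs"].add(ev["src"])
    return dict(profiles)


def usual_hour(hour, hours):
    """Tolerate one hour either side of any hour seen in the baseline."""
    return any(abs(hour - h) <= 1 for h in hours)


def score_event(ev, profile, recent_failures):
    """Score one successful login; returns (score, list of reasons)."""
    reasons = []
    if profile is None:
        reasons.append("unknown-user")
    else:
        if ev["src"] not in profile["srcs"]:
            reasons.append("new-source")
        if not usual_hour(ev["ts"].hour, profile["hours"]):
            reasons.append("off-hours")
    if recent_failures >= 3:
        reasons.append("failures-then-success")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(lines, profiles, threshold=THRESHOLD):
    """Return [(line, score, reasons)] for events that deviate from baseline."""
    failures = defaultdict(int)  # consecutive failures per account
    flagged = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["result"] == "fail":
            failures[ev["user"]] += 1
            continue
        score, reasons = score_event(ev, profiles.get(ev["user"]),
                                     failures[ev["user"]])
        failures[ev["user"]] = 0  # a success ends the failure streak
        if score >= threshold:
            flagged.append((line, score, reasons))
    return flagged


if __name__ == "__main__":
    for line, score, reasons in detect(NEW_LOG, build_profiles(BASELINE_LOG)):
        print(f"score={score} reasons={','.join(reasons)} :: {line}")
```

Run as a script it prints three flagged events: a login from an address and hour never seen for that account, a success that follows a run of failures outside the account's usual hours, and an account with no baseline at all. The point of the toy is the structure, not the weights: a baseline learned from observed behavior, a score for deviation from it, and a threshold that trades alert volume against coverage, which is what lets such a detector fire on activity no signature describes.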
"One of the goals of embedding AI in cybersecurity solutions is to create an autopilot that would speed up incident response while also significantly reducing the burden on cybersecurity personnel. This is particularly important given the talent shortage and the increasing number of cyberattacks using artificial intelligence. The effectiveness of this concept was proven by our metaproduct MaxPatrol O2 during the Standoff 13 cyberbattle: the autopilot detected and prevented attacks, stopping red teams from breaching a replica of Positive Technologies' IT infrastructure," says Roman Reznikov, Cybersecurity Research Analyst at Positive Technologies.
Moreover, AI significantly accelerates incident-related decision making by providing additional context to SOC teams: explaining security system alerts and offering advice. It also helps automatically create a response scenario to quickly thwart an attack, providing multiple options with varying degrees of human involvement. This approach is used in MaxPatrol O2, a metaproduct developed by Positive Technologies.
However, the use of artificial intelligence in cybersecurity faces several challenges: it requires high-quality training data and the expertise of top-notch professionals. On the one hand, novel AI modules help defend against cybercriminals; on the other, they are themselves a potential target for attackers. We recommend taking a responsible approach to the development and implementation of new technologies, carefully considering the risks, and following the general recommendations for personal and corporate cybersecurity.
[1] The goal of the study is to understand how the existing cybersecurity tools use AI technology in general, and machine learning in particular. To accomplish this, Positive Technologies analyzed the MITRE D3FEND matrix and created a heat map highlighting the defense tactics and techniques that use AI now or may use AI in the future.
[2] MITRE D3FEND is a knowledge base developed to systematize cybersecurity countermeasures. It is maintained by the MITRE Corporation.