One of the ways the blueteam can leverage AI and LLM’s is using them as a soundboard, mentor and breach coach.
AI then fits in place like a senior team member that is always available that can respond to narrow focused questions and guide analysts through how to acquire, analyse, and process the evidence.
In a common example of a cyber investigation, everything has to begin with the end in mind. Sounds a bit dramatic, but not all cases need the same level of rigour.
Using this as the end goal for the investigation, (caveat: all of this effort is more suited for a DFIR case) create a set of instructions via a thorough llm prompt.
To do this I recommend breaking them into 5–10 actionable steps. The level of detail is like following a recipe as well as processing the ingredients (if you want a cake then you’re grinding the wheat to make flour.)
This part will need a separate blog post on its own, but get started with these:
1. Define the final output (the end in mind)
Identify all instances of an attack during the time frame of x date to x date, explaining the activities that were performed.
2. Identify the inputs:
Web server logs, proxy logs,pcaps, firewall logs, Azure Sign-in logs,Azure Audit logs etc.
3.Break the tasks into subtasks for easier processing while also assigning a persona to the llm.
Eg: Important this [csv timeline, screenshot,log file]
Extract certain actions [initial access, data exfiltration]
Align to MITRE tactics
All of these activities should be prefaced by the persona. This ensures the correct frame of mind and knowledge is used by the llm.
4. Be clear and concise. Specify exactly what you are trying to achieve with this output. Use bullet points and phrases like: (ensure you include, do not use the words)
5. Add context as needed. “You’re investigating a suspected incident of data exfiltration.”
“You’ve already extracted the following evidence”
6. Explain in depth how the output should be formatted. Do you want columns, paragraphs, 1 or 2 sentence responses?
7. Review the results that are returned and add constraints as you need to. Sometimes the llm gets things right first try (especially if you are experienced in prompt engineering)
If not, be specific. Give it time frames and dates to adhere to. Think of it like filtering in excel.
Then, it’s just practice practice and research.