
Generative AI in action in incident response!

Let’s use generative AI in cybersecurity incident response operations!

In this article, we present an example of using generative AI in cybersecurity incident response (hereinafter "incident response operations"). Incident response operations require deriving response policies and procedures from a large amount of past data. This is a task to which generative AI, which is good at extracting information from large volumes of data and developing ideas from it, applies naturally.

The NIST Cybersecurity Framework (NIST CSF * 2) is divided into five functions: Identify, Protect, Detect, Respond, and Recover. In the Identify, Protect, and Detect functions, products and services such as SIEM and EDR are typically used, and much depends on the performance, design, and configuration of the products themselves; many of these products already have AI capabilities built in. In contrast, the Respond and Recover functions require human knowledge and resources to analyze the detected information and derive appropriate response and recovery procedures. For operations that rely this heavily on human response capability, generative AI can be expected to improve operational efficiency. We therefore applied generative AI to operations in the two functions of response and recovery.

  • (* 2) NIST: Cybersecurity Framework

Figure 1: Study on AI application in the cybersecurity framework (NIST CSF)

In the response and recovery phases, the detected incident information is analyzed and detailed procedures are drawn up, mainly using the following information.

Public information: publicly available information on the Internet (security vulnerability information, current threats, etc.)

Internal information: information held within the organization (business content, employee information, etc.), the incident response manual, records of past incident responses, etc.

Because of the enormous amount of data, processing this information manually is very time consuming. The actual time depends on the type of incident and the amount of internal information, but it can take several days even for a dedicated team member.

Figure 2: Typical business picture for incident response/recovery

That is why we had generative AI consume and learn from this information, to test whether it can produce an appropriate incident response and recovery.

Figure 3: Business picture of incident response/recovery using generative AI

We used SaaS such as ChatGPT and Copilot to collect public information. For internal information, which includes highly confidential data, we built a dedicated environment on Azure OpenAI / Vertex AI, both of which allow an organization to run its own deployment, so that the required information can be searched for and analyzed without leaving that environment. The split matters: anything sent to the public SaaS leaves the organization, so prompts built from internal data must only ever go to the dedicated environment. In this environment we ask the generative AI questions about incident response and test how much useful information can actually be obtained in the response and recovery phases.
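As an added illustration of the two-environment setup described above (this is example code written for this article, not the authors' implementation), the following Python shows the two mechanics the setup depends on: retrieving the relevant pieces of internal material (manual sections and past incident records) for a detected incident using a simple TF-IDF scoring, and a routing check that refuses to send anything containing internal context or internal identifiers to the public SaaS. The sample documents, the employee-ID and hostname formats, and the endpoint names are all constructed for the example; no model API is actually called.

```python
"""Added example (not the article authors' code): retrieve internal
incident-response material for a question and decide which model
endpoint the resulting prompt may be sent to.

All documents, identifier formats and endpoint names below are
constructed for illustration."""
import math
import re
from collections import Counter

# Constructed sample of internal material: manual sections and past incidents.
INTERNAL_DOCS = {
    "manual/ransomware": "Ransomware playbook: isolate the affected hosts from the network, "
                         "preserve volatile memory, notify the CSIRT lead, and do not power "
                         "off hosts before disk acquisition.",
    "manual/phishing": "Phishing playbook: reset credentials of affected users, block the "
                       "sender domain at the mail gateway, and search all mailboxes for the "
                       "same message.",
    "incident/2023-017": "Ransomware on file server fs-01 after employee E-1042 opened an "
                         "attachment; hosts isolated, data restored from offline backup after "
                         "two days.",
    "incident/2023-031": "Phishing campaign spoofing HR; 14 employees clicked the link, "
                         "credentials were reset and MFA was enforced.",
}

# Placeholder endpoint names (assumption): the organization's own deployment
# on Azure OpenAI / Vertex AI versus a public SaaS assistant.
PRIVATE_ENDPOINT = "private-deployment"
PUBLIC_ENDPOINT = "public-saas"

# Constructed conventions for identifiers that must never leave the organization:
# employee IDs like E-1042 and internal hostnames like fs-01.
SENSITIVE_PATTERNS = [
    re.compile(r"\bE-\d{4}\b"),
    re.compile(r"\b[a-z]{2,}-\d{2}\b"),
    re.compile(r"\bCONFIDENTIAL\b"),
]

TOKEN = re.compile(r"[a-z0-9-]+")


def tokenize(text):
    return TOKEN.findall(text.lower())


def retrieve(question, docs, k=2):
    """Rank docs by TF-IDF overlap with the question and return the top k names."""
    n = len(docs)
    df = Counter()
    for text in docs.values():
        df.update(set(tokenize(text)))
    q_terms = tokenize(question)
    scored = []
    for name, text in docs.items():
        tf = Counter(tokenize(text))
        score = sum(tf[t] * math.log((n + 1) / (df[t] + 1)) for t in q_terms if t in tf)
        if score > 0:
            scored.append((score, name))
    scored.sort(reverse=True)
    return [name for _, name in scored[:k]]


def is_internal(text):
    """True if the text carries internal identifiers by the constructed conventions."""
    return any(p.search(text) for p in SENSITIVE_PATTERNS)


def build_prompt(question, docs, k=2):
    """Assemble a grounded prompt from the retrieved internal material."""
    names = retrieve(question, docs, k)
    context = "\n".join(f"[{name}] {docs[name]}" for name in names)
    prompt = ("You are assisting a CSIRT analyst. Using only the context below, "
              "propose response and recovery steps.\n\n"
              f"Context:\n{context}\n\nQuestion: {question}")
    return prompt, names


def plan_request(question, docs, use_internal_context):
    """Decide endpoint and prompt.

    Any prompt built from internal documents goes to the private deployment.
    A question meant for the public SaaS is refused if it already contains
    internal identifiers, so the analyst cannot leak them by accident."""
    if use_internal_context:
        prompt, names = build_prompt(question, docs)
        return {"endpoint": PRIVATE_ENDPOINT, "prompt": prompt, "sources": names}
    if is_internal(question):
        raise ValueError("question contains internal identifiers; use the private endpoint")
    return {"endpoint": PUBLIC_ENDPOINT, "prompt": question, "sources": []}


if __name__ == "__main__":
    plan = plan_request("ransomware on a file server", INTERNAL_DOCS, True)
    print(plan["endpoint"], plan["sources"])
    print(plan_request("What are current mitigations for ransomware targeting file servers?",
                       INTERNAL_DOCS, False)["endpoint"])
```

The keyword scoring stands in for whatever retrieval the dedicated environment actually uses; the point is that the retrieval and the routing decision are separate steps, and the routing step is the one that enforces the public/internal split regardless of how good the retrieval is.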