Ruslan Rakhmetov, Security Vision
In this article we will look at the use of large language models (LLM, Large Language Model) and their "brothers" from the world of artificial intelligence (AI, Artificial Intelligence) in solving cybersecurity problems, a topic we began covering last time. First, we'll give examples of how to use such tools, and then we'll dive into LLM agents and chatbots in more detail.
Unlike other big data analytics methods (vector analysis, supervised machine learning, decision trees, etc.), the model can understand informal descriptions and even irony. This is especially useful for analyzing insider activity and open-source threat data whose text can be copied in, and it generally lowers the entry threshold for new SOC employees. The faster an employee gets started with data analysis, the higher the overall response speed.
An LLM can be "trained" for a specific infrastructure, security policy and/or knowledge base. For example, you can load your own logs, alerts and policies into it, use them in chains with MISP, MITRE ATT&CK and Sigma rules, and even adapt the model to fit your company's terminology.
After analyzing how these models work and applying many variations in our own products, we have identified 5 key aspects:
· Natural language
· Contextual interpretation
· Process automation
· Training on internal data
· Multimodality
Experts can formulate queries in plain language (example: "Show all incidents with a possible leak in the last week"), and the LLM will understand and process the query, help analyze raw logs and highlight key events, speed up TTP search, tag incidents and generate reports. Modern models process text, images and even network diagrams, and can analyze entire sites and search for data on the network, which provides multimodality and convenience.
Today, various language models are increasingly used, both cloud and local. Examples include Gemini (Google), Copilot (Microsoft), ChatGPT (OpenAI), Claude 3 (Anthropic), LLaMA, Mistral, Falcon and specialized models built into information security solutions. Of course, from the point of view of cybersecurity and proximity to sensitive data, companies prefer to use locally deployed models (for example, the last 3 in the list above) instead of those available online by subscription. The relevance of using local models was proven when some services were slowed down or limited in various territories.
At their core, LLM agents are systems that, unlike standard chatbots, have additional components that give them the ability to act autonomously. The key difference is the presence of a goal and the ability to independently plan and perform steps to achieve it. We propose dividing these agents into groups, which we will discuss in more detail:
· Analytical agents collect, structure and interpret logs and "raw" events, and are responsible for processing and categorizing incidents, identifying anomalies and structuring information. Such agents work like a home accountant bot: you give it a list of all your expenses for the month, including receipts, bank statements and handwritten notes, and it classifies everything into categories (food, transport, entertainment), shows suspicious expenses and draws an expense chart. Only instead of financial flows, the data is about incidents.
· Training agents conduct phishing simulations, answer questions about security policies, and generally train employees. They generate training courses and phishing simulations, answer user requests, and work like tutors. Imagine preparing for a traffic rules exam, in which a training agent not only explains, but also offers to take a series of tests, finds your weak points, and gives advice. A training agent can also be imagined as a bot that helps with cooking. You ask it: "Teach me how to cook lasagne. I have an oven and a microwave," and it suggests practicing on pasta with béchamel sauce first, because it is easier and similar in technique.
· SOC assistants assist operational teams, explain incidents, suggest response steps and response prompts, generate dynamic playbooks, and automate ticketing and reporting. Imagine a home dispatcher bot that you can ask questions about housekeeping and get useful advice. You say to it: "Our light bulb burned out and the shower is broken." The bot asks clarifying questions, suggests a course of action, tells you who at home knows how to fix it, or calls a repairman, for example: "First turn off the electricity, then take out the lamp. If you want, I can order a new one with delivery."
· DevSecOps assistants analyze IaC configurations for security holes and explain the risks associated with code changes. You can ask such an agent, for example, "Check this Kubernetes manifest for insecure configurations", which speeds up the company's CI/CD process.
· Threat Intel Agents will analyze and structure data from threat reports (e.g. Mandiant, Kaspersky, CISA), extract indicators of compromise (IoC) from bulletin texts and can combine data from different sources (RSS, darknet forums, X, Pastebin, etc.).
· Red/Blue Team agents, on the one hand, model attacks, simulate hacks and create phishing emails, and on the other hand, help identify false alarms, suggest defense steps and explain incidents in understandable language. Such LLMs are responsible for creating phishing emails and realistic attack commands, simulating attack scenarios that take MITRE ATT&CK into account, detecting false positives and expanding incident context by analyzing external sources.
Different types of agents are already in use in Security Vision solutions, in particular in the SOAR module:
· Calculate a false positive score: the model is trained on closed incident data. When a new incident is received, the system evaluates how similar it is to previously closed false positive cases and outputs the result as a percentage match.
· Search for similar incidents: the model analyzes the context of the incident, searches for and displays similar cases. This allows the analyst to see similar incidents that are also currently being processed, as well as to see how similar situations were handled in the past.
· Offer recommendations based on the history of actions: the model tells the analyst what actions were performed at different phases during the investigation of similar incidents in the past. Thus, a new SOC employee will get up to speed faster, even without ready-made instructions, thanks to access to accumulated data on how incidents are handled.
· Supplement knowledge base recommendations: in addition to documentation, the analyst can receive a recommendation in the chat about what actions should be taken for a specific incident at a specific response phase. A model trained on best practices for responding to cyber incidents will give a short answer taking into account the entire context of the incident.
· Help with searching through documentation: you can now ask the model a question about the product and get an answer in the chat.
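The false positive scoring and similar-incident search described in the list above can be sketched as follows. This is an added example, not Security Vision's implementation: a bag-of-words cosine similarity stands in for the trained model, and the incident records, field names and function names are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample data: closed incidents with analyst verdicts (not real cases).
CLOSED = [
    {"id": "INC-101", "verdict": "false_positive",
     "text": "Nightly backup job on srv-backup triggered mass file read alert"},
    {"id": "INC-102", "verdict": "false_positive",
     "text": "Vulnerability scanner triggered port scan alert from scanner subnet"},
    {"id": "INC-103", "verdict": "true_positive",
     "text": "Powershell encoded command spawned by office document on workstation"},
]

def tokens(text):
    """Lower-case word counts; a stand-in for the model's learned representation."""
    return Counter(re.findall(r"[a-z0-9-]+", text.lower()))

def cosine(a, b):
    """Cosine similarity of two word-count vectors, 0.0 when either is empty."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = (math.sqrt(sum(v * v for v in a.values()))
            * math.sqrt(sum(v * v for v in b.values())))
    return dot / norm if norm else 0.0

def similar_incidents(new_text, closed=CLOSED, top=3):
    """Closed incidents ranked by similarity: (percent, id, verdict)."""
    q = tokens(new_text)
    scored = [(cosine(q, tokens(c["text"])), c) for c in closed]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [(round(s * 100), c["id"], c["verdict"]) for s, c in scored[:top]]

def false_positive_score(new_text, closed=CLOSED):
    """Percentage match against the closest closed false positive case."""
    q = tokens(new_text)
    fp = [cosine(q, tokens(c["text"]))
          for c in closed if c["verdict"] == "false_positive"]
    return round(max(fp, default=0.0) * 100)
```

A high score is a hint for the analyst to check the matched case, not a reason to close the new incident automatically.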
Thus, LLMs become part of automated action chains, including generating an incident description, justifying the selected response steps, preparing reports for different roles, from technical to CISO. Now, together with classic templates in SOAR, the system generates a detailed report, which explains what happened, why it is important and what actions were taken - in "human" language.
Use this set of tips to understand where LLMs will produce better results than the machine learning models we've looked at so far. Choose an LLM if:
· you need an explanation of the incident or a report;
· interaction with the operator in natural language is required;
· you are conducting phishing simulations or looking for help with training.
ML will show better results if:
· it is necessary to identify an anomaly in a large flow of events;
· it is necessary to classify events according to known characteristics.
The best practice is to combine the technologies, as is done in the modules of the platform. For example, the ML model can detect an anomaly when an IP address behaves atypically, and the LLM will explain the details to the analyst, for example, that this address belongs to an employee from the marketing department, but the connection occurred from Vietnam at 2 a.m., which means this is a possible incident.
In addition to the current overview, we have prepared a clear comparison with a focus on information security in the form of a table with various application aspects. You can download it below or from our resources dedicated to the SOAR and UEBA modules.
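The division of labour in that example can be sketched as a two-stage pipeline. This is an added example, not code from the platform: a simple statistical check stands in for the ML model, no LLM is actually called, and the addresses, inventory fields and function names are constructed assumptions.

```python
import statistics

# Constructed sample data: login history and asset inventory (not real records).
BASELINE = [{"ip": "10.0.5.23", "hour": h, "country": "DE"}
            for h in (9, 10, 9, 11, 10, 12, 9, 10)]
INVENTORY = {"10.0.5.23": {"owner": "j.doe", "department": "Marketing"}}

def detect(event, baseline, z_limit=3.0):
    """Stand-in for the ML stage: flag an unusual login hour or unseen country.
    The hour check is linear, so it ignores wrap-around at midnight."""
    hours = [e["hour"] for e in baseline if e["ip"] == event["ip"]]
    countries = {e["country"] for e in baseline if e["ip"] == event["ip"]}
    reasons = []
    if len(hours) >= 2:
        mean, sd = statistics.mean(hours), statistics.pstdev(hours)
        z = abs(event["hour"] - mean) / sd if sd else 0.0
        if z > z_limit:
            reasons.append(f"login hour {event['hour']:02d}:00 is {z:.1f} "
                           f"sigma from the usual {mean:.0f}:00")
    if countries and event["country"] not in countries:
        reasons.append(f"country {event['country']} never seen before "
                       f"(usual: {', '.join(sorted(countries))})")
    return reasons

def build_llm_request(event, reasons, inventory):
    """Assemble the enriched context the LLM stage would be asked to explain."""
    asset = inventory.get(event["ip"],
                          {"owner": "unknown", "department": "unknown"})
    return "\n".join([
        "Explain this anomaly to a SOC analyst and say if it looks like an incident.",
        "Use only the facts below; say so if they are insufficient.",
        f"Address: {event['ip']} (owner {asset['owner']}, "
        f"department {asset['department']})",
        "Detector findings:",
        *[f"- {r}" for r in reasons],
    ])

def triage(event, baseline=BASELINE, inventory=INVENTORY):
    """Return the LLM request for anomalous events, None for normal ones."""
    reasons = detect(event, baseline)
    return build_llm_request(event, reasons, inventory) if reasons else None
```

Only events the detector flags reach the LLM stage, which keeps the language model out of the high-volume event stream and limits its input to facts the detector and inventory can back up.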
