- Chapter Objectives
- Technical Aspects of AI in Threat Intelligence
- Case Study: Using CNNs for Malware Classification
- Case Study: Detecting and Analyzing Phishing Campaigns
- Leveraging AI to Automate STIX Document Creation for Threat Intelligence
- Case Study: Automating Threat Intelligence for a Financial Institution
- Autonomous AI Agents for Cyber Defense
- Case Study: Using MegaVul to Build an AI-Powered Vulnerability Detector
- AI Coding Agents
- Summary
- Multiple-Choice Questions
- Answers to Multiple-Choice Questions
- Exercises
This chapter is from the book
This chapter is from the book
This chapter is from the book
Case Study: Detecting and Analyzing Phishing Campaigns
A large financial institution experienced sophisticated phishing attacks targeting its employees and even its customers. The company needed to improve its threat detection capabilities while maintaining privacy and ethical guidelines. The security team recognized that traditional rule-based detection methods were becoming less effective against evolving threats and decided to implement an NLP-based solution.
The team began by building a comprehensive dataset for analysis. They collected and sanitized historical phishing emails, carefully removing all customer personally identifiable information (PII) to protect privacy. This effort was supplemented with public threat intelligence reports, security advisories, and carefully monitored discussions from public security forums. System logs and alerts were also incorporated to provide additional context and correlation data.
The core of the solution was a sophisticated NLP pipeline that could process and analyze various types of security data. The team used named entity recognition to automatically identify critical security artifacts such as malicious URLs, command and control server addresses, and malware signatures. The system applied sentiment analysis and intent classification to detect subtle social engineering patterns that might indicate manipulation attempts. By generating embeddings of threat data, the system could cluster similar attack patterns, while knowledge graphs mapped complex relationships between different threat indicators. Figure 4-2 shows this high-level process.
)
The team leveraged generative AI in several innovative ways. To address the challenge of limited training data, they used generative models to create synthetic training examples that preserved the characteristics of real attacks while avoiding privacy concerns, as illustrated in Figure 4-3.
)
This system could also generate detailed threat reports from raw intelligence data, significantly reducing the time analysts spend on documentation. It also automated the creation of initial incident response drafts and proposed potential mitigations based on observed threat patterns.
The implementation showed impressive results, with a 65 percent improvement in early detection of novel phishing campaigns and a 45 percent reduction in analysis time for security incidents. The system provided deeper insights into attacker tactics through comprehensive pattern analysis and enabled more consistent threat documentation. Several factors were important to this success: strict data handling controls and privacy protection measures, continuous human oversight of AI-generated analysis, regular model retraining to adapt to new threats, and seamless integration with existing security infrastructure.
You can now see that when properly implemented with appropriate controls and oversight, NLP and generative AI can significantly enhance threat intelligence capabilities while maintaining ethical standards and privacy protections.
Federated Learning
In the preceding case study, you saw an example of federated learning. This popular method trains AI models across decentralized data sources (for example, across multiple organizations or devices) without pooling sensitive data in one place. It uses an AI model to create synthetic data based on the original sensitive data, as you saw in the example illustrated in Figure 4-3.
One of the main goals of federated learning is preserving privacy. Federated learning allows you to train an AI model that benefits from a wide range of threat observations, improving accuracy against malware or attacks. For example, federated learning has been used to build robust malware classifiers by combining insights from many organizations’ encounters with new malware variants—all without exposing each organization’s raw data.
Reinforcement Learning (RL)
Reinforcement learning AI models learn optimal actions through feedback and rewards, making them useful for adaptive security. In a cybersecurity context, an RL-based system can dynamically adjust defenses or response policies by continuously learning from the success or failure of its actions. For instance, an RL AI agent integrated in a security information and event management (SIEM) platform could learn to prioritize critical alerts and trigger response playbooks automatically, refining its strategy to contain threats more effectively over time. This trial-and-error learning enables real-time adaptation to evolving attack tactics, as illustrated in Figure 4-4.
)
