This chapter is from the book

Case Study: Automating Threat Intelligence for a Financial Institution

A large financial institution faced an increasing volume of unstructured threat intelligence—from open-source reports to dark web chatter—that needed to be rapidly analyzed and acted upon. Its security operations center (SOC) was overwhelmed with raw data, leading to delays in detecting and mitigating threats.

The institution required an automated solution to

  • Ingest and normalize unstructured threat data

  • Generate STIX documents that capture key details (for example, IoCs, threat actor profiles, attack patterns)

  • Disseminate this structured intelligence in near real time to improve incident response

AI-Driven Solution Implementation

The institution deployed web scrapers and API integrations to collect unstructured threat intelligence data from reputable sources (security blogs, vendor reports, dark web feeds). The collected data was preprocessed with NLP techniques from recent AI models to remove noise and standardize language.

Entity Extraction with Transformer Models

A fine-tuned transformer-based model derived from the open-weight Llama series of models was used to analyze the text and extract relevant threat indicators such as IP addresses, file hashes, malware names, and descriptions of attack methods. The organization used the latest version of the Llama model available on Hugging Face (huggingface.co) and ran it on-premises using the Ollama software (ollama.com).

The model was fine-tuned using Unsloth on a cybersecurity corpus to understand the nuances of threat language.

Mapping to STIX Objects

The extracted entities were then mapped to corresponding STIX objects. For example:

  • Indicators: Representing IoCs such as malicious IP addresses and file hashes

  • Threat Actors: Detailing the groups or individuals behind an attack

  • Campaigns: Grouping related indicators under a common attack scenario

Predefined mapping rules and validation checks ensured that the generated STIX objects conformed to the latest STIX 2.1 standards.

STIX Bundle Generation and Dissemination via TAXII

The individual STIX objects were aggregated into a STIX bundle—a complete, self-contained JSON document that encapsulated the threat intelligence narrative. Automated validators checked the bundle for compliance with STIX/TAXII specifications.
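The mapping and bundling steps described above, as an added illustration (not the institution's code and not a STIX library): it takes a constructed set of extracted entities, builds STIX 2.1 Indicator, Threat Actor, Campaign and Relationship objects using only the Python standard library, wraps them in a bundle, and applies the kind of checks an automated validator would run (identifier format, spec_version, pattern syntax, dangling references). The sample IP, hash and names are constructed placeholders.

```python
import re, uuid
from datetime import datetime, timezone
# Constructed sample of what the extraction step might emit (documentation-range IP, SHA-256 of empty input; not real IoCs).
EXTRACTED = {
    "ips": ["198.51.100.23"],
    "sha256": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "threat_actor": "Example Group (constructed)",
    "campaign": "Example Campaign (constructed)",
}

def now() -> str:
    # STIX 2.1 timestamps are UTC with millisecond precision and a 'Z' suffix
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def sdo(stix_type: str, **props) -> dict:
    ts = now()  # common properties every STIX 2.1 object carries
    return {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def indicator(pattern: str, name: str) -> dict:
    return sdo("indicator", name=name, pattern=pattern, pattern_type="stix",
               valid_from=now(), indicator_types=["malicious-activity"])
def relationship(src: dict, rel: str, dst: dict) -> dict:
    return sdo("relationship", relationship_type=rel, source_ref=src["id"], target_ref=dst["id"])
def build_bundle(entities: dict) -> dict:
    """Map extracted entities onto STIX objects and wrap them in a bundle."""
    actor = sdo("threat-actor", name=entities["threat_actor"], threat_actor_types=["crime-syndicate"])
    campaign = sdo("campaign", name=entities["campaign"])
    inds = [indicator(f"[ipv4-addr:value = '{ip}']", f"Malicious IP {ip}") for ip in entities["ips"]]
    inds += [indicator(f"[file:hashes.'SHA-256' = '{h}']", "Malicious file") for h in entities["sha256"]]
    rels = [relationship(campaign, "attributed-to", actor)] + [relationship(i, "indicates", campaign) for i in inds]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [actor, campaign, *inds, *rels]}

ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
PATTERN_RE = re.compile(r"^\[[a-z0-9-]+:[A-Za-z0-9_.'\-]+ = '[^']+'\]$")  # single-comparison patterns only

def validate(bundle: dict) -> list:
    """Return the problems found; an empty list means the bundle passed the checks."""
    problems, ids = [], {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        if not ID_RE.match(o["id"]) or not o["id"].startswith(o["type"] + "--"):
            problems.append(f"bad id {o['id']}")
        if o.get("spec_version") != "2.1":
            problems.append(f"{o['id']} missing spec_version 2.1")
        if o["type"] == "indicator" and not PATTERN_RE.match(o.get("pattern", "")):
            problems.append(f"{o['id']} has malformed pattern")
        if o["type"] == "relationship":
            problems += [f"{o['id']} dangling {k}" for k in ("source_ref", "target_ref") if o[k] not in ids]
    return problems
```

A production pipeline would hand the bundle to a full STIX 2.1 validator (which also checks vocabularies, timestamps and the complete pattern grammar) before posting it to the TAXII collection; the checks here are the subset that catches the most common mapping errors.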

The final STIX bundle was then transmitted using a TAXII server, allowing the financial institution’s SOC to ingest the intelligence seamlessly. Integration with the SIEM and security orchestration, automation, and response (SOAR) platforms ensured that automated playbooks were triggered upon detection of relevant threat indicators. Figure 4-6 illustrates this process.

FIGURE 4.6 Threat Intelligence Creation, Validation, Transmission, and Integration

This case study demonstrates that by automating the creation, validation, and transmission of threat intelligence information, the company reduced manual threat data processing from hours to seconds. AI-based entity extraction minimized human error in data interpretation, and automated dissemination through TAXII allowed the SOC to receive up-to-date threat intelligence in near real time, enabling quicker incident response. The solution easily scaled to handle growing volumes of threat data without additional human resources.
