Context aware threat hunting AI
November 19, 2017
Morning aware, location aware, application aware, pattern aware (high-dimensional coincidence)
Even basic checks, such as scoring ID-and-password logins with context-aware ML, will help SOC analysts.
Every morning 10,000 employees log in to their workstations. They enter the building and each office area using their RFID badges, sit down at specific desktops and log in. Laptop users associate with specific WiFi access points.
On Monday morning some have forgotten their passwords, or changed them the week before. Their failed attempts can land these users in a risky-behaviour bucket even though the cause is benign. Most will then follow their routine: get their coffee, come back to their workstations, check their email, open their calendars, check Slack. Mostly predictable behaviour.
All of these behaviours are easily logged, and users who match their own routine can be eliminated as threat vectors quite easily, provided the baseline was built from a period you trust. Add video analysis and facial recognition, chat behaviour, and response analysis for both email and Slack, and you can be fairly confident that the right person is using the right resources.
I haven’t discussed IP addresses or ports. How about asking the user when you are really unsure: a Slack message, or confirmation from peers?
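The correlation described above, written out as an added example (not code from the original post): badge-in, WiFi and login events for a Monday morning are scored per user, with a password change the week before discounting failed attempts, and the score decides whether to allow, ask the user to confirm, or escalate. The event format, field names, per-user profiles, weights and thresholds are all assumptions made for illustration, and the sample events are constructed, not real logs.

```python
"""Context-aware login risk scoring over constructed badge / WiFi / login events.

Added example, not from the original post. Event layout, profile fields,
weights and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for Monday 2017-11-20: (timestamp, source, user, key=value;...)
EVENTS = [
    ("2017-11-20 08:02:11", "badge", "alice", "door=lobby-east"),
    ("2017-11-20 08:09:40", "login", "alice", "ws=WS-1042;result=success"),
    ("2017-11-20 08:11:05", "badge", "bob", "door=lobby-east"),
    ("2017-11-20 08:15:22", "login", "bob", "ws=WS-2210;result=fail"),
    ("2017-11-20 08:15:40", "login", "bob", "ws=WS-2210;result=fail"),
    ("2017-11-20 08:16:02", "login", "bob", "ws=WS-2210;result=success"),
    # carol: no badge-in at all, and an unfamiliar desktop
    ("2017-11-20 08:20:00", "login", "carol", "ws=WS-0007;result=success"),
    ("2017-11-20 08:25:00", "wifi", "dave", "ap=AP-3F-NORTH"),
    ("2017-11-20 08:26:00", "login", "dave", "ws=LT-0088;result=success"),
]

# Assumed per-user baseline: usual workstation, usual access point (laptops only),
# and whether the password was changed in the last week (explains Monday failures).
PROFILE = {
    "alice": {"ws": "WS-1042", "ap": None, "pw_changed_last_week": False},
    "bob":   {"ws": "WS-2210", "ap": None, "pw_changed_last_week": True},
    "carol": {"ws": "WS-3301", "ap": None, "pw_changed_last_week": False},
    "dave":  {"ws": "LT-0088", "ap": "AP-3F-NORTH", "pw_changed_last_week": False},
}

BADGE_WINDOW = timedelta(minutes=30)  # assumed: badge-in should precede a desktop login


def parse_event(ts, src, user, detail):
    """Turn one constructed event tuple into a dict with a datetime and parsed fields."""
    fields = dict(kv.split("=", 1) for kv in detail.split(";"))
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src, "user": user, **fields}


def score_login(login, history, profile):
    """Score one successful login against the same user's earlier events that morning."""
    score, reasons = 0, []
    prof = profile.get(login["user"], {})
    desktop = login["ws"].startswith("WS-")  # assumed naming: WS- desktops, LT- laptops

    # 1. Physical presence: a desktop login should follow a badge-in within BADGE_WINDOW.
    badged = any(e["src"] == "badge" and login["ts"] - BADGE_WINDOW <= e["ts"] <= login["ts"]
                 for e in history)
    if desktop and not badged:
        score += 40
        reasons.append("desktop login with no badge-in")

    # 2. A laptop login should follow an association with the user's usual access point.
    if not desktop and not any(e["src"] == "wifi" and e.get("ap") == prof.get("ap") for e in history):
        score += 20
        reasons.append("laptop login without the usual WiFi access point")

    # 3. Unfamiliar workstation.
    if login["ws"] != prof.get("ws"):
        score += 30
        reasons.append(f"unfamiliar workstation {login['ws']}")

    # 4. Failed attempts just before success: cheap if the password changed last week.
    fails = sum(1 for e in history if e["src"] == "login" and e.get("result") == "fail")
    if fails:
        per_fail = 2 if prof.get("pw_changed_last_week") else 10
        score += per_fail * fails
        note = " (password changed last week)" if per_fail == 2 else ""
        reasons.append(f"{fails} failed attempt(s) before success{note}")
    return score, reasons


def score_all(raw_events, profile):
    """Replay events in time order; return {user: (score, reasons)} per successful login."""
    events = sorted((parse_event(*e) for e in raw_events), key=lambda e: e["ts"])
    history, results = defaultdict(list), {}
    for e in events:
        if e["src"] == "login" and e.get("result") == "success":
            results[e["user"]] = score_login(e, history[e["user"]], profile)
        history[e["user"]].append(e)
    return results


def triage(score):
    """Assumed thresholds: allow quietly, ask the user to confirm, or hand to the SOC."""
    if score < 20:
        return "allow"
    if score < 80:
        return "confirm_with_user"
    return "escalate"


if __name__ == "__main__":
    for user, (score, reasons) in score_all(EVENTS, PROFILE).items():
        print(f"{user:6} score={score:3} action={triage(score):17} {'; '.join(reasons)}")
```

Bob's two failures score 4 because his profile records a password change last week; the same two failures from a user without that context would score 20. Carol's login, with no badge-in and on a desk nobody expected, reaches 70 and falls into the "ask the user" tier rather than an automatic block, which is the cheapest next step when the model is unsure.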