BigSnarf blog

Infosec FTW

Context aware threat hunting AI

3d travel and navigation planning, concept

Morning aware, location aware, application aware, pattern aware (high-dimension coincidence)

Basic items like checking user logins (ID and password) with context-aware ML will help SOC analysts.

Every morning 10,000 employees log in to their workstations. They enter the building and come into each office area each morning using their RFID badges. They sit down at specific desktops and log in. Laptop users will hit specific WiFi access points.

On Monday morning some forget their passwords or had a password change the week before. These users can get bucketed into risky behaviour because of the failures. Most will enter their routine of getting their coffee and come back to their workstations. Users will check their email and open their calendars. Users will check Slack. Mostly predictable behaviours.

All of these behaviors are easily logged and can be eliminated as threat vectors quite easily. Add video analysis and facial recognition, chat behaviour, and response analysis for both email and slack, and you can be pretty confident the right person is using the right resources.

I haven’t discussed IP addresses or ports. How about asking the user if you are really unsure? Slack message, confirmation from peers?
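The scoring sketched above (badge swipe, usual desktop or WiFi access point, usual hours, Monday/post-password-change failures, and a "just ask the user" step-up when the score is in the middle) as a worked example. This is added illustration, not code from the post or from BigSnarf; the dataclasses, the 45-minute badge window, the point values, the bucket thresholds and all the sample events are constructed assumptions.

```python
"""Context-aware login scoring: correlate a workstation login with the
user's badge swipe, usual host/WiFi AP, usual hours and recent failures.
All names, thresholds and events below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Baseline:
    """Per-user routine that would normally be learned from past weeks."""
    user: str
    usual_hosts: frozenset
    usual_aps: frozenset
    work_hours: tuple  # (start_hour, end_hour) in local time
    password_changed_recently: bool = False


@dataclass
class BadgeSwipe:
    user: str
    ts: datetime
    area: str


@dataclass
class Login:
    user: str
    ts: datetime
    host: str
    failures_before: int = 0       # failed attempts in the preceding hour
    wifi_ap: Optional[str] = None  # None for a wired desktop


BADGE_WINDOW = timedelta(minutes=45)  # assumed: badge swipe must precede login by <= 45 min


def score_login(login: Login, baseline: Baseline, swipes: list) -> dict:
    score, reasons = 0, []

    # 1. Physical presence: did this user badge into the building shortly before?
    recent = [s for s in swipes
              if s.user == login.user and timedelta(0) <= login.ts - s.ts <= BADGE_WINDOW]
    if not recent:
        score += 40
        reasons.append("no badge swipe within %d min of login" % (BADGE_WINDOW.seconds // 60))

    # 2. Usual workstation / access point.
    if login.host not in baseline.usual_hosts:
        score += 25
        reasons.append("unusual host %s" % login.host)
    if login.wifi_ap is not None and login.wifi_ap not in baseline.usual_aps:
        score += 20
        reasons.append("unusual WiFi AP %s" % login.wifi_ap)

    # 3. Usual time of day.
    start, end = baseline.work_hours
    if not (start <= login.ts.hour < end):
        score += 15
        reasons.append("outside usual hours")

    # 4. Failed attempts: Monday-morning or post-password-change failures are
    #    expected routine; the same failures without that context are not.
    if login.failures_before >= 3:
        explainable = baseline.password_changed_recently or login.ts.weekday() == 0
        score += 5 if explainable else 25
        reasons.append("%d failures before success (%s)" %
                       (login.failures_before, "expected" if explainable else "unexplained"))

    # Bucket the score; the middle bucket is where asking the user makes sense.
    if score < 20:
        bucket, action = "low", "allow"
    elif score < 50:
        bucket, action = "medium", "step-up: ask user / peer to confirm"
    else:
        bucket, action = "high", "escalate to SOC"
    return {"score": score, "bucket": bucket, "action": action, "reasons": reasons}


# Constructed sample data: Alice changed her password last week and badges
# into floor 4 on Monday 2024-03-04 at 08:41.
ALICE = Baseline("alice", frozenset({"ws-0412"}), frozenset({"ap-floor4-east"}), (7, 19),
                 password_changed_recently=True)
SWIPES = [BadgeSwipe("alice", datetime(2024, 3, 4, 8, 41), "floor-4")]


def demo():
    """Three constructed logins: routine Monday, moved desks, and an off-hours outlier."""
    normal = Login("alice", datetime(2024, 3, 4, 8, 55), "ws-0412", failures_before=3)
    moved = Login("alice", datetime(2024, 3, 4, 9, 5), "ws-0418")
    odd = Login("alice", datetime(2024, 3, 6, 22, 10), "ws-0907", failures_before=3)
    return (score_login(normal, ALICE, SWIPES),
            score_login(moved, ALICE, SWIPES),
            score_login(odd, ALICE, SWIPES))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point of the `reasons` list is that each score is explainable to the analyst: the routine Monday login with three failures after a password change lands in the low bucket, a login from a neighbouring desk with the badge swipe present lands in the middle bucket where a Slack confirmation is cheap, and a late-night login from an unfamiliar host with no badge swipe goes straight to the SOC.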
