Blog Post November 16, 2023

Unraveling Cyber Defense Model Secrets: Machine Learned Detections

By: Jeet Dutta, Director of Data Science 

Welcome to the Unraveling Cyber Defense Model Secrets series, where we shine a light on Adlumin’s Data Science team, explore the team’s latest detections, and learn how to navigate the cyberattack landscape. This blog examines how Adlumin Data Science implements automated surveillance against network intrusion and data exfiltration, empowering our incident response teams to track and eliminate threats in four different ways.

The key motivation for Artificial Intelligence in cybersecurity is to find “needle in haystack” anomalies from billions of data points that appear indistinguishable. These applications are usefully grouped under the term UEBA (User and Entity Behavior Analytics), involving mathematical baselining of users and devices on a network followed by machine-identification of suspicious deviations.

Let’s take a look at the innovations and threat alerts in the works. 

Lateral Movement

The Adlumin platform has long featured an AI detection for lateral movement based on deviance from the UEBA baseline of daily access for any account in the network. A separate AI algorithm, developed subsequently to boost fidelity in lateral movement alerts, identifies anomalous logons among Windows users by aggregating events that don’t belong in a machine-defined context for combinations of users, hosts, logon types, and access timestamps. Collectively, the two independently developed algorithms project a high-fidelity threat signal.

The latest round of updates to our lateral movement detection framework, soon to roll out, will include data filtering and real-time scoring. Applying domain knowledge to filter out logon events unlikely to originate from a threat actor will further boost fidelity. Scoring events as they are ingested into the platform, made possible by innovations in our cloud architecture, will go a long way toward improving the timeliness of the alert.
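The sketch below is an added example, not Adlumin's algorithm or code: a simple per-user frequency baseline standing in for the machine-learned one, showing how a logon is scored against the context of user, host, logon type, and time, with a filter applied before scoring. The accounts, hosts, 6-hour time slots, threshold, and the choice to filter service logons (type 5) are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample logons: (user, host, Windows logon type, hour of day).
HISTORY = (
    [("alice", "WS-ALICE", 2, h) for h in (8, 9, 9, 10, 13, 14, 16, 17)]
    + [("alice", "FILESRV", 3, h) for h in (9, 11, 15)]
    + [("bob", "WS-BOB", 2, h) for h in (7, 8, 9, 12)]
    + [("bob", "DC01", 10, h) for h in (10, 14)]
)
FILTERED_LOGON_TYPES = {5}  # assumption: service logons are filtered out before scoring

def features(host, logon_type, hour):
    return {"host": host, "type": logon_type, "slot": hour // 6}  # 6-hour time slots

class LogonBaseline:
    """Per-user frequency baseline over host, logon type and time slot."""
    def __init__(self, events=(), alpha=0.5):
        self.alpha = alpha  # additive smoothing: unseen values get a small non-zero probability
        self.counts = defaultdict(lambda: defaultdict(Counter))  # user -> feature -> value -> n
        self.totals = Counter()                                  # user -> events learned
        self.vocab = defaultdict(set)                            # feature -> values seen network-wide
        for event in events:
            self.learn(*event)

    def learn(self, user, host, logon_type, hour):
        if logon_type in FILTERED_LOGON_TYPES:
            return
        for name, value in features(host, logon_type, hour).items():
            self.counts[user][name][value] += 1
            self.vocab[name].add(value)
        self.totals[user] += 1

    def score(self, user, host, logon_type, hour):
        """Surprise in bits: higher means further from this user's learned context."""
        if logon_type in FILTERED_LOGON_TYPES:
            return 0.0
        bits = 0.0
        for name, value in features(host, logon_type, hour).items():
            size = len(self.vocab[name] | {value})
            p = (self.counts[user][name][value] + self.alpha) / (self.totals[user] + self.alpha * size)
            bits -= math.log2(p)
        return bits

def flag_stream(baseline, events, threshold=8.0):
    """Score each event as it arrives; return those at or above the threshold."""
    return [e for e in events if baseline.score(*e) >= threshold]

BASELINE = LogonBaseline(HISTORY)
```

Here an RDP logon by alice to DC01 at 02:00 scores far above her usual workstation logon, while the same host and logon type are unremarkable for bob, whose baseline already contains them.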

Malicious Scheduled Task 

After compromising a privileged account, authenticated threat actors can abuse the Windows Task Scheduler to run malware. Adlumin Data Science will soon deploy a defense against this abuse by chaining a sequence of neural networks to isolate process execution anomalies and then applying checks for known indicators of compromise. These checks include verifying whether the hash of the binary called by the scheduler has a history of malware delivery.

Malicious Script Block

Adlumin provides automated detection of malicious PowerShell executions via an AI algorithm that matches each executed command in a customer network against a huge dataset of benign commands, performing string-matching calculations at scale. Script Block executions are excluded, however, because they are too large for string matching to be feasible. Adlumin Data Science is developing an anomalous Script Block detection capability using rule-based filtering and ensemble machine learning methods.

AI Code Analysis

The malicious PowerShell alert often requires intense and lengthy post-detection incident response from our security analysts, who go through the code in each flagged command. A breakthrough innovation we recently deployed leverages the power of ChatGPT to do the initial heavy lifting. Adlumin data scientists have prompt-engineered a new feature that obtains an explanation from GPT-4 (the most advanced GPT model) for any command initially flagged as anomalous by our proprietary AI model. The result, delivered to our customer portal, is a step-by-step explanation of the command code and an independent determination of whether it is malicious, benign, or questionable.

Experience The Innovations 

In an era where cybersecurity threats are continuously advancing, organizations need enhanced visibility to stay ahead of emerging threats. It is crucial for them to have modern solutions in place to detect and respond to security incidents efficiently, ultimately enhancing their security maturity.

At Adlumin, we understand the vital role of visibility in cybersecurity solutions and offer a tailored Security Operations Platform and MDR services to provide organizations with a 360-degree view of their IT landscape. But we don’t stop there. We believe in the power of experience, so we invite you to take a platform tour, giving you firsthand access to our solution’s benefits.

Discover how our platform empowers your team to effectively detect and respond to threats by scheduling a demo or signing up for a free trial today. Take the tour and elevate your organization’s visibility to new heights.