IBM Security has expanded the capabilities of the QRadar Advisor with Watson with attack techniques gleaned from the MITRE framework.
On Wednesday, Big Blue said the artificial intelligence (AI)-based security platform has been bolstered with a repository of cybercriminal techniques and cases, which will "allow it to learn from security response activities within an organization."
In addition, the AI platform will now be referencing the open-source MITRE ATT&CK knowledge base, which contains records of real-world attack scenarios, techniques, and exploits used to compromise enterprise security.
Within the repository, you can find everything from attack vectors based on HTTP to the Dynamic Data Exchange, movement, areas of compromise, the consequences of infection, and what defenders can expect in the future.
The latest release of the platform has been given what IBM calls "learning loops," in which new analytic models and algorithms will permit QRadar Advisor to identify more attack patterns -- whether they are quick hits or progressive infiltration -- and adapt this knowledge to local environments.
In addition, a flag system based upon this data gives users a confidence rating in how security incidents correlate with historical data.
"Standards like MITRE ATT&CK, which take advantage of the collective knowledge of the security community, are crucial to advancing the industry and helping security teams stay ahead of increasingly sophisticated threats," said Chris Meenan, Director of Security Intelligence Offering Management and Strategy at IBM Security. "Combining the ATT&CK framework of known adversary tactics with Watson for Cyber Security's ability to stay current on the latest security research, QRadar Advisor can help arm analysts of all levels with the knowledge needed to better respond to the threats they're facing."
QRadar Advisor with Watson draws upon the MITRE ATT&CK project with the aim of going further. While the former provides a step-by-step guide in how attacks may progress, IBM's solution aims to take this objective information and transform it into actionable data by applying it to corporate networks.
For example, knowledge and examples of a drive-by compromise listed on MITRE which could lead to network compromise and data theft could be combined with QRadar Advisor with Watson's AI capabilities to track down where the malware is, what information it may have stolen, and additional, contextual factors which may bolster response times for IT staff.
"By helping analysts visualize how an attack has evolved, this capability allows analysts to understand immediately where an incident stands in a threat lifecycle and what it might do next, which can significantly improve response times and effectiveness," IBM says. "These additional insights from QRadar Advisor can augment the skills of analysts and help them connect the dots to see the full scope of an attack in a way that a higher-level analyst or threat hunter could do."