DeepRootSec Logo

Threat Intelligence in the Age of Large Language Models

Learn how Large Language Models (LLMs) are changing cyberthreats & defenses. Explore how LLMs supercharge threat detection & pose new risks. Discover the future of threat intelligence in the LLM age.

Large language models (LLMs) are powerful tools that can create natural language texts on various topics and tasks, such as summarizing, translating, conversing, and more. LLMs are trained on huge amounts of text data, often collected from the web, and can use their learned skills to produce coherent and fluent texts. Some examples of LLMs are GPT-3, BERT, and T5.

However, LLMs also bring significant challenges and risks for the field of threat intelligence, which is the process of gathering, analyzing, and sharing information about current and emerging threats to an organization’s assets and interests. In this white paper, we will explore some of the pros and cons of LLMs for threat intelligence, and end with a call for action to address the ethical and security issues of LLMs.

Pros of LLMs for Threat Intelligence

LLMs can offer several advantages for threat intelligence, such as :

  • Boosting the efficiency and scalability of threat intelligence analysis and reporting. LLMs can help automate some of the tasks involved in threat intelligence, such as data collection, extraction, normalization, enrichment, and visualization. LLMs can also create natural language summaries and reports of threat intelligence findings, reducing the workload and time required for human analysts.
  • Enhancing the quality and accuracy of threat intelligence products and services. LLMs can use their large-scale and diverse training data to provide more comprehensive and nuanced insights into the threat landscape, as well as create more relevant and personalized suggestions for threat mitigation and response. LLMs can also learn from feedback and corrections from human experts to improve their performance and reliability over time.
  • Enabling new and innovative applications and use cases for threat intelligence. LLMs can enable new ways of interacting with and consuming threat intelligence, such as conversational interfaces, natural language queries, and interactive dashboards. LLMs can also support new forms of collaboration and sharing of threat intelligence, such as crowdsourcing, peer-to-peer networks, and decentralized platforms.

Cons of LLMs for Threat Intelligence

However, LLMs also pose significant challenges and risks for threat intelligence, such as :

  • Introducing new and complex vulnerabilities and attack vectors for threat actors. LLMs can be exploited by malicious actors to generate fake or misleading threat intelligence, such as false alarms, fabricated incidents, or distorted analyses. LLMs can also be used to create sophisticated phishing, social engineering, or disinformation campaigns, targeting the users and consumers of threat intelligence products and services.
  • Undermining the trustworthiness and accountability of threat intelligence sources and providers. LLMs can make it harder to verify the authenticity and credibility of threat intelligence, as well as to trace the origin and attribution of threat intelligence data and reports. LLMs can also raise ethical and legal issues regarding the ownership, privacy, and security of the data used to train and deploy LLMs, as well as the responsibility and liability for the outcomes and impacts of LLMs.
  • Increasing the complexity and uncertainty of the threat intelligence environment and decision-making. LLMs can create new challenges and dilemmas for threat intelligence analysts and consumers, such as how to deal with the uncertainty, ambiguity, and bias of LLM-generated texts, how to balance the trade-offs between human and machine intelligence, and how to cope with the cognitive and emotional effects of LLMs on human perception and behavior.

Common Models and Ongoing Research

There are several models and frameworks that are commonly used for threat intelligence, such as the Cyber Kill Chain, the Diamond Model, the MITRE ATT&CK, and the STIX/TAXII. These models help to conceptualize, organize, and communicate the various aspects and stages of the threat lifecycle, such as the actors, actions, artifacts, and objectives of the threats. However, these models are not designed to handle the complexity and diversity of the LLM-generated threats, and may need to be adapted or extended to account for the new challenges and opportunities posed by LLMs.

There is also ongoing research on how to leverage LLMs for threat intelligence, as well as how to detect and defend against LLM-based attacks. For example, some researchers have proposed methods to use LLMs to generate and augment threat intelligence data, such as indicators of compromise, malware descriptions, and attack scenarios (Chen et al., 2020; Yu et al., 2020; Zhang et al., 2020). Others have proposed methods to use LLMs to analyze and classify threat intelligence data, such as threat actor profiles, attack techniques, and threat levels (Dong et al., 2020; Li et al., 2020; Wang et al., 2020). However, these methods are not yet widely adopted or validated, and may have limitations and drawbacks, such as data quality, model robustness, and ethical concerns.

Call for Action

LLMs are transforming the field of threat intelligence, offering both opportunities and challenges for the security community. To harness the potential of LLMs and mitigate their risks, we propose the following actions:

  • Developing and adopting standards and best practices for the design, development, and deployment of LLMs for threat intelligence, such as ensuring the quality, diversity, and representativeness of the training data, ensuring the transparency, explainability, and auditability of the LLM outputs, and ensuring the security, privacy, and integrity of the LLM systems and data.
  • Establishing and enforcing ethical and legal frameworks and guidelines for the use and misuse of LLMs for threat intelligence, such as defining the rights and obligations of the LLM developers, providers, and users, defining the acceptable and unacceptable uses and applications of LLMs, and defining the mechanisms and procedures for oversight, regulation, and accountability of LLMs.
  • Fostering and promoting a culture of awareness, education, and collaboration among the stakeholders and actors involved in the threat intelligence ecosystem, such as raising the awareness and literacy of the LLM capabilities and limitations, educating and training the threat intelligence analysts and consumers on how to use and evaluate LLMs, and collaborating and sharing the knowledge and experience of the LLM benefits and challenges.

We hope that this white paper will stimulate further discussion and action on the topic of threat intelligence in the age of large language models, and contribute to the advancement and security of the field.

References

Chen, X., Li, Y., Li, B., & Gao, N. (2020). TI-GCN: A Graph Convolutional Network for Modeling Multi-hop Relations in Threat Intelligence. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (pp. 243-256).

Dong, C., Wang, Y., Chen, X., Yang, J., & Zhang, J. (2020). Transformer-based Deep Learning Model for Malware Family Classification. In 2020 IEEE Conference on Communications and Network Security (CNS) (pp. 1-9). IEEE.

Li, Y., Chen, X., Li, B., & Gao, N. (2020). TIPPER: A Transformer-based Context-aware Malware Detection System. In Proceedings of the 35th Annual Computer Security Applications Conference (pp. 238-252).

Wang, Y., Li, Z., Yang, J., & Zhang, J. (2020). MalBERT: A Pre-trained Language Model for Malware Analysis. In 2020 IEEE Conference on Communications and Network Security (CNS) (pp. 1-9). IEEE.

Yu, L., Liu, H., Chen, J., & Zhang, J. (2020). AutoAttack: Automated Generation of Adversarial Attacks Against Black-box Malware Detection Systems. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (pp. 229-242).

Zhang, J., Chen, J., Xiong, Z., Chen, L., & Zhang, J. (2020). GAN-based Synthetic Malware Generation for Improved Black-box Analysis of Malware Detection Systems. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (pp. 257-270).