
Investigations are a key component of cybersecurity incident response. The incident response cycle can be described as:
- Detection | Which security events present enough of an anomaly or threat to justify the resources it will take to investigate further?
- Investigation | Now that you’ve decided to inspect the matter further, how can you determine whether the threat is valid or benign?
- Remediation | Once you’ve identified and confirmed the exploit, you can implement proper measures to negate it.
A lot happens between first spotting the exploit (Detection) and finally wrapping things up (Remediation). Also known as digital forensics, Investigations require extensive footwork when it comes to closing the gap between security teams and rival threat actors. Every delay is another second an attacker has to wind their way further into the enterprise, siphon out data, or make their escape.
Because time is an essential component, artificial intelligence is being leveraged like never before to do this process faster, more efficiently, and with increased success.
The Challenge of Automating Investigations
The investigation process is often where things get tricky. How much data is too much, and how much is not enough? As noted by Grant Oviatt, Head of Security Operations at Prophet Security, “The challenge is that the need for automation is its own development cycle – with each alert requiring its own type of planning, integrations, and automation that put a different strain on your team.”
While Security Orchestration, Automation, and Response (SOAR) tools can do a lot to help get this process moving in an automated fashion, they can have high start-up costs in time and resources. Your team is stuck either pulling in workflows one by one or writing custom scripts so that raw data turns into a streamlined investigation. In addition, the investigation process is dynamic, so static workflows for each kind of alert might only produce loads of contextual information and still no clear direction.
The trick is finding and attaching the right contextual data to alerts, and this is where artificial intelligence and machine learning can play a starring role.
The Need for AI in Digital Forensics & Cyber Investigations
Dr. Raymond Choo, digital forensics researcher and professor of Cloud Technology at the University of Texas, San Antonio, asserts that “The digital forensics industry—and, more broadly, the cybersecurity industry—has recognized the importance of integrating automation and artificial intelligence in their solutions and products.”
This is largely because of AI’s ability to reduce cycles for overwhelmed IT teams and take over manual processes like searching volumes (petabytes, even) of data to hunt out anomalies. Spotting deviations from the baseline is a key feature of the digital forensics process, as malicious anomalies are identified by the non-standard behaviors they exhibit in an environment. By being able to hunt quickly through large datasets and flag these instances, machine learning models can search for certain digital artifacts (images, text, malicious patterns) and help the investigation process by bringing them to light.
This is especially helpful because humans alone cannot keep up with data at scale as environments grow more complex and attack surfaces expand. Investigation and response now span the cloud, on-premises servers, cloud-native vs. cloud-hosted applications, IoT, shadow data, social media, personal devices being used for work, remote networks, and more.
The Benefits of Artificial Intelligence in Cyber Investigations
Unleashed on this modern kaleidoscope of a threat landscape, AI can detect patterns (thereby filtering out noise), take in an exponentially larger amount of raw data than manual investigations alone, and perform data collection and analysis at a rate unsurpassed by any other technology.
In short, the list of benefits of leveraging AI in cybersecurity investigations includes:
- Image Recognition | This is like facial recognition for digital objects; AI scans media files and assigns them categories based on context. This is good for data classification and assigning differing levels of security to each group, which can help provide context in investigations.
- Network Traffic Analysis | Trained AI-based tools can automatically analyze network traffic packets and patterns at scale to spot anomalies, correlating them with known attack patterns.
- Malware Detection | With polymorphic malware on the loose and other advanced techniques that obfuscate code, AI-based threat detection techniques are increasingly coming in handy.
- Natural Language Processing (NLP) | Social engineering continues to play a large part in breaches and extended exploits today. Hence, a lot of valuable evidence can be hidden within swaths of emails, online messages, and more. Using NLP techniques, practitioners can more easily pinpoint and analyze large chunks of relevant, text-based information for investigative purposes.
- Forensic Triage | AI in forensic triage helps investigators narrow down their field of vision and refine the scope of their search. While having too little context is unhelpful, so is having too much. Machine learning algorithms can be utilized to classify and organize large batches of digital files (continually “learning” from metadata, content, and more) to determine which ones are germane to an investigation. Then, those files can be consulted first, leading to faster and more efficient investigations and less time getting lost in the weeds.
- Automated Log Analysis | Any security practitioner knows that scouring logs can be a time-consuming task. With AI-powered tools, SOCs can analyze log files at a scale and speed unimaginable before without the risk of human error. Being able to quickly deduce what areas require further in-depth scrutiny not only gives human practitioners a more reasonable area to focus on, but lets them locate and shut down exploits faster.
The Future of AI in Cybersecurity Investigations
While AI seems to be inextricably entwined with the future of cybersecurity investigations, chances are slim that it can carry the task alone. As Ali Hader, an internationally recognized cybersecurity architect and advocate, states:
“We should not neglect the power of Humans; incorporating human intelligence and intuition alongside AI technologies can enhance threat detection and response capabilities. Security teams can provide context and insights that AI algorithms may overlook, improving overall accuracy and effectiveness.”
It is important that we bring our human curiosity to bear even as we incorporate force-multiplying tools like AI, ML, and LLMs into the cybersecurity investigations process. We need to gather all pertinent information but run it through the lens of our common sense, situational knowledge, and expertise. This will most likely be the model under which AI-based investigation tools are run, now and in the future.
While they may never be “intelligent” enough to do the task themselves, AI-based solutions are unquestionably helpful if we point them in the right direction.
About the Author
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.