Researchers warn that widespread use of AI agents in Cyber Threat Intelligence (CTI) boosts productivity but raises concerns about reliability, transparency, and the ability to trust another analyst’s prompts or workflows. A case study using an LLM-driven agentic system to analyze Russian internet leaks demonstrates both practical benefits and the need for adapted research methodology and clear communication of AI-assisted judgments. #Dreadnode #LABScon25
Keypoints
- Analytical tradecraft and shared standards turned CTI into a collaborative, industry-wide research endeavor.
- AI assistants are increasingly used to handle data preparation, analysis, and entire workflows in CTI, improving productivity.
- Reliance on AI introduces new costs related to reliability and transparency, especially when reusing others’ prompts or agentic workflows.
- CTI methodology must evolve to address promises, pitfalls, and probabilities inherent in AI-assisted work.
- Case study: an LLM-driven agentic system was built to analyze Russian internet content leaked by Ukrainian cyber activists.
- The presenters detail system architecture and evaluate performance across simple collation tasks to complex adversary-tracking pipelines.
- Communicating assessments of AI strengths and limits to peers and broader audiences is crucial for accountability and transparency.
MITRE Techniques
- [T1583 ] Acquire Infrastructure – Used to collect and collate leaked Russian internet content via an LLM-driven agentic system (“…an LLM-driven agentic system to analyze Russian internet content leaked by Ukrainian cyber activists…”).
- [T1078 ] Valid Accounts – Implied in tracking adversaries across online infrastructure and accounts through agentic analytical pipelines (“…used to track adversaries”).
- [T1592 ] Gather Victim Identity Information – Employed by the system to analyze public-facing Russian content and extract identifying data for intelligence purposes (“…analyze Russian internet content leaked by Ukrainian cyber activists”).
- [T1609 ] Data from a Local System – Utilized in data preparation stages where researchers feed local datasets into AI assistants for analysis (“…teams increasingly hand off data preparation, analysis, and entire workflows to AI assistants”).
- [T1490 ] Ingress Tool Transfer – The agentic workflows perform multi-stage transfers between tools and models to build analytical pipelines (“…system’s architecture and show how it performs across tasks from straightforward data collation to complex analytical pipelines”).
Indicators of Compromise
- [Leak Source ] context – Russian internet content leaked by Ukrainian cyber activists (example: leaked Russian web posts; and other leaked content).
- [Tool/System ] context – LLM-driven agentic system used for analysis – example system architecture and agentic workflows (no specific filenames or hashes provided).