AI and the Five Phases of the Threat Intelligence Lifecycle | Mandiant

Mandiant integrates AI and LLMs across the five phases of the Threat Intelligence Lifecycle—collection, structuring/enrichment, analysis, dissemination/deploy, and planning/feedback—to automate enrichment, scoring, and delivery of actionable intelligence. Leveraging proprietary ML models and Google Cloud’s Sec-PaLM 2 enables high-quality data enrichment, IOC scoring, MRTI generation, and LLM-based summarization and conversational access for customers. #Mandiant #SecPaLM2

Keypoints

  • Mandiant collects telemetry from frontline incident responses, Google Cloud SecOps, and proactive OSINT to form high-quality training data for ML models.
  • Dozens of AI models process raw data: malware classifiers for binaries, ranking models for strings output, and deep learning to identify/explain function behaviors.
  • An NLP pipeline extracts entities, classifies topics, translates content, and annotates forum/messaging data to make unstructured sources machine-readable.
  • Scoring models reduce alert noise and prioritize indicators—reporting a 96% reduction in false positives for alerts and a 97% IOC reduction when filtering high-confidence indicators.
  • Tactical outputs are converted to machine-readable threat intelligence (MRTI) and detection signatures; Breach Analytics for Chronicle automates pipelines to operationalize front-line findings.
  • Continuous feedback from analyst reviews and customer interactions retrains models, refines collections (botnets/forums/channels), and improves detections over time.
  • Google’s Sec-PaLM 2 LLMs are used for automated summarization, report generation, conversational knowledge access, and assisting with detection, analysis, and attribution tasks.

MITRE Techniques

  • No specific MITRE ATT&CK technique IDs (e.g., Txxxx) or named techniques were cited in the article.

Indicators of Compromise

  • [Hashes] referenced as IOC types used in scoring and filtering – no specific hash examples were provided in the article.
  • [IP addresses] referenced as IOC types used in scoring and filtering – no specific IP examples were provided in the article.
  • [Alerts / Indicators] context – alerts generated by Digital Threat Monitoring and scored indicators are mentioned; no concrete alert IDs or filenames were listed.
  • [MRTI / Signatures] tactical intelligence – article states intelligence is converted to machine-readable threat intelligence and detection signatures for customers, but no sample artifacts or filenames were shown.

Mandiant’s technical process begins with broad, high-fidelity data collection: frontline incident telemetry from breach responses, Google Cloud SecOps global telemetry, and proactive OSINT collections (botnets, forums, messaging channels). This raw data seeds and continuously retrains many targeted ML models—malware classifiers for multiple file types, a ranking model to prioritize strings output, and deep learning models that identify and explain binary function behaviors—while an NLP pipeline performs entity extraction, topic classification, translation, and annotation on unstructured sources. These enrichments normalize and annotate artifacts so they become machine-readable inputs for downstream systems.

For analysis and operationalization, Mandiant runs scoring models on indicators and alerts to reduce noise and prioritize high-confidence items (citing a 96% reduction in false positives for alerts and 97% IOC reduction when filtering high-confidence indicators). Enriched IOCs and tactical findings are converted into MRTI and detection signatures and ingested into automated pipelines such as Mandiant Breach Analytics for Chronicle, enabling rapid deployment of detections. AI also clusters and associates attacker activity to reveal TTP overlap, aiding attribution and focusing analyst effort on the most relevant leads.
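As an added illustration of the score, filter and convert-to-MRTI step described above, the following Python is example code written for this page; it is not Mandiant's code and does not reproduce its proprietary models. The feature weights in score_indicator, the assumed 80-point confidence threshold, and the sample indicators are all constructed. It shows how enriched indicators can be given a confidence score, thresholded, deduplicated, and emitted as STIX 2.1 indicator objects, one common machine-readable threat intelligence format, with unsupported or malformed indicators skipped rather than passed through.

```python
"""Toy 'score -> filter -> MRTI' stage (added example, not Mandiant's code).

All weights, thresholds and sample indicators below are constructed
assumptions for illustration; real scoring models are proprietary.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed enriched indicators, shaped like what an enrichment stage might
# attach: corroborating sources, sandbox verdicts, age and global prevalence.
SAMPLE_INDICATORS = [
    {"type": "ipv4", "value": "203.0.113.7", "sources": 3, "malicious_verdicts": 4,
     "benign_verdicts": 0, "first_seen_days": 2, "prevalence": 12},
    {"type": "ipv4", "value": "8.8.8.8", "sources": 1, "malicious_verdicts": 0,
     "benign_verdicts": 40, "first_seen_days": 3000, "prevalence": 1_000_000},
    {"type": "sha256", "value": "a" * 64, "sources": 2, "malicious_verdicts": 9,
     "benign_verdicts": 1, "first_seen_days": 10, "prevalence": 5},
    {"type": "domain", "value": "example.net", "sources": 1, "malicious_verdicts": 1,
     "benign_verdicts": 1, "first_seen_days": 900, "prevalence": 5000},
    # Unsupported type: skipped by stix_pattern() rather than emitted half-formed.
    {"type": "email", "value": "nobody@example.net", "sources": 1, "malicious_verdicts": 3,
     "benign_verdicts": 0, "first_seen_days": 1, "prevalence": 1},
    # Duplicate of the first indicator from another feed: deduplicated on pattern.
    {"type": "ipv4", "value": "203.0.113.7", "sources": 1, "malicious_verdicts": 1,
     "benign_verdicts": 0, "first_seen_days": 5, "prevalence": 12},
]

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+$")


def score_indicator(ind):
    """Heuristic 0-100 confidence (assumed weights: verdict ratio 50%,
    source corroboration 20%, recency 15%, rarity 15%)."""
    total = ind["malicious_verdicts"] + ind["benign_verdicts"]
    verdict_ratio = ind["malicious_verdicts"] / total if total else 0.0
    corroboration = min(ind["sources"], 3) / 3
    recency = 1.0 if ind["first_seen_days"] <= 30 else 0.3
    if ind["prevalence"] < 100:
        rarity = 1.0
    elif ind["prevalence"] < 10_000:
        rarity = 0.5
    else:
        rarity = 0.0  # widely seen infrastructure (e.g. public resolvers) scores low
    score = 100 * (0.5 * verdict_ratio + 0.2 * corroboration + 0.15 * recency + 0.15 * rarity)
    return round(score)


def stix_pattern(ind):
    """Map an indicator to a STIX 2.1 pattern; None for unsupported or malformed values."""
    t, v = ind["type"], ind["value"]
    if t == "ipv4" and IPV4_RE.match(v) and all(int(o) <= 255 for o in v.split(".")):
        return f"[ipv4-addr:value = '{v}']"
    if t == "domain" and DOMAIN_RE.match(v):
        return f"[domain-name:value = '{v}']"
    if t == "sha256" and re.fullmatch(r"[0-9a-f]{64}", v):
        return f"[file:hashes.'SHA-256' = '{v}']"
    if t == "md5" and re.fullmatch(r"[0-9a-f]{32}", v):
        return f"[file:hashes.MD5 = '{v}']"
    return None


def to_mrti(indicators, threshold=80):
    """Score, filter by confidence, deduplicate, and emit STIX 2.1 indicator dicts."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")
    seen, out = set(), []
    for ind in indicators:
        pattern = stix_pattern(ind)
        if pattern is None or pattern in seen:
            continue
        score = score_indicator(ind)
        if score < threshold:
            continue  # noise reduction: low-confidence items never reach detections
        seen.add(pattern)
        out.append({
            "type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": now, "modified": now,
            "indicator_types": ["malicious-activity"],
            "pattern": pattern, "pattern_type": "stix",
            "valid_from": now,
            "confidence": score,  # STIX 2.1 common property, 0-100
        })
    return out


def bundle(objects):
    """Wrap indicator objects in a STIX bundle for delivery to a detection pipeline."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(bundle(to_mrti(SAMPLE_INDICATORS)), indent=2))
```

With the default threshold only the corroborated, recent, rare indicators (the IP and the SHA-256 sample) are emitted; the public resolver and the ambiguous domain are held back, the unsupported e-mail indicator is skipped, and the duplicate IP collapses to a single object. Lowering the threshold is a policy decision that trades alert volume for coverage, which is exactly the knob the feedback phase tunes.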

Feedback loops close the lifecycle: analyst validation, artifact analysis, and customer feedback feed model retraining and collection adjustments (e.g., adding new botnets or forums to monitor). Emerging LLM capabilities—specifically Google’s Sec-PaLM 2—are applied to automate report generation, summarize diverse threat artifacts at configurable technical depth, provide conversational querying of threat knowledge, and assist with detection, analysis, and attribution tasks, thereby scaling expertise and accelerating time-to-detection.

Read more: https://www.mandiant.com/resources/blog/ai-five-phases-intelligence-lifecycle