{"id":9177,"date":"2025-12-18T03:02:24","date_gmt":"2025-12-18T03:02:24","guid":{"rendered":"https:\/\/mailitics.com\/index.php\/2025\/12\/18\/four-ways-ai-can-finally-make-threat-intelligence-useful-and-not-just-noisy-1603545943\/"},"modified":"2025-12-18T03:02:24","modified_gmt":"2025-12-18T03:02:24","slug":"four-ways-ai-can-finally-make-threat-intelligence-useful-and-not-just-noisy-1603545943","status":"publish","type":"post","link":"https:\/\/mailitics.com\/index.php\/2025\/12\/18\/four-ways-ai-can-finally-make-threat-intelligence-useful-and-not-just-noisy-1603545943\/","title":{"rendered":"Four ways AI can finally make threat intelligence useful and not just noisy"},"content":{"rendered":"

Four ways AI can finally make threat intelligence useful and not just noisy
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n <\/p>\n

For years, many CISOs have been told that threat intelligence is the missing piece in their security program. In other words, the glue that would finally tie risk, controls and decision-making together. Yet inside most organisations the reality is very different. Threat intelligence feeds are noisy. Reports often arrive out of context or too late to make a difference, and the sheer volume of data makes it difficult for already-stretched security teams to turn intelligence into action.<\/p>\n

That experience isn\u2019t unique. According to Google Cloud research cited in ISACA\u2019s recent white paper, Building a Threat-Led Cybersecurity Program with Cyberthreat Intelligence<\/a>, 61% of cybersecurity professionals say they\u2019re overwhelmed by the number of intelligence feeds coming in, and nearly the same number say they can\u2019t make the intelligence actionable. The outcome is predictable: millions are spent, minimal operational value is gained and threats continue to slip through the cracks.<\/p>\n

But the threat environment isn\u2019t standing still: attackers are stealing credentials at scale, buying and selling access to networks, and using generative AI to speed up their operations. To keep up and stay ahead, defenders need to rethink how they use threat intelligence. The ISACA white paper shows that a modern, threat-led approach, supported by AI and automation, can finally turn intelligence into real operational value.<\/p>\n

Below are four practical ways AI can do exactly that.<\/p>\n

1. Using LLMs to analyse initial access broker activity at scale<\/h4>\n

The cybercrime ecosystem increasingly resembles a mature market, complete with supply chains, brokers and marketplaces. Initial access brokers (IABs) are central players, selling entry points into enterprise networks. But their posts are often cryptic, inconsistent and buried across dozens of dark-web forums and encrypted channels.<\/p>\n

Historically, manually analysing IAB chatter has been slow, labour-intensive work. A human analyst might review a few dozen posts a day; meanwhile, thousands more are published.<\/p>\n

Large language models change that equation.<\/p>\n

LLMs can be used to automatically identify IAB listings, extract structured information from unstructured posts, and flag listings relevant to a specific organisation or sector. This significantly reduces manual triage time and helps analysts focus on the highest-risk access for sale, the kind that precedes ransomware incidents.<\/p>\n

2. Prioritising breached identities using automated classification<\/h4>\n

Infostealer malware has become one of the most damaging and underestimated drivers of enterprise compromise. The white paper notes that millions of \u2018stealer logs\u2019 are sold annually, and nearly a third originate from enterprise-licensed environments. This means corporate credentials, session cookies, browser-stored passwords and sensitive tokens are ending up in criminal markets at unprecedented rates.<\/p>\n

The challenge? No human team can meaningfully triage that volume of exposure.<\/p>\n

AI-assisted prioritisation is now essential. By automatically classifying breached identities based on factors such as domain sensitivity, privileged access, critical system relevance, active sessions and MFA posture, security teams can immediately escalate the exposures that really matter.<\/p>\n

This flips the model in that instead of drowning in alerts, teams receive a structured, risk-ranked queue of high-priority exposures. For organisations running hybrid identity environments, this is one of the most impactful steps they can take.<\/p>\n

3. Automating credential verification and remediation<\/h4>\n

Most Australian enterprises still grapple with credential-based intrusions. Attackers know it: they continue to target the easiest path of reusing stolen credentials purchased from stealer logs or phishing kits.<\/p>\n

ISACA\u2019s guidance emphasises the value of establishing automated workflows that:<\/p>\n