As cyber threats continue to grow in scale and sophistication, blue team defenders increasingly require advanced tools to proactively detect and mitigate risks. Large Language Models (LLMs) offer promising capabilities for enhancing threat analysis. However, their effectiveness in real-world blue team threat-hunting scenarios remains insufficiently explored. This paper presents CyberTeam, a benchmark designed to guide LLMs in blue teaming practice. CyberTeam constructs a standardized workflow in two stages. First, it models realistic threat-hunting workflows by capturing the dependencies among analytical tasks from threat attribution to incident response. Next, each task is addressed through a set of operational modules tailored to its specific analytical requirements. This transforms threat hunting into a structured sequence of reasoning steps, with each step grounded in a discrete operation and ordered according to task-specific dependencies. Guided by this framework, LLMs are directed to perform threat-hunting tasks through modularized steps. Overall, CyberTeam integrates 30 tasks and 9 operational modules to guide LLMs through standardized threat analysis. We evaluate both leading LLMs and state-of-the-art cybersecurity agents, comparing CyberTeam against open-ended reasoning strategies. Our results highlight the improvements enabled by standardized design, while also revealing the limitations of open-ended reasoning in real-world threat hunting.

Cyber threat hunting is the practice of proactively searching for latent threats in a network. Engaging in threat hunting can be difficult due to the volume of network traffic, variety of adversary techniques, and constantly evolving vulnerabilities. To aid analysts in identifying techniques which may be co-occurring as part of a campaign, we present the Technique Inference Engine, a tool to infer tactics, techniques, and procedures (TTPs) which may be related to existing observations of adversarial behavior. We compile the largest (to our knowledge) available dataset of cyber threat intelligence (CTI) reports labeled with relevant TTPs. With the knowledge that techniques are chronically under-reported in CTI, we apply several implicit feedback recommender models to the data in order to predict additional techniques which may be part of a given campaign. We evaluate the results in the context of the cyber analyst's use case and apply t-SNE to visualize the model embeddings. We provide our code and a web interface.

In the rapidly evolving landscape of the IoT, the security of connected devices has become a paramount concern. This paper explores the concept of proactive threat hunting as a pivotal strategy for enhancing the security and sustainability of IoT systems. Proactive threat hunting is an alternative to traditional reactive security measures that analyses IoT networks continuously and in advance to find and eliminate threats before they occure. By improving the security posture of IoT devices this approach significantly contributes to extending IoT operational lifespan and reduces environmental impact. By integrating security metrics similar to the Common Vulnerability Scoring System (CVSS) into consumer platforms, this paper argues that proactive threat hunting can elevate user awareness about the security of IoT devices. This has the potential to impact consumer choices and encourage a security-conscious mindset in both the manufacturing and user communities. Through a comprehensive analysis, this study demonstrates how proactive threat hunting can contribute to the development of a more secure, sustainable, and user-aware IoT ecosystem.

Threat hunting is sifting through system logs to detect malicious activities that might have bypassed existing security measures. It can be performed in several ways, one of which is based on detecting anomalies. We propose an unsupervised framework, called continuous bag-of-terms-and-time (CBoTT), and publish its application programming interface (API) to help researchers and cybersecurity analysts perform anomaly-based threat hunting among SIEM logs geared toward process auditing on endpoint devices. Analyses show that our framework consistently outperforms benchmark approaches. When logs are sorted by likelihood of being an anomaly (from most likely to least), our approach identifies anomalies at higher percentiles (between 1.82-6.46) while benchmark approaches identify the same anomalies at lower percentiles (between 3.25-80.92). This framework can be used by other researchers to conduct benchmark analyses and cybersecurity analysts to find anomalies in SIEM logs.

In recent years, the increase in non-Windows malware threats had turned the focus of the cybersecurity community. Research works on hunting Windows PE-based malwares are maturing, whereas the developments on Linux malware threat hunting are relatively scarce. With the advent of the Internet of Things (IoT) era, smart devices that are getting integrated into human life have become a hackers highway for their malicious activities. The IoT devices employ various Unix-based architectures that follow ELF (Executable and Linkable Format) as their standard binary file specification. This study aims at providing a comprehensive survey on the latest developments in cross-architectural IoT malware detection and classification approaches. Aided by a modern taxonomy, we discuss the feature representations, feature extraction techniques, and machine learning models employed in the surveyed works. We further provide more insights on the practical challenges involved in cross-architectural IoT malware threat hunting and discuss various avenues to instill potential future research.

Cybersecurity protects internet-connected systems, including hardware, software, and data, from attack, damage, or unauthorized access. The importance of cybersecurity has grown in recent years as more and more of our daily activities and important information are stored and transmitted online. There are many different types of cybersecurity threats, including hacking, malware, phishing, and ransomware. Hacking refers to unauthorized access to a computer system or network. Malware is software specifically designed to harm or exploit a computer or network.

Artificial intelligence (AI) in cybersecurity was a popular topic at RSA's virtual conference this year, with good reason. Many tools rely on AI, using it for incident response, detecting spam and phishing and threat hunting. However, while AI security gets the session titles, digging deeper, it is clear that machine learning (ML) is really what makes it work. ML allows for "high-value predictions that can guide better decisions and smart actions in real-time without humans stepping in." Yet, for all ML can do to improve intelligence and help AI security do more, ML has its flaws.

Security leaders are increasingly turning to AI and ML-based defenses against cyberattacks as pessimism grows over the efficacy of human-based cybersecurity defense efforts. A recent survey from MIT Technology Review Insights, sponsored by Darktrace, found more than half of business leaders think security strategies based on human-led responses to fast-moving attacks are failing; nearly all have begun to bolster their defenses in preparation for AI-enabled attacks. "Cyber AI autonomously stops threats in their tracks and surfaces relevant information in a digestible narrative, augmenting human teams and giving them time to focus on strategic tasks that matter," said Darktrace's director of threat hunting, Max Heinemeyer. "All that organizations can do to prepare is simply embrace self-learning AI as a force multiplier." He noted that AI-powered cybersecurity platforms can integrate with other tools in a security toolbox, ingest new forms of telemetry from existing investments for further enrichment, share detections and incidents with workflow tools and even orchestrate response actions across the rest of the digital estate, for example, by integrating with preventative tools.

To improve their cybersecurity, many organizations are turning to endpoint services like endpoint protection platforms (EPP) to keep their networks safe. As employees continue to work remotely, a company's number of endpoints grows and they become more vulnerable. Hackers can use smartphones, laptops, and even printers to access company data. To help you protect your network, we've provided a list of the top endpoint protection platforms for 2021. McAfee Endpoint Security prevents malware and breaches with antivirus protection, behavioral analysis, and robust firewalls.

The cybersecurity landscape is looking at higher than ever threat levels, data volumes quadrupling every 36 months, computing power and data transfer speeds increasing just as fast, and a diversity of IoT devices ushering in a new era of automation. To get a grip on this, more organizations are exploring how AI can help. The Next-generation security operations center (SOC) incorporates automation and orchestration -- automation applied to both defense operations and threat hunting incorporating AI and machine learning, and orchestration managing how multiple sets of tools and platforms work together. "AI and ML are not only used in a next-generation SOC to enhance detection and prevention activities, but also, increasingly, to augment incident response actions such as containment actions, ticket creation, and user engagement to triage and/or validate a suspicious action," stated John Harrison, Director, Cybersecurity Center of Excellence for Criterion, in an article he wrote for Nextgov. "The applications of AI and ML reduce the time spent on each alert and improve the Mean Time to Detect as well as the Mean Time to Repair."