What is multi-step reasoning? | Sysdig

Multi-step reasoning is a concept that is taught in grade school math class, but it applies far beyond mathematical calculations and word problems. It is the process of solving a problem requiring multiple individual calculations or steps in order to reach the final answer. Multi-step reasoning requires sequencing, logic, and sometimes prior knowledge or inference.

Multi-step reasoning also requires that each step taken in a decision-making process be valid on its own, while still contributing to a larger conclusion. It’s like constructing a building – the placement of every brick matters, and the foundation is as important as the roof and every layer in between.

In cybersecurity, where complexity is the norm, multi-step reasoning is imperative for everything from addressing incidents to anticipating future threats.

Cybersecurity professionals, particularly threat hunters, incident responders, and security analysts, frequently come face-to-face with multi-faceted threats. Cyberattacks are generally not straightforward. If they were, they’d be easy to stop. With the MITRE ATT&CK Framework and Lockheed’s Kill Chain, we know that cyberattacks involve many steps, from reconnaissance and persistence to privilege escalation and data exfiltration. Understanding and mitigating these attacks requires the ability to reason through each stage of an attack, predicting an attacker’s next moves and initiating an appropriate response.

Sans multi-step reasoning, security professionals might address independent symptoms of an attack without ever understanding the full picture. An incomplete or incorrect response and mitigation may allow attackers to persist, pivot, or try again with their operations. 

For example, an organization’s security team receives a threat detection alert for anomalous network activity. What is the multi-step reasoning process?

  1. A security analyst observes an unusual spike in network traffic originating from a single, unfamiliar IP address.
  2. The analyst correlates the traffic pattern with open source intelligence in which a known vulnerability was recently disclosed but not yet patched in the firewall. 
  3. An incident responder identifies the data being targeted by the attacker, considers the potential risk of access, and prioritizes a defensive posture. 
  4. The responder takes action to block the IP and patch the firewall to prevent further damage. 
  5. The responder and a threat hunter coordinate to check for additional signs of compromise to ensure the attacker is no longer present, cannot reenter the network, and did not exfiltrate any data.

Each step builds on the last, requiring careful, logical reasoning to address the threat effectively.
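The five steps above, as an added illustration written for this page (it is not Sysdig's code and has nothing to do with Sysdig Sage): a small triage pipeline that walks the chain in order over constructed flow-log lines. Step 1 finds a source outside the familiar networks whose connection count dwarfs the median, step 2 matches the ports it touched against an unpatched-advisory list, step 3 looks up the targeted hosts in an asset inventory, step 4 turns those findings into actions, and step 5 hunts the remaining log for other unfamiliar sources hitting the same hosts and for outbound flows from them. Every IP is from the RFC 5737 documentation ranges, and the advisory ids, asset records, and log lines are made-up placeholders.

```python
"""Added example: the five-step triage chain over constructed flow records."""
import ipaddress
import re
from collections import Counter
from statistics import median

# Constructed flow lines (timestamp, source, destination, destination port).
BASE_FLOWS = """\
2024-05-01T10:00:01Z src=10.0.0.4 dst=10.0.0.12 dport=443
2024-05-01T10:00:02Z src=10.0.0.5 dst=10.0.0.12 dport=443
2024-05-01T10:00:03Z src=10.0.0.4 dst=10.0.0.20 dport=5432
2024-05-01T10:00:04Z src=198.51.100.7 dst=10.0.0.12 dport=443
2024-05-01T10:00:05Z src=198.51.100.7 dst=10.0.0.12 dport=443
2024-05-01T10:00:06Z src=198.51.100.7 dst=10.0.0.20 dport=5432
2024-05-01T10:00:07Z src=203.0.113.51 dst=10.0.0.12 dport=443
2024-05-01T10:00:08Z src=10.0.0.12 dst=203.0.113.99 dport=8443
this line is malformed and is skipped by the parser
"""
# Forty rapid connections from one unfamiliar address: the "spike" in step 1.
SPIKE_FLOWS = "".join(
    f"2024-05-01T10:01:{i:02d}Z src=203.0.113.50 dst=10.0.0.12 dport=443\n"
    for i in range(40)
)
FLOW_LOG = BASE_FLOWS + SPIKE_FLOWS

# Internal range plus one known partner address count as "familiar" (assumed).
FAMILIAR_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("198.51.100.7/32")]
# Placeholder advisory feed (step 2) and asset inventory (step 3); both constructed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "service": "edge-firewall-vpn", "port": 443, "patched": False},
    {"id": "ADV-EXAMPLE-0002", "service": "mail-relay", "port": 25, "patched": True},
]
ASSETS = {
    "10.0.0.12": {"name": "vpn-gateway", "sensitivity": "high"},
    "10.0.0.20": {"name": "analytics-db", "sensitivity": "medium"},
}
FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_flows(text):
    """Parse one flow record per line; malformed lines are dropped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            flows.append(rec)
    return flows


def is_familiar(ip_str, nets):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in nets)


def find_unfamiliar_spike(flows, nets, factor=5):
    """Step 1: unfamiliar sources whose flow count exceeds factor x the median source."""
    counts = Counter(f["src"] for f in flows)
    baseline = median(counts.values())  # median resists being dragged up by the spike itself
    spikes = [(src, n) for src, n in counts.items()
              if not is_familiar(src, nets) and n > factor * baseline]
    return sorted(spikes, key=lambda t: -t[1])


def correlate_with_intel(flows, src, advisories):
    """Step 2: unpatched advisories whose service port the source actually touched."""
    ports = {f["dport"] for f in flows if f["src"] == src}
    return [a for a in advisories if a["port"] in ports and not a["patched"]]


def assess_targets(flows, src, assets):
    """Step 3: what the source reached, with inventory sensitivity where known."""
    hosts = sorted({f["dst"] for f in flows if f["src"] == src})
    return [{**assets.get(h, {"name": h, "sensitivity": "unknown"}), "ip": h} for h in hosts]


def plan_response(src, matched, targets):
    """Step 4: containment and patching, with escalation when a sensitive asset was hit."""
    actions = [f"block {src} at the perimeter"]
    actions += [f"apply patch for {a['id']} on {a['service']}" for a in matched]
    if any(t["sensitivity"] == "high" for t in targets):
        actions.append("escalate: high-sensitivity asset reached; open an incident")
    return actions


def hunt_related(flows, src, targets, nets):
    """Step 5: other unfamiliar sources on the same hosts, and outbound flows from them."""
    target_ips = {t["ip"] for t in targets}
    findings = []
    for f in flows:
        if f["src"] == src:
            continue
        if f["dst"] in target_ips and not is_familiar(f["src"], nets):
            findings.append(("other-unfamiliar-source", f["src"], f["dst"]))
        if f["src"] in target_ips and not is_familiar(f["dst"], nets):
            findings.append(("outbound-from-target", f["src"], f["dst"]))
    return findings


def triage(flow_text):
    """Run the five steps in order; each step consumes the previous step's output."""
    flows = parse_flows(flow_text)
    spikes = find_unfamiliar_spike(flows, FAMILIAR_NETS)
    if not spikes:
        return {"verdict": "no-spike"}
    src, n = spikes[0]
    matched = correlate_with_intel(flows, src, ADVISORIES)
    targets = assess_targets(flows, src, ASSETS)
    return {"verdict": "investigate", "source": src, "flows": n,
            "advisories": [a["id"] for a in matched], "targets": targets,
            "actions": plan_response(src, matched, targets),
            "hunt": hunt_related(flows, src, targets, FAMILIAR_NETS)}


if __name__ == "__main__":
    for key, value in triage(FLOW_LOG).items():
        print(f"{key}: {value}")
```

The point of the ordering is that later steps are only meaningful because of earlier ones: the advisory match is scoped to ports the flagged source actually used, the response is scoped to assets it actually reached, and the hunt looks specifically for what the earlier steps would otherwise miss (a second unfamiliar source and an outbound flow from the targeted gateway that a block-and-patch alone would leave unexamined).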

Attackers, especially advanced persistent threats (APTs), rarely reveal their hand in one move. APTs are long-term, stealthy attacks where adversaries carefully plan and execute multiple stages over time to evade detection and persist without being discovered. Even ransomware groups and other cybercriminals are careful to obfuscate parts of their campaigns. Threat detection and response is a multi-step reasoning process in and of itself, and each step of an attack requires independent identification and verification. 

Initial access, lateral movement, and data exfiltration each require distinct, multi-step reasoning for detection and response. If a security team identifies suspicious activity in the network, it must trace the activity back to the source and understand how and where the attacker moved and may continue to move. Multi-step reasoning allows cybersecurity professionals to see the full picture by connecting individual events to form a complete threat narrative.

With the introduction of AI and LLMs in cybersecurity, multi-step reasoning is taking on a new dimension. These tools can now assist security teams by processing vast amounts of data, identifying patterns, and reasoning logically through the multiple steps of an investigation.

For example, a security analyst receives a detection alert for an anomalous login from an administrator employee account. Upon initial review of the user’s event logs, the analyst sees that the user invoked a GetFunction. Rather than spending the next several minutes digging through new and old user events to find a pattern, the analyst first asks Sysdig Sage if the user event is suspicious. Sysdig Sage gives a contextual explanation of what information was obtained with the GetFunction call and mentions the user’s privileges, risk score, and other detected risks. The analyst should now have enough information and cause for concern to determine next steps for escalation and response. Based on the conversation, Sysdig Sage can also recommend immediate response actions, as well as forward-thinking prevention strategies and process improvements.

However, while Sysdig Sage can assist in seriously expediting multi-step reasoning and investigations to thwart attackers, human analysts are still crucial. They bring context, experience, and intuition — qualities that AI, no matter how advanced, cannot replicate.

In cybersecurity, multi-step reasoning is an essential skill for understanding and responding to the complex, multi-faceted threats that organizations face today. Through sequential threat analysis, security professionals can trace attacks, predict attacker behaviors, and create effective, layered defenses based on precise details and an accurate big picture.

Whether you’re detecting a phishing attack, responding to an APT, or leveraging AI for security, multi-step reasoning ensures that every action you take is deliberate, logical, and contributes to the ultimate goal: protecting the organization from evolving cyber threats.