Like many other security professionals, we are fascinated by the possibilities that GPT-style Large Language Models (LLMs) create for security teams. But every tool, software package, and technology has strengths, weaknesses, costs, benefits, and tradeoffs, and these LLMs are no different. The landscape of appropriate use cases for these tools is exciting and rapidly changing. As an organization that values people over process over technology, we immediately began exploring opportunities to augment or assist our people and our processes using this technology.
Intel Cell Use Cases
The analysts in the intel cell of our modern SOC are intently focused on ingesting, curating, analyzing, and distributing impressive amounts of derivative or finished threat intelligence to ensure our clients (and our organization) are focused on the most probable threats. The number of sources and the quantity of information are simply overwhelming. We have always been focused on automating any process we can, and now, with the LLMs available through Microsoft's Azure OpenAI service, we can use these models to assist in this process. We like to think of automation as recipes that have discrete, repeatable steps and consistent outcomes. The following section breaks down our recipe (or pseudocode) for the general steps, automated or manual, needed to process cyber threat intelligence (CTI) reports.
Process
- Identify a report, source, or social post that is interesting and needs to be analyzed.
- Collect, extract, normalize, and prepare the data.
- Build the prompts to thoughtfully analyze the information.
- Extract the pertinent details.
- Post-process the output.
- Voila! Report analyzed!
We use this process for several analytical activities, such as extracting MITRE ATT&CK metadata about an attack, threat, or campaign; matching threats to industries; or synthesizing a long report into an executive summary.
Not only can we extract the information we want, but we can also ask the LLM to explain the reasoning behind its answers.
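To make the recipe concrete, here is a minimal Python sketch of the pipeline. Every name in it (fetch_report, normalize, query_llm) is a hypothetical placeholder for your own collection tooling and LLM client, not a real library; note how the prompt asks the model to explain the reasoning alongside each answer.

```python
# A minimal, hypothetical sketch of the CTI-processing recipe above.
# fetch_report, normalize, and query_llm are placeholders for real
# collection tooling and an LLM client (e.g., an Azure OpenAI call).

ANALYSIS_PROMPT = """You are a threat intelligence analyst.
From the report below, extract:
1. Attacker actions and their likely MITRE ATT&CK techniques
2. Industries that appear to be targeted
3. A short executive summary
For each item, explain the reasoning behind your answer.

REPORT:
{report}
"""

def process_report(url: str) -> str:
    raw = fetch_report(url)                       # 1. collect the interesting report
    text = normalize(raw)                         # 2. extract, normalize, prepare
    prompt = ANALYSIS_PROMPT.format(report=text)  # 3. build the prompt
    answer = query_llm(prompt)                    # 4. extract the pertinent details
    return answer.strip()                         # 5. post-process the output
```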
Extract MITRE ATT&CK Details
Consider the following phrase from a recent report on BlackCat:
- Local and domain user credentials were collected, on a few key systems, by dumping the LSASS process memory and extracting credentials with Microsoft Sysinternals Procdump and Dumpert
Putting on our (human) analyst hat, we can see that this language describes an action the attacker executed, which means it will probably map to a MITRE ATT&CK technique.
Sometimes reports include an appendix or table of relevant techniques, but other times we are left to our own devices. In that case, how can we map this sentence, which describes an action, to a MITRE technique?
Historically, we would use some form of Natural Language Processing (NLP) to parse a sentence into its lexical parts, extract keywords, and compare them to known techniques. This approach is often quite error prone, especially when dealing with nuanced language.
A better option now available to us is to create embeddings using an LLM. An embedding is a numerical vector representation of text that these models can compare quickly. Embeddings and a vector database (a specialized database for storing and searching embeddings) allow us to efficiently compare attacks described in natural language against a pre-existing corpus of MITRE ATT&CK technique embeddings.
If we create an embedding of the sentence above and query our vector database for the most similar embedding, we get: T1003.001 – LSASS Memory. Perfect!
Note that the technique ID is not explicitly stated in the report excerpt, yet the tool was able to match the meaning of the sentence to the appropriate technique from MITRE ATT&CK.
Using this process, we can extract attacker actions from a report even when they are not explicitly mapped to techniques. This helps us build comprehensive profiles of threat actors using multiple sources of information.
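Here is a rough sketch of how that lookup can work. It assumes an Azure OpenAI embedding deployment (the deployment name "text-embedding-3-small" and the tiny two-technique corpus are ours for illustration), and a plain in-memory similarity loop stands in for a real vector database.

```python
import numpy as np
from openai import AzureOpenAI  # pip install openai

client = AzureOpenAI(
    api_key="...",  # assumption: your Azure OpenAI credentials
    api_version="2024-02-01",
    azure_endpoint="https://YOUR-RESOURCE.openai.azure.com",
)

def embed(text: str) -> np.ndarray:
    """Turn text into a numerical vector via an embedding model."""
    resp = client.embeddings.create(model="text-embedding-3-small", input=text)
    return np.array(resp.data[0].embedding)

def cosine(a: np.ndarray, b: np.ndarray) -> float:
    """Similarity between two embeddings (1.0 = identical direction)."""
    return float(a @ b / (np.linalg.norm(a) * np.linalg.norm(b)))

# Tiny stand-in corpus; in practice, embed every ATT&CK technique once
# and store the vectors in a vector database.
techniques = {
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
}
corpus = {tid: embed(desc) for tid, desc in techniques.items()}

sentence = ("Local and domain user credentials were collected by dumping the "
            "LSASS process memory with Microsoft Sysinternals Procdump and Dumpert")
query = embed(sentence)
best = max(corpus, key=lambda tid: cosine(query, corpus[tid]))
print(best, "-", techniques[best])  # expected: T1003.001 - LSASS Memory
```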
Map Reports to Industries
Mapping threat information from real-world use cases to industry buckets is a challenging problem. Accurate mappings let our analysts more closely align with actual threats and more accurately determine real risk. Industry targeting is not a common callout in reports or writeups; at best, company names may be mentioned or generic "industry buckets" indicated, so we often need to parse it out ourselves.
Consider the following statements:
- … major breach of law firm …
- … against the law in their country …
- … targeted the firm. The lawyers employed there …
Each of these three statements carries a significantly different context, and it would be difficult to extract the intended meaning using other types of NLP techniques. But LLMs do a great job of understanding these statements much as a human would.
- … major breach of law firm … : This actor may target law firms.
- … against the law in their country … : "Law" does not indicate an industry here; it just means the action taken is illegal.
- … targeted the firm. The lawyers employed there … : Lawyers employed at a firm = law firm. This actor may target law firms.
In this instance, we have pre-built embeddings of the industries, keywords, and descriptions we cover for our customers. Just as in the previous example, we can create an embedding of the content under analysis and run a quick similarity comparison to find a matching industry that this threat may be targeting.
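A sketch of that comparison, reusing the embed and cosine helpers from the previous example (the three industry descriptions here are illustrative, not our actual customer taxonomy):

```python
# Reuses embed() and cosine() from the ATT&CK sketch above.
industries = {
    "Legal": "Law firms, lawyers, attorneys, and legal services",
    "Healthcare": "Hospitals, clinics, medical providers, health insurers",
    "Finance": "Banks, credit unions, investment and insurance companies",
}
industry_corpus = {name: embed(desc) for name, desc in industries.items()}

def match_industry(statement: str) -> str:
    """Return the industry whose embedding is most similar to the statement."""
    query = embed(statement)
    return max(industry_corpus, key=lambda n: cosine(query, industry_corpus[n]))

print(match_industry("... targeted the firm. The lawyers employed there ..."))
# expected: Legal
```

In practice, we also apply a minimum-similarity threshold before accepting a match, so that statements like "against the law in their country" do not get forced into an industry bucket they merely resemble.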
Summarize Reports
Text summarization is a prime example of LLM functionality and is often the first use case people reach for when applying LLMs to a problem. There are many examples of summarizing academic papers and even whole books. Let's do the same for threat intel reports.
Current LLMs have token limits (you can think of tokens as words or parts of words). This means there is a limit to the amount of information we can pass into a single query. For example, we could not paste a 30-page research paper into a prompt and then ask a question about it. A bit of extra work is required.
First, we need to split the report into "chunks", or blocks of text, so that we can analyze each chunk independently. A simple analogy is splitting a paragraph into sentences. In a real example, a two-page threat intel report might be broken into 10 "documents" after chunking the text.
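A naive chunker, for illustration, might split on paragraphs and pack them into fixed-size blocks (real implementations usually split on token counts rather than characters):

```python
def chunk_text(text: str, max_chars: int = 2000) -> list[str]:
    """Split text into roughly max_chars blocks along paragraph boundaries."""
    chunks, current = [], ""
    for para in text.split("\n\n"):
        if current and len(current) + len(para) > max_chars:
            chunks.append(current.strip())
            current = ""
        current += para + "\n\n"
    if current.strip():
        chunks.append(current.strip())
    return chunks
```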
Then, we "reduce" the analysis by summarizing the parts and gradually combining them back together to form a complete summary. Using an external LLM service like Azure OpenAI, this is broken into several API calls, each one getting closer to the final result. Depending on the prompt you supply, you end up with a shortened, synthesized summary of the report.
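Putting it together, a minimal map-reduce summarizer might look like this. It reuses chunk_text from above and assumes an Azure OpenAI chat deployment (the name "gpt-4o" is a placeholder for whatever deployment you have):

```python
from openai import AzureOpenAI

client = AzureOpenAI(
    api_key="...",  # assumption: your Azure OpenAI credentials
    api_version="2024-02-01",
    azure_endpoint="https://YOUR-RESOURCE.openai.azure.com",
)

def summarize(text: str, deployment: str = "gpt-4o") -> str:
    """One API call: ask the model to summarize a block of text."""
    resp = client.chat.completions.create(
        model=deployment,
        messages=[{
            "role": "user",
            "content": "Summarize this threat intel excerpt in a few sentences:\n\n" + text,
        }],
    )
    return resp.choices[0].message.content

def map_reduce_summary(report: str) -> str:
    # "Map": summarize each chunk independently (several API calls) ...
    partials = [summarize(chunk) for chunk in chunk_text(report)]
    # ... then "reduce": combine the partial summaries in one final pass.
    return summarize("\n\n".join(partials))
```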
Continued Work
The previous examples just scratch the surface of what we are doing (and can do in the future) with LLMs and threat intel. We can automatically gather new reports from the web or social media, aggregate them, and build crowd-sourced summaries of a threat. We can build vector-based "profiles" of threat actors that we can chat with and query against. We could even build a threat prediction engine that provides real-time, language-based analysis of your threat risk for a given industry sector. Exciting times, indeed. Stay tuned as we continue to explore Modern SecOps implementations.
If you are interested in using threat intel to drive security operations, reach out to info@meetascent.com.