Making Sense of Unstructured Threat Data

Presented at BSidesSF 2019, March 4, 2019, 11 a.m. (30 minutes).

Over the last decade the cybersecurity community has made significant progress on collecting and aggregating intelligence that describes threat actors and campaigns, their tactics and techniques, and the technical IOCs they leverage. However, tracking this intelligence as part of cybersecurity operations, or applying it in analytical systems, is difficult because it is generally unstructured. Knowledge bases like MITRE's ATT&CK are an excellent example of how useful intelligence can be once it is organized; getting to that end state is a huge challenge. In this presentation we will show how recent advances in Natural Language Processing (NLP) can help us organize this intelligence and add structure to make it actionable. We will demonstrate how to use Word2Vec, a shallow neural network that learns the meanings of and relationships between words and can therefore be used to organize the information these documents provide. This exercise trains a Word2Vec model on open source intelligence reports from EU-CERT and US-CERT and clusters them into 'tactical categories' that can be mapped to the MITRE ATT&CK framework.
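The pipeline the abstract describes (word vectors learned from report text, document vectors derived from them, documents grouped by tactic) can be sketched end to end in a few dozen lines. The example below is added here and is not code from the talk or from TruSTAR. To keep it dependency-free and deterministic it builds word vectors from windowed co-occurrence counts, the distributional statistics a Word2Vec model approximates, rather than training a neural network; in practice you would swap in a trained Word2Vec model (for example gensim's) for `build_word_vectors` and keep the rest unchanged. The report snippets, the tactic seed terms and the report identifiers are all constructed for the example and are not real CERT advisories or an official ATT&CK mapping.

```python
"""Toy pipeline: report text -> word vectors -> document vectors -> ATT&CK tactic.

Added example, not the talk's code. Word vectors come from windowed
co-occurrence counts (a deterministic stand-in for Word2Vec); document
vectors are the mean of their word vectors; each document is assigned to
the tactic whose seed-term vector is most similar, or "unmapped" if none.
"""
import math
import re
from collections import defaultdict

STOPWORDS = {"the", "a", "an", "and", "to", "of", "in", "on", "via", "with",
             "from", "by", "is", "was", "that", "for", "into"}

# Constructed report snippets (not real CERT advisories).
REPORTS = {
    "rpt-001": ("Phishing email with malicious attachment delivered the loader. "
                "The spearphishing attachment targeted finance staff."),
    "rpt-002": "Spearphishing email lured users into opening a malicious attachment.",
    "rpt-003": ("Registry run key added for persistence; a scheduled task also "
                "maintained persistence after reboot."),
    "rpt-004": "Persistence achieved through a scheduled task and a registry run key.",
    "rpt-005": ("Data staged then exfiltrated over an encrypted channel to "
                "external infrastructure."),
}

# Hand-picked seed terms per ATT&CK tactic (assumed vocabulary, not an official mapping).
TACTIC_SEEDS = {
    "initial-access": ["phishing", "spearphishing", "attachment"],
    "persistence": ["persistence", "registry", "scheduled"],
    "exfiltration": ["exfiltrated", "staged", "channel"],
}


def tokenize(text):
    """Lowercase alphabetic tokens with stopwords removed."""
    return [t for t in re.findall(r"[a-z]+", text.lower()) if t not in STOPWORDS]


def build_word_vectors(docs, window=2):
    """Sparse vector per word: how often each other word appears within +/-window tokens."""
    vectors = defaultdict(lambda: defaultdict(int))
    for text in docs.values():
        toks = tokenize(text)
        for i, word in enumerate(toks):
            for j in range(max(0, i - window), min(len(toks), i + window + 1)):
                if j != i:
                    vectors[word][toks[j]] += 1
    return {w: dict(ctx) for w, ctx in vectors.items()}


def mean_vector(words, vectors):
    """Average the vectors of the in-vocabulary words; {} if none are known."""
    acc, n = defaultdict(float), 0
    for word in words:
        if word in vectors:
            n += 1
            for ctx, count in vectors[word].items():
                acc[ctx] += count
    return {ctx: v / n for ctx, v in acc.items()} if n else {}


def cosine(a, b):
    """Cosine similarity of two sparse vectors; 0.0 when either is empty."""
    dot = sum(v * b[k] for k, v in a.items() if k in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def classify_reports(reports, tactic_seeds, window=2):
    """Return {report_id: (tactic or "unmapped", similarity score)}."""
    vectors = build_word_vectors(reports, window)
    seed_vecs = {t: mean_vector(words, vectors) for t, words in tactic_seeds.items()}
    results = {}
    for rid, text in reports.items():
        doc_vec = mean_vector(tokenize(text), vectors)
        scores = {t: cosine(doc_vec, sv) for t, sv in seed_vecs.items()}
        best, score = max(scores.items(), key=lambda kv: kv[1])
        # A report sharing no context with any seed term gets no tactic rather than a guess.
        results[rid] = (best if score > 0 else "unmapped", round(score, 3))
    return results


if __name__ == "__main__":
    for rid, (tactic, score) in classify_reports(REPORTS, TACTIC_SEEDS).items():
        print(f"{rid}: {tactic} ({score})")
```

The "unmapped" branch matters operationally: a report whose vocabulary overlaps none of the seed terms should be routed to an analyst rather than silently forced into the nearest tactic, and that is where a real Word2Vec model earns its keep, since it relates unseen wording to the seed terms through learned similarity rather than exact co-occurrence.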

Presenters:

  • Zainab Danish - TruSTAR Technology
    Zainab has been working as a Data Scientist at TruSTAR since July 2018. She laid the groundwork for a new data infrastructure at TruSTAR and is helping design more optimized workflows. She also builds Machine Learning models to augment core services in the security platform and loves bringing the latest and greatest technologies to her work at TruSTAR. Prior to this, Zainab received her Master's in Data Science from the University of San Francisco. Aside from Data Science, her other main love in life is tea and all its accompaniments.
  • Nicolas Kseib
    Nicolas is the Lead Data Scientist at TruSTAR Technology, a threat intelligence platform built to accelerate enterprise security investigations. He leads the company's data science initiatives and roadmap. He is always thinking of ways to leverage analytics and machine learning to design features improving the operational efficiency of security teams. Before joining TruSTAR, Nicolas received his M.S. and Ph.D. in Mechanical Engineering from Stanford University specializing in Flow Physics and Computational Engineering.
