GenAI-Security-Adventures icon indicating copy to clipboard operation
GenAI-Security-Adventures copied to clipboard

Published 20 hours ago verified publisher icon OTRF

Contribute set of threat intelligence experiments

Open TomInTheBytes opened this issue 10 months ago • 0 comments

Hi,

First of all, thanks for sharing your work @Cyb3rWard0g! This has been very inspiring to me and triggered me to look into this myself as well. Based on your research I have been experimenting and I would like to share some of this with you to contribute back to the community and potentially receive feedback to improve on this idea. This has been my first experience with using LLMs in programming so it has been very insightful already, but it also means there is much more to learn.

My experiments are the following:

  • Threat actor RAG using Langchain: inspired by your ATT&CK RAG, I was curious to see how this would perform with online published threat actor reports (news, vendor reports, etc) instead of the controlled and already structured formatting that MITRE provides. I use the ETDA threat actor encyclopedia while following your methodology of building a RAG.
  • Threat actor report summaries: using LLM I summarized all the scraped reports to collect condensed material for the next experiment and to be available as additional input to the RAG experiment above. I also foresee this being useful for MultiVector Retrievers.
  • Threat actor assessment: using the report summaries (non-RAG) we can try to assess threat actors through LLMs to prioritize them for a described victim. This leverages the threat box model that rates threat actor on intent and capability. LLMs are interesting there because of the manual work normally required to do this assessment (ideally on a recurring basis) and potentially to remove bias that an analyst could have. I believe this experiment shows great potential but is not quite there yet consistency wise.

I believe these experiments provide additional insight into both possibilities and limitations for these use cases. Hope to hear from you soon.

Note: as you might have already noticed I'm new to contributing to public repositories. I have been working in a separate repo, causing this commit to be huge. These are mostly the documents though. Excuse me if I'm not following some processes or quality standards; if this is the case, please inform me so I can learn and improve!

TomInTheBytes avatar Mar 29 '24 16:03 TomInTheBytes