Every AI Talk from DEF CON 2024

We will begin with an overview of event analysis systems and their challenges. Participants will learn about different types of data sources and logs, the prevalence of false positives, and the difficulty in identifying coordinated attacks. We will set the stage for the live, hands-on demonstration environment where participants can interact and apply what they learn in real-time. Importantly, no prior data science knowledge is required; all tasks will be performed using simple, user-friendly interfaces.

Introduction to MITRE ATT&CK Framework: An essential part of our session is understanding the MITRE ATT&CK framework. We will cover its structure, including Tactics, Techniques, and Procedures (TTPs), and explain why mapping alerts to this framework is crucial for standardizing threat detection and enhancing our capabilities.

Leveraging Open Source AI Tools: Next, we will delve into the open-source AI tools that will be used throughout the session. We will introduce families of algorithms including clustering and community detection, natural language processing with large language models (LLMs), and Markov chains. These tools are designed to be accessible and will be operated through straightforward interfaces. Participants will be guided through setting up a demo environment to follow along and interact with the exercises.

Data Preprocessing and Normalization: Participants will learn how to import and clean data from various sources, normalize data formats, and handle missing data. We will highlight some methods to get rich test data. This step is crucial for ensuring that the subsequent analysis is accurate and reliable. The hands-on exercise will involve preprocessing a sample dataset in real-time, using easy-to-follow steps and intuitive interfaces.

Mapping Alerts to MITRE ATT&CK Techniques: We will demonstrate techniques for mapping SIEM data to MITRE ATT&CK manually and using automated tools. The live demo will include a hands-on exercise where participants will map a sample dataset to MITRE ATT&CK Techniques, using AI to enhance mapping accuracy. All this will be done through simple interfaces that do not require deep technical knowledge.

Clustering Alerts into Contextualized Attack Steps: This section focuses on methods such as clustering and community detection. Participants will learn the criteria for clustering alerts based on temporal, spatial, and technical attributes. They will engage in a hands-on exercise to cluster sample alerts and evaluate the quality and relevance of the clusters, again using user-friendly interfaces.

Building Killchains: Participants will understand the concept and importance of killchains in cybersecurity. We will demonstrate methods for linking attack steps into a cohesive killchain, with a hands-on exercise to create a killchain from clustered data. Participants will analyze killchains to identify patterns and coordinated attacks, all through accessible interfaces.

Generating Actionable Tickets: We will outline the criteria for generating three types of tickets: FP Tickets, Incident Tickets, and Attack Story Tickets. Through a hands-on exercise, participants will generate sample tickets and learn how to ensure each ticket type is comprehensive and actionable. This process will be facilitated through simple interfaces that guide the user step-by-step.

Integrating and Automating the Workflow: Finally, we will discuss integrating this workflow into existing SOC setups and automating the process using scripts and tools. Participants will see how to maintain and update the system, ensuring continuous improvement in threat detection and response. The automation will be demonstrated in a way that requires minimal technical skills.

Q&A and Troubleshooting: The session will conclude with an open floor for questions, addressing common issues, and offering troubleshooting tips. Participants will also receive resources for further learning and support to continue enhancing their skills post-session.

Conclusion: By the end of this interactive session, participants will have hands-on experience using open-source AI tools to enhance their SOC capabilities. They will be able to map alerts to MITRE ATT&CK Techniques, cluster data into meaningful attack steps, and build comprehensive killchains to uncover coordinated attacks. Additionally, they will learn to generate actionable tickets to facilitate immediate response and long-term improvements in their security posture. All of this will be achieved without needing advanced data science knowledge, thanks to the simple and intuitive interfaces provided.

Participants are encouraged to apply these techniques in their own environments and continue exploring the vast capabilities of open-source AI in cybersecurity. The live demo environment setup will provide a practical and engaging way to solidify these concepts and skills.

Given a SIEM loaded with alerts, logs and events from a variety of data sources, your task is to find the coordinated attack in the LOTS of noise of false positives & lone incidents.

Together we will use opensource AI tools to map all of the hetrogenous data on the SIEM to MITRE ATT&CK Techniques, and then Cluster based on a variety of attributes to form contetualized Attack Steps. We will then fuse these attack steps based on timeline, causality and assets involved into killchains to reveal coordinated attacks.

You are required to output the following tickets:

– FP Ticket that has clusters of false positives and tuning advisories & suggestions that should be forwarded to detection engineering to tune.

– Incident Ticket that has remediation & investigation advisories & action playbooks for the contextualized lone-incidents identified.

– Attack Story Ticket that has a correalted set of clusters of alerts & logs revealing a coordinated attack killchain affecting a variety of assets over a stretch of time.



Source link