Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Contribute set of threat intelligence experiments #3

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Contribute set of threat intelligence experiments #3

wants to merge 1 commit into from

Conversation

TomInTheBytes
Copy link

@TomInTheBytes TomInTheBytes commented Mar 29, 2024
edited
Loading

Hi,

First of all, thanks for sharing your work @Cyb3rWard0g! This has been very inspiring to me and triggered me to look into this myself as well. Based on your research I have been experimenting and I would like to share some of this with you to contribute back to the community and potentially receive feedback to improve on this idea. This has been my first experience with using LLMs in programming so it has been very insightful already, but it also means there is much more to learn.

My experiments are the following:

  • Threat actor RAG using Langchain: inspired by your ATT&CK RAG, I was curious to see how this would perform with online published threat actor reports (news, vendor reports, etc) instead of the controlled and already structured formatting that MITRE provides. I use the ETDA threat actor encyclopedia while following your methodology of building a RAG.
  • Threat actor report summaries: using LLM I summarized all the scraped reports to collect condensed material for the next experiment and to be available as additional input to the RAG experiment above. I also foresee this being useful for MultiVector Retrievers.
  • Threat actor assessment: using the report summaries (non-RAG) we can try to assess threat actors through LLMs to prioritize them for a described victim. This leverages the threat box model that rates threat actor on intent and capability. LLMs are interesting there because of the manual work normally required to do this assessment (ideally on a recurring basis) and potentially to remove bias that an analyst could have. I believe this experiment shows great potential but is not quite there yet consistency wise.

I believe these experiments provide additional insight into both possibilities and limitations for these use cases. Hope to hear from you soon.

Note: as you might have already noticed I'm new to contributing to public repositories. I have been working in a separate repo, causing this commit to be huge. These are mostly the documents though. Excuse me if I'm not following some processes or quality standards; if this is the case, please inform me so I can learn and improve!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@TomInTheBytes