Security Bsides Las Vegas 2024

Ezz Tahoun

Ezz Tahoun is a distinguished cyber data scientist who won awards at Yale, Northwestern and Princeton universities as well as prizes from CCCS, CSE, Microsoft, Trustwave and PIA. During his PhD studies at the University of Waterloo, he authored 19 papers and 4 open-source projects and served as a reviewer for top conferences. He led innovative security projects for Royal Bank of Canada, Orange, Canarie, Huawei, Forescout, various governments, and others. He holds the following certifications: GIAC Advisory Board, GCIH, GSEC, GFACT, CEH, CISM, CRISC, PMP, GCP Professional Cloud Architect, and was an Adjunct Professor of Cyber Security. Ezz speaks at many cyber security conferences year-round.


Session

08-07
17:00
45min
ZERO-RULES Alert Contextualizer & Correlator
Ezz Tahoun

Detecting multi-stage cyber attacks is challenging because the individual incidents are often disjointed and hidden among noise. Current correlation rules have limited effectiveness because alert tagging is inconsistent and the rules are not expressive enough to model a full attack flow.
This talk explores using open-source AI models to connect disparate security events into cohesive MITRE ATT&CK campaigns. We leverage large language models to classify alerts with relevant ATT&CK techniques, and graph models to cluster related events, establishing incident context. A tailored model then cross-correlates and chains these clusters, probabilistically revealing full ATT&CK flows.
Experiments across public and private datasets showcase the approach's ability to accurately correlate slow, stealthy attack chains that evade traditional detection. Key findings, use cases, and limitations are presented.
Novel aspects include using subject matter expert language models for alert enrichment, transforming enriched data into temporal knowledge graphs, and applying hierarchical clustering and Markov models to probabilistically chain incidents into campaigns.
This lays the groundwork for a new era of open, cutting-edge security analytics that thwarts cyber threats by prioritizing targeted campaigns over individual incidents. The perspective shifts from narrow correlation rules to capturing the diverse attack flows hiding in the noise.
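The three stages the abstract describes (technique enrichment, temporal-graph clustering into incidents, Markov chaining of incidents into campaigns) can be sketched end to end in a few dozen lines. The following is an added example written for this page, not the speaker's code or data: the alerts, the alert-name-to-technique lookup that stands in for the LLM classifier, the two-hour clustering window, and the tactic transition probabilities are all constructed for illustration, and connected components over the temporal graph stand in for the hierarchical clustering the talk uses.

```python
"""Added example: alert -> incident -> campaign pipeline in the shape the abstract
describes. All data, mappings and probabilities below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# 1. Enrichment. The talk uses an LLM to tag each alert with an ATT&CK technique;
#    a hand-written lookup on the alert name stands in for it here (assumed mapping).
TECHNIQUES = {
    "phishing_attachment_opened": ("T1566.001", "initial-access"),
    "powershell_encoded_command": ("T1059.001", "execution"),
    "scheduled_task_created": ("T1053.005", "persistence"),
    "lsass_memory_read": ("T1003.001", "credential-access"),
    "admin_share_remote_service": ("T1021.002", "lateral-movement"),
    "large_outbound_transfer": ("T1048", "exfiltration"),
}

# 3. Chaining prior: P(next incident opens with tactic b | previous one ended with a).
#    Invented numbers; a real model would estimate these from labelled campaigns.
TRANSITIONS = {
    "initial-access": {"execution": 0.6, "persistence": 0.2, "credential-access": 0.1},
    "execution": {"persistence": 0.4, "credential-access": 0.3, "lateral-movement": 0.1},
    "persistence": {"credential-access": 0.5, "lateral-movement": 0.3, "exfiltration": 0.1},
    "credential-access": {"lateral-movement": 0.6, "exfiltration": 0.2},
    "lateral-movement": {"credential-access": 0.2, "collection": 0.3, "exfiltration": 0.4},
}

def enrich(alert):
    """Attach technique id and tactic to a raw alert; unknown names get None."""
    tech, tactic = TECHNIQUES.get(alert["name"], (None, None))
    return {**alert, "technique": tech, "tactic": tactic,
            "ts": datetime.fromisoformat(alert["ts"])}

def cluster_incidents(alerts, window=timedelta(hours=2)):
    """2. Temporal graph: edge between two alerts that share a host or user and lie
    within `window` of each other; incidents are the connected components."""
    alerts = sorted(alerts, key=lambda a: a["ts"])
    parent = list(range(len(alerts)))          # union-find over alert indices
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i, a in enumerate(alerts):
        for j in range(i + 1, len(alerts)):
            b = alerts[j]
            if b["ts"] - a["ts"] > window:
                break                          # sorted by time: nothing later qualifies
            if a["host"] == b["host"] or a["user"] == b["user"]:
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(i)].append(a)              # each group stays in time order
    return sorted(groups.values(), key=lambda g: g[0]["ts"])

def entities(incident):
    return {a["host"] for a in incident} | {a["user"] for a in incident}

def chain_campaigns(incidents, min_prob=0.1, max_gap=timedelta(days=7)):
    """3. Greedy Markov chaining: attach an incident to the chain whose last incident
    shares an entity with it and yields the highest transition probability from its
    closing tactic to this incident's opening tactic; otherwise open a new chain."""
    chains = []   # each: {"incidents": [...], "score": product of transition probs}
    for inc in incidents:
        if inc[0]["tactic"] is None:
            continue                           # unclassified alerts cannot be placed in a flow
        best, best_p = None, 0.0
        for ch in chains:
            prev = ch["incidents"][-1]
            if inc[0]["ts"] - prev[-1]["ts"] > max_gap or not (entities(prev) & entities(inc)):
                continue
            p = TRANSITIONS.get(prev[-1]["tactic"], {}).get(inc[0]["tactic"], 0.0)
            if p >= min_prob and p > best_p:
                best, best_p = ch, p
        if best is None:
            chains.append({"incidents": [inc], "score": 1.0})
        else:
            best["incidents"].append(inc)
            best["score"] *= best_p
    return chains

def campaigns(raw_alerts):
    """Whole pipeline; returns only chains of two or more incidents, highest score first."""
    chains = chain_campaigns(cluster_incidents([enrich(a) for a in raw_alerts]))
    return sorted((c for c in chains if len(c["incidents"]) > 1), key=lambda c: -c["score"])

# Constructed sample: one slow three-day intrusion on ws01/srv01 plus two unrelated alerts.
SAMPLE = [
    {"ts": "2024-03-01T09:00", "host": "ws01", "user": "alice", "name": "phishing_attachment_opened"},
    {"ts": "2024-03-01T09:05", "host": "ws01", "user": "alice", "name": "powershell_encoded_command"},
    {"ts": "2024-03-01T09:30", "host": "ws01", "user": "alice", "name": "scheduled_task_created"},
    {"ts": "2024-03-01T10:00", "host": "ws07", "user": "bob", "name": "av_signature_update_failed"},
    {"ts": "2024-03-02T09:00", "host": "ws03", "user": "carol", "name": "powershell_encoded_command"},
    {"ts": "2024-03-02T14:00", "host": "ws01", "user": "alice", "name": "lsass_memory_read"},
    {"ts": "2024-03-02T14:20", "host": "srv01", "user": "alice", "name": "admin_share_remote_service"},
    {"ts": "2024-03-03T02:00", "host": "srv01", "user": "svc_backup", "name": "large_outbound_transfer"},
]

if __name__ == "__main__":
    for c in campaigns(SAMPLE):
        flow = [a["tactic"] for inc in c["incidents"] for a in inc]
        print(f"score={c['score']:.2f} alerts={sum(map(len, c['incidents']))} flow={flow}")
```

On the sample, the eight alerts fall into five incidents (three on day one for alice, two isolated alerts, the credential-theft-plus-lateral-movement pair on day two, and the transfer from srv01 on day three). No single two-hour window sees more than three of them, which is what a rule keyed on a fixed time window would miss; the chaining step instead links the incidents through shared entities and the persistence to credential-access and lateral-movement to exfiltration transitions, producing one six-alert campaign with score 0.5 times 0.4. The isolated PowerShell alert on ws03 shares no entity with that chain and stays a single-incident chain that `campaigns()` drops. The `max_gap`, `min_prob` and window values are the knobs a practitioner would tune against labelled data.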

Ground Truth
Siena