Security Bsides Las Vegas 2024

ZERO-RULES Alert Contextualizer & Correlator
2024-08-07, Siena

Detecting multi-stage cyber attacks is challenging as incidents are often disjointed and hidden among noise. Current correlation rules have limited effectiveness due to inconsistent alert tagging and lack of complexity to model full attack flows.
This talk explores using open-source AI models to connect disparate security events into cohesive MITRE ATT&CK campaigns. We leverage large language models to classify alerts with relevant ATT&CK techniques, and graph models to cluster related events, establishing incident context. A tailored model then cross-correlates and chains these clusters, probabilistically revealing full ATT&CK flows.
Experiments across public and private datasets showcase the approach's ability to accurately correlate slow, stealthy attack chains that evade traditional detection. Key findings, use cases, and limitations are presented.
Novel aspects include using subject matter expert language models for alert enrichment, transforming enriched data into temporal knowledge graphs, and applying hierarchical clustering and Markov models to probabilistically chain incidents into campaigns.
This lays groundwork for a new era of open, cutting-edge security analytics to thwart cyber threats by prioritizing targeted campaigns over individual incidents. Perspectives are shifted from narrow correlation rules to capturing diverse attack flows hiding in the noise.


An attack is composed of many incidents across the cyber kill chain, and connecting these seemingly unrelated incidents is a critical but challenging and time-consuming manual endeavor, as they tend to hide in the noise of lone incidents and false positives.

State of the art solutions use multi-step correlation or chaining rules that join same-origin alerts tagged with sequential MITRE ATT&CK techniques occurring within a short time window of each other.
This is ineffective because most environments have multiple sensor types with varying quality and consistency in how they tag their alerts with MITRE ATT&CK techniques. Additionally, the correlation logic is inadequate: it lacks the complexity needed to encompass the possible MITRE ATT&CK flows and to be resilient to detection gaps. On top of all that, running these numerous rules for every alert is extremely computationally expensive, so they aren't really used in today's SOCs, even at Fortune 100s.
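To make the weaknesses concrete, here is a minimal version of the kind of multi-step chaining rule described above, run over a few constructed alerts. This is an added illustration, not code from the talk or its authors; the four-technique flow, the host and sensor names, and the timestamps are all assumed for the example. The three scenarios show the two failure modes the text names: a sensor that leaves its alert untagged breaks the chain outright, and a slow attack whose steps are spread out falls outside the time window.

```python
"""Added example (not from the talk): a minimal multi-step correlation rule of the
kind the text describes, run over constructed alerts to show why it is brittle."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str                 # the "same-origin" key the rule joins on
    technique: Optional[str]  # ATT&CK technique ID as tagged by the sensor; None = untagged
    sensor: str


# One assumed, simplified flow the rule looks for, in order:
# phishing -> command & scripting interpreter -> process injection -> remote services
FLOW = ["T1566", "T1059", "T1055", "T1021"]


def chain_rule(alerts, flow=FLOW, window=timedelta(minutes=30)):
    """Multi-step correlation rule: for each host, start at an alert tagged flow[0]
    and greedily take the earliest later alert tagged with the next technique that
    falls within `window` of the previous step. Returns the fully matched chains."""
    by_host = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host.setdefault(a.host, []).append(a)
    matches = []
    for seq in by_host.values():
        for start in seq:
            if start.technique != flow[0]:
                continue
            chain = [start]
            for step in flow[1:]:
                prev = chain[-1]
                nxt = next((a for a in seq
                            if a.ts > prev.ts
                            and a.ts - prev.ts <= window
                            and a.technique == step), None)
                if nxt is None:   # tag missing or step outside the window: chain dies here
                    break
                chain.append(nxt)
            if len(chain) == len(flow):
                matches.append(chain)
    return matches


T0 = datetime(2024, 8, 7, 9, 0)  # constructed base timestamp


def scenario_clean():
    """Fast attack on ws-17 where every sensor tags its alert, plus one lone incident."""
    return [
        Alert(T0, "ws-17", "T1566", "email-gw"),
        Alert(T0 + timedelta(minutes=5), "ws-17", "T1059", "edr"),
        Alert(T0 + timedelta(minutes=12), "ws-17", "T1055", "edr"),
        Alert(T0 + timedelta(minutes=20), "ws-17", "T1021", "netflow"),
        Alert(T0 + timedelta(minutes=3), "ws-02", "T1059", "edr"),   # unrelated noise
    ]


def scenario_untagged():
    """Same attack, but the netflow sensor emits no ATT&CK tag on its alert."""
    alerts = scenario_clean()
    alerts[3] = Alert(alerts[3].ts, "ws-17", None, "netflow")
    return alerts


def scenario_slow(gap=timedelta(minutes=90)):
    """Same attack, but each step is `gap` apart (a slow, stealthy chain)."""
    return [
        Alert(T0, "ws-17", "T1566", "email-gw"),
        Alert(T0 + gap, "ws-17", "T1059", "edr"),
        Alert(T0 + 2 * gap, "ws-17", "T1055", "edr"),
        Alert(T0 + 3 * gap, "ws-17", "T1021", "netflow"),
    ]


def run_scenarios(window_minutes=30):
    """Number of complete chains the rule finds in each constructed scenario."""
    window = timedelta(minutes=window_minutes)
    return {
        "clean": len(chain_rule(scenario_clean(), window=window)),
        "untagged": len(chain_rule(scenario_untagged(), window=window)),
        "slow": len(chain_rule(scenario_slow(), window=window)),
    }


if __name__ == "__main__":
    print(run_scenarios(30))    # {'clean': 1, 'untagged': 0, 'slow': 0}
    print(run_scenarios(360))   # widening the window recovers 'slow' but never 'untagged'
```

Widening the window to six hours recovers the slow chain, but only at the price of scanning many more candidate alerts per host and per step, which is the computational cost the text points to; no window size recovers the chain with the untagged alert, because the rule has nothing to join on.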

In creating our own weakly supervised solution, we explore the realm of open-source AI models and find many models with promising capabilities that can be repurposed to connect disjointed incidents into cohesive MITRE ATT&CK flows.
To do so, we use a custom-made LLM to classify each alert with relevant ATT&CK techniques, and a specifically designed graph model to probabilistically cluster alerts with relevant telemetry and events to establish incident context. Subsequently, a tailored model comprehensively cross-correlates and chains incidents, revealing MITRE ATT&CK flows.

We conducted experiments using a diverse range of public and private datasets, allowing us to identify several models that exhibited promising results. Notably, top performing models excelled in correlating slow and stealthy attack chains, showcasing impressive accuracy.

Our briefing showcases specific examples to illustrate the effectiveness of these models. Furthermore, we present our key findings, lessons learned, and practical use cases, while also addressing the challenges and limitations encountered during the process.

Completely new here is the application of subject matter expert LLMs to cyber security operations: events are abstracted, standardized, normalized and enriched by classifying the MITRE ATT&CK techniques present in events or alerts, regardless of format, vendor or data type.

Another novel, groundbreaking application is transforming these enriched security events into a temporal knowledge graph specifically designed to expose the interrelationships between logs, alerts, and events. This graph is then analyzed by a novel, scalable, state of the art temporal knowledge graph embedding algorithm that represents these alerts in an encoding fine-tuned for a state of the art hierarchical density-based clustering algorithm.

End-to-end novelty is reached when a specifically designed Markov model, a recurrent neural network and a transformer are used to chain these clusters and find MITRE ATT&CK flows probabilistically, with highly interpretable and explainable logic.
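The Markov part of that chaining step can be illustrated with a small first-order model over technique IDs. This is an added example, not the talk's model or code: the training flows are constructed stand-ins for labelled campaigns, each candidate chain is assumed to be a time-ordered list of incident clusters already summarised by their dominant technique, and additive smoothing is used so that a step the sensors missed lowers a chain's score without zeroing it out. The per-transition breakdown is what makes the result explainable to an analyst.

```python
"""Added example (not the talk's code): a smoothed first-order Markov chain over
ATT&CK technique IDs that scores and ranks candidate chains of incident clusters."""
import math
from collections import Counter

START = "<START>"  # virtual state preceding the first step of a flow

# Constructed "known" flows (technique IDs only) used to estimate transition
# probabilities; in practice these would come from labelled campaigns.
TRAINING_FLOWS = [
    ["T1566", "T1059", "T1055", "T1021", "T1041"],
    ["T1566", "T1059", "T1003", "T1021", "T1041"],
    ["T1190", "T1059", "T1003", "T1021", "T1486"],
    ["T1566", "T1204", "T1059", "T1003", "T1041"],
]


class TechniqueMarkovChain:
    """First-order Markov chain over technique IDs with add-alpha smoothing, so an
    unseen transition (detection gap, novel step) keeps a small non-zero probability."""

    def __init__(self, flows, alpha=1.0):
        self.alpha = alpha
        self.states = sorted({t for flow in flows for t in flow})
        self.counts = {}
        for flow in flows:
            prev = START
            for t in flow:
                self.counts.setdefault(prev, Counter())[t] += 1
                prev = t

    def transition(self, a, b):
        """P(b | a), smoothed over every known technique state."""
        row = self.counts.get(a, Counter())
        total = sum(row.values())
        return (row[b] + self.alpha) / (total + self.alpha * len(self.states))

    def explain(self, chain):
        """The interpretable part: one (from, to, probability) triple per step."""
        steps, prev = [], START
        for t in chain:
            steps.append((prev, t, self.transition(prev, t)))
            prev = t
        return steps

    def log_likelihood(self, chain):
        return sum(math.log(p) for _, _, p in self.explain(chain))

    def score(self, chain):
        """Length-normalised log-likelihood so chains of different length compare."""
        return self.log_likelihood(chain) / len(chain)


def rank_candidates(model, candidates):
    """candidates: {name: [dominant technique of each cluster, in time order]}.
    Returns the names ordered from most to least flow-like."""
    return sorted(candidates, key=lambda name: model.score(candidates[name]), reverse=True)


# Constructed candidate chains of incident clusters, each cluster summarised by
# its dominant technique ID (assumed output of the clustering stage).
CANDIDATES = {
    "campaign-A": ["T1566", "T1059", "T1003", "T1021", "T1041"],
    "gap-B": ["T1566", "T1003", "T1021", "T1041"],      # the T1059 step was never detected
    "noise-C": ["T1021", "T1566", "T1486", "T1059"],    # unrelated lone incidents
}


if __name__ == "__main__":
    model = TechniqueMarkovChain(TRAINING_FLOWS)
    for name in rank_candidates(model, CANDIDATES):
        print(name, round(model.score(CANDIDATES[name]), 3))
        for a, b, p in model.explain(CANDIDATES[name]):
            print(f"    {a:>8} -> {b:<6} p={p:.3f}")
```

With these inputs the intact campaign ranks first, the chain with a missed step still ranks above the noise chain (each of its transitions is either well attested or penalised only once), and the printed per-step probabilities tell the analyst exactly which link is weak. A real deployment would estimate the transition table from far more flows and would condition on the cluster features, not just the dominant technique.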

This lays the core groundwork for a new era of open, cutting-edge analytics for security operations, forensics, and incident response that can help thwart cyber crime when paired with commoditized detection as code, open data lakes, and standardized data formats.

Change your perspective from prioritizing highly malicious incidents, to prioritizing highly targeted campaigns.

Transform your frame of mind from thinking AI usage is for data scientists only, and use open models on your security events, with your team of security analysts and forensics specialists. We drive cars without being automotive scientists.

Rewire your thinking from fine tuning narrow correlation rules into fine tuning procedures that could capture stealthy and slow attack campaigns of various kinds.

Evolve your mindset from threat hunting IOCs and IOAs to hunting sequential/causal attacks hiding in the noise of lone incidents and false positives.

Understanding and using new, cutting-edge open data science models that solve core problems in cyber security operations.

Ezz Tahoun is a distinguished cyber data scientist who won awards at Yale, Northwestern and Princeton universities as well as prizes from CCCS, CSE, Microsoft, Trustwave and PIA. During his PhD studies at the University of Waterloo, he authored 19 papers and 4 open source projects, and was a reviewer for top conferences. He led innovative security projects for Royal Bank of Canada, Orange, Canarie, Huawei, Forescout, various governments, and others. He holds the following certifications: GIAC Advisory Board, GCIH, GSEC, GFACT, CEH, CISM, CRISC, PMP, GCP Prof Cloud Architect, and was an Adjunct Professor of Cyber Security. Ezz speaks at many cyber security conferences year round.