Security BSides Las Vegas 2025

Cybelle Oliveira

Cybelle is a Cyber Threat Intelligence researcher and a Master’s student in Cyber Intelligence. She teaches in a postgraduate CTI specialization program in Brazil and is the co-founder of La Villa Hacker — the first DEF CON village dedicated to the Portuguese and Spanish-speaking community.
Cybelle has spoken at some of the world’s leading security conferences, including DEF CON, BSides, H2HC, 8.8 Chile, Radical Networks, and Mozilla Festival, among many others. Her work often explores the intersection of cyber threats, geopolitics, and underreported regions, with a particular interest in the strange, obscure, and catastrophically messy corners of cybersecurity.


Session

08-04
18:00
25min
RAGnarok: Assisting Your Threat Hunting with Local LLM
Cybelle Oliveira, Jun Miura

Threat hunting is a proactive approach for identifying undetected threats within an organization's environment, and it requires various sophisticated skills.
RAGnarok is a tool that assists the threat hunting process with a Large Language Model (LLM). It can automatically generate a Sigma rule for a specific attack technique based on threat intelligence.
Because threat hunting depends strongly on environmental elements that are often regarded as confidential information, RAGnarok adopts a local LLM. RAGnarok can collect and interpret the environmental information autonomously, then reflect it in the generated results without uploading any information to the Internet.
To achieve better results with limited computer resources, RAGnarok is based mainly on 3 technologies: "Quantized LLM", "Retrieval-Augmented Generation (RAG)", and "Multi-Agent System". A quantized LLM can make execution faster, and the RAG mechanism enables RAGnarok to avoid hallucination and improve the accuracy of the generated result without fine-tuning. In addition, combining RAG with a multi-agent system allows the application to gain deeper specialization. These technologies can allow RAGnarok to run on a CPU-only machine and generate practical outputs.
This talk provides the technical details of RAGnarok, a demo, know-how, and tips obtained by developing it.

Proving Ground
Firenze