Detect Fast Fast

**

Team members and respective divisions

**

1. Zhuang Xinmin – CDOI – Threat Intelligence Research & Analysis [Team Lead]
2. Jervin Tan – CDOI – Threat Intelligence Research & Analysis
3. See Kar Leong – CDOI – Detection Development
4. Yap Jun Xian – CDOI – Detection Development
5. Kit Han Seah – CDOI – GITSIR
6. Kelvin Leong – CSG Engineering – Product development

Details on your problem statements and problem formulation process

The increasing volume and complexity of threat intelligence reports present a significant challenge for security operations teams. Manually extracting Tactics, Techniques, and Procedures (TTPs) from these reports is a time-consuming and error-prone process, hindering the proactive development and deployment of effective detection rules. This project aims to automate the ingestion, analysis, and extraction of TTPs from threat intelligence, leveraging an AI agent to generate YARA-L rules. These rules will be automatically tested and validated within a Google SecOps environment via a streamlined DevOps pipeline, significantly improving the speed and accuracy of threat detection capabilities.

Problem Formulation Process

Following the discussions with the business owner, two significant problems/challenges were identified:

1. The review and extraction of critical information, specifically Tactics, Techniques, and Procedures (TTPs), from reports demands substantial organizational resources and time investment.
2. The development of detection rules is time-intensive and may be constrained by the engineers' comprehension and interpretation of the report contents. To address the problems listed above, the aim of the solution would have to minimize turnover time from report received to generating of the detection rule.

Details on the solution

We can use LLMs to analyze the reports and extract the TTPs, as well as create the detection rules in Yara-L, the language used in the Government Cyber Security Operations Centre (GCSOC). Intel teams can then review the findings and rules to ensure accuracy and useability, leading to higher efficiency.

• Prototype solution – Using the AI bot to extract the TTPs and its information from the report uploaded. Subsequently, creating the detection rule. The user will be able to consistently refine the rule on the AI bot before implementing it on chronicle. The AI bot has been trained with more than 1000 chronicle rule that is found in the public repository used by many out there. Impact and outcomes analysis of your solution After using the AI bot to help with the problem, we have seen a significant reduce in time taken from report received to detection rule generation. Despite there are still requirements for the bot to be prompt a few times before the rule syntax are of a certain confidence/fidelity. We may require more variant of rule syntaxes to train the RAG of the LLM but are constrained by the amount of available public resources.

Future steps for the project

• We plan to set up 1 LLM (TTPs extraction and Rules Creation) with an AI agent to call back SecOps (Chronicle SIEM) for managing rules (List, Get, Create and Delete)
• We plan to Improve LLM accuracy to ensure high fidelity of rules’ detection to avoid false negatives or false positives