BSidesSF 2019

Over the last decade the cybersecurity community has made significant progress on collecting and aggregating intelligence that describes threat actors and campaigns, their tactics and techniques, and technical IOCs leveraged by them. However, tracking this intelligence as part of cybersecurity operations or applying it to analytical systems is difficult because it is generally unstructured. Knowledge bases like MITRE's ATT&CK are an excellent example of how useful intelligence can be once it's organized—getting to that end state is a huge challenge. In this presentation we will show how recent advances in Natural Language Processing (NLP) can help us organize this intelligence and add structure to make it actionable. We will demonstrate how to use Word2Vec: a shallow neural network which understands meanings and relationships between words and can therefore be used to organize the information these documents provide. This exercise trains a Word2Vec model on open source intelligence reports coming from EU-CERT and US-CERT and clusters them into ‘tactical categories’, that can be mapped to the MITRE ATT&CK framework.