Death to the IOC: What's Next in Threat Intelligence

Black Hat USA 2019

Presented by: Bhavna Soman
Date: Thursday August 08, 2019
Time: 09:00 - 09:25
Location: South Seas ABE

Humans cannot scale to the amount of Threat Intelligence being generated. The Security Community has mastered the use of machine-readable feeds from OSINT systems or third-party vendors, but these usually provide IOCs (indicators of compromise) or IOAs (indicators of attack) without contextual information. On the other hand, we have rich textual data that describes the operations of cyber attackers and their tools, tactics and procedures, contained in internal incident response reports, public blogs and white papers. Today, we can't automatically consume or use these data because they are composed of unstructured text. Threat Analysts manually go through them to extract information about the adversaries most relevant to their threat model, but that manual work is a bottleneck for time and cost.

In this project we will automate this process using Machine Learning. We will share how we can use ML for Custom Entity Extraction to automatically extract entities specific to the cyber security domain from unstructured text. We will also share how this system can be used to generate insights such as:
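As an added, self-contained illustration of what custom entity extraction over threat-intel prose involves (this is example code written for this page, not the presenter's system or any Microsoft code), the script below trains a small multi-class perceptron sequence tagger with BIO labels on a handful of constructed sentences and then pulls MALWARE, TOOL, ACTOR and TECHNIQUE spans out of new text. The entity types, feature set and training sentences are assumptions chosen for the example; a production system would use far more labelled data and a stronger model, but the mechanics (tokenize, featurize each token with its context, tag, merge BIO tags into spans) are the same.

```python
"""Tiny custom entity extractor for threat-intel prose.

Illustrative example only: a plain multi-class perceptron tagger over
BIO labels, trained on constructed sentences. Entity types, features and
training text are assumptions made for this example, not a real dataset.
"""
import re
from collections import defaultdict

# Constructed training sentences for illustration (not taken from any report).
# Each token carries a BIO label for one of four assumed entity types.
TRAINING_DATA = [
    [("Emotet", "B-MALWARE"), ("was", "O"), ("delivered", "O"), ("via", "O"),
     ("spearphishing", "B-TECHNIQUE"), ("attachments", "O"), ("and", "O"),
     ("later", "O"), ("dropped", "O"), ("TrickBot", "B-MALWARE"), (".", "O")],
    [("The", "O"), ("operators", "O"), ("ran", "O"), ("Mimikatz", "B-TOOL"),
     ("for", "O"), ("credential", "B-TECHNIQUE"), ("dumping", "I-TECHNIQUE"),
     ("before", "O"), ("deploying", "O"), ("Cobalt", "B-TOOL"),
     ("Strike", "I-TOOL"), (".", "O")],
    [("FIN7", "B-ACTOR"), ("has", "O"), ("used", "O"), ("Carbanak", "B-MALWARE"),
     ("against", "O"), ("hospitality", "O"), ("targets", "O"), (".", "O")],
    [("Lateral", "B-TECHNIQUE"), ("movement", "I-TECHNIQUE"), ("relied", "O"),
     ("on", "O"), ("PsExec", "B-TOOL"), ("and", "O"), ("stolen", "O"),
     ("credentials", "O"), (".", "O")],
]

TOKEN_RE = re.compile(r"\w+|[^\w\s]")  # words, or single punctuation characters


def word_shape(w):
    """Collapse a token to its character classes: 'TrickBot' -> 'XxXx', 'FIN7' -> 'Xd'."""
    shape = "".join("X" if c.isupper() else "x" if c.islower() else
                    "d" if c.isdigit() else c for c in w)
    return re.sub(r"(.)\1+", r"\1", shape)


def token_features(tokens, i):
    """Sparse binary features for token i, including its left/right context."""
    w = tokens[i]
    prev_w = tokens[i - 1].lower() if i > 0 else "<s>"
    next_w = tokens[i + 1].lower() if i + 1 < len(tokens) else "</s>"
    return ["w=" + w.lower(), "suf3=" + w[-3:].lower(), "shape=" + word_shape(w),
            "prev=" + prev_w, "next=" + next_w, "prev+w=" + prev_w + "|" + w.lower()]


class PerceptronTagger:
    """Multi-class perceptron: one weight per (label, feature) pair."""

    def __init__(self):
        self.weights = defaultdict(float)
        self.labels = []

    def predict(self, feats):
        scores = {lab: sum(self.weights[(lab, f)] for f in feats) for lab in self.labels}
        # Ties are broken by label order so training and inference agree exactly.
        return max(self.labels, key=lambda lab: (scores[lab], -self.labels.index(lab)))

    def train(self, data, max_epochs=1000):
        """Standard perceptron updates until an epoch makes no mistakes."""
        self.labels = sorted({lab for sent in data for _, lab in sent})
        for epoch in range(1, max_epochs + 1):
            errors = 0
            for sent in data:
                tokens = [t for t, _ in sent]
                for i, (_, gold) in enumerate(sent):
                    feats = token_features(tokens, i)
                    pred = self.predict(feats)
                    if pred != gold:
                        errors += 1
                        for f in feats:
                            self.weights[(gold, f)] += 1.0
                            self.weights[(pred, f)] -= 1.0
            if errors == 0:
                return epoch  # converged: every training token is now tagged correctly
        raise RuntimeError("training data is not separable with these features")


def bio_to_spans(tokens, tags):
    """Merge B-/I- tags into (span text, entity type) pairs."""
    spans, cur, label = [], [], None
    for tok, tag in zip(tokens, tags):
        if tag.startswith("B-") or (tag.startswith("I-") and tag[2:] != label):
            if cur:
                spans.append((" ".join(cur), label))
            cur, label = [tok], tag[2:]
        elif tag.startswith("I-"):
            cur.append(tok)
        else:
            if cur:
                spans.append((" ".join(cur), label))
            cur, label = [], None
    if cur:
        spans.append((" ".join(cur), label))
    return spans


TAGGER = PerceptronTagger()
EPOCHS = TAGGER.train(TRAINING_DATA)


def extract_entities(text):
    """Tokenize free text and return the entity spans the tagger finds in it."""
    tokens = TOKEN_RE.findall(text)
    tags = [TAGGER.predict(token_features(tokens, i)) for i in range(len(tokens))]
    return bio_to_spans(tokens, tags)


def training_accuracy(data=TRAINING_DATA):
    """Per-token accuracy on the training sentences (1.0 once training converged)."""
    total = correct = 0
    for sent in data:
        tokens = [t for t, _ in sent]
        for i, (_, gold) in enumerate(sent):
            correct += TAGGER.predict(token_features(tokens, i)) == gold
            total += 1
    return correct / total


if __name__ == "__main__":
    print("converged after", EPOCHS, "epochs; training accuracy", training_accuracy())
    # Constructed unseen sentence: the word/context features decide each tag.
    print(extract_entities("Mimikatz was used for credential dumping and "
                           "Cobalt Strike for lateral movement."))
```

Run the file directly to see how many epochs the tagger needed and what it extracts from a sentence it was not trained on; the point of the context features (`prev=`, `next=`, `shape=`) is that they let the model tag capitalised tool and malware names it has never seen, which a fixed IOC list cannot do.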

We will cover:

Bhavna Soman

Bhavna Soman is a Security Researcher working for the Windows Defender Research Team. In her day job, she develops Machine Learning models to classify malware in real time. In the past she worked in the field of Threat Intelligence. This project is a combination of her experiences in Threat Intelligence, with her expertise in Machine Learning and Natural Language Processing. Bhavna holds a master's degree in Computer Security from Georgia Tech and is also a trainer for Malware Reverse Engineering with Blackhoodie.

