As a new joiner, one of my first tasks involved familiarising myself with Elemendar’s READ. tool – a tool designed to leverage Machine Learning techniques to add structure to unstructured CTI data such as white papers, reports and articles.
READ. works in two main ways: either in a “headless” fashion – totally autonomous from the human user – or as a desktop tool that allows a human user to manually annotate the result. It is this latter function that I will be outlining in the remainder of this blog.
After uploading a report from Recorded Future on Chinese APT groups, within seconds READ. automatically moves the imported URL onto the top stack titled “For Review”.
Fig 1: READ. user interface on import view
Following this, there is an immediate option to pivot back to the ‘source’ of the article or to ‘analyse’.
Fig 2: First glimpse of the report from the Analysis button: READ. has indicated various entities that are to be confirmed with an Analyst in the Loop
Annotating the document…
When redirected to the ‘Analyse’ page, one thing I appreciated about READ. is that the AI pulls readable, known entities that are components of STIX and the MITRE ATT&CK framework (such as Identities, Tools, Indicators, Threat Actors, Malware and Vulnerabilities). These are then left unconfirmed to allow a human analyst (such as myself) to confirm them. This gives analysts a chance to immediately alter these entities where necessary, making comprehension of CTI documentation a lot faster.
Fig 3: An efficient way of altering an entity Type – Modifying Roshan from a Tool to an Organisation.
Figure 3 exemplifies how we can modify many instances of an entity at once, so that the correction applies throughout the rest of the report.
Once ‘analyse’ is clicked or a report is edited, the report moves to the top of the “reviewing” stack. This is where a report is now in the process of having entities’ labels confirmed.
Fig 4: Any form of modification done on a report immediately moves it to the “Reviewing” column.
Diving into the analysis…
The final step within the READ. process is the STIX bundle highlighting the relationships between entities indicated within a report.
Fig 5: STIX Bundle showing entities and the relationships that exist between them.
In summary, Elemendar’s READ. tool supports the CTI analyst and integrates easily into their workflow. In practice, the following features stood out to me as I became familiar with the tool:
1. The colour coding of entities.
This colour-coding feature gives me a way of organising the entities that will need my attention. I learned quite early on that there are certain STIX groups I was naturally more confident about – such as Identity, Threat Actor, and Indicator. With READ.’s ability to highlight specific entity categories using colours, I can quickly choose to accept or reject READ.’s entity extraction.
2. The ability to immediately change or specify a group of entities further.
In guiding READ. to be more specific, I can apply a “deeper” classification in bulk. For example, instead of leaving the entity “Afghanistan” as just Identity, I can mass alter the designation to Afghanistan – Identity (Country) in two clicks.
3. The Analyst in the loop feature allows human analysts to confirm/reject entity extractions.
There is an inherent good in READ. cross-checking its entity extractions with me, as an Analyst, because it allows me to dictate which parts of the document I’d like the AI to pay attention to. I get to correct its assumptions and mistakes too, making READ. a bit more nuanced in its entity extraction.
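To make the two mechanics described above concrete – the bulk retyping of an entity across a whole report (Fig 3, and point 2 in the list) and the export of confirmed entities and their relationships as a STIX bundle (Fig 5) – here is a small added example in Python. It is not READ.’s code and not from Elemendar; the report text, the entity names (ACME-APT, PlugLoader, c2.example.invalid), the lexicon-based “extractor” standing in for the ML model, and the status values are all constructed for illustration. It reuses the page’s own Roshan example: the extractor first guesses “tool”, the analyst retypes every mention to “identity” in one call, and only confirmed mentions reach the bundle.

```python
"""Toy analyst-in-the-loop pipeline: extract mentions, bulk relabel, confirm,
export as a STIX 2.1 bundle. Constructed example, not the READ. implementation."""
import json
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Subset of STIX 2.1 object types an extractor like the one described might emit.
STIX_TYPES = {"identity", "threat-actor", "tool", "indicator", "malware", "vulnerability"}
NS = uuid.NAMESPACE_DNS  # fixed namespace so the same entity always gets the same id


@dataclass
class Mention:
    text: str
    start: int
    end: int
    stix_type: str
    confirmed: bool = False


@dataclass
class Report:
    text: str
    mentions: list = field(default_factory=list)
    status: str = "for_review"  # mirrors the "For Review" -> "Reviewing" stacks


def extract(report, lexicon):
    """Stand-in for the ML extractor: a plain lexicon lookup that records every
    occurrence of each known entity as an unconfirmed mention."""
    for name, stix_type in lexicon.items():
        pos = report.text.find(name)
        while pos != -1:
            report.mentions.append(Mention(name, pos, pos + len(name), stix_type))
            pos = report.text.find(name, pos + 1)
    report.mentions.sort(key=lambda m: m.start)
    return report


def relabel(report, name, new_type):
    """Change the type of every mention of `name` at once (Fig 3). Returns the count."""
    if new_type not in STIX_TYPES:
        raise ValueError(f"unknown STIX type {new_type!r}")
    changed = 0
    for m in report.mentions:
        if m.text == name:
            m.stix_type = new_type
            m.confirmed = False  # a retyped mention must be confirmed again
            changed += 1
    report.status = "reviewing"  # any modification moves the report to Reviewing (Fig 4)
    return changed


def confirm(report, name, accept=True):
    """Analyst accepts all mentions of `name`, or rejects (drops) them."""
    if accept:
        for m in report.mentions:
            if m.text == name:
                m.confirmed = True
    else:
        report.mentions = [m for m in report.mentions if m.text != name]
    report.status = "reviewing"


def stix_id(stix_type, name):
    return f"{stix_type}--{uuid.uuid5(NS, f'{stix_type}:{name}')}"


def to_bundle(report, relationships):
    """Export confirmed mentions (deduplicated by type+name) plus analyst-supplied
    (source, relationship_type, target) triples as a STIX 2.1 bundle (Fig 5)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = {}
    for m in report.mentions:
        if not m.confirmed:
            continue  # unconfirmed extractions never leave the tool
        oid = stix_id(m.stix_type, m.text)
        if oid in objects:
            continue
        obj = {"type": m.stix_type, "spec_version": "2.1", "id": oid,
               "created": now, "modified": now, "name": m.text}
        if m.stix_type == "indicator":  # indicators require a pattern in STIX 2.1
            obj.update(pattern_type="stix", valid_from=now,
                       pattern=f"[domain-name:value = '{m.text}']")
        if m.stix_type == "identity":
            obj["identity_class"] = "organization"
        objects[oid] = obj
    for src, rel, dst in relationships:
        sid, did = stix_id(*src), stix_id(*dst)
        if sid not in objects or did not in objects:
            raise ValueError(f"relationship {rel!r} references an unconfirmed entity")
        rid = f"relationship--{uuid.uuid5(NS, f'{sid}:{rel}:{did}')}"
        objects[rid] = {"type": "relationship", "spec_version": "2.1", "id": rid,
                        "created": now, "modified": now, "relationship_type": rel,
                        "source_ref": sid, "target_ref": did}
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": list(objects.values())}


# Constructed report text and lexicon; the extractor's first guess for Roshan is wrong.
SAMPLE_TEXT = ("ACME-APT targeted Roshan in 2023. ACME-APT deployed PlugLoader against "
               "Roshan staff; PlugLoader beaconed to c2.example.invalid.")
LEXICON = {"ACME-APT": "threat-actor", "Roshan": "tool",
           "PlugLoader": "tool", "c2.example.invalid": "indicator"}


def run_demo():
    report = extract(Report(SAMPLE_TEXT), LEXICON)
    changed = relabel(report, "Roshan", "identity")  # Tool -> Organisation, as in Fig 3
    for name in LEXICON:
        confirm(report, name)
    bundle = to_bundle(report, [
        (("threat-actor", "ACME-APT"), "uses", ("tool", "PlugLoader")),
        (("threat-actor", "ACME-APT"), "targets", ("identity", "Roshan")),
        (("indicator", "c2.example.invalid"), "indicates", ("tool", "PlugLoader")),
    ])
    return changed, report.status, bundle


if __name__ == "__main__":
    _, _, demo_bundle = run_demo()
    print(json.dumps(demo_bundle, indent=2))
```

Two design choices worth noting: object ids are derived deterministically (uuid5) from type and name, so repeated mentions collapse into one STIX object and the relationship refs always resolve; and `to_bundle` refuses a relationship whose endpoint was never confirmed, so a rejected or still-pending extraction cannot be smuggled into downstream tooling via a relationship.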
One new feature I am looking forward to is READ. allowing a report’s visibility to be switched from “Private” to “Organisation” and vice versa.