“Shields Up” is an initiative launched by the US Cybersecurity and Infrastructure Security Agency (CISA) earlier this year, with the aim of protecting the US and its organisations from cyber threats spilling over from the Russian Federation’s invasion of Ukraine. Despite some confused assessments, the Russia/Ukraine conflict has proved a turning point for the practice of cyber warfare, delivering the potential of cyberspace to participate fully in full-spectrum/hybrid warfare in a way the Global War on Terror only suggested by comparison.

But how do private sector organisations consume the huge trove of data CISA presents on its Shields Up site?


The Shields Up site delivers a staggering amount of content, which combines into a heady mixture of alerts, threat actor profiles and guidance across the strategic, operational and tactical levels. Although it collates an incredible trove of data, digesting it at such volume is challenging for even the most well-resourced intelligence teams.

How Elemendar’s READ. can help with information overload

Elemendar’s proprietary READ. tool uses Machine Learning (ML) to automatically structure unstructured data like the documents presented in the Shields Up trove. 

As an example, take the CISA Alert (AA22-083A) linked from the Shields Up page. At over 7000 words, the report is not a quick read and is dense with technical detail. At the same time, the report most certainly contains important intelligence that defenders should integrate into their defences. Passing the document through READ. almost instantly extracts 103 MITRE ATT&CK Patterns, 28 Indicators of Compromise, 16 Malware types, 7 Threat Actors and 3 Tools (shown below).

Figure 2 visualises the way READ. extracts data from text into STIX format, either for onward transit into a Threat Intelligence Platform or for immediate analysis. Even from the “snapshot” of the CISA report provided by READ. in Figure 1, it is clear that the report is heavy on Tactics, Techniques and Procedures (TTPs). This is shown by the prominence of the blue icons visualising the MITRE ATT&CK TTPs in READ. (to the right of Figure 2).

Scaling up the example shown in Figure 2, it is evident that READ. can become a powerful tool for ingesting large volumes of CTI data into your security setup.

“But what about extraction errors?”

This is a common question from our clients when integrating READ. into their workflow, and it is a valid concern. As with any Machine Learning (ML) driven solution, there is a degree of error innate to any extraction. Why? Because ML is fundamentally teaching a machine to do a human process, and no human is 100% accurate all of the time. So how can assurance be developed around ML extraction at such a scale?

The answer is the ‘Confidence Level’ feature we have recently implemented within READ. (shown below within the UI).

At a functional level, the Confidence Level feature allows the READ. user to specify the credence they require for entity extractions within a document. The wider the accepted range (from “Almost certain” down to “Probable”), the larger the number of results, and the larger the share of extraction errors among them. At a more strategic level, the Confidence Level feature allows READ. to be run autonomously and at scale with an “Almost certain” degree of confidence around extractions. Although the number of entities will be smaller, the confidence around those entities ensures that reliable insight can be extracted from large troves of data such as those presented on Shields Up.
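As an added illustration of the trade-off described above (example code written for this page, not READ.’s own implementation, whose internal scale is not published here), the following Python applies an “Almost certain” versus “Probable” cut-off to a constructed STIX 2.1 bundle using the standard numeric `confidence` property, and shows why the stricter setting returns fewer entities. The mapping from confidence words to numbers is assumed from the WEP scale in STIX 2.1 Appendix A, and all object ids and names are placeholders.

```python
import json
from collections import Counter
# Assumed mapping of Words of Estimative Probability labels to the lowest STIX 2.1
# `confidence` value (0-100) they cover, per STIX 2.1 Appendix A. READ.'s own
# scale is not on the page, so this is an assumption for the example.
WEP_MIN_CONFIDENCE = {"probable": 60, "almost certain": 80}

# Constructed sample bundle in the shape an extraction tool might emit for an
# alert; ids and names are placeholders, not values from the page.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--a1", "name": "Phishing", "confidence": 92},
        {"type": "attack-pattern", "id": "attack-pattern--a2", "name": "Valid Accounts", "confidence": 65},
        {"type": "malware", "id": "malware--m1", "name": "SampleLoader", "confidence": 85},
        {"type": "indicator", "id": "indicator--i1", "name": "example[.]test", "confidence": 70},
        {"type": "indicator", "id": "indicator--i2", "name": "203.0.113.9", "confidence": 40},
        {"type": "threat-actor", "id": "threat-actor--t1", "name": "Example Group"},  # no confidence
        {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
         "source_ref": "threat-actor--t1", "target_ref": "malware--m1"},
        {"type": "relationship", "id": "relationship--r2", "relationship_type": "indicates",
         "source_ref": "indicator--i1", "target_ref": "malware--m1"},
    ],
}

def filter_bundle(bundle: dict, minimum: str) -> dict:
    """Copy of `bundle` keeping only objects that meet the WEP label `minimum`.
    SDOs with no `confidence` are dropped (STIX: absent means "not specified",
    which an unattended pipeline must not treat as passing). Relationships
    survive only if both endpoints did, so no dangling refs reach the TIP."""
    threshold = WEP_MIN_CONFIDENCE[minimum.lower()]
    kept = [o for o in bundle["objects"]
            if o["type"] != "relationship"
            and o.get("confidence") is not None
            and o["confidence"] >= threshold]
    ids = {o["id"] for o in kept}
    kept += [o for o in bundle["objects"]
             if o["type"] == "relationship"
             and o["source_ref"] in ids and o["target_ref"] in ids]
    return {**bundle, "objects": kept}

def count_by_type(bundle: dict) -> dict:
    """Entity counts per STIX type, like the per-type summary of the CISA alert."""
    return dict(Counter(o["type"] for o in bundle["objects"]))

if __name__ == "__main__":
    for level in ("probable", "almost certain"):
        print(level, json.dumps(count_by_type(filter_bundle(SAMPLE_BUNDLE, level))))
```

Run stand-alone, it prints the per-type counts at each level; the “Probable” setting keeps more objects but includes the 65- and 70-scored extractions that the “Almost certain” setting discards.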