Explore innovative approaches to detecting multi-stage cyber attacks in this 54-minute conference talk from BSidesLV. Delve into the challenge of connecting disjointed security events and learn how open-source AI models can be used to assemble them into cohesive MITRE ATT&CK campaigns: large language models classify alerts with the relevant ATT&CK techniques, graph models cluster related events, and a tailored model cross-correlates and chains those clusters to reveal full ATT&CK flows probabilistically.

Review experiments across public and private datasets demonstrating the approach's effectiveness at correlating slow, stealthy attack chains that evade traditional detection, and gain insight into its key findings, use cases, and limitations. Examine the novel aspects of the method: subject-matter-expert language models for alert enrichment, transforming data into temporal knowledge graphs, and applying hierarchical clustering and Markov models for incident chaining. Understand how this approach shifts perspective from narrow correlation rules to capturing diverse attack flows hidden in noise, paving the way for a new era of open, cutting-edge security analytics to combat cyber threats.
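The chaining step described above, as an added illustration that is not the talk's own code: alerts are assumed to be already enriched with an ATT&CK tactic and technique id, a time-window single-linkage grouping stands in for the hierarchical clustering, and a first-order Markov model over tactics, fitted to a few constructed campaign flows, scores each host's time-ordered cluster chain so that a slow chain spread over days separates from unrelated noise. All hosts, alerts and flows are constructed sample data.

```python
import math
from collections import Counter
from datetime import datetime, timedelta
# Constructed training flows (tactic sequences) standing in for labelled campaign data.
TRAINING_FLOWS = [
    ["initial-access", "execution", "persistence", "discovery", "lateral-movement", "exfiltration"],
    ["initial-access", "execution", "discovery", "credential-access", "lateral-movement", "exfiltration"],
    ["execution", "persistence", "defense-evasion", "discovery", "exfiltration"],
]
T0 = datetime(2024, 8, 1, 9, 0)  # constructed base timestamp

def alert(host, hours, tactic, technique):
    # Constructed alert already enriched with its ATT&CK tactic and technique id.
    return {"host": host, "ts": T0 + timedelta(hours=hours), "tactic": tactic, "technique": technique}
# Constructed alerts: a slow chain on ws-07 spread over 11 days, unrelated noise on ws-12.
ALERTS = [
    alert("ws-07", 0, "initial-access", "T1566.001"), alert("ws-07", 0.3, "execution", "T1059.001"),
    alert("ws-07", 48, "persistence", "T1053.005"), alert("ws-07", 120, "discovery", "T1069.002"),
    alert("ws-07", 192, "lateral-movement", "T1021.002"), alert("ws-07", 264, "exfiltration", "T1048"),
    alert("ws-12", 5, "discovery", "T1082"), alert("ws-12", 30, "execution", "T1059.001"),
    alert("ws-12", 80, "discovery", "T1082"),
]

def train_transitions(flows, alpha=0.1):
    """Laplace-smoothed P(next tactic | tactic) estimated from known flows."""
    tactics = sorted({t for f in flows for t in f})
    pairs = Counter(p for f in flows for p in zip(f, f[1:]))
    return {a: {b: (pairs[a, b] + alpha) / (sum(pairs[a, x] for x in tactics) + alpha * len(tactics))
                for b in tactics} for a in tactics}

def cluster_alerts(alerts, window=timedelta(hours=6)):
    """Per host, merge alerts whose successive timestamps fall within `window` (single linkage)."""
    clusters = []
    for a in sorted(alerts, key=lambda x: (x["host"], x["ts"])):
        last = clusters[-1][-1] if clusters else None
        if last and last["host"] == a["host"] and a["ts"] - last["ts"] <= window:
            clusters[-1].append(a)
        else:
            clusters.append([a])
    return clusters

def chain_score(host, clusters, probs):
    """Mean log-probability of the tactic sequence formed by the host's clusters in time order."""
    seq = []
    for c in sorted((c for c in clusters if c[0]["host"] == host), key=lambda c: c[0]["ts"]):
        for a in c:
            if not seq or seq[-1] != a["tactic"]:  # collapse repeated tactics
                seq.append(a["tactic"])
    steps = [math.log(probs.get(a, {}).get(b, 1e-9)) for a, b in zip(seq, seq[1:])]
    return (sum(steps) / len(steps) if steps else float("-inf")), seq
```

With these inputs the ws-07 chain scores around -0.67 per transition while the ws-12 noise scores around -2.44, so a threshold between them surfaces the slow chain without a hand-written correlation rule.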
Syllabus: Ground Truth, Wed, Aug 7, 19:00 - Wed, Aug 7, CDT
Taught by: BSidesLV