-
Good discussion. Still may want to have a banner/disclaimer on usage that can be disabled with appropriate configuration.
-
Could you implement a PoC for this? It isn't super clear what it would look like.
-
With this new feature, MSTICpy will be able to send investigation data to GPT for advanced analysis and data enhancement.
To make this process even more efficient, we will include a module that comes with 10 default prompts that have been specifically tested and approved for threat investigation. Additionally, analysts will have the option to create their own prompts, allowing for greater customization and flexibility.
An alternative approach that may be worth considering is to integrate the module with Microsoft Security Copilot instead of GPT.
For example, prompts could include:
- "Identify possible signs of a cyber attack in the following logs: [insert log data here]."
- "Analyze this network traffic data [insert data here] and determine if there are any indicators of compromise."
- "Given the following list of IP addresses [insert list here], identify any known malicious IP addresses and their associated threat actors."
- "Review the following email [insert email content here] for signs of phishing or other malicious content."
- "Based on the following user behavior data [insert data here], identify any suspicious or anomalous activities that may suggest a security breach."
- "Analyze the following domain names [insert domain list here] and identify any known malicious domains or those associated with threat actors."
- "Given these file hashes [insert file hash list here], identify any known malware samples and their associated threat groups."
- "Review the following incident report [insert report here] and suggest possible attack vectors that the threat actors may have used."
- "Assess the security of this web application based on the following logs [insert log data here] and identify any potential vulnerabilities or signs of exploitation."
- "Based on the following threat intelligence report [insert report here], summarize the key findings and provide recommendations for improving our security posture."
- "Given the following log data [insert log data here], identify any activities related to the 'Spearphishing Attachment' (T1566.001) ATT&CK technique."
- "Analyze this network traffic data [insert data here] and determine if there are any indicators related to 'Command and Control' (T1105) activities."
- "Based on the following process execution data [insert data here], identify any signs of 'Scripting' (T1064) or 'PowerShell' (T1059.001) usage that may indicate malicious behavior."
- "Review the following account access data [insert data here] and identify any activities that suggest 'Valid Accounts' (T1078) or 'Account Discovery' (T1087) techniques."
- "Analyze the following file modification events [insert data here] and identify any signs of 'Data Encrypted for Impact' (T1486) or 'Data Destruction' (T1485) techniques."
- "Given the following network communication logs [insert data here], identify any activities that indicate 'Exfiltration Over C2 Channel' (T1041) or 'Data Compressed' (T1002) techniques."
- "Based on the following registry modification data [insert data here], identify any signs of 'Registry Run Keys / Startup Folder' (T1547.001) or 'Create or Modify System Process' (T1543.003) techniques."
- "Analyze the following logon events [insert data here] and determine if there are any indicators of 'Brute Force' (T1110) or 'Credential Dumping' (T1003) techniques."
- "Review the following endpoint security logs [insert log data here] and identify any activities related to 'Exploitation for Privilege Escalation' (T1068) or 'Bypass User Account Control' (T1088) techniques."
- "Given these network connection events [insert data here], identify any signs of 'Remote File Copy' (T1105.002) or 'External Remote Services' (T1133) techniques being used."
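As an added illustration (not code from the proposal or from MSTICpy itself) of what such a prompt module could look like: a registry of default templates taken from the list above, analyst-defined templates, placeholder filling from investigation rows, and the usage banner raised in the comments, switchable by configuration. `PromptTemplate`, `PromptRegistry`, `rows_to_text` and the `client` callable are assumed names; the model call is stubbed with a plain callable so the example runs offline, and the log rows are constructed sample data.

```python
"""Added example of a prompt-template module (assumed design, not MSTICpy's own).

A PromptRegistry holds default investigation prompts plus analyst-defined ones.
Each template uses {placeholder} fields that are filled from investigation data
(for example rows from a query result) before the text is handed to a model
client. A configurable usage banner is prepended unless disabled.
"""
from dataclasses import dataclass
from string import Formatter
from typing import Callable, Dict, Iterable, List, Tuple

# Banner text shown to the analyst before data leaves the investigation environment.
USAGE_BANNER = (
    "NOTICE: this prompt and the data filled into it will be sent to an external "
    "model. Review the content for sensitive material before proceeding."
)


@dataclass(frozen=True)
class PromptTemplate:
    name: str
    text: str                          # {placeholder} fields filled from data
    technique_ids: Tuple[str, ...] = ()  # ATT&CK IDs the prompt refers to, if any

    def placeholders(self) -> List[str]:
        """Return the placeholder names used in the template text, in order."""
        return [field for _, field, _, _ in Formatter().parse(self.text) if field]

    def render(self, data: Dict[str, str]) -> str:
        """Fill the template; refuse to produce a prompt with unfilled fields."""
        missing = [p for p in self.placeholders() if p not in data]
        if missing:
            raise KeyError(f"missing data for placeholders: {missing}")
        return self.text.format(**data)


# Default prompts, worded as in the proposal above (two of the examples).
DEFAULT_PROMPTS: Tuple[PromptTemplate, ...] = (
    PromptTemplate(
        "log_attack_signs",
        "Identify possible signs of a cyber attack in the following logs: {log_data}",
    ),
    PromptTemplate(
        "spearphish_attachment",
        "Given the following log data {log_data}, identify any activities related "
        "to the 'Spearphishing Attachment' (T1566.001) ATT&CK technique.",
        ("T1566.001",),
    ),
)


def rows_to_text(rows: Iterable[Dict[str, object]], max_rows: int = 50) -> str:
    """Flatten query rows (e.g. DataFrame.to_dict('records') output) into the text
    that replaces a placeholder, capping the row count so a large result set is
    not sent to the model wholesale."""
    rows = list(rows)
    lines = ["; ".join(f"{k}={v}" for k, v in row.items()) for row in rows[:max_rows]]
    if len(rows) > max_rows:
        lines.append(f"... {len(rows) - max_rows} more rows omitted")
    return "\n".join(lines)


class PromptRegistry:
    """Default prompts plus analyst-defined ones; builds and sends prompts."""

    def __init__(self, defaults: Iterable[PromptTemplate] = DEFAULT_PROMPTS,
                 show_banner: bool = True):
        self._prompts: Dict[str, PromptTemplate] = {p.name: p for p in defaults}
        self.show_banner = show_banner  # configuration switch for the banner

    def add(self, template: PromptTemplate) -> None:
        """Register an analyst-defined prompt; names must be unique."""
        if template.name in self._prompts:
            raise ValueError(f"prompt '{template.name}' already exists")
        self._prompts[template.name] = template

    def names(self) -> List[str]:
        return sorted(self._prompts)

    def build(self, name: str, data: Dict[str, str]) -> str:
        """Render a named prompt, prefixed with the banner when enabled."""
        body = self._prompts[name].render(data)
        return f"{USAGE_BANNER}\n\n{body}" if self.show_banner else body

    def send(self, name: str, data: Dict[str, str],
             client: Callable[[str], str]) -> str:
        """Build the prompt and pass it to a model client callable (stubbed here)."""
        return client(self.build(name, data))


if __name__ == "__main__":
    # Constructed sample rows standing in for a query result.
    sample_rows = [
        {"TimeGenerated": "2024-01-01T10:00:00Z", "Account": "user1", "Result": "Failed"},
        {"TimeGenerated": "2024-01-01T10:00:05Z", "Account": "user1", "Result": "Failed"},
        {"TimeGenerated": "2024-01-01T10:00:09Z", "Account": "user1", "Result": "Success"},
    ]
    registry = PromptRegistry()
    echo_client = lambda prompt: prompt  # placeholder for a real model call
    print(registry.send("log_attack_signs",
                        {"log_data": rows_to_text(sample_rows, max_rows=2)},
                        echo_client))
```

The banner is part of the rendered prompt rather than a print statement so that whatever displays or logs the outgoing request carries it, and `show_banner=False` is the configuration hook the comment asks for. `rows_to_text` is where a practitioner would also hook in any redaction or row filtering before data leaves the environment.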