This presentation forms part of the CTA's Threat Intelligence Practitioners' Summit
Thursday 5 October 2023 14:30 - 15:00, Small Talks room
Kihong Kim, Changgyun Kim & Hyunjong Lee (SANDS Lab)
Recently, cybersecurity threats have gone beyond causing damage to IT infrastructure alone, taking various forms of advanced attack to achieve attackers' political, economic and military objectives. The complexity of advanced attacks, which involve techniques to bypass various security devices, and attackers' unique and creative methods of achieving their purpose make them challenging to analyse and respond to.
Numerous cybersecurity experts and cyber threat intelligence companies generate information that can be analysed to classify attacks in detail, including the attackers' identity, motives and the techniques applied. The diverse information obtained through such analysis is valuable for establishing long-term security policies: it identifies the security vulnerabilities (attack surfaces) of companies and institutions, and it profiles the attackers' intentions and objectives and the threat actor responsible for the attack. Furthermore, the ability to use such information as evidential data to eradicate cybercrime is considered an essential competency in the cyber threat intelligence market.
However, such advanced techniques can only be analysed by a limited number of profiling experts, and interpretations are often based on each expert's own experiential knowledge, which limits how far objectivity can be guaranteed. In addition, because experts are few, it is often impossible for them to analyse all the threats that are emerging. There is therefore a limit to how much advanced analysis information can be generated for use as digital evidence of cybercrime.
Our research team has developed a new technology called DBP (Deep Binary Profiler). DBP automatically profiles attack groups and attack techniques using artificial intelligence. It disassembles the executable malware file, separates the information by function, and labels each separated function with the attack group and attack technique (T-ID) defined by MITRE ATT&CK. The labelled dataset we constructed using our original method includes characteristic information about functions, which can be used to train AI models. Our AI model, trained on this dataset, can automatically identify the attack group and technique without human intervention when new, unknown malicious code is detected, by tracking its relevance to past data, and it provides information accordingly. In addition, DBP is a core technology that can infer the evolution of malicious code, attackers and attack techniques by quantifying the degree of similarity and variation between code samples. DBP can provide quantitative rationale and objective evidence based on the dataset, which can generate useful profiling information in the field of cybersecurity and can also be used to strengthen digital evidence.
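To make the function-level pipeline described above concrete, the following added example (not SANDS Lab's DBP code; the group names, T-IDs and opcode sequences are constructed, hypothetical data) represents each disassembled function as a bag of opcode bigrams, scores a new function against a labelled corpus, and aggregates per-function matches into a binary-level attribution with a similarity/variation score:

```python
from collections import Counter
from math import sqrt

# Constructed, hypothetical labelled corpus: each entry is one disassembled
# function reduced to its opcode mnemonic sequence, labelled with a made-up
# attack group and a MITRE ATT&CK technique ID used purely as an illustration.
LABELLED_FUNCTIONS = [
    ("GroupA", "T1055", "push mov sub call test jz mov call ret".split()),
    ("GroupA", "T1055", "push mov sub call test jnz lea call ret".split()),
    ("GroupB", "T1027", "push xor mov loop xor add cmp jne pop ret".split()),
    ("GroupB", "T1027", "push xor mov loop xor sub cmp jne pop ret".split()),
]


def ngrams(mnemonics, n=2):
    """Per-function feature vector: a bag of opcode n-grams."""
    return Counter(tuple(mnemonics[i:i + n]) for i in range(len(mnemonics) - n + 1))


def cosine(a, b):
    """Cosine similarity between two n-gram bags; 0.0 if either is empty."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def profile_function(mnemonics, corpus=LABELLED_FUNCTIONS, n=2):
    """Nearest labelled function: returns (group, T-ID, similarity, variation)."""
    query = ngrams(mnemonics, n)
    best = max(corpus, key=lambda row: cosine(query, ngrams(row[2], n)))
    sim = cosine(query, ngrams(best[2], n))
    # variation = 1 - similarity quantifies how far the new code has drifted
    return best[0], best[1], round(sim, 3), round(1.0 - sim, 3)


def profile_binary(functions, corpus=LABELLED_FUNCTIONS, n=2, threshold=0.5):
    """Aggregate per-function matches into a binary-level (group, T-IDs) result.

    Functions whose best match falls below the threshold are left unattributed,
    so library or boilerplate code does not vote.
    """
    votes, techniques = Counter(), set()
    for f in functions:
        group, tid, sim, _ = profile_function(f, corpus, n)
        if sim >= threshold:
            votes[group] += sim
            techniques.add(tid)
    top = votes.most_common(1)
    return (top[0][0] if top else None, sorted(techniques))
```

A real system would replace the mnemonic sequences with features extracted from a disassembler and the nearest-neighbour lookup with a trained model, but the labelling and aggregation structure is the same.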
SANDS Lab's AI Technology Development Team will introduce the use of this technology to track various attack groups in real time and to compare and analyse existing malware cluster information. Our team also aims to present the results of profiling various malicious code samples collected in real time using our core technology.
Kihong Kim is a seasoned cyber threat intelligence (CTI) professional, boasting approximately 20 years of expertise in malicious code analysis and the development of cyber threat intelligence technology. As a freshman at Yonsei University, he established SANDS Lab, successfully managing the company ever since.
He is committed to efficiently countering cyber threats and actively participates in global alliance groups such as the Cyber Threat Alliance. His outstanding work in real-time mitigation of various cyber threats and pre-emptive damage prevention for companies and institutions has been recognized by the South Korean government, earning him accolades from the Prime Minister and the Minister of Science and Technology.
Moreover, the core CTI technology he developed has received high acclaim and has been awarded the New Excellent Technology (NET) certification for two consecutive years in South Korea.
Changgyun Kim is an assistant research engineer at KSign's Security Technical Research Institute. He holds an M.Sc. in computing with a specialization in artificial intelligence and machine learning from Imperial College London. His current research focuses on developing threat intelligence using AI techniques. Though he is a new member of the research community, Changgyun is passionate about contributing to the field of cybersecurity and is excited to share his insights with the Virus Bulletin audience.
Hyunjong Lee received his M.S. degree from Dankook University, South Korea. After completing his degree, he worked as a junior researcher at the Security Technology Institute, KSign. He currently serves as a research staff member at SANDS Lab in South Korea. His research interests are focused on machine learning and representation learning.