Matthew Berninger

FireEye

TweetSeeker: Extracting Adversary Methods from the Twitterverse

Like it or not, Twitter is a useful cybersecurity resource. Every day, cybersecurity practitioners share red team exploits, blue team signatures, malware samples, and many other indicators on Twitter. Users can debate policy issues such as responsible disclosure, intelligence sharing, and nation-state attribution. Connections are made, communities are built, and knowledge is shared.

On the FireEye Advanced Practices Team, our primary mission is to discover and detect advanced adversaries and attack methods. Using Twitter as an intelligence source, we have built an automated framework to help our team focus on actionable cybersecurity information, extracted from the myriad threads and discussions within the “Infosec Twitter” community. This presentation will show the various data science and machine learning methods we are currently using to discover, classify, and present this actionable intelligence to our analysts.

Within this presentation, we will describe how we address two related tasks:

1. Detect and prioritize actionable indicators and warnings for ingest and review by analysts
2. Discover previously unknown sources of intelligence for further collection

We will discuss the various data science concepts that we used for this project, including natural language processing, topic modeling, supervised classification, and graph-based analytics. In addition, we will provide a case study of how our analysts currently use this system to augment our intelligence operations.

We will also describe and demonstrate many of the challenges we have encountered in this research. These include representations of industry-specific terms, Twitter API usage and limitations, dimensionality reduction, and issues related to context. Finally, we will provide lessons learned, next steps, and feedback from front-line analysts using the system.