Profiled Project

Email Threat Automation Detection

PROJECT OUTCOME

TAPE is a system designed to reduce the cognitive load on Security Operations Centre (SOC) analysts responsible for protecting their organisations' networks. Its primary objectives are to use generative AI and large language models to identify critical incidents and to support proactive detection of phishing campaigns.

WHO’S INVOLVED

This project was funded by the Cyber Security CRC and the Government of Western Australia. Research and development have been undertaken by CSIRO's Data61.

WHAT’S THE ISSUE?

Malicious email is one of the most commonly reported categories of cyber incident. Many products exist to detect and block phishing, but attackers evolve their lures and infrastructure continuously and rapidly to evade detection, so even a small number of phishing emails that slip through can put an organisation at risk. SOC analysts are often overloaded with monitoring, analysing and responding to security issues across their business systems and networks. This project aims to make that work more efficient and manageable.

WHAT WERE THE OBJECTIVES?

  • Find a solution that offers better protection against phishing emails;
  • Develop machine learning software that supports human security experts in their daily efforts to identify phishing campaigns and prioritise responses;
  • Facilitate effective sharing of campaign information across Australian organisations;
  • Ease the workload of Security Operations Centre (SOC) analysts tasked with monitoring, detecting and responding to security incidents within an organisation, and allow them to make better-informed decisions.

TECHNOLOGY DESCRIPTION

TAPE uses a combination of state-of-the-art and novel proprietary machine learning algorithms to examine and learn from phishing email alerts and malicious websites in depth, improving detection of advanced phishing attempts through categorisation, prioritisation and attribution. It ingests incoming email alerts from services such as Microsoft 365 Defender via SOC platforms such as Microsoft Sentinel, then enriches them by collecting and correlating data from third-party threat intelligence services such as the Malware Information Sharing Platform (MISP), PhishTank and others. From the enriched alerts TAPE builds a graph over 15 novel indicators that reveal the presence of a phishing campaign, ranks the campaigns from least to most dangerous on several factors, and presents them to SOC analysts for guidance. Analysts can then quickly identify further emails with similar patterns that bypassed existing controls, update detection rules to stop them, and track the attackers to pursue takedown.
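As an added illustration of the pipeline described above (this is not TAPE's code, and the page does not list its 15 indicators), the following Python example links alerts into campaigns through shared indicators and ranks the campaigns. The alert fields, the three indicators used (sender domain, URL host, digit-normalised subject template), the scoring weights and the local known-bad host set standing in for a MISP/PhishTank lookup are all assumptions made for this example; the alerts themselves are constructed.

```python
"""Campaign clustering and prioritisation over phishing alerts.

Added illustration, not TAPE's code. Indicator names, alert fields,
weights and the local threat-intel set are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample alerts in a shape a SIEM export might have (fields assumed).
ALERTS = [
    {"id": "a1", "sender": "billing@invoice-pay-secure.com",
     "subject": "Invoice 48213 overdue",
     "url": "https://invoice-pay-secure.com/login?u=1", "recipients": 40},
    {"id": "a2", "sender": "billing@invoice-pay-secure.com",
     "subject": "Invoice 77120 overdue",
     "url": "https://cdn-verify.net/x/login", "recipients": 35},
    {"id": "a3", "sender": "accounts@mail-hub.example",
     "subject": "Invoice 11902 overdue",
     "url": "https://cdn-verify.net/y/login", "recipients": 12},
    {"id": "a4", "sender": "hr@corp-benefits.example",
     "subject": "Your annual leave balance",
     "url": "https://corp-benefits.example/portal", "recipients": 3},
]

# Constructed stand-in for a MISP/PhishTank lookup: URL hosts already known bad.
KNOWN_BAD_HOSTS = {"cdn-verify.net"}


def subject_template(subject):
    """Normalise a subject by collapsing digit runs so per-victim variants match."""
    return re.sub(r"\d+", "#", subject.lower()).strip()


def url_host(url):
    """Hostname of a URL, empty string if the URL has none."""
    return (urlparse(url).hostname or "").lower()


def indicators(alert):
    """Hypothetical indicator set; the real system's 15 indicators are not public."""
    return {
        ("sender_domain", alert["sender"].split("@", 1)[1].lower()),
        ("url_host", url_host(alert["url"])),
        ("subject_template", subject_template(alert["subject"])),
    }


def build_campaigns(alerts):
    """Union-find over alerts that share any indicator; each component is a campaign."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(x, y):
        parent[find(x)] = find(y)

    first_seen = {}  # indicator -> first alert id that carried it
    for a in alerts:
        for ind in indicators(a):
            if ind in first_seen:
                union(a["id"], first_seen[ind])
            else:
                first_seen[ind] = a["id"]
    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    return list(groups.values())


def score_campaign(alerts, bad_hosts=KNOWN_BAD_HOSTS):
    """Assumed weights: breadth of alerts and recipients plus a bonus per TI hit."""
    recipients = sum(a["recipients"] for a in alerts)
    hosts = {url_host(a["url"]) for a in alerts}
    ti_hits = len(hosts & bad_hosts)
    return len(alerts) * 10 + recipients + ti_hits * 50


def prioritise(alerts, bad_hosts=KNOWN_BAD_HOSTS):
    """Return (sorted alert ids, score) per campaign, most dangerous first."""
    campaigns = build_campaigns(alerts)
    ranked = sorted(campaigns, key=lambda c: score_campaign(c, bad_hosts), reverse=True)
    return [(sorted(a["id"] for a in c), score_campaign(c, bad_hosts)) for c in ranked]


if __name__ == "__main__":
    for ids, score in prioritise(ALERTS):
        print(score, ids)
```

Each connected component of the indicator graph is treated as one campaign, so a follow-on email that reuses only the sender domain, or only the landing host, still lands in the same campaign as the alerts already seen; that is the "similar pattern" matching the description relies on. In a real deployment the threat-intel step would query MISP or PhishTank rather than a local set, and the weights would be tuned to the organisation.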


APPLICATION

TAPE aims to facilitate the sharing of identified campaigns across Australian organisations, especially those more likely to be targeted by common attackers and phishers.

The system integrates easily into Microsoft Sentinel, which is now used by a wide range of organisations for security information and event management (SIEM), via a server-side plugin. It has also been built as a stand-alone web platform that can be deployed readily on AWS or Azure within a partner's cloud environment.
