Time Series Analysis by Leveraging GPT-4o Vision for Threat Intel (2024)


In threat intelligence, you often have to work with timelines, data graphs, and more. As part of our training, Blue Team Arsenal Python and Generative AI for Threat Intelligence, we are showcasing and teaching how generative AI can be practically applied to threat intelligence workflows.

One example we demonstrate in the courseware is the analysis of the Conti Leaks. The Conti Leaks were major leaks about the Conti Ransomware organization that occurred in February 2022. Part of this leak was the internal Jabber discussions of the members, where they discussed all sorts of information such as TTPs, targets of interest, organizational details, and more. As you can imagine, this was juicy from a threat intel perspective.

To illustrate this blog, I used a graph I created that visualizes the number of discussions per day on the Jabber chats, highlighting some peaks of activity. It was interesting to correlate these peaks with major events such as geopolitical developments, policy decisions, major cyber attacks, or vulnerability exploit releases. At the time of the investigation, I browsed the internet and gathered intel about the dates of the peaks to correlate with the activities, discussions, and potential geopolitical events or anything that could spark interest within the group. When the leak came out, generative AI was not as advanced as it is today…

In our training, we teach practical use cases of leveraging Generative AI. Our goal is to automate boring tasks, speed up analysis, and increase the efficiency of Threat Intel teams. So, I thought using GPT-4 Vision for image analysis would be a good approach, and this is what I am discussing in this post. 😎

GPT-4o Vision integrates text and image understanding, which allows it to process and generate text based on visual inputs. The model handles both text and images, identifying objects and scenes within an image while generating coherent text responses based on its visual content.

In threat intelligence, GPT-4o Vision can improve analysis and visualization capabilities. For graph analysis, it helps visualize complex threat networks and identify relationships and patterns in threat data. When analyzing time series, it detects trends over time and spots irregular activities, peaks, and other elements.

In my case, I generated a graph of activity on the Conti Jabber discussions to visualize when the discussions were most active. Another interesting aspect is that GPT-4o also has web browsing capabilities that can enhance our research.

Using Python and the Bokeh library, I created an overview of the activity, making it easy to spot peaks.
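The per-day aggregation that feeds such a plot, plus a simple baseline check that flags the kind of peaks the post correlates with external events, as an added example (not the author's or course's code). The chat-line format and all counts are constructed for the demo; the real leak's format is not reproduced here.

```python
from collections import Counter
from datetime import date, datetime, timedelta
from statistics import mean, pstdev


def make_log(counts_per_day):
    """Constructed test data: n one-line messages per ISO date.
    'timestamp<TAB>sender<TAB>body' is an illustrative format, not the leak's."""
    lines = []
    for day, n in counts_per_day.items():
        for i in range(n):
            lines.append(f"{day}T{i % 24:02d}:{i % 60:02d}:00\toperator{i % 3}\tmsg")
    return lines


def daily_counts(lines):
    """Messages per calendar day. Days with no messages are kept as 0 so a
    silent day shows up in the series instead of disappearing from it."""
    counter = Counter()
    for line in lines:
        stamp = line.split("\t", 1)[0]
        counter[datetime.fromisoformat(stamp).date()] += 1
    first, last = min(counter), max(counter)
    days = [first + timedelta(days=i) for i in range((last - first).days + 1)]
    return [(d, counter[d]) for d in days]


def find_peaks(series, window=7, k=3.0, min_count=20):
    """Flag a day whose count exceeds the preceding `window` days' mean by more
    than k standard deviations and is at least min_count (so a very quiet
    baseline does not turn small bumps into 'peaks')."""
    peaks = []
    for i in range(window, len(series)):
        baseline = [c for _, c in series[i - window:i]]
        mu, sigma = mean(baseline), pstdev(baseline)
        day, count = series[i]
        if count >= min_count and count > mu + k * max(sigma, 1.0):
            peaks.append((day, count))
    return peaks


def demo_series():
    """Constructed two-week baseline, one spike, one silent day."""
    start = date(2021, 8, 10)
    counts = {(start + timedelta(days=i)).isoformat(): 10 + (i % 4) * 2
              for i in range(14)}
    counts["2021-08-24"] = 70        # constructed spike
    counts["2021-08-26"] = 12        # 2021-08-25 intentionally absent
    return daily_counts(make_log(counts))
```

The `(day, count)` pairs returned by `daily_counts` are what a Bokeh line or bar chart would plot; `find_peaks` gives the dates worth asking the model (or a human) about.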


Basic Prompt

The easiest way is to upload the graph to GPT and ask with a simple prompt; we get the following result:


Answer:

# Spike in Discussions within the Conti Ransomware Organization (Late August 2021)

The spike in discussions within the Conti ransomware organization
around late August 2021 can be attributed to several significant events
and internal disruptions:

1. **Conti Playbook Leak (August 5, 2021):**
An affiliate of the Conti group leaked a cache of internal documents,
revealing detailed information about the group's operations and tactics.
This insider leak provided unprecedented insights into Conti's ransomware
techniques and could have caused a flurry of activity and discussions
within the group as they assessed the impact and took countermeasures
(CISA) (Tenable®).

2. **Increased Ransomware Activity:**
Around this period, ransomware attacks, including those attributed to
Conti, were escalating globally. Conti was particularly active and
aggressive, targeting various sectors and using sophisticated methods to
infiltrate and encrypt data, which likely resulted in heightened internal
communication to coordinate these operations and manage the increased
workload (Flashpoint).

3. **Geopolitical Tensions:**
In 2021, ransomware attacks were increasingly being linked to geopolitical
tensions, especially involving Russia-based groups like Conti. The global
crackdown on ransomware operations, coupled with mounting international
pressure, likely led to increased internal discussions as the group
navigated these challenges and adjusted their strategies (Chainalysis).

These factors combined to create a period of intense activity and communication
within the Conti ransomware organization, as reflected in the spike in
discussions during that time.

Not bad, but as you can imagine, we can do better!

Better Prompting

Prompting is very important as it allows you to format the output and be more specific about what you expect. With a better prompt, I get a more detailed analysis of potential events.

The below screenshot shows the prompt I used to define the output.


Answer:

# Analysis of Daily Jabber Activity of the Conti Ransomware Organization

The image depicts a graph of the daily jabber activity of the Conti ransomware
organization and its affiliates, showcasing the number of discussions per day.
The graph spans from March 2021 to March 2022, illustrating significant
fluctuations in activity, with notable peaks that likely correlate with various
geopolitical events, cyber incidents, government actions, and other relevant
factors.

## Analysis of Key Periods and Correlations:

### Timeframe: Early 2021 (March 2021 - May 2021)
**Background Activity:** The activity shows a steady level of discussions with
several minor peaks, averaging around 100-300 discussions per day.

**Relevant Events:**
- **Geopolitical Tension:** Tensions in Eastern Europe, particularly between
Russia and Ukraine, were high, contributing to increased cyber activities by
state-affiliated groups.
- **Cyber Incidents:** The Colonial Pipeline attack in May 2021, one of the
most significant ransomware attacks, disrupted fuel supplies across the U.S.
- **Policy Changes:** Increased focus on cybersecurity by the U.S. government,
including Executive Orders on improving the nation's cybersecurity.

**Assumption:** The general trend in activity could be attributed to
preparations and coordination for major ransomware operations like the
Colonial Pipeline attack, as well as reactions to emerging geopolitical
tensions.

### Timeframe: Mid 2021 (June 2021 - August 2021)
**Background Activity:** This period shows a moderate increase in discussions,
with a significant spike in late August 2021.

**Relevant Events:**
- **Geopolitical Tension:** Continued Russian government actions and escalating
international conflicts involving key cyber actors.
- **Cyber Incidents:** JBS Foods ransomware attack in June 2021, impacting one
of the world's largest meat suppliers.
- **Policy Changes:** U.S. sanctions against specific cybercriminal groups,
including those linked to ransomware attacks.
- **Notable Activities:** The Conti playbook leak in early August 2021 by an
affiliate discontented with their compensation.

**Assumption:** The spike in discussions in late August can be directly
correlated with the Conti playbook leak, leading to increased internal
communications to manage the fallout and adjust their operations accordingly.

### Timeframe: Late 2021 (September 2021 - December 2021)
**Background Activity:** This period shows fluctuating activity with
significant peaks, especially in October and November.

**Relevant Events:**
- **Geopolitical Tension:** Ongoing tensions between Russia and Ukraine,
influencing cyber activities.
- **Cyber Incidents:** Multiple ransomware attacks, including those targeting
critical infrastructure and healthcare sectors.
- **Policy Changes:** International crackdowns on ransomware operations,
including coordinated efforts by law enforcement agencies across different
countries.

**Assumption:** The peaks in discussions during this period could be related
to the coordination and execution of multiple high-profile ransomware attacks,
as well as responses to increased law enforcement actions and geopolitical
pressures.

### Timeframe: Early 2022 (January 2022 - March 2022)
**Background Activity:** The activity begins to decline, showing fewer peaks
and a general decrease in discussions.

**Relevant Events:**
- **Geopolitical Tension:** Intensification of the Ukraine-Russia conflict,
leading to heightened cybersecurity measures globally.
- **Cyber Incidents:** Continued ransomware activities, although with possibly
reduced intensity due to increased defenses and awareness.
- **Policy Changes:** New cybersecurity policies and increased international
collaboration to combat ransomware.

**Assumption:** The decline in activity may be due to the increased pressure
on ransomware groups from law enforcement and international efforts, as well
as strategic shifts within the Conti group in response to these pressures.

## Detailed Insights and Justifications:
The fluctuations in Conti's jabber activity can be broadly correlated with
several key factors:

- **Geopolitical Events:** Tensions and conflicts, particularly involving
Russia, have a significant impact on cyber activities. The Ukraine-Russia
conflict, in particular, has been a catalyst for increased cyber operations
by state-affiliated and independent groups.
- **Major Cyber Incidents:** High-profile ransomware attacks such as those
on Colonial Pipeline and JBS Foods lead to spikes in activity as the group
coordinates these operations and manages their aftermath.
- **Government Actions:** Sanctions, policy changes, and international
crackdowns create both opportunities and challenges for ransomware groups,
influencing their internal communications and operational strategies.
- **Underground Cybercriminal Community Activities:** Leaks, arrests, and
changes in criminal marketplaces directly impact the discussions and
activities within groups like Conti.
- **Vulnerabilities and Exploits:** The discovery and exploitation of new
vulnerabilities drive discussions as the group plans and executes attacks
leveraging these weaknesses.

In summary, the jabber activity levels within the Conti ransomware organization
are closely linked to a combination of geopolitical events, significant cyber
incidents, government actions, and other factors that influence their
operations. The peaks and troughs in the graph reflect the group's response
to these external pressures and opportunities, highlighting the dynamic nature
of the ransomware ecosystem.

In this case, we get a much more detailed result with several pieces of information that can be explored further. Of course, this is only an initial step, and this information requires correlation with the actual chat.
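Turning the screenshot prompt into something repeatable, as an added example (not the author's code): the prompt below reconstructs the output schema from the answer above (timeframes, event categories, assumptions), `build_vision_request` packages it with the graph for the OpenAI chat-completions API, and `check_response_structure` verifies the model actually followed the requested format before an analyst spends time on it. The exact wording of the author's prompt is not on the page, so `ANALYST_PROMPT` is an assumption.

```python
import base64
import re

# Output schema reconstructed from the structured answer in the post; the exact
# prompt wording in the author's screenshot is not reproduced here.
REQUIRED_SECTIONS = [
    "## Analysis of Key Periods and Correlations",
    "## Detailed Insights and Justifications",
]
EVENT_CATEGORIES = ["Geopolitical Tension", "Cyber Incidents", "Policy Changes"]

ANALYST_PROMPT = f"""You are a threat intelligence analyst. The image is a graph
of daily Jabber activity of the Conti ransomware organization (March 2021 to
March 2022). Split the period into timeframes, each under a heading
'### Timeframe: <name>', and give for each:
- **Background Activity:** level of discussions and notable peaks
- **Relevant Events:** bullets for {', '.join(EVENT_CATEGORIES)}
- **Assumption:** how those events may explain the activity
Use these top-level headings: {' and '.join(REQUIRED_SECTIONS)}."""


def build_vision_request(image_bytes, prompt=ANALYST_PROMPT, model="gpt-4o"):
    """Payload for the OpenAI chat-completions API with the PNG graph embedded as
    a data URL. The call itself (client.chat.completions.create(**payload)) is
    omitted so this runs offline."""
    b64 = base64.b64encode(image_bytes).decode("ascii")
    return {
        "model": model,
        "messages": [{
            "role": "user",
            "content": [
                {"type": "text", "text": prompt},
                {"type": "image_url",
                 "image_url": {"url": f"data:image/png;base64,{b64}"}},
            ],
        }],
    }


def check_response_structure(answer):
    """Headings and categories the model left out, so a pipeline can retry or
    flag answers that ignored the requested format before analysts read them."""
    missing = [h for h in REQUIRED_SECTIONS if h not in answer]
    if not re.search(r"^### Timeframe: .+$", answer, flags=re.M):
        missing.append("### Timeframe: <name>")
    missing += [c for c in EVENT_CATEGORIES if f"**{c}:**" not in answer]
    return missing
```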

But you get the idea!🧐

GPT-4o Vision is an interesting tool to help analyze and pinpoint data that would be tedious to search manually. It allows you to rapidly find data of interest. Alexandre Dulaunoy conducted a similar experiment for timezone analysis, which is also very interesting to explore. There are many other use cases, and your imagination is the limit!

As you can see, prompting is quite important to obtain the information you want in the format you need. In the Blue Team Arsenal class, we use Python to automate and scale everything, dive deeper into practical use cases, and explore opportunities to leverage GenAI in every part of your threat intel workflow.

Of course, GenAI is not magic nor perfect, but it is a fantastic tool to help pinpoint interesting areas and speed up your analysis.

If you want to learn more about our training, we have multiple dates announced:

  1. x33fcon Poland June 10–12: 3 days
  2. BlackHat USA August 3–8: 4 days
  3. Defcon USA August 12–13: 2 days
  4. HackSydney Sydney November 4–6: 3 Days

Check out our website for additional details: https://store.securitybreak.io/blueteamarsenal

More dates will be announced. You can also reach out for more info on Twitter or LinkedIn! ❤

Thank you for reading! ✌️

Author: Kerri Lueilwitz