
New Video: John Hammond Discusses AI-Powered Cyber Threat Analysis with Estelle Rulin
In this captivating video, John Hammond interviews Estelle Rulin, a cyber threat intelligence researcher at Flare, to discuss an innovative project using artificial intelligence and large language models (LLMs) to analyze stealer malware logs. This project, named Steel Lens, aims to automate and accelerate the analysis of data stolen by malware such as Redline or Raccoon, which extract massive amounts of information from compromised devices. These logs contain sensitive data such as passwords, browsing history, screenshots, running processes, and more. The goal is to transform these mountains of raw data into actionable information that explains how an infection occurred.

Estelle explains that the idea behind Steel Lens was born from a simple observation: manually analyzing a single stealer log can take hours, even days, because of the complexity and volume of the data. To solve this problem, her team trained a language model to replicate the logic of a human analyst. The model can identify suspicious elements, such as strange software names, randomly named processes, or suspicious browsing activity (e.g., YouTube videos about cracks or hacking tools). One of the major challenges was avoiding the model's "hallucinations," i.e., unfounded or incorrect hypotheses about the data. To address this, the team integrated strict rules and cross-checks between different sections of the log, such as browsing history and installed software, to validate infection hypotheses.

The operation of Steel Lens is divided into two main parts. The first is an automatic analysis of the log, which generates a detailed infection hypothesis supported by evidence. For example, if a user watched a YouTube video on a "GTA Enhanced Mod Menu" and software with the same name was installed shortly afterward, the model identifies this as a strong sign of infection. The second part is a conversational agent that allows the analyst to interact with the results.
This agent can answer natural language questions, such as "What are the five closest browsing entries to the time of infection?" or "Can you propose an alternative infection hypothesis?". This feature is particularly useful for refining the analysis and avoiding bias, as the agent can recognize its own limitations and propose counterpoints or competing hypotheses.

A concrete example presented in the video involves the analysis of a log from a malicious actor nicknamed Quinn. This log contained a screenshot showing a LinkedIn account verification tool, as well as suspicious processes related to a proxy. Manual analysis of this log had left Estelle puzzled, but Steel Lens was able to replicate her doubts and propose plausible hypotheses, demonstrating the model's reliability. This case illustrates the tool's usefulness for cybersecurity researchers, who can now save valuable time and focus on higher-value tasks, such as tracking malicious campaigns or detecting new threats.

Beyond individual log analysis, Estelle discusses an ongoing project to use Steel Lens at large scale. By applying this technology to tens of thousands of logs, her team can track infection campaigns in real time and alert the public to traps to avoid. For example, they could announce that "the gaming sector, like Roblox or Counter-Strike, is particularly risky today," based on trends observed in the logs. This proactive approach helps raise user awareness and reduce infection risks.

On the technical side, the integration of frameworks like Nova to secure interactions with the conversational agent is also mentioned. Nova filters potentially dangerous questions or jailbreak attempts, ensuring the tool remains safe and reliable. Estelle emphasizes that, although LLMs are powerful, they cannot think for themselves: it is essential to teach them each step of human reasoning to obtain relevant results.
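One way to implement the browsing-history/installed-software cross-check and the "closest browsing entries" query described above, as an added Python example (not Flare's Steel Lens code); the log sections, software names and timestamps are constructed, and the one-hour window and two-token overlap threshold are assumed heuristics:

```python
from datetime import datetime, timedelta
import re

# Constructed sample sections of a stealer log (not real data):
# browsing history and installed software, each as (ISO timestamp, text).
BROWSING_HISTORY = [
    ("2024-03-01T13:55:00", "YouTube - How to set up a VPN at home"),
    ("2024-03-01T14:02:10", "YouTube - GTA Enhanced Mod Menu free download 2024"),
    ("2024-03-01T14:03:30", "mega.nz - GTA_Enhanced_Mod_Menu.rar"),
    ("2024-03-01T14:30:00", "Gmail - Inbox"),
    ("2024-03-01T16:00:00", "Roblox - Home"),
]
INSTALLED_SOFTWARE = [
    ("2024-02-10T09:00:00", "Google Chrome"),
    ("2024-03-01T14:07:45", "GTA Enhanced Mod Menu"),
    ("2024-03-01T14:08:00", "Discord"),
]

def _ts(s):
    return datetime.fromisoformat(s)

def _tokens(text):
    # Lower-cased alphanumeric tokens; short tokens like "a" or "to" are dropped.
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if len(t) > 2}

def cross_check(history, software, window=timedelta(hours=1), min_overlap=2):
    """Hypotheses grounded in evidence: an installed item whose name overlaps a
    browsing title seen within `window` BEFORE installation. Items with no
    supporting browsing entry produce no hypothesis (the anti-hallucination rule)."""
    hypotheses = []
    for inst_time, name in software:
        name_tok = _tokens(name)
        evidence = [
            (t, title) for t, title in history
            if timedelta(0) <= _ts(inst_time) - _ts(t) <= window
            and len(name_tok & _tokens(title)) >= min_overlap
        ]
        if evidence:
            hypotheses.append({"software": name, "installed_at": inst_time,
                               "evidence": evidence})
    return hypotheses

def closest_entries(history, infection_time, n=5):
    """The agent query: the n browsing entries nearest to the suspected infection time."""
    ref = _ts(infection_time)
    return sorted(history, key=lambda e: abs(_ts(e[0]) - ref))[:n]

if __name__ == "__main__":
    for h in cross_check(BROWSING_HISTORY, INSTALLED_SOFTWARE):
        print(h["software"], "installed at", h["installed_at"], "evidence:", h["evidence"])
        print("nearest browsing:", closest_entries(BROWSING_HISTORY, h["installed_at"], 3))
```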
This involves breaking complex tasks down into micro-steps and clearly defining what is considered suspicious or normal.

Finally, Estelle shares her atypical journey, which led her from studying mathematics and criminal psychology to cybersecurity. Her interest in online criminality and her desire to combine various disciplines led her to become a data scientist specializing in the analysis of cybercrime-related data. Her approach, which involves making data visually understandable and automating repetitive tasks, reflects a growing trend in threat intelligence, where AI plays an increasingly central role.

In summary, this video highlights a major advancement in stealer log analysis, with significant practical implications for cybersecurity. Steel Lens not only saves time but also improves the accuracy of analyses and democratizes access to critical information for combating cyber threats. For those wishing to delve deeper into the subject, the video offers a fascinating glimpse behind the scenes of threat intelligence research and the technological innovations shaping this field.