TAPE: Threat Automation and Prioritisation of Emails

December 23rd, 2022

Duration: 20 months, August 2022 – March 2024

What is TAPE?

Security Operations Centre (SOC) teams receive a large volume of phishing email alerts in Microsoft Sentinel, generated by Microsoft 365 Defender, which operates as a black box. Handling all of these alerts manually leads to:


  • Cognitive overload on SOC analysts
  • Delays in identifying critical incidents
  • Failure to proactively identify similar phishing attacks that bypass the system


TAPE aims to address those critical gaps by developing Machine Learning (ML) software to support human security experts in their daily effort to identify phishing campaigns within the reported email alerts from Microsoft 365 Defender and prioritise the response. It also enables the security team to proactively identify new campaign traits and update their Microsoft Sentinel rules periodically.

Who is involved?

TAPE is supported by the Government of Western Australia, the Office of Digital Government (DGov), under its participation in Cyber Security CRC (CSCRC). CSIRO’s Data61 performs research and development as CSCRC’s research provider.

How can I get involved and benefit?

Organisations such as WA agencies and others are encouraged to participate by sharing the phishing email alerts that Microsoft 365 Defender reports into their Microsoft Sentinel. Sharing is low-risk and metadata-only: these alerts contain neither email content nor attachments. Agencies will benefit from the results of identified campaigns, enrichment with early indicators of compromise (IOCs), and autonomous prioritisation.

Can you tell me how it works? Do I have to replace existing systems?

TAPE is intended to be built as a stand-alone system. It works alongside Microsoft Sentinel by taking email alerts as a feed, processing them in the background with our ML models to identify campaigns, and prioritising the alerts according to the threat they pose. TAPE then feeds the resulting intelligence back into Microsoft Sentinel in the form of early indicators of compromise (IOCs) and identified campaigns. Agencies can use this intelligence in their Microsoft Sentinel security orchestration, automation, and response (SOAR) playbooks. There will be no impact on existing agency infrastructure and systems.
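To make the two points above concrete (the shared alerts carry metadata only, and campaign grouping plus prioritisation is done on that metadata), here is an added illustrative example. It is not TAPE's code or its ML model, and the field names, domains, IP addresses and scoring weights are assumptions chosen for the example: it shows an allow-list filter that keeps only metadata before an alert leaves the tenant, a simple grouping of alerts into campaigns by sender domain and normalised subject within a time window, and a priority score with the IOCs that would be pushed back into Sentinel.

```python
"""Metadata-only campaign grouping and prioritisation of phishing alerts.

Added example, not TAPE's code or model. Runs on constructed,
Sentinel-style alert records; all field names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields an agency would share. Anything else (message body, attachment
# names, links from the text) is dropped before the record is shared.
SHAREABLE_FIELDS = {"id", "time", "sender_domain", "sender_ip",
                    "subject", "recipient", "delivery_action"}

# Constructed sample alerts (hypothetical domains, TEST-NET IP ranges).
RAW_ALERTS = [
    {"id": "a1", "time": "2022-11-01T09:02:00", "sender_domain": "payroll-update.example",
     "sender_ip": "203.0.113.10", "subject": "Action required: payslip 1043",
     "recipient": "alice@agency.example", "delivery_action": "Blocked",
     "body": "Click here to view your payslip"},          # must not be shared
    {"id": "a2", "time": "2022-11-01T09:05:00", "sender_domain": "payroll-update.example",
     "sender_ip": "203.0.113.10", "subject": "Action required: payslip 2210",
     "recipient": "bob@agency.example", "delivery_action": "Delivered"},
    {"id": "a3", "time": "2022-11-01T09:07:00", "sender_domain": "payroll-update.example",
     "sender_ip": "203.0.113.11", "subject": "Action required: payslip 0871",
     "recipient": "carol@agency.example", "delivery_action": "Delivered"},
    {"id": "a4", "time": "2022-11-01T11:30:00", "sender_domain": "invoice-portal.example",
     "sender_ip": "198.51.100.7", "subject": "Invoice INV-5521 overdue",
     "recipient": "dave@agency.example", "delivery_action": "Blocked",
     "attachment_name": "invoice.html"},                   # must not be shared
    {"id": "a5", "time": "2022-11-05T14:00:00", "sender_domain": "payroll-update.example",
     "sender_ip": "203.0.113.10", "subject": "Action required: payslip 7788",
     "recipient": "erin@agency.example", "delivery_action": "Blocked"},
    {"id": "a6", "time": "2022-11-01T11:45:00", "sender_domain": "invoice-portal.example",
     "sender_ip": "198.51.100.7", "subject": "Invoice INV-5530 overdue",
     "recipient": "alice@agency.example", "delivery_action": "Blocked"},
]

_DIGITS = re.compile(r"\d+")


def strip_to_metadata(record: dict) -> dict:
    """Keep only allow-listed metadata fields; email content never leaves."""
    return {k: v for k, v in record.items() if k in SHAREABLE_FIELDS}


def subject_template(subject: str) -> str:
    """Normalise a subject so per-message identifiers collapse to one template."""
    return _DIGITS.sub("#", subject.strip().lower())


def group_campaigns(alerts: list, window: timedelta = timedelta(hours=48)) -> list:
    """Group alerts sharing sender domain and subject template; start a new
    campaign when successive alerts are further apart than `window`."""
    by_key = defaultdict(list)
    for a in alerts:
        by_key[(a["sender_domain"], subject_template(a["subject"]))].append(a)
    campaigns = []
    for members in by_key.values():
        members.sort(key=lambda a: a["time"])
        current = [members[0]]
        for a in members[1:]:
            prev_t = datetime.fromisoformat(current[-1]["time"])
            if datetime.fromisoformat(a["time"]) - prev_t > window:
                campaigns.append(current)
                current = [a]
            else:
                current.append(a)
        campaigns.append(current)
    return campaigns


def score_campaign(campaign: list) -> int:
    """Assumed heuristic: breadth (distinct recipients) plus a weight for
    messages that were delivered, i.e. that got past the filter."""
    recipients = {a["recipient"] for a in campaign}
    delivered = sum(a["delivery_action"] == "Delivered" for a in campaign)
    return len(recipients) + 2 * delivered


def prioritise(raw_alerts: list) -> list:
    """Filter to metadata, group into campaigns, and rank them for the SOC."""
    alerts = [strip_to_metadata(r) for r in raw_alerts]
    ranked = []
    for campaign in group_campaigns(alerts):
        ranked.append({
            "sender_domain": campaign[0]["sender_domain"],
            "subject_template": subject_template(campaign[0]["subject"]),
            "alert_ids": [a["id"] for a in campaign],
            "score": score_campaign(campaign),
            # Early indicators a SOAR playbook could act on in Sentinel.
            "iocs": sorted({a["sender_ip"] for a in campaign}
                           | {campaign[0]["sender_domain"]}),
        })
    ranked.sort(key=lambda c: c["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for c in prioritise(RAW_ALERTS):
        print(c["score"], c["sender_domain"], c["subject_template"],
              c["alert_ids"], c["iocs"])
```

On the constructed input the three payroll alerts from 1 November form one campaign ranked first (three recipients, two delivered), the two invoice alerts form a second, and the payroll alert four days later starts a third because it falls outside the window. The allow-list is the part worth keeping in any real feed: it is what makes the "metadata only" guarantee checkable rather than assumed.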

Who do I get in touch with?

Sharif Abuadbba
sharif.abuadbba@data61.csiro.au
TAPE project Lead

CSIRO’s Data61

Rachel Mahncke
Rachel.Mahncke@dpc.wa.gov.au
Department of Premier and Cabinet
Government of Western Australia

Acknowledgement of the rest of the TAPE development team


  • Dr. Shuo Wang, Research Scientist, CSIRO’s Data61
  • Dr. Wei Kang, Research Scientist, CSIRO’s Data61
  • Seung Jang, Senior Research Engineer, CSIRO’s Data61