CRLG · Apr 29, 2020

Automated Retrieval of ATT&CK Tactics and Techniques for Cyber Threat Reports

arXiv:2004.14322v1 · 87 citations
AI Analysis

The paper addresses the challenge cybersecurity professionals face in efficiently processing large volumes of threat intelligence, though the contribution is incremental: it applies existing text-classification methods to a specific domain.

The paper tackles the problem of manually extracting cyber attack Tactics, Techniques, and Procedures (TTPs) from unstructured text reports: it evaluates several classification approaches to automate that retrieval and packages the findings as rcATT, a freely distributed tool for automated report analysis.

Over the last few years, threat intelligence sharing has steadily grown, leading cybersecurity professionals to access increasingly larger amounts of heterogeneous data. Among those, cyber attacks' Tactics, Techniques and Procedures (TTPs) have proven to be particularly valuable to characterize threat actors' behaviors and, thus, improve defensive countermeasures. Unfortunately, this information is often hidden within human-readable textual reports and must be extracted manually. In this paper, we evaluate several classification approaches to automatically retrieve TTPs from unstructured text. To implement these approaches, we take advantage of the MITRE ATT&CK framework, an open knowledge base of adversarial tactics and techniques, to train classifiers and label results. Finally, we present rcATT, a tool built on top of our findings and freely distributed to the security community to support cyber threat report automated analysis.
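The abstract describes the core idea without showing it: ATT&CK's own technique descriptions serve as labelled training text, a report is scored against them sentence by sentence, several techniques may match one report (a multi-label problem), and each matched technique carries its tactic with it. The block below is an added, deliberately minimal illustration of that pipeline and is not rcATT's code nor the classifiers the paper evaluates; it uses TF-IDF vectors with cosine similarity instead of a trained classifier. The technique and tactic IDs are real ATT&CK identifiers, but the descriptions, the stopword list, the 0.15 threshold and the sample report are all constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed, heavily abridged paraphrases of four ATT&CK entries. The technique and
# tactic IDs are real ATT&CK identifiers; the description text is NOT ATT&CK's own.
TECHNIQUES = {
    "T1566": ("Phishing", "TA0001",
              "adversaries send phishing email messages with a malicious attachment "
              "or link to gain initial access"),
    "T1059": ("Command and Scripting Interpreter", "TA0002",
              "adversaries abuse command and script interpreters such as powershell "
              "or cmd to execute commands"),
    "T1003": ("OS Credential Dumping", "TA0006",
              "adversaries dump credentials from the operating system such as lsass "
              "process memory to obtain password hashes"),
    "T1071": ("Application Layer Protocol", "TA0011",
              "adversaries communicate with command and control servers over "
              "application layer protocols such as http or dns"),
}
TACTICS = {"TA0001": "Initial Access", "TA0002": "Execution",
           "TA0006": "Credential Access", "TA0011": "Command and Control"}

# Tiny constructed stopword list; a real system would use a proper one.
STOPWORDS = {"a", "an", "and", "as", "at", "by", "for", "from", "in", "of", "on",
             "or", "over", "such", "the", "to", "with", "once", "later"}


def tokenize(text):
    """Lowercase word tokens, stopwords dropped, crude plural stripping (emails -> email)."""
    out = []
    for tok in re.findall(r"[a-z0-9]+", text.lower()):
        if tok in STOPWORDS:
            continue
        if len(tok) > 3 and tok.endswith("s") and not tok.endswith("ss"):
            tok = tok[:-1]  # keeps 'lsass' and 'process' intact
        out.append(tok)
    return out


def build_index(techniques):
    """TF-IDF vector per technique description: the 'training' side of the pipeline."""
    docs = {tid: Counter(tokenize(desc)) for tid, (_, _, desc) in techniques.items()}
    n = len(docs)
    df = Counter(tok for counts in docs.values() for tok in counts)

    def idf(tok):  # smoothed idf so unseen report tokens do not divide by zero
        return math.log((n + 1) / (df[tok] + 1)) + 1

    vectors = {}
    for tid, counts in docs.items():
        total = sum(counts.values())
        vectors[tid] = {tok: (c / total) * idf(tok) for tok, c in counts.items()}
    return vectors, idf


def vectorize(text, idf):
    counts = Counter(tokenize(text))
    total = sum(counts.values()) or 1
    return {tok: (c / total) * idf(tok) for tok, c in counts.items()}


def cosine(a, b):
    dot = sum(w * b.get(tok, 0.0) for tok, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


INDEX, IDF = build_index(TECHNIQUES)


def rank_techniques(sentence):
    """All techniques ordered by similarity to one sentence, best first."""
    q = vectorize(sentence, IDF)
    scores = [(tid, cosine(q, vec)) for tid, vec in INDEX.items()]
    return sorted(scores, key=lambda s: s[1], reverse=True)


def label_report(report, threshold=0.15):
    """Multi-label result for a whole report: every technique scoring at least
    `threshold` in some sentence, plus the tactics those techniques imply."""
    best = {}
    for sentence in re.split(r"(?<=[.!?])\s+", report.strip()):
        for tid, score in rank_techniques(sentence):
            if score >= threshold:
                best[tid] = max(best.get(tid, 0.0), score)
    techniques = sorted(best)
    tactics = sorted({TECHNIQUES[t][1] for t in techniques})
    return {"techniques": techniques, "tactics": tactics, "scores": best}


# Constructed report excerpt, not taken from any real threat report.
SAMPLE_REPORT = (
    "The actor delivered a phishing email carrying a malicious attachment. "
    "Once opened, a PowerShell script executed to run further commands. "
    "Later the operators dumped LSASS memory to collect password hashes."
)

if __name__ == "__main__":
    result = label_report(SAMPLE_REPORT)
    for tid in result["techniques"]:
        name, tactic, _ = TECHNIQUES[tid]
        print(f"{tid} {name:34s} -> {tactic} {TACTICS[tactic]} "
              f"(score {result['scores'][tid]:.2f})")
```

Two design points carry over to any real implementation. Scoring per sentence rather than per document matters because a report mixes several techniques, and a single document vector dilutes each of them. Deriving tactics from matched techniques exploits ATT&CK's structure (every technique belongs to one or more tactics), which is cheaper and more consistent than training a separate tactic classifier; the trade-off is that the threshold decides everything, and on real reports it has to be tuned against labelled data rather than set by hand as here.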
