Technique Inference Engine: A Recommender Model to Support Cyber Threat Hunting
This work addresses the difficulty cyber analysts face in proactively hunting threats amid high data volumes and evolving vulnerabilities; its contribution is incremental, applying existing recommender models to a new domain-specific dataset.
The authors tackled the challenge of identifying co-occurring adversarial techniques in cyber threat hunting by developing the Technique Inference Engine, which applies implicit feedback recommender models to the largest available dataset of cyber threat intelligence reports labeled with TTPs in order to predict additional techniques likely to be part of a given campaign.
Cyber threat hunting is the practice of proactively searching for latent threats in a network. Engaging in threat hunting can be difficult due to the volume of network traffic, variety of adversary techniques, and constantly evolving vulnerabilities. To aid analysts in identifying techniques which may be co-occurring as part of a campaign, we present the Technique Inference Engine, a tool to infer tactics, techniques, and procedures (TTPs) which may be related to existing observations of adversarial behavior. We compile the largest (to our knowledge) available dataset of cyber threat intelligence (CTI) reports labeled with relevant TTPs. With the knowledge that techniques are chronically under-reported in CTI, we apply several implicit feedback recommender models to the data in order to predict additional techniques which may be part of a given campaign. We evaluate the results in the context of the cyber analyst's use case and apply t-SNE to visualize the model embeddings. We provide our code and a web interface.
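As an added illustration (not code from the paper or its released tool), the sketch below treats each CTI report as a binary implicit-feedback vector over ATT&CK technique IDs, where an unreported technique is unknown rather than absent, and uses item-based cosine similarity, one simple implicit-feedback baseline, to suggest further techniques for a partially observed campaign and to score that suggestion with a leave-one-out hit rate. The report corpus is constructed for the example; the technique IDs are ATT&CK identifiers used purely as labels.

```python
"""Item-based implicit-feedback recommender over CTI reports labelled with ATT&CK technique IDs."""
from collections import defaultdict
from math import sqrt

# Constructed sample corpus: each CTI report is the set of technique IDs it mentions.
REPORTS = {
    "report-01": {"T1566", "T1059", "T1027", "T1547"},
    "report-02": {"T1566", "T1059", "T1027", "T1003"},
    "report-03": {"T1566", "T1059", "T1003", "T1021"},
    "report-04": {"T1078", "T1021", "T1003", "T1486"},
    "report-05": {"T1078", "T1021", "T1486"},
    "report-06": {"T1566", "T1027", "T1547"},
    "report-07": {"T1059", "T1027", "T1547", "T1003"},
    "report-08": {"T1078", "T1003", "T1021", "T1486"},
}

def item_similarity(reports):
    """Cosine similarity between techniques over binary report vectors (1 = reported, 0 = unknown)."""
    count = defaultdict(int)  # reports mentioning each technique
    co = defaultdict(int)     # reports mentioning both techniques of a pair
    for ttps in reports.values():
        for a in ttps:
            count[a] += 1
            for b in ttps:
                if a != b:
                    co[(a, b)] += 1
    return {(a, b): n / sqrt(count[a] * count[b]) for (a, b), n in co.items()}

def recommend(observed, sim, k=3):
    """Rank unobserved techniques by summed similarity to the observed ones; top-k (technique, score)."""
    scores = defaultdict(float)
    for (a, b), s in sim.items():
        if a in observed and b not in observed:
            scores[b] += s
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:k]

def leave_one_out_hit_rate(reports, k=3):
    """Hide one technique at a time, recommend from the rest of the report, count top-k hits."""
    hits = trials = 0
    for name, ttps in reports.items():
        sim = item_similarity({n: t for n, t in reports.items() if n != name})
        for hidden in sorted(ttps):
            trials += 1
            hits += hidden in [t for t, _ in recommend(ttps - {hidden}, sim, k)]
    return hits / trials

if __name__ == "__main__":
    print(recommend({"T1566", "T1059"}, item_similarity(REPORTS)))
    print(f"leave-one-out hit@3: {leave_one_out_hit_rate(REPORTS):.2f}")
```

Because the corpus is under-reported by construction, the similarity counts only positive co-occurrences and never penalises a missing label; swapping in a matrix-factorisation model would keep the same interface.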