Research area: Safety
Venue: ACSW '23: Proceedings of the 2023 Australasian Computer Science Week
With the proliferation of attacks from various Advanced Persistent Threat (APT) groups, it is essential to understand a threat actor's attack patterns in order to accelerate threat detection and response. The Tactics, Techniques, and Procedures (TTPs) of the MITRE ATT&CK framework help to decipher such attack patterns. APT reports published by security firms contain rich information on the tools and techniques used by threat actors, but these reports are written as unstructured natural-language text, so an automated tool is needed to extract the TTPs they describe. Only a few such tools exist in the literature, and their performance is not very satisfactory. In this work, we propose TTPHunter, which extracts TTPs from APT reports by mapping the context of each sentence to the relevant TTPs. We fine-tune linear classifiers that take BERT (Bidirectional Encoder Representations from Transformers) embeddings of sentences as input. To validate TTPHunter we create two datasets: a sentence-based dataset (8,387 sentence samples) and a document-based dataset (50 threat reports). TTPHunter achieves F1-scores of 88% and 75% on the two datasets, respectively. We compare TTPHunter with the rcATT and AttacKG baseline models, and it outperforms both baselines.
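The following is an added example, not TTPHunter's own code, illustrating the pipeline the abstract describes: a linear classifier over sentence representations, evaluated both per sentence and per document. To run offline it substitutes bag-of-words counts for BERT embeddings and a multiclass perceptron for the fine-tuned linear layer; the training sentences, the sample report, and the choice to aggregate document-level output as the union of sentence-level predictions are all assumptions made here. The ATT&CK technique IDs are real, but which one a sentence maps to is constructed for the example.

```python
"""Added example (not TTPHunter's code): sentence -> ATT&CK technique classifier
with sentence-level and document-level F1. Bag-of-words counts stand in for BERT
sentence embeddings and a multiclass perceptron for the fine-tuned linear
classifier; all sentences below are constructed, not taken from APT reports."""
import re
from collections import Counter, defaultdict

NONE = "NONE"  # label for sentences that describe no technique
LABELS = [NONE, "T1566", "T1059", "T1003", "T1071"]

# Constructed training sentences labelled with ATT&CK technique IDs.
TRAIN = [
    ("The actor sent spearphishing emails with a malicious attachment", "T1566"),
    ("Victims received phishing emails carrying a weaponized document", "T1566"),
    ("The malware executed PowerShell commands to download the payload", "T1059"),
    ("A batch script invoked cmd.exe to run the second stage", "T1059"),
    ("Mimikatz was used to dump credentials from LSASS memory", "T1003"),
    ("The operators dumped password hashes from the SAM database", "T1003"),
    ("The implant communicated with its C2 server over HTTPS", "T1071"),
    ("Beaconing traffic to the command and control server used HTTP", "T1071"),
    ("This report was published by the vendor in March", NONE),
    ("Figure 2 shows the timeline of the campaign", NONE),
]


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def featurize(text):
    """Sparse bag-of-words vector; a stand-in for a BERT sentence embedding."""
    return Counter(tokenize(text))


def split_sentences(report):
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", report) if s.strip()]


class LinearTTPClassifier:
    """Multiclass perceptron: one linear weight vector per technique label."""

    def __init__(self, labels):
        self.labels = list(labels)
        self.w = {lab: defaultdict(float) for lab in self.labels}

    def scores(self, feats):
        return {lab: sum(self.w[lab][t] * c for t, c in feats.items())
                for lab in self.labels}

    def predict(self, text):
        s = self.scores(featurize(text))
        # Ties (e.g. an untrained model) resolve to the earliest label, i.e. NONE.
        return max(self.labels, key=lambda lab: (s[lab], -self.labels.index(lab)))

    def fit(self, data, max_epochs=100):
        """Perceptron updates until an epoch is mistake-free; returns epochs used."""
        for epoch in range(max_epochs):
            mistakes = 0
            for text, gold in data:
                pred = self.predict(text)
                if pred != gold:
                    mistakes += 1
                    for t, c in featurize(text).items():
                        self.w[gold][t] += c
                        self.w[pred][t] -= c
            if mistakes == 0:  # the constructed data is separable, so this converges
                return epoch + 1
        return max_epochs


def micro_f1(gold_sets, pred_sets):
    """Micro-averaged F1 over (instance, technique) pairs; NONE is not a technique."""
    tp = fp = fn = 0
    for g, p in zip(gold_sets, pred_sets):
        g, p = set(g) - {NONE}, set(p) - {NONE}
        tp += len(g & p)
        fp += len(p - g)
        fn += len(g - p)
    if tp == 0:
        return 0.0
    prec, rec = tp / (tp + fp), tp / (tp + fn)
    return 2 * prec * rec / (prec + rec)


def sentence_f1(model, data):
    """Sentence-level evaluation: one gold label and one prediction per sentence."""
    return micro_f1([{g} for _, g in data], [{model.predict(t)} for t, _ in data])


def document_techniques(model, report):
    """Document-level output: union of the techniques predicted for its sentences."""
    return {model.predict(s) for s in split_sentences(report)} - {NONE}


def document_f1(model, docs):
    """docs: list of (report_text, set of gold technique IDs for the whole report)."""
    return micro_f1([g for _, g in docs],
                    [document_techniques(model, r) for r, _ in docs])


if __name__ == "__main__":
    model = LinearTTPClassifier(LABELS)
    print("epochs to converge:", model.fit(TRAIN))
    print("sentence-level F1 on training sentences:", sentence_f1(model, TRAIN))
    # Constructed, previously unseen report to show per-sentence and per-document output.
    report = ("The group delivered phishing emails to employees. "
              "A PowerShell script then ran to fetch the payload. "
              "Credentials were dumped with Mimikatz. "
              "This report summarises the campaign.")
    for s in split_sentences(report):
        print(f"{model.predict(s):6} {s}")
    print("document-level techniques:", sorted(document_techniques(model, report)))
```

The two evaluation functions make the abstract's two numbers concrete: sentence-level F1 scores each sentence's single label, while document-level F1 scores the set of techniques recovered for a whole report, so a technique found in any sentence counts once and a sentence mislabelled as a technique the report does describe elsewhere is not penalised.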
| Publication year | 2023 |
|---|---|
| Citations | 15 |
| Country of publication | India |
| Site | ACM |