Automated Retrieval of ATT&CK Tactics and Techniques for Cyber Threat Reports
Valentine Legoy, Marco Caselli, Christin Seifert, and Andreas Peter

TL;DR
This paper develops and evaluates machine learning classifiers to automatically extract cyber attack tactics and techniques from unstructured threat reports using the MITRE ATT&CK framework, and introduces a tool for automated analysis.
Contribution
It presents a novel approach combining classification methods with the ATT&CK framework to automate TTP extraction from textual reports, and provides a publicly available tool for the cybersecurity community.
Findings
Effective classifiers for TTP extraction are identified.
The rcATT tool supports automated analysis of threat reports.
The approach improves efficiency in threat intelligence processing.
Abstract
Over the last years, threat intelligence sharing has steadily grown, leading cybersecurity professionals to access increasingly larger amounts of heterogeneous data. Among those, cyber attacks' Tactics, Techniques and Procedures (TTPs) have proven to be particularly valuable to characterize threat actors' behaviors and, thus, improve defensive countermeasures. Unfortunately, this information is often hidden within human-readable textual reports and must be extracted manually. In this paper, we evaluate several classification approaches to automatically retrieve TTPs from unstructured text. To implement these approaches, we take advantage of the MITRE ATT&CK framework, an open knowledge base of adversarial tactics and techniques, to train classifiers and label results. Finally, we present rcATT, a tool built on top of our findings and freely distributed to the security community to…
Taxonomy
Topics: Cybercrime and Law Enforcement Studies · Information and Cyber Security · Terrorism, Counterterrorism, and Political Violence
