On Technique Identification and Threat-Actor Attribution using LLMs and Embedding Models

TL;DR

This paper explores using large language models and embedding techniques to automate cyber-attack attribution by extracting behavioral indicators from forensic documents, aiming to improve speed and accuracy in threat attribution.

Contribution

It evaluates off-the-shelf LLMs for TTP extraction and develops an end-to-end pipeline for threat-actor attribution from raw cyber threat intelligence documents.

Findings

LLMs produce noisy TTP datasets with low similarity to human data

Generated TTPs are similar in frequency to MITRE datasets

The approach improves attribution performance despite dataset noise

Abstract

Attribution of cyber-attacks remains a complex but critical challenge for cyber defenders. Currently, manual extraction of behavioral indicators from dense forensic documentation causes significant attribution delays, especially following major incidents at the international scale. This research evaluates large language models (LLMs) for cyber-attack attribution based on behavioral indicators extracted from forensic documentation. We test OpenAI's GPT-4 and text-embedding-3-large for identifying threat actors' tactics, techniques, and procedures (TTPs) by comparing LLM-generated TTPs against human-generated data from MITRE ATT&CK Groups. Our framework then identifies TTPs from text using vector embedding search and builds profiles to attribute new attacks for a machine learning model to learn. Key contributions include: (1) assessing off-the-shelf LLMs for TTP extraction and attribution, and (2) developing an end-to-end pipeline from raw CTI documents to threat-actor prediction. This research finds that standard LLMs generate TTP datasets with noise, resulting in a low similarity to human-generated datasets. However, the TTPs generated are similar in frequency to those within the existing MITRE datasets. Additionally, although these TTPs are different than human-generated datasets, our work demonstrates that they still prove useful for training a model that performs above baseline on attribution. Project code and files are contained here: https://github.com/kylag/ttp_attribution.