Looking Beyond IoCs: Automatically Extracting Attack Patterns from External CTI

by Md Tanvirul Alam, et al.

Public and commercial companies extensively share cyber threat intelligence (CTI) to prepare systems to defend against emerging cyberattacks. Most of the intelligence used thus far has been limited to tracking known threat indicators such as IP addresses and domain names, which are easy to extract with regular expressions. Because such indicators have limited long-term value and are difficult to analyze over the long term, we propose using a significantly more robust threat intelligence signal: attack patterns. Extracting attack patterns at scale, however, is a challenging task. In this paper, we present LADDER, a knowledge extraction framework that extracts text-based attack patterns from CTI reports at scale. The model characterizes attack patterns by capturing the phases of an attack in Android and enterprise networks, and then systematically maps them to the MITRE ATT&CK framework. We present several use cases demonstrating how SOC analysts can use LADDER to determine the presence of attack vectors belonging to emerging attacks and prepare defenses in advance.
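The following is an added example, not code from the LADDER paper or its authors. It contrasts the two signals the abstract discusses: indicators of compromise pulled out with regular expressions, and attack patterns mapped to MITRE ATT&CK technique IDs. LADDER learns its attack-pattern extractor from data; here a hand-built phrase lexicon stands in for it, and the ATT&CK pairings in that lexicon are illustrative assumptions rather than the paper's mappings. The two CTI report excerpts are constructed for the example. Running it shows why indicators are brittle: two reports describing the same campaign with rotated infrastructure share no IoCs but the same set of techniques.

```python
import re
from dataclasses import dataclass

# Constructed CTI report excerpts (not real reports). Both describe the same
# tradecraft; only the infrastructure differs.
REPORT_A = """
The campaign began with spear-phishing emails carrying a malicious attachment.
Once opened, the document launched PowerShell to download a second stage from
hxxp://update-check[.]example/payload.bin (203.0.113.45). Persistence was achieved
by creating a scheduled task, and the implant beaconed over HTTPS to the C2 at
203.0.113.45. The final stage encrypted files on the host for ransom.
"""

REPORT_B = """
A later wave used phishing emails with a lure PDF. The lure ran PowerShell to fetch
http://cdn-sync[.]example/stage2 (198.51.100.7), registered a scheduled task for
persistence, and used HTTPS beacons to its C2 before encrypting files on the host.
"""

# Indicator extraction: the regex-based approach the abstract describes as the
# most common use of CTI today.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}


@dataclass(frozen=True)
class Technique:
    tid: str   # ATT&CK technique ID
    name: str  # ATT&CK technique name


# Hand-built phrase lexicon (assumption: illustrative stand-in for a learned
# extractor; the phrase-to-technique pairings are this example's, not LADDER's).
ATTACK_PATTERN_LEXICON = [
    (re.compile(r"spear[- ]?phishing|phishing email", re.I),
     Technique("T1566", "Phishing")),
    (re.compile(r"\bpowershell\b", re.I),
     Technique("T1059", "Command and Scripting Interpreter")),
    (re.compile(r"scheduled task", re.I),
     Technique("T1053", "Scheduled Task/Job")),
    (re.compile(r"beacon\w* over https?|\bc2\b", re.I),
     Technique("T1071", "Application Layer Protocol")),
    (re.compile(r"encrypt\w* files", re.I),
     Technique("T1486", "Data Encrypted for Impact")),
]


def refang(text: str) -> str:
    """Undo the common defanging conventions so indicator regexes match."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def extract_iocs(text: str) -> dict:
    """Return deduplicated, sorted indicators keyed by indicator type."""
    t = refang(text)
    return {name: sorted(set(p.findall(t))) for name, p in IOC_PATTERNS.items()}


def extract_attack_patterns(text: str) -> list:
    """Return techniques ordered by first mention, one entry per technique.

    Ordering by position recovers the attack phases as the report narrates them.
    """
    found = {}
    for pattern, tech in ATTACK_PATTERN_LEXICON:
        m = pattern.search(text)
        if m and tech.tid not in found:
            found[tech.tid] = (m.start(), tech)
    return [tech for _, tech in sorted(found.values(), key=lambda x: x[0])]


def overlap(a, b) -> float:
    """Jaccard similarity of two collections (0.0 when both are empty)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0


def compare_reports(report_x: str, report_y: str) -> dict:
    """Compare two reports on indicator overlap versus technique overlap."""
    iocs_x = [v for vals in extract_iocs(report_x).values() for v in vals]
    iocs_y = [v for vals in extract_iocs(report_y).values() for v in vals]
    ttps_x = [t.tid for t in extract_attack_patterns(report_x)]
    ttps_y = [t.tid for t in extract_attack_patterns(report_y)]
    return {
        "ioc_overlap": overlap(iocs_x, iocs_y),
        "technique_overlap": overlap(ttps_x, ttps_y),
    }


if __name__ == "__main__":
    print("IoCs in report A:", extract_iocs(REPORT_A))
    print("Attack phases in report A:",
          [f"{t.tid} {t.name}" for t in extract_attack_patterns(REPORT_A)])
    print("A vs B:", compare_reports(REPORT_A, REPORT_B))
```

The comparison is the practitioner's takeaway: a detection built on the IoCs of report A has nothing to match in report B, while the technique sequence (phishing, scripting interpreter, scheduled task, C2 over an application-layer protocol, encryption for impact) is identical, which is the signal the paper argues is worth extracting.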


Related papers:

AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports

EXTRACTOR: Extracting Attack Behavior from Threat Reports

POIROT: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting

CGraph: Graph Based Extensible Predictive Domain Threat Intelligence Platform

Decaying Indicators of Compromise

Attacker Profiling Through Analysis of Attack Patterns in Geographically Distributed Honeypots

Denial of Wallet – Defining a Looming Threat to Serverless Computing