Automated Retrieval of ATT&CK Tactics and Techniques for Cyber Threat Reports

Valentine Legoy, Marco Caselli, Christin Seifert, Andreas Peter

Research output: Contribution to conference (Paper)



Over the last years, threat intelligence sharing has steadily grown, leading cybersecurity professionals to access increasingly larger amounts of heterogeneous data. Among those, cyber attacks' Tactics, Techniques and Procedures (TTPs) have proven to be particularly valuable to characterize threat actors' behaviors and, thus, improve defensive countermeasures. Unfortunately, this information is often hidden within human-readable textual reports and must be extracted manually. In this paper, we evaluate several classification approaches to automatically retrieve TTPs from unstructured text. To implement these approaches, we take advantage of the MITRE ATT&CK framework, an open knowledge base of adversarial tactics and techniques, to train classifiers and label results. Finally, we present rcATT, a tool built on top of our findings and freely distributed to the security community to support cyber threat report automated analysis.
Original language: English
Number of pages: 20
Publication status: Published - 2020
Event: 1st Cyber Threat Intelligence Symposium, CTI 2020 - Online
Duration: 9 Mar 2020 to 11 Mar 2020
Conference number: 1


Conference: 1st Cyber Threat Intelligence Symposium, CTI 2020
Abbreviated title: CTI


  • Cybersecurity
  • Automation
  • Cyber threat intelligence
  • ATT&CK tactics and techniques
  • Multi-label classification

