Inferring Recovery Steps from Cyber Threat Intelligence Reports

Zsolt Levente Kucsván; Marco Caselli; Andreas Peter; Andrea Continella

Inferring Recovery Steps from Cyber Threat Intelligence Reports

Zsolt Levente Kucsván, Marco Caselli, Andreas Peter, Andrea Continella

Semantics, Cybersecurity & Services

Research output: Contribution to conference › Paper › peer-review

322 Downloads (Pure)

Abstract

Within the constantly changing threat landscape, Security Operation Centers are overwhelmed by suspicious alerts, which require manual investigation. Nonetheless, given the impact and severity of modern threats, it is crucial to quickly mitigate and respond to potential incidents. Currently, security operators use predefined sets of actions from so-called playbooks to respond to incidents. However, these playbooks need to be manually created and updated for each threat, again increasing the workload of the operators. In this work, we research approaches to automate the inference of recovery steps by automatically identifying steps taken by threat actors within Cyber Threat Intelligence reports and translating these steps into recovery steps that can be def ined in playbooks. Our insight is that by analyzing the text describing threats, we can effectively infer their corresponding recovery actions. To this end, we first design and implement a semantic approach based on traditional Natural Language Processing techniques, and we then study a generative approach based on recent Large Language Models (LLMs). Our experiments show that even if the LLMs were not designed to solve domain-specific problems, they outperform the precision of semantic approaches by up to 45%. We also evaluate factuality showing that LLMs tend to produce up to 90 factual errors over the entire dataset.

Original language	English
Number of pages	20
Publication status	Published - 17 Jul 2024
Event	21st Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA 2024 - EPFL, Lausanne, Switzerland Duration: 17 Jul 2024 → 19 Jul 2024 Conference number: 21 https://www.dimva.org/dimva2024/

Conference

Conference	21st Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA 2024
Abbreviated title	DIMVA 2024
Country/Territory	Switzerland
City	Lausanne
Period	17/07/24 → 19/07/24
Internet address	https://www.dimva.org/dimva2024/

Keywords

Cybersecurity

Access to Document

kucsvan-recovery-2024Accepted author version, 852 KB

Cite this

@conference{75e86cd1a23e46518a221ae7290caae8,

title = "Inferring Recovery Steps from Cyber Threat Intelligence Reports",

abstract = "Within the constantly changing threat landscape, Security Operation Centers are overwhelmed by suspicious alerts, which require manual investigation. Nonetheless, given the impact and severity of modern threats, it is crucial to quickly mitigate and respond to potential incidents. Currently, security operators use predefined sets of actions from so-called playbooks to respond to incidents. However, these playbooks need to be manually created and updated for each threat, again increasing the workload of the operators. In this work, we research approaches to automate the inference of recovery steps by automatically identifying steps taken by threat actors within Cyber Threat Intelligence reports and translating these steps into recovery steps that can be def ined in playbooks. Our insight is that by analyzing the text describing threats, we can effectively infer their corresponding recovery actions. To this end, we first design and implement a semantic approach based on traditional Natural Language Processing techniques, and we then study a generative approach based on recent Large Language Models (LLMs). Our experiments show that even if the LLMs were not designed to solve domain-specific problems, they outperform the precision of semantic approaches by up to 45%. We also evaluate factuality showing that LLMs tend to produce up to 90 factual errors over the entire dataset.",

keywords = "Cybersecurity",

author = "Kucsv{\'a}n, {Zsolt Levente} and Marco Caselli and Andreas Peter and Andrea Continella",

year = "2024",

month = jul,

day = "17",

language = "English",

note = "21st Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA 2024, DIMVA 2024 ; Conference date: 17-07-2024 Through 19-07-2024",

url = "https://www.dimva.org/dimva2024/",

}

TY - CONF

T1 - Inferring Recovery Steps from Cyber Threat Intelligence Reports

AU - Kucsván, Zsolt Levente

AU - Caselli, Marco

AU - Peter, Andreas

AU - Continella, Andrea

N1 - Conference code: 21

PY - 2024/7/17

Y1 - 2024/7/17

N2 - Within the constantly changing threat landscape, Security Operation Centers are overwhelmed by suspicious alerts, which require manual investigation. Nonetheless, given the impact and severity of modern threats, it is crucial to quickly mitigate and respond to potential incidents. Currently, security operators use predefined sets of actions from so-called playbooks to respond to incidents. However, these playbooks need to be manually created and updated for each threat, again increasing the workload of the operators. In this work, we research approaches to automate the inference of recovery steps by automatically identifying steps taken by threat actors within Cyber Threat Intelligence reports and translating these steps into recovery steps that can be def ined in playbooks. Our insight is that by analyzing the text describing threats, we can effectively infer their corresponding recovery actions. To this end, we first design and implement a semantic approach based on traditional Natural Language Processing techniques, and we then study a generative approach based on recent Large Language Models (LLMs). Our experiments show that even if the LLMs were not designed to solve domain-specific problems, they outperform the precision of semantic approaches by up to 45%. We also evaluate factuality showing that LLMs tend to produce up to 90 factual errors over the entire dataset.

AB - Within the constantly changing threat landscape, Security Operation Centers are overwhelmed by suspicious alerts, which require manual investigation. Nonetheless, given the impact and severity of modern threats, it is crucial to quickly mitigate and respond to potential incidents. Currently, security operators use predefined sets of actions from so-called playbooks to respond to incidents. However, these playbooks need to be manually created and updated for each threat, again increasing the workload of the operators. In this work, we research approaches to automate the inference of recovery steps by automatically identifying steps taken by threat actors within Cyber Threat Intelligence reports and translating these steps into recovery steps that can be def ined in playbooks. Our insight is that by analyzing the text describing threats, we can effectively infer their corresponding recovery actions. To this end, we first design and implement a semantic approach based on traditional Natural Language Processing techniques, and we then study a generative approach based on recent Large Language Models (LLMs). Our experiments show that even if the LLMs were not designed to solve domain-specific problems, they outperform the precision of semantic approaches by up to 45%. We also evaluate factuality showing that LLMs tend to produce up to 90 factual errors over the entire dataset.

KW - Cybersecurity

M3 - Paper

T2 - 21st Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA 2024

Y2 - 17 July 2024 through 19 July 2024

ER -

Inferring Recovery Steps from Cyber Threat Intelligence Reports

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this