Abstract

As cybercriminals continually challenge enterprise security with sophisticated and rapidly evolving exploits, cyber threat intelligence (CTI) has emerged as a promising way to improve resilience: by understanding the adversaries that target a given industry and focusing on them, a SOC can make efficient use of the limited resources that constrain every security operations team. With a wide array of public and commercial sources distributing threat intelligence, extending intelligence collection and analysis has become indispensable to developing effective cybersecurity measures.

Unstructured data such as technical articles and reports are known to be difficult to analyze and formalize. While much previous research has attempted to semantically extract threat intelligence from unstructured text, none of it has been applied to Chinese data sources. Since China is both the largest source and the largest victim of cyberattacks, the lack of visibility into Chinese data sources is a major blind spot for CTI.

In this paper, we present CTI ANT, the first automatic system for analyzing Chinese CTI, which extends threat intelligence visibility to Chinese data sources. CTI ANT consists of three sub-systems: an automatic classification system (CSAC) that determines threat intelligence types, a recommendation system (CTRS) that identifies trending keywords to assist threat analysts, and a Web API that labels MITRE ATT&CK® techniques in Chinese APT reports. Evaluation results confirm that the proposed CSAC and CTRS achieve strong performance, with average accuracy exceeding 93% and 80%, respectively. Moreover, the MITRE ATT&CK Web API labels techniques precisely in Chinese ATT&CK reports, stimulating new insights into Chinese CTI.

Full Text
Published version (Free)
