SMET: Semantic mapping of CTI reports and CVE to ATT&CK for advanced threat intelligence

Abstract

With the rapid increase in the robustness and impact of cyber-attacks, a counter-evolution in defense efforts is essential to ensure a safer cyberspace. A critical aspect of cyber defense is the experts’ ability to understand, analyze, and share knowledge of attacks and vulnerabilities in a timely and intelligible manner that facilitates the detection and mitigation of emerging threats. Cyber threat intelligence (CTI) reports, and Common Vulnerabilities and Exposures (CVEs) are two primary sources of information that security analysts use to defend against cyber attacks. Analyzing the tactics, techniques, and procedures (TTPs) of attackers from these sources by mapping them to the ATT&CK framework provides valuable insights to defenders and aids them in countering various threats. Unfortunately, due to the complexity of this mapping and the rapid growth of these frameworks, mapping CTI reports and CVEs to ATT&CK is a daunting and time-intensive undertaking. Multiple studies have proposed models that automatically achieve this mapping. However, due to their reliance on annotated datasets, these models exhibit limitations in quality and coverage. To overcome these challenges, we present SMET – a tool that automatically maps text to ATT&CK techniques based on textual similarity. SMET achieves this mapping by leveraging ATT&CK BERT, a model we trained using the SIAMESE network to learn semantic similarity among attack actions. In inference, SMET utilizes semantic extraction, ATT&CK BERT, and a logistic regression model to achieve ATT&CK mapping. As a result, SMET has demonstrated superior performance compared to other state-of-the-art models.