RAG-ATT&CK : Exploring RAG-Assisted Mapping of Cyber Threat Intelligence to MITRE ATT&CK Techniques
Author(s): Schuurman, S.J. (2025)
Abstract:
Mapping unstructured Cyber Threat Intelligence (CTI) to MITRE ATT&CK techniques is essential for understanding and mitigating future cybersecurity threats. Existing automated methods require extensive fine-tuning of large language models (LLMs) or rely on static rules, limiting their adaptiveness to an evolving threat landscape. This work introduces RAG-ATT&CK, an automated mapping system utilizing Retrieval-Augmented Generation (RAG). RAG-ATT&CK dynamically retrieves relevant MITRE ATT&CK techniques, providing the underlying LLM with factual context for classification, without the need for fine-tuning. While RAG-ATT&CK shows improvements over the baseline LLM system, it does not surpass the state-of-the-art methods. This study highlights the potential of RAG-based systems and offers a comparison to fine-tuning-based systems.
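The retrieval step the abstract describes (pull the ATT&CK techniques most relevant to a CTI sentence, then hand them to the LLM as context instead of fine-tuning it) can be illustrated with a small self-contained pipeline. The code below is an added example written for this page; it is not the thesis's RAG-ATT&CK implementation and makes no claim about the retriever or prompt format the thesis used. It assumes a TF-IDF cosine retriever over a constructed, abridged subset of ATT&CK technique descriptions, and it stops at building the prompt: the LLM call itself is left to the caller, so the example runs offline.

```python
import math
import re
from collections import Counter

# Constructed, abridged corpus for this example: real ATT&CK technique IDs and
# names with paraphrased one-line descriptions. A real system would load the
# full ATT&CK STIX bundle; this subset exists only so the example runs offline.
TECHNIQUES = [
    ("T1566", "Phishing",
     "Adversaries may send phishing messages, emails with malicious attachments "
     "or links, to gain access to victim systems."),
    ("T1059", "Command and Scripting Interpreter",
     "Adversaries may abuse command and script interpreters such as PowerShell, "
     "cmd, or Unix shell to execute commands, scripts, or binaries."),
    ("T1003", "OS Credential Dumping",
     "Adversaries may attempt to dump credentials such as password hashes from "
     "the operating system, for example from LSASS process memory."),
    ("T1071", "Application Layer Protocol",
     "Adversaries may communicate using application layer protocols such as "
     "HTTP or DNS to blend command and control traffic with existing traffic."),
    ("T1486", "Data Encrypted for Impact",
     "Adversaries may encrypt data on target systems to interrupt availability, "
     "as in ransomware, and demand payment."),
]

STOPWORDS = {"the", "a", "an", "and", "or", "to", "of", "may", "with", "as",
             "such", "on", "in", "from", "was", "were", "is", "for"}


def tokenize(text):
    """Lowercase, split on non-alphanumerics, drop stopwords."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


class TechniqueRetriever:
    """Hypothetical TF-IDF retriever standing in for the RAG retrieval stage."""

    def __init__(self, techniques):
        self.techniques = techniques
        docs = [tokenize(f"{name} {desc}") for _, name, desc in techniques]
        n = len(docs)
        df = Counter(t for d in docs for t in set(d))
        # Smoothed IDF; terms unseen in the corpus get the df=0 value.
        self.idf = {t: math.log((n + 1) / (df[t] + 1)) + 1 for t in df}
        self.default_idf = math.log(n + 1) + 1
        self.vectors = [self._vectorize(d) for d in docs]

    def _vectorize(self, tokens):
        tf = Counter(tokens)
        return {t: c * self.idf.get(t, self.default_idf) for t, c in tf.items()}

    @staticmethod
    def _cosine(a, b):
        dot = sum(a[t] * b[t] for t in a if t in b)
        na = math.sqrt(sum(v * v for v in a.values()))
        nb = math.sqrt(sum(v * v for v in b.values()))
        return dot / (na * nb) if na and nb else 0.0

    def retrieve(self, cti_text, k=3):
        """Return the top-k (technique_id, name, score) for a CTI sentence."""
        q = self._vectorize(tokenize(cti_text))
        scored = [(self._cosine(q, v), i) for i, v in enumerate(self.vectors)]
        scored.sort(key=lambda s: (-s[0], s[1]))  # deterministic tie-break
        return [(self.techniques[i][0], self.techniques[i][1], round(score, 4))
                for score, i in scored[:k]]


RETRIEVER = TechniqueRetriever(TECHNIQUES)


def map_cti(cti_text, k=3):
    """Retrieval stage only: candidate techniques for one CTI sentence."""
    return RETRIEVER.retrieve(cti_text, k)


def build_prompt(cti_text, retrieved):
    """Assemble the grounded classification prompt (assumed format, not the
    thesis's). Only retrieved techniques are offered, which constrains the
    LLM to pick from factual ATT&CK context rather than from memory."""
    lines = ["Classify the CTI sentence into one of the candidate ATT&CK "
             "techniques below. Answer with the technique ID only.", "",
             "Candidates:"]
    for tid, name, _ in retrieved:
        desc = next(d for i, _, d in TECHNIQUES if i == tid)
        lines.append(f"- {tid} {name}: {desc}")
    lines += ["", f"CTI sentence: {cti_text}", "Answer:"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed CTI sentence, not taken from any real report.
    sentence = "The intrusion began with spearphishing emails carrying malicious attachments."
    hits = map_cti(sentence, k=2)
    print(hits)  # top hit is T1566 Phishing
    print(build_prompt(sentence, hits))
```

The retriever deliberately returns scores alongside IDs so a practitioner can set a threshold: when every candidate scores near zero, the sentence has no good match in the corpus and the prompt should say so rather than force a choice, which is one of the failure modes a RAG-based mapper has to handle explicitly.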
Document(s):
Schuurman_MA_EEMCS.pdf