Retrieving ATT&CK tactics and techniques in cyber threat reports
Legoy, V.S.M. (2019)
Threat intelligence sharing has been expanding during the last few years, giving cybersecurity professionals access to a large amount of open data. Among these, the tactics, techniques and procedures (TTPs) related to a cyber threat are particularly valuable but are generally found in unstructured textual reports, so-called Cyber Threat Reports (CTRs). In this study, we evaluate different multi-label text classification models to retrieve TTPs from textual sources, based on the ATT&CK framework – an open knowledge base of adversarial tactics and techniques. We also review several post-processing approaches that use the relationships between the various labels in order to improve the classification. Our final contribution is the creation of a tool able to extract ATT&CK tactics and techniques from a CTR into a structured format, which, with more data, could reach a macro-averaged F0.5 score of 80% for the prediction of tactics and over 27.5% for the prediction of techniques.
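One way to use the relationship between tactic and technique labels as a post-processing step, and to score the result with the macro-averaged F0.5 the abstract reports: this is an added illustrative example, not code from the thesis. The technique-to-tactic table is a constructed subset of ATT&CK, and the two consistency rules are assumptions about what such a post-processing pass might do, not the approaches the thesis evaluated.

```python
# Constructed subset of the ATT&CK technique -> tactic(s) relation, used as the
# label vocabulary here (assumption: a real tool would load the full ATT&CK data).
TECH_TO_TACTICS = {
    "T1566": {"initial-access"},                 # Phishing
    "T1059": {"execution"},                      # Command and Scripting Interpreter
    "T1003": {"credential-access"},              # OS Credential Dumping
    "T1486": {"impact"},                         # Data Encrypted for Impact
    "T1078": {"initial-access", "persistence",   # Valid Accounts (multi-tactic)
              "privilege-escalation", "defense-evasion"},
}

def post_process(tactic_scores, technique_scores, threshold=0.5, rescue=0.3):
    """Turn per-label classifier scores for one report into a consistent label set.
    Rule 1 (bottom-up, assumed): a confidently predicted technique implies one of
    its tactics, so if none of them was predicted, add the best-scoring one.
    Rule 2 (top-down, assumed): a technique just under the threshold is kept when
    one of its tactics was predicted, since the tactic prediction corroborates it."""
    tactics = {t for t, s in tactic_scores.items() if s >= threshold}
    techniques = set()
    for tech, score in technique_scores.items():
        parents = TECH_TO_TACTICS[tech]
        if score >= threshold:
            techniques.add(tech)
            if not parents & tactics:
                tactics.add(max(parents, key=lambda t: tactic_scores.get(t, 0.0)))
        elif score >= rescue and parents & tactics:
            techniques.add(tech)
    return tactics, techniques

def macro_fbeta(gold, pred, labels, beta=0.5):
    """Macro-averaged F-beta over per-report label sets. beta=0.5 weights precision
    above recall, which suits a tool whose false positives an analyst must discard
    by hand; a label never correctly predicted contributes 0 to the average."""
    per_label = []
    for lab in labels:
        tp = sum(lab in g and lab in p for g, p in zip(gold, pred))
        fp = sum(lab not in g and lab in p for g, p in zip(gold, pred))
        fn = sum(lab in g and lab not in p for g, p in zip(gold, pred))
        if tp == 0:
            per_label.append(0.0)
            continue
        prec, rec, b2 = tp / (tp + fp), tp / (tp + fn), beta * beta
        per_label.append((1 + b2) * prec * rec / (b2 * prec + rec))
    return sum(per_label) / len(per_label)
```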