Learning APT chains from cyber threat intelligence

Proceedings of the 6th Annual Symposium on Hot Topics in the Science of Security (2019)

Abstract
With cyber attacks evolving rapidly, cybersecurity specialists are actively using cyber threat intelligence to identify and respond to cyber attacks in a timely manner. However, this information will be highly useful for attack detection and mitigation if we can construct structured cyber threat intelligence and accurately generate TTP chains to understand the steps of cyber attacks. In this poster, we present our preliminary Natural Language Processing (NLP) analysis to characterize the temporal relationship of attack actions of an APT attack to extract and construct the reported TTP chains using the popular standard, MITRE ATT&CK [1], and the Structured Sharing Language, STIX 2 [2], a machine-readable language that will help automate the process of understanding and responding to the cyber attacks shared in unstructured text via blogs, emails, and social media.