Looking Beyond IoCs: Automatically Extracting Attack Patterns from External CTI

Alam, Md Tanvirul; Bhusal, Dipkamal; Park, Youngja; Rastogi, Nidhi

arXiv.org Artificial Intelligence 

Public and commercial organizations extensively share cyberthreat intelligence (CTI) to prepare systems to defend against existing and emerging cyberattacks. However, traditional CTI has primarily focused on tracking known threat indicators such as IP addresses and domain names, which may not provide long-term value in defending against evolving attacks. To address this challenge, we propose to use more robust threat intelligence signals called attack patterns. LADDER is a knowledge extraction framework that can extract text-based attack patterns from CTI reports at scale. The framework characterizes attack patterns by capturing the phases of an attack in Android and enterprise networks and systematically

Cyber Threat Intelligence (CTI) offers crucial insights into the rapidly evolving cyber threat landscape. This information includes any evidence to identify and assess the associated threats, such as indicators of compromise (IOCs), IP addresses, domain names, and file hashes, and any associated tactics, techniques, and procedures (TTPs) used by the attacker(s). For instance, CTI can provide comprehensive, contextual information on emerging threats like the advanced persistent threat (APT), ScarCruft [58]. Also known as APT37, the cyber threat intelligence on ScarCruft reported that the APT targets "individuals in South Korean organizations" with the primary objective of "cyber espionage."
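As an added example (not the paper's LADDER code), the small rule-based extractor below shows the distinction the abstract draws: it pulls short-lived IoCs out of a CTI excerpt, and separately turns sentences that carry attack-phase cues into indicator-free attack patterns that survive infrastructure rotation. The CTI excerpt, the phase lexicon and the phase names are assumptions constructed for this example.

```python
import re

# Constructed sample CTI excerpt (not taken from any real report).
SAMPLE_REPORT = (
    "ScarCruft, also known as APT37, targets individuals in South Korean organizations. "
    "The actor delivers a malicious Android application via phishing messages. "
    "The application then collects contacts and exfiltrates them to 198.51.100.7 over HTTPS. "
    "The implant beacons to update.example.net every 30 minutes."
)

# Short-lived indicators: these rotate cheaply, so matching on them alone ages fast.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org)\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
}

# Hypothetical phase lexicon (an assumption for this example, not LADDER's method):
# cue words that signal a phase of the attack, listed in attack-chain order.
PHASE_LEXICON = [
    ("initial_access", ("phishing", "spearphishing", "lure")),
    ("collection", ("collects", "harvests", "records")),
    ("exfiltration", ("exfiltrates", "uploads")),
    ("command_and_control", ("beacons", "polls")),
]


def extract_iocs(text):
    """Return indicators grouped by type, in order of appearance."""
    return {kind: pat.findall(text) for kind, pat in IOC_PATTERNS.items()}


def generalize(sentence):
    """Replace concrete indicators with typed placeholders so the pattern
    still describes the behaviour after the attacker changes infrastructure."""
    for kind, pat in IOC_PATTERNS.items():
        sentence = pat.sub(f"<{kind}>", sentence)
    return sentence


def extract_attack_patterns(text):
    """Return (phase, generalized sentence) pairs for sentences that describe
    an attack phase; sentences without a phase cue are background context."""
    patterns = []
    for sentence in re.split(r"(?<=[.!?])\s+", text.strip()):
        words = set(re.findall(r"[a-z]+", sentence.lower()))
        for phase, cues in PHASE_LEXICON:
            if words.intersection(cues):
                patterns.append((phase, generalize(sentence)))
    return patterns
```

Running `extract_attack_patterns(SAMPLE_REPORT)` keeps the behavioural sentences with their phase labels and the IP and domain swapped for `<ipv4>` and `<domain>`, while the first sentence (victimology, no phase cue) is left as context.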
