SoK: Automated TTP Extraction from CTI Reports – Are We There Yet?
Marvin Büchel
34th USENIX Security Symposium (USENIX Security '25) · Day 2 · ML and AI Security 2
In the rapidly evolving landscape of cyber security, the ability to quickly understand and respond to new threats is paramount. Cyber Threat Intelligence (CTI) reports, meticulously crafted by security experts after an attack, serve as vital repositories of information detailing attacker targets, specific techniques, impact, and motivations. The hope of leveraging this intelligence for **proactive defense**, automated attacker profiling, and the discovery of overarching trends within the attacker community hinges on the ability to automatically extract and structure the critical data known as Tactics, Techniques, and Procedures (TTPs). However, a significant challenge persists: these reports are predominantly written in natural language, which is inherently ill-suited for automated comparison and aggregation.
AI review
Solid SoK that does what SoKs are supposed to do — establishes a unified evaluation framework, exposes the incomparability problem plaguing a decade of TTP extraction research, and delivers a genuinely useful finding: rule-based NER beats fancy LLMs in open-set conditions. Not groundbreaking, but honest and rigorous work that the community actually needs.