Mapping CKC Model Through NLP Modelling for APT Groups Reports

We are seeing a constant increase in the number of cyberattacks with both monetary and political motives behind them. As such it becomes crucial to identify Advanced Persistent Threats (APT) groups for future risk mitigation by both business and government. Multiple vendors like McAfee and Kaspersky periodically release reports on these APT groups that are absorbed by the security analysts worldwide. These reports identify the Tactics, Techniques, and Procedures (TTPs) used by the threat actors to carry out their operation. One important information to distill from these APT reports is the different stages of operation used by these APT groups. One such framework for classification of various stages in a cyberattack is Cyber Kill Chain (CKC) which was developed by Lockheed Martin to study and differentiate the various cyberattacks.Usually the process of identification of CKC stages in APT reports is a manual and time taking process. In this paper we have proposed the use of semantic search using Latent Semantic Indexing (LSI) and Latent Dirichlet Allocation (LDA) to automatically extract CKC stages from unstructured APT reports. We then compare our results with an existing research that has done such classification manually.