
TRACE: Relationship Analysis and Causal Factor Extraction in Cyber Threat Intelligence Reports

  • R. Vaitheeshwari
  • Eric Hsiao Kuang Wu
  • Ying Dar Lin
  • Ren Hung Hwang
  • Po Ching Lin
  • Yuan Cheng Lai
  • Asad Ali

Research output: Contribution to journal › Article › peer-review

6 Scopus citations

Abstract

Cyber Threat Intelligence (CTI) reports provide valuable insights into cybersecurity attack techniques, which are essential for understanding threat execution. Identifying the root causes of these techniques is crucial for developing effective defense mechanisms. However, the unstructured nature and inconsistent terminology of CTI reports pose significant challenges in extracting causal factors, such as Common Weakness Enumerations (CWEs) and vulnerable data components, limiting proactive responses and the understanding of attack interdependencies. To address these challenges, we propose TRACE, a novel framework that extracts causal factors linked to adversarial techniques and generates comprehensive causal graphs revealing interdependencies within CTI reports. TRACE combines pattern extraction and tagging methods to address the limitations of existing approaches. Utilizing Sentence-based Bidirectional Encoder Representations from Transformers (SBERT) embeddings enhanced with knowledge mappings and deep learning techniques, TRACE discovers and models causal relationships between attack techniques within the reports. By bridging the gap between attack techniques and their underlying vulnerabilities, TRACE provides actionable insights to enhance cybersecurity defenses. Evaluated on 710 CTI reports, TRACE achieved an F1 score of 0.87, demonstrating its accuracy in extracting causal factors and its potential to advance automated causal analysis in cybersecurity.

Original language: English
Pages (from-to): 3544-3560
Number of pages: 17
Journal: IEEE Transactions on Dependable and Secure Computing
Volume: 22
Issue number: 4
State: Published - 2025

Keywords

  • CTI reports
  • Causal analysis
  • Common Weakness Enumeration (CWE)
  • MITRE ATT&CK techniques
  • MITRE data source
  • data components
  • text tagging
