Threat Attribution using Generative AI
Abstract
Threat attribution is an important practice after an incident: it not only makes legal action
against threat actors possible, but also further enriches cyber threat intelligence (CTI).
CTI in turn allows systems to be secured in a more targeted way, since threat actors are
known to reuse attack patterns. The challenge of threat attribution is the amount and
vastness of the information, both about an attack and about a threat actor. Hence, having
the data in a form and of a quality that allows for attribution is difficult. Previous
examples of automated threat attribution use traditional machine learning or solutions
that depend on intrusion detection systems. Since attacks occur almost all the time, such
systems need to stay up to date. Thus, traditional machine learning requires regular
fine-tuning, transfer learning, retraining or other methods to know about current
incidents. The system proposed in this project investigates the use of open-source CTI
and the autonomous agent approach for generative AI to perform the attribution. This way,
the system takes the CTI as it is required from curated data sources and does not need to
train specifically on the data. To test the system, two custom sets of questions were
given and the results were quantitatively and qualitatively assessed. The evaluation of
the tests led to the conclusion that threat attribution cannot be fully automated yet.
This is due to issues within the available CTI and the overall lack of information.
To further improve and automate attribution, more high-quality and standardized
CTI would be necessary.
Degree
Student essay
Date
2024-10-16
Author
BLÄNSDORF, Daniel
Keywords
threat attribution
cyber threat intelligence
semantic search
generative AI
threat actors