Large Language Models for Cyber Threat Intelligence: Extracting MITRE With LLMs
Cyber Threat Intelligence (CTI) reports provide information about emerging and current cyber threats, and their analysis is key to adopting appropriate countermeasures. Reports typically take the form of long texts from which cybersecurity analysts extract the essential elements and translate them into actionable steps. In order to summarise and share the findings of this analysis, sentences in the reports are often labelled with the MITRE ATT&CK techniques that best describe the identified attack pattern. This task can be very time consuming, error prone and subject to the individual analyst's judgement. In the literature there have been some attempts to automate this process, generally by applying several pre-processing steps to the initial reports and then using classification techniques. With the advent of Large Language Models (LLMs), and considering that reports are written in natural language, in this paper we describe an approach that relies entirely on LLMs and seeks to minimise pre-processing of the reports and other human intervention, so as to ease the analysts' task if not to replace it.
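The sentence-level labelling task described in the abstract, as an added illustration that is not the paper's code and does not reproduce its prompts or models: split a report into sentences with minimal pre-processing, ask an LLM to pick techniques from a candidate list, validate the returned IDs before trusting them, and score the result against analyst labels. The candidate technique subset, the prompt wording, the `mock_llm` stand-in (which deliberately returns a malformed ID and an ID outside the candidate list) and the sample report with its "gold" labels are all constructed here as assumptions; the technique IDs themselves are real ATT&CK identifiers.

```python
"""
Sentence-level MITRE ATT&CK technique labelling of a CTI report with an LLM.
Added example, not the paper's own code. The candidate list, prompt text,
mock model and sample report/labels below are assumptions made for the demo.
"""
import re
from typing import Callable, Dict, List, Set, Tuple

# Assumed candidate subset of ATT&CK techniques (ID -> name). A real run would
# load the full Enterprise matrix from MITRE's STIX bundle instead.
TECHNIQUES: Dict[str, str] = {
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1204.002": "User Execution: Malicious File",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1071.001": "Application Layer Protocol: Web Protocols",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
}

# Syntactic shape of a technique or sub-technique ID: Txxxx or Txxxx.yyy.
ID_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def split_sentences(report: str) -> List[str]:
    """Deliberately minimal splitter: the approach tries to avoid heavy pre-processing."""
    parts = re.split(r"(?<=[.!?])\s+", report.strip())
    return [p.strip() for p in parts if p.strip()]


def build_prompt(sentence: str) -> str:
    """Zero-shot prompt that restricts the model to the candidate list, or NONE."""
    menu = "\n".join(f"{tid}: {name}" for tid, name in TECHNIQUES.items())
    return (
        "You are a CTI analyst. Label the sentence with every MITRE ATT&CK technique "
        "it describes, choosing only from this list. Reply with the IDs separated by "
        "commas, or NONE.\n\n"
        f"Techniques:\n{menu}\n\nSentence: {sentence}\nAnswer:"
    )


def parse_labels(answer: str) -> Set[str]:
    """Keep only well-formed IDs that exist in the candidate list.

    This guards against hallucinated IDs (e.g. T9999) and against real IDs the
    model was not offered, which would otherwise leak into the analyst's output.
    """
    return {tid for tid in ID_RE.findall(answer) if tid in TECHNIQUES}


def label_report(report: str, llm: Callable[[str], str]) -> Dict[str, Set[str]]:
    """Map every sentence of the report to its validated technique set."""
    return {s: parse_labels(llm(build_prompt(s))) for s in split_sentences(report)}


def micro_prf(pred: Dict[str, Set[str]], gold: Dict[str, Set[str]]) -> Tuple[float, float, float]:
    """Micro-averaged precision/recall/F1 over all (sentence, technique) pairs."""
    tp = sum(len(pred[s] & gold.get(s, set())) for s in pred)
    fp = sum(len(pred[s] - gold.get(s, set())) for s in pred)
    fn = sum(len(gold.get(s, set()) - pred[s]) for s in pred)
    p = tp / (tp + fp) if tp + fp else 0.0
    r = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * p * r / (p + r) if p + r else 0.0
    return p, r, f1


# Constructed sample report and analyst ("gold") labels; not taken from the paper.
SAMPLE_REPORT = (
    "The operators sent spearphishing emails carrying a weaponised document. "
    "Once the victim opened the attachment, a PowerShell stager was launched. "
    "The implant beaconed to its C2 server over HTTPS. "
    "The group was first observed in 2019."
)
SENTENCES = split_sentences(SAMPLE_REPORT)
GOLD: Dict[str, Set[str]] = dict(zip(SENTENCES, [
    {"T1566.001"},
    {"T1204.002", "T1059.001"},
    {"T1071.001"},
    set(),
]))


def mock_llm(prompt: str) -> str:
    """Offline stand-in for a model call, keyed on the sentence in the prompt.

    It misses one gold label, returns a malformed ID (T9999) and a real but
    unoffered ID (T1078) so that parse_labels' filtering is exercised.
    """
    sentence = prompt.rsplit("Sentence: ", 1)[1].split("\nAnswer:")[0]
    if "spearphishing" in sentence:
        return "T1566.001"
    if "PowerShell" in sentence:
        return "T1059.001, T9999"
    if "HTTPS" in sentence:
        return "T1071.001, T1078"
    return "NONE"


if __name__ == "__main__":
    labels = label_report(SAMPLE_REPORT, mock_llm)
    for sentence, tids in labels.items():
        print(f"{sorted(tids) or ['NONE']}  <-  {sentence}")
    print("micro P/R/F1 = %.3f / %.3f / %.3f" % micro_prf(labels, GOLD))
```

To use a real model, replace `mock_llm` with a function that sends the prompt to an API or local model and returns its text; the validation in `parse_labels` and the scoring in `micro_prf` stay the same, which is the part an analyst should keep regardless of which LLM is behind it.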
Authors: KRASOVEC Andraz; STERI Gary; KAROPOULOS Georgios; TRAPANI Mirko
Publication date: 2025-10-20
Publisher: SPRINGER VERLAG
JRC number: JRC142375
ISSN: 1611-3349 (online)
URL: https://link.springer.com/chapter/10.1007/978-3-032-00633-2_5
Repository: https://publications.jrc.ec.europa.eu/repository/handle/JRC142375
DOI: 10.1007/978-3-032-00633-2_5 (online)