Defending against cyberattacks requires practitioners to reason about high-level adversary behavior. Cyberthreat intelligence (CTI) reports on past cyberattack incidents describe the chain of malicious actions as it unfolds over time. To avoid repeating cyberattack incidents, practitioners must proactively identify and defend against recurring chains of actions, which we refer to as temporal attack patterns. Automatically mining the patterns among actions provides structured and actionable information on the adversary behavior observed in past cyberattacks. The goal of this paper is to help security practitioners prioritize and proactively defend against cyberattacks by mining temporal attack patterns from cyberthreat intelligence reports. To this end, we propose ChronoCTI, an automated pipeline for mining temporal attack patterns from CTI reports of past cyberattacks. To construct ChronoCTI, we build a ground truth dataset of temporal attack patterns and apply state-of-the-art large language models, natural language processing, and machine learning techniques. We apply ChronoCTI to a set of 713 CTI reports, in which we identify 124 temporal attack patterns that we categorize into nine pattern categories. We find that the most prevalent pattern category is tricking victim users into executing malicious code to initiate the attack, followed by bypassing the anti-malware system in the victim network. Based on the observed patterns, we recommend that organizations train users in cybersecurity best practices, introduce immutable operating systems with limited functionality, and enforce multi-user authentication. Moreover, we encourage practitioners to leverage the automated mining capability of ChronoCTI and to design countermeasures against the recurring attack patterns.
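To make the notion of a temporal attack pattern concrete, the following added example (not ChronoCTI's own code; the abstract does not describe its mining algorithm) treats each CTI report as an ordered sequence of adversary actions and mines the ordered chains that recur across a minimum number of reports. The report sequences and action names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: each report is an ordered list of adversary actions,
# in the order the report narrates them. Not data from the paper.
REPORTS = [
    ["Phishing", "User Execution", "Impair Defenses", "Credential Dumping", "Exfiltration"],
    ["Phishing", "User Execution", "Impair Defenses", "Lateral Movement"],
    ["Exploit Public-Facing App", "Impair Defenses", "Credential Dumping", "Exfiltration"],
    ["Phishing", "User Execution", "Credential Dumping", "Lateral Movement", "Exfiltration"],
]


def ordered_subsequences(seq, k):
    """Yield each distinct k-length ordered (not necessarily contiguous) chain in seq once.

    A chain counts once per report, so support is the number of reports containing it.
    """
    seen = set()
    for idx in combinations(range(len(seq)), k):
        chain = tuple(seq[i] for i in idx)
        if chain not in seen:
            seen.add(chain)
            yield chain


def mine_temporal_patterns(reports, min_support, max_len=3):
    """Return {chain: support} for ordered action chains of length 2..max_len
    that occur in at least min_support reports ("A happens, later B happens")."""
    patterns = {}
    for k in range(2, max_len + 1):
        counts = Counter()
        for seq in reports:
            counts.update(ordered_subsequences(seq, k))
        patterns.update({chain: sup for chain, sup in counts.items() if sup >= min_support})
    return patterns


def rank_patterns(patterns):
    """Order mined chains by support (descending), then by length (longer first)."""
    return sorted(patterns.items(), key=lambda item: (-item[1], -len(item[0]), item[0]))


if __name__ == "__main__":
    for chain, support in rank_patterns(mine_temporal_patterns(REPORTS, min_support=2)):
        print(f"{support}/{len(REPORTS)} reports: {' -> '.join(chain)}")
```

Raising `min_support` filters out one-off chains and leaves the recurring ones that warrant a countermeasure, which is the prioritization the abstract argues for.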