Public and commercial organizations extensively share cyberthreat intelligence (CTI) to prepare systems to defend against existing and emerging cyberattacks. However, traditional CTI has primarily focused on tracking known threat indicators such as IP addresses and domain names, which may not provide long-term value in defending against evolving attacks, since such indicators are cheap for an adversary to change. To address this challenge, we propose to use more robust threat intelligence signals called attack patterns. LADDER is a knowledge extraction framework that can extract text-based attack patterns from CTI reports at scale. The framework characterizes attack patterns by capturing the phases of an attack in Android and enterprise networks and systematically maps them to the MITRE ATT&CK framework. Security analysts can use LADDER to determine the presence of attack vectors related to existing and emerging threats, enabling them to prepare defenses proactively. We also present several use cases to demonstrate the application of LADDER in real-world scenarios. Finally, we provide a new, open-access benchmark malware dataset to train future cyberthreat intelligence models.