Black Hat 2023

When Knowledge Graph Meets TTPs: Highly Automated and Adaptive Executable TTP Intelligence for Security Evaluation

Black Hat · 1,353 views · 40:46 · over 2 years ago

This talk demonstrates an automated framework that leverages knowledge graphs and natural language processing to extract Tactics, Techniques, and Procedures (TTPs) from threat intelligence reports. The system maps these TTPs to specific assets and permissions, enabling the generation of adaptive, executable attack paths for Breach and Attack Simulation (BAS). The researchers showcase a tool, Luwak, which automates the construction of these knowledge graphs to improve the accuracy and relevance of security evaluations against specific target environments.

Automating TTP Extraction: Turning Threat Intel into Executable Attack Paths

TLDR: Researchers have developed a framework that uses natural language processing and knowledge graphs to automatically extract TTPs from unstructured threat intelligence reports. By mapping these techniques to specific assets and permissions, the system generates adaptive, executable attack paths for Breach and Attack Simulation (BAS). This approach moves beyond static playbooks, allowing security teams to simulate realistic, multi-stage attacks tailored to their specific environment.

Threat intelligence reports are often a graveyard of good intentions. Security researchers spend hours dissecting APT campaigns, documenting every TTP, and mapping them to the MITRE ATT&CK framework. Yet, for the average pentester or red teamer, this information remains largely static. You read the report, you manually identify the relevant techniques, and you spend more time building a simulation than actually testing the target. The industry needs a way to turn these narrative reports into actionable, machine-readable attack paths that adapt to the specific infrastructure being tested.

From Unstructured Text to Attack Graphs

The core challenge in automating threat intelligence is the gap between human-readable prose and machine-executable logic. A report might describe an attacker using T1190-exploit-public-facing-application to gain initial access, followed by T1003-os-credential-dumping using tools like Mimikatz. Manually translating this into a simulation requires understanding the prerequisites for each step.

The research presented at Black Hat introduces a framework that bridges this gap using a knowledge graph. By applying natural language processing to threat reports, the system extracts entities—such as the attacker, the target software, and the specific TTPs—and maps the relationships between them. This isn't just a list of techniques; it is a structured graph that understands that a specific exploit requires a certain platform, a specific service state, and a particular set of user permissions.

When the system processes a report, it doesn't just tag the TTP. It builds a dependency chain. If a report mentions an attacker exploiting CVE-2022-21371 in Oracle WebLogic, the knowledge graph records the required service, the necessary network access, and the resulting privilege level. This allows a BAS tool to dynamically determine if a specific attack path is viable within a given environment.

Building the Knowledge Graph with Luwak

The researchers released a tool called Luwak to automate this process. At its heart, the tool uses a combination of pre-trained language models and transfer learning to identify TTPs within unstructured text. The system distinguishes between primary and secondary tactics, which is critical for reducing noise. A report might mention a dozen tools, but only a few are actually used to achieve the primary objective.

The technical implementation relies on a semantic web approach. By defining relationships like [Data-source] -> [DataComponent] and [DataComponent] -> [Technique], the framework allows for precise reasoning. For example, if your environment uses specific security products, the knowledge graph can infer which TTPs are likely to be detected and which might bypass your current controls.

During the demo, the team showed how they could ingest a report about the Vice Society ransomware group. The system automatically parsed the text, identified the target technologies—such as Atlassian Confluence and Microsoft Exchange—and generated a sequence of TTPs. The simulation engine then executed these steps, checking for prerequisites like local administrator access before attempting to dump credentials using T1003.001.

Practical Application for Pentesters

For a pentester, the value here is in the reduction of "recon-to-exploit" time. Instead of manually mapping out a chain of attacks, you can feed the system your target's asset list and let the knowledge graph suggest the most likely attack paths based on real-world threat data. This is particularly useful during long-term red team engagements where you need to maintain a consistent, realistic attack profile.

The impact of this automation is significant. It allows for "adaptive" testing. If your initial attempt to gain access via a public-facing application fails, the system can re-evaluate the knowledge graph to find alternative paths based on the permissions you did manage to acquire. It turns the testing process into a continuous loop of discovery and exploitation, mirroring how actual adversaries operate.

Defensive Considerations

Defenders can leverage this same knowledge graph logic to prioritize their patching and detection efforts. By mapping your internal assets against the TTPs extracted from reports relevant to your industry, you can identify which attack paths are most likely to succeed against your specific configuration. This is far more effective than chasing every high-severity CVE that hits the NVD. If a vulnerability exists in a service that is not reachable from the internet or does not provide a path to high-value assets, it should not be your top priority.
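As an added example (not code from the talk or from Luwak), here is a toy version of the prerequisite graph described above: each technique node carries the facts it requires and the facts it grants, a search enumerates chains whose prerequisites hold in a given environment, re-planning skips steps a simulation run already failed on (the adaptive loop from the pentesting section), and the defender-side check asks whether a given technique sits on any viable chain at all. Technique IDs are ATT&CK's; the environment facts and graph edges are constructed sample data, not a real asset inventory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str             # ATT&CK ID (T1078 = Valid Accounts, T1068 = Exploitation for Privilege Escalation)
    requires: frozenset  # facts that must already hold: platform, service state, privilege
    grants: frozenset    # facts that hold once the step succeeds


# Constructed graph: one technique's grants feed the next technique's requires.
GRAPH = (
    Technique("T1190", frozenset({"service:WebLogic", "reachable:internet"}),
              frozenset({"priv:user"})),
    Technique("T1078", frozenset({"cred:valid_account"}), frozenset({"priv:user"})),
    Technique("T1068", frozenset({"priv:user"}), frozenset({"priv:local_admin"})),
    Technique("T1003.001", frozenset({"priv:local_admin"}),
              frozenset({"cred:domain_hashes"})),
)


def viable_paths(env, goal, failed=frozenset()):
    """Ordered technique chains that reach `goal` from the facts in `env`.

    A step is taken only if every prerequisite already holds and it adds a new
    fact. `failed` lists technique IDs a simulation run already tried without
    success, so re-planning after a failed step simply leaves them out."""
    found = []

    def walk(facts, path):
        if goal in facts:
            found.append([t.tid for t in path])
            return
        for t in GRAPH:
            if t in path or t.tid in failed:
                continue
            if not t.requires <= facts or t.grants <= facts:
                continue
            walk(facts | t.grants, path + [t])

    walk(frozenset(env), [])
    return found


def on_viable_path(env, goal, tid):
    """Defender view: does technique `tid` lie on any chain that reaches `goal`
    in this environment? If not, patching it is not the top priority."""
    return any(tid in path for path in viable_paths(env, goal))


if __name__ == "__main__":
    env = {"service:WebLogic", "reachable:internet", "cred:valid_account"}
    print(viable_paths(env, "cred:domain_hashes"))
    print(viable_paths(env, "cred:domain_hashes", failed={"T1190"}))
    print(on_viable_path({"service:WebLogic"}, "cred:domain_hashes", "T1190"))
```

With WebLogic unreachable from the internet the T1190 node never satisfies its prerequisites, so the same CVE that heads a viable chain in one environment drops off the priority list in another.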

Focusing on the TTPs that actually matter to your environment is the only way to stay ahead. The next time you are staring at a 50-page threat report, ask yourself if you are just reading it or if you are actually using it to harden your defenses. Tools that automate the translation of intelligence into action are not just a convenience; they are becoming a requirement for any team that wants to move beyond compliance-based security. Start by mapping your most critical assets to the TTPs that threaten them, and build your testing strategy from there.

Talk Type: research presentation
Difficulty: advanced
Category: threat intel
Has Demo · Has Code · Tool Released


Black Hat Asia 2023
