Enhancing Modern Threat Intelligence: The Pivotal Role of Large Language Models in Extracting Actionable TTP Attack Chains
This talk demonstrates a novel framework, KGRAG, which leverages Large Language Models (LLMs) and Knowledge Graphs to extract and enrich structured TTP attack chains from unstructured threat intelligence reports. The system addresses the limitations of traditional machine learning and standalone LLMs by using Knowledge Graphs to provide contextual accuracy and reduce hallucinations. The framework automates the conversion of threat intelligence into actionable, simulated attack scenarios and executable scripts for red teaming and security operations. The presentation includes a demonstration of the system generating phishing lures and Metasploit module commands based on extracted TTPs.
Automating TTP Extraction: Moving Beyond Manual Threat Intel Analysis
TLDR: Modern threat intelligence reports are often trapped in human-readable formats that make them difficult to operationalize for automated testing. This research introduces KGRAG, a framework that combines Large Language Models with Knowledge Graphs to extract structured TTPs and generate actionable attack scripts. By bridging the gap between static reports and dynamic simulation, this approach allows security teams to rapidly turn intelligence into functional red team payloads.
Threat intelligence is currently suffering from a massive data bottleneck. Every day, researchers publish high-quality reports detailing the latest adversary movements, yet most of this information remains locked in PDF or HTML files. Security teams spend countless hours manually parsing these documents to identify relevant tactics, techniques, and procedures (TTPs) before they can even begin to test their own defenses. This manual process is slow, error-prone, and fundamentally incapable of keeping pace with the speed of modern exploitation.
The Problem with Static Intelligence
Traditional machine learning models and even standalone LLMs struggle to bridge this gap. Standalone LLMs often hallucinate, inventing non-existent TTPs or misinterpreting the context of an attack. They lack the structural grounding required to map an adversary's actions to the MITRE ATT&CK framework. When you ask a model to extract an attack chain, it often misses the nuance of how an exploit for a specific CVE, such as CVE-2021-26855, fits into a broader lateral movement strategy.
The KGRAG framework solves this by using a Knowledge Graph to provide a source of truth. Instead of relying on the model to "remember" the entire landscape of cyber threats, the system uses the graph to validate the relationships between entities. If a report mentions a specific downloader, the Knowledge Graph ensures the extracted TTPs align with known behaviors associated with that tool, significantly reducing the rate of hallucination.
Mechanizing the Attack Chain
The workflow begins by feeding unstructured threat reports into an extraction pipeline. The system identifies the procedure type, such as phishing or remote service exploitation, and maps it to the corresponding ATT&CK technique. For instance, if a report describes an adversary using CVE-2020-1472 to gain domain controller access, the system doesn't just flag the CVE. It identifies the prerequisite conditions and the subsequent actions, such as credential dumping or persistence mechanisms.
Once the TTPs are structured, the framework uses a Retrieval-Augmented Generation (RAG) process to enrich the data. It queries the Knowledge Graph for similar historical attacks, pulling in relevant command-line arguments, tool configurations, and environmental prerequisites. This turns a vague description of an attack into a concrete, simulated scenario.
From Intelligence to Execution
The most impressive part of this research is the transition from intelligence to action. During the demonstration, the system took an extracted TTP and automatically generated a Metasploit module command. By leveraging the framework's understanding of the Metasploit API, the system can output the exact syntax required to test a vulnerability.
# Example of generated Metasploit module configuration
use exploit/windows/smb/psexec
set RHOSTS 192.168.1.10
set SMBUser Administrator
set SMBPass 31d6cfe0d16ae931b73c59d7e0c089c0
exploit
For a pentester, this is a force multiplier. Instead of spending an hour configuring a module based on a report, you have a baseline script ready for testing in seconds. The system also generates phishing lures by analyzing the context of the report, crafting emails that mimic the specific social engineering tactics described in the intelligence.
Real-World Applicability
This framework is not just for high-level threat hunting; it is a direct tool for engagement preparation. When you are tasked with a red team exercise, your first step is often mapping the client's environment to the threats they are most likely to face. By running their recent threat intel feeds through a system like KGRAG, you can generate a custom set of attack simulations that are tailored to the specific adversaries targeting that industry.
The impact of this automation is clear. It allows for a continuous feedback loop where intelligence informs testing, and testing validates the intelligence. If a specific TTP fails to trigger an alert, you know exactly where your detection gaps are.
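As an added example (not code from the talk or the KGRAG project), the graph-validation and chain-ordering steps described under Mechanizing the Attack Chain, plus the detection-gap check from the feedback loop above, in Python. The knowledge graph, the tool name ExampleDownloader, the model candidates and the detection-rule map are all constructed for illustration.

```python
# Added example: validate LLM-proposed TTP candidates against a small knowledge graph.
from dataclasses import dataclass

# Constructed knowledge graph: entity -> ATT&CK technique IDs known to co-occur
# with it. A real graph would be built from curated intelligence, not hard-coded.
KNOWLEDGE_GRAPH = {
    "phishing": {"T1566.001"},
    "ExampleDownloader": {"T1105", "T1547.001"},        # hypothetical tool name
    "remote service exploitation": {"T1210", "T1068"},
    "credential dumping": {"T1003"},
}

# Rough kill-chain position per technique, used only to order the accepted chain.
STAGE = {"T1566.001": 0, "T1105": 1, "T1547.001": 2,
         "T1210": 3, "T1068": 4, "T1003": 5}

@dataclass(frozen=True)
class Candidate:
    entity: str       # entity the report sentence was about
    technique: str    # technique ID the model proposed for it
    evidence: str     # report snippet backing the proposal

def validate_chain(candidates, graph=KNOWLEDGE_GRAPH):
    """Keep candidates whose (entity, technique) edge exists in the graph;
    anything without a supporting edge is treated as a hallucination."""
    accepted, rejected = [], []
    for c in candidates:
        if c.technique in graph.get(c.entity, set()):
            accepted.append(c)
        else:
            rejected.append(c)
    accepted.sort(key=lambda c: STAGE.get(c.technique, len(STAGE)))
    return accepted, rejected

def detection_gaps(chain, coverage):
    """Techniques in the validated chain that have no mapped detection rule."""
    return [c.technique for c in chain if not coverage.get(c.technique)]

# Constructed model output for a constructed report; T1486 is a planted hallucination.
CANDIDATES = [
    Candidate("credential dumping", "T1003", "dumped LSASS after DC access"),
    Candidate("ExampleDownloader", "T1486", "encrypts victim files"),
    Candidate("phishing", "T1566.001", "spearphishing attachment delivered loader"),
    Candidate("ExampleDownloader", "T1105", "fetched a second stage"),
    Candidate("ExampleDownloader", "T1547.001", "Run key for persistence"),
    Candidate("remote service exploitation", "T1210", "CVE-2020-1472 against the DC"),
]
COVERAGE = {"T1566.001": True, "T1105": True, "T1210": True}  # constructed rule map
```

Rejected candidates are worth keeping for review rather than discarding, since a missing graph edge can also mean the graph is incomplete.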
Defensive Considerations
Defenders should view this as a double-edged sword. While it helps you test your own environment, it also lowers the barrier for adversaries to automate their own attack chains. The best defense is to focus on OWASP-recommended hardening practices that mitigate the underlying techniques, such as disabling unnecessary remote services or implementing strict credential hygiene. If you can break the TTP chain at the privilege escalation or lateral movement stage, the specific tool or exploit used becomes secondary.
Moving forward, the focus should be on refining the Knowledge Graph to include more granular environmental data. The more context the system has about the target network, the more accurate the generated attack chains will be. We are moving toward a future where threat intelligence is no longer a static document, but a living, executable set of instructions. Start looking at your own intel feeds and ask yourself if they are truly actionable, or if they are just noise waiting to be structured.