
Understanding Cyber Threats: An AI Approach to Vulnerability Mapping

TLDR: A new research paper introduces TRIAGE, a hybrid AI system that uses Large Language Models (LLMs) to automatically map cybersecurity vulnerabilities (CVEs) to adversary tactics and techniques (ATT&CK). By combining rule-based mapping from MITRE’s methodology with data-driven in-context learning, TRIAGE provides a more efficient and accurate way to predict the real-world impact of vulnerabilities, outperforming existing state-of-the-art methods.

Cybersecurity professionals constantly face the challenge of keeping up with new vulnerabilities. Databases like the National Vulnerability Database (NVD) provide detailed descriptions of Common Vulnerabilities and Exposures (CVEs), but they often lack crucial information: the real-world impact of these vulnerabilities, that is, the specific tactics, techniques, and procedures (TTPs) that adversaries might use to exploit them. Manually linking CVEs to these TTPs is a time-consuming and complex task, especially with the sheer volume of new vulnerabilities emerging annually.

To address this critical gap, researchers Anders Mølmen Høst, Pierre Lison, and Leon Moonen have introduced a novel automated approach called TRIAGE. This system leverages the power of Large Language Models (LLMs) to efficiently map CVEs to relevant techniques from the MITRE ATT&CK knowledge base. The goal is to provide a clearer picture of how vulnerabilities can be exploited in actual attacks, enabling organizations to prioritize their defensive measures more effectively.

How TRIAGE Works: A Hybrid Approach

TRIAGE operates on a two-pronged strategy, combining both rule-based reasoning and data-driven inference:

  • Methodology Mappers: This component uses LLMs prompted with instructions based on MITRE’s CVE Mapping Methodology (CMM). The CMM defines a structured approach to link CVEs to ATT&CK techniques across three attack phases: exploitation technique, primary impact, and secondary impact. TRIAGE systematically applies the CMM’s five methods: Vulnerability type, Functionality, Exploitation Technique, Affected Object, and Tactic. Each method helps predict an initial list of relevant techniques based on predefined rules and descriptions.

  • In-Context Learner: The second module also uses LLMs but focuses on in-context learning. It maps a CVE to relevant techniques by learning from existing, already-labeled CVE examples. This data-driven approach allows the LLM to identify patterns and make predictions even when explicit rules might not cover every scenario.

The results from both the Methodology Mappers and the In-Context Learner are then combined to generate a final, comprehensive prediction of attack techniques for each mapping type. This hybrid approach aims to harness the strengths of both rule-based precision and data-driven flexibility.
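As an added illustration (not code from the paper or from this article), the sketch below merges per-module predictions for one CVE and scores each module and the merged result against analyst labels for each mapping type. The union merge rule, the module key names and the sample predictions are assumptions constructed for the example; the technique IDs are real ATT&CK identifiers.

```python
# Added example: union merge is an assumed combination rule, not the paper's.
MAPPING_TYPES = ("exploitation_technique", "primary_impact", "secondary_impact")

def combine(predictions):
    """Union each module's technique IDs, kept separate per mapping type."""
    merged = {m: set() for m in MAPPING_TYPES}
    for per_type in predictions.values():
        for mtype, techniques in per_type.items():
            merged[mtype] |= set(techniques)
    return merged

def precision_recall(predicted, gold):
    """Set-based precision and recall; an empty set scores 0.0."""
    tp = len(predicted & gold)
    return (tp / len(predicted) if predicted else 0.0,
            tp / len(gold) if gold else 0.0)

def report(predictions, gold, mtype):
    """Per-module and hybrid (precision, recall) for one mapping type."""
    rows = {name: precision_recall(set(p.get(mtype, ())), gold[mtype])
            for name, p in predictions.items()}
    rows["hybrid"] = precision_recall(combine(predictions)[mtype], gold[mtype])
    return rows

# Constructed analyst labels for one hypothetical injection-style CVE.
GOLD = {
    "exploitation_technique": {"T1190", "T1059"},
    "primary_impact": {"T1005"},
    "secondary_impact": {"T1078"},
}
# Constructed module outputs: five CMM method mappers plus the in-context learner.
PREDICTIONS = {
    "cmm_vulnerability_type": {"exploitation_technique": {"T1190"},
                               "primary_impact": {"T1005"}},
    "cmm_functionality": {"primary_impact": {"T1005", "T1565"}},
    "cmm_exploitation_technique": {"exploitation_technique": {"T1190"}},
    "cmm_affected_object": {"primary_impact": {"T1005"}},
    "cmm_tactic": {"secondary_impact": {"T1499"}},
    "in_context_learner": {"exploitation_technique": {"T1059"},
                           "primary_impact": {"T1005"}},
}

if __name__ == "__main__":
    for mtype in MAPPING_TYPES:
        for name, (p, r) in report(PREDICTIONS, GOLD, mtype).items():
            print(f"{mtype:24} {name:28} P={p:.2f} R={r:.2f}")
```

With this sample, merging lifts exploitation-technique recall above any single module, while the extra primary-impact prediction shows the precision cost a union can carry.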

Key Findings and Performance

The evaluation of TRIAGE revealed several significant insights:

  • The In-Context Learner consistently outperformed individual mapping methods, highlighting the power of learning from examples.

  • The hybrid approach, combining both components, successfully improved the recall of exploitation techniques, meaning it was better at identifying all relevant techniques.

  • In a comparison between different LLMs, GPT-4o-mini demonstrated better performance than Llama3.3-70B on this specific task.

  • TRIAGE also showed a clear improvement over SMET, a current state-of-the-art method for automated CVE to ATT&CK mapping, across various performance metrics.

The research also delved into the practical relevance of TRIAGE, noting that the process of mapping a CVE using this system is efficient and cost-effective. It takes approximately 50 seconds for GPT-4o-mini and 2 minutes 50 seconds for Llama3.3-70B, with a low cost per CVE analysis.

Challenges and Future Directions

While TRIAGE marks a significant step forward, the researchers identified that predicting secondary impacts remains a challenging task for LLMs. This is partly attributed to a lack of sufficient labeled training samples for this specific impact type and the limited detail in CVE descriptions that would allow for deeper reasoning into the CMM intrusion kill chain.

The study concludes that LLMs can indeed be used to automatically predict the impact of cybersecurity vulnerabilities, and TRIAGE makes the process of mapping CVEs to ATT&CK more efficient. Future work aims to further standardize datasets, explore reasoning models, and integrate knowledge graphs to enhance the process. You can read the full research paper here.

Meera Iyer
Meera Iyer is an AI news editor who blends journalistic rigor with storytelling elegance. Formerly a content strategist in a leading tech firm, Meera now tracks the pulse of India's Generative AI scene, from policy updates to academic breakthroughs. She's particularly focused on bringing nuanced, balanced perspectives to the fast-evolving world of AI-powered tools and media. You can reach her at: [email protected]
