Article

Proactive Cyber Defense: A Real-Time CTI Framework with ATT&CK–D3FEND Mapping

1 Cyber Security (Graduate), Korea University, 2511 Sejong-ro, Sejong-si 30019, Republic of Korea
2 AI Cyber Security (Undergraduate), Korea University, 2511 Sejong-ro, Sejong-si 30019, Republic of Korea
* Authors to whom correspondence should be addressed.
Systems 2026, 14(5), 575; https://doi.org/10.3390/systems14050575
Submission received: 26 March 2026 / Revised: 23 April 2026 / Accepted: 11 May 2026 / Published: 18 May 2026

Abstract

The contemporary cyber-threat landscape is becoming increasingly diverse and complex, creating a persistent gap between situational awareness and operational response. This study presents a framework designed to bridge this gap by transforming up-to-date cyber-threat intelligence (CTI) into standardized knowledge structures and actionable defense measures. First, the proposed framework integrates the threat data collected from OpenCTI and normalizes them based on the MITRE ATT&CK tactics and techniques matrix. It then leverages a large language model to automatically generate diverse threat scenarios based on the analyzed intelligence. Each scenario is organized as a tactic sequence, and individual techniques are mapped to MITRE D3FEND defensive categories based on official ATT&CK–D3FEND relationships and structured contextual interpretation. Finally, the framework produces outputs in the form of a Defense Description that includes the corresponding technique IDs, recommended defense strategies, supporting rationales, and prerequisites. An evaluation using several recent cases demonstrates that the proposed framework effectively connects current threat intelligence with practical defense strategies. In summary, the proposed framework strengthens proactive cyber defense by directly linking structured attack flows to actionable context-aware defensive techniques. In addition, this framework provides a structured pipeline that systematizes and automates steps conventionally performed manually, thereby reducing repetitive analyst effort.

1. Introduction

Recent cyber-attack patterns have become increasingly sophisticated and diverse. In February 2024, the cyber attack on Change Healthcare disrupted healthcare and billing information systems nationwide, posing a direct threat to patient care and essential healthcare operations [1]. In January 2024, a fraud case was reported in Hong Kong in which perpetrators used DeepFake-based video conferencing to impersonate corporate employees and induce the victim to transfer HKD 200 million through multiple transactions [2]. These examples were selected to reflect the growing diversity of contemporary cyber threats while also considering operational impact scope, relevance to ATT&CK-oriented threat structuring, and public disclosure completeness. Together, they illustrate how both infrastructure-disruptive intrusions and AI-enabled social-engineering attacks can rapidly translate into serious operational and financial consequences.
This concern becomes even more critical in cyber–physical and critical infrastructure settings, where disruptions may propagate across coupled cyber and physical layers and lead to cascading operational consequences. Recent CPS robustness research has further suggested that, even when the cyber layer appears more robust than the physical layer under a given initial attack ratio, initial attacks targeting the cyber layer may still be more prone to triggering complete system collapse [3].
Moreover, contemporary cyber threats rarely end as isolated incidents and are often repeated in modified forms over a short period. Once vulnerabilities, tactics, or tools are disclosed, attackers rapidly share and reuse them, and initial-access techniques frequently evolve into chained attack campaigns. Even legacy vulnerabilities continue to be exploited. According to global statistics collected in the second half of 2023, attackers were repeatedly observed to exploit vulnerabilities that were more than 15 years old, and organizations targeted by attack tools and techniques introduced more than five years earlier were frequently identified [4]. The speed of attacker exploitation is accelerating, and many newly disclosed vulnerabilities are weaponized within a few days of disclosure. In 2023, the average time from vulnerability disclosure to exploitation decreased by 43% compared with the previous year [5].
Therefore, security must move beyond a reactive approach that responds only after incidents occur and instead strengthen proactive cyber-defense capabilities by rapidly collecting and operationalizing up-to-date CTI to anticipate and block similar attacks in advance [6]. In this study, “proactive cyber defense” refers specifically to the generation of pre-positioned defense strategies based on real-time CTI before closely related attack paths are realized. To this end, a systematic procedure that normalizes observed CTI into a standardized taxonomy for consistent interpretation and translates attack behaviors into actionable defensive measures is required. Accordingly, this study constructs attack flows using MITRE ATT&CK, a representative knowledge base that systematizes adversarial tactics, techniques, and procedures (TTPs). Each technique is mapped to the corresponding defensive techniques using MITRE D3FEND to derive response options that can be applied immediately at the operational level.
This framework selects MITRE D3FEND as the defense-mapping target because D3FEND provides an OWL-based knowledge graph of defensive techniques and digital artifacts that can be linked directly to ATT&CK techniques through artifact-mediated relationships. This ontology structure is directly usable in the automated mapping module of the proposed framework. By contrast, frameworks such as NIST SP 800-53 and CIS Controls primarily organize higher-level controls, safeguards, or desired security outcomes. Although mappings from those frameworks to ATT&CK exist, they are generally provided as external mapping resources rather than as an artifact-centered ontology designed for automated attack–defense reasoning. Through this process, similar scenarios can be rapidly constructed even when a new attack emerges, and validated defensive measures can be applied to minimize the exposure time and contain the damage.
It should be noted, however, that the framework proposed in this study is primarily designed around enterprise IT-oriented CTI and ATT&CK Enterprise workflows. Industrial control system (ICS) and operational technology (OT) environments differ structurally from traditional IT environments in terms of patch cadence, availability requirements, deterministic real-time behavior, and the operational cost of disruption. To reflect these distinctions, MITRE maintains a separate knowledge base, ATT&CK for ICS, which defines ICS-specific tactics, including Inhibit Response Function and Impair Process Control, as well as techniques that do not appear in the Enterprise matrix. Accordingly, the framework proposed in this study should be understood as complementary to, rather than a replacement for, ICS-specialized frameworks. It should therefore not be interpreted as directly transferable to high-availability industrial control scenarios without additional ICS-specific adaptation. Extending the present framework toward ICS environments through integration with ATT&CK for ICS is identified as an important direction for future work (see Section 6).
The main contributions of this study are summarized as follows:
  • We propose an integrated CTI–ATT&CK–D3FEND framework that enables proactive defense based on up-to-date CTI.
  • We present a procedure for generating LLM-based variant scenarios by normalizing TTPs observed in OpenCTI into ATT&CK technique IDs (TIDs) and constructing a tactic-based kill chain.
  • We combine ATT&CK–D3FEND mapping with risk analysis to derive scenario-specific defensive techniques and response procedures for prioritized applications.
  • We visualize the relationships between ATT&CK techniques and D3FEND defensive techniques in graph form to support attack-flow-aware responses.
  • We validate the effectiveness of the proposed framework by applying it to recent real-world cases.
The remainder of this paper is organized as follows. Section 2 reviews related work and provides background information on MITRE ATT&CK and D3FEND. Section 3 describes the data collection and preprocessing. Section 4 presents the proposed methodology, including the scenario generation, mapping, and risk-based countermeasures. Section 5 validates the framework using embedding-based similarity analysis and real-world case studies. Section 6 discusses the study limitations, and Section 7 presents the conclusions.

2. Related Work

2.1. Literature Review

This study includes a comparative analysis to systematically examine the research topics, scope, and limitations of prior studies, as presented in Table 1. The reviewed studies are categorized into three groups: (i) domain-specific modeling and ATT&CK–D3FEND-based evaluation; (ii) TTP extraction and attack-scenario structuring based on unstructured CTI; and (iii) LLM-based scenario generation, ATT&CK–D3FEND integration, and automated quality evaluation.
Studies have reported domain-specific ATT&CK–D3FEND models that apply MITRE ATT&CK as an attack model and connect it with defense mechanisms from the perspective of D3FEND in industry-specific cybersecurity domains, such as maritime environments, autonomous vessels, industrial control systems (ICS), and supervisory control and data acquisition (SCADA). Yousaf et al. presented cybersecurity risk-management guidelines for autonomous ships and analyzed cyber-attack scenarios that may lead to physical consequences in maritime environments using the ATT&CK framework [7]. Amro et al. developed a cyber risk-management architecture for autonomous passenger ships by integrating the ATT&CK framework with a defense-in-depth strategy [8]. Afenu et al. applied the MITRE ATT&CK framework to ICS security validation and proposed a methodology to strengthen defense mechanisms by identifying indicators of compromise (IoCs) [20]. Sekonya et al. proposed a defense framework for SCADA environments by mapping the SANS Five ICS Critical Controls to the NERC CIP standard [21].
Research has also sought to automate the mapping between ATT&CK attack techniques and D3FEND defensive techniques. Akbar et al. proposed a RoBERTa-based relationship-inference model that automates knowledge-based mapping between ATT&CK techniques and the corresponding D3FEND defensive techniques, thereby supporting the development of defense strategies [16]. Yu and Miao proposed an ATT&CK–D3FEND-based survivability-testing technique and presented a methodology for evaluating the cyber-attack response capability of systems [10]. Jiang et al. comprehensively surveyed cybersecurity applications of the ATT&CK framework and discussed future research directions [9].
A growing body of research has focused on mitigating the limitations of IoC-centric detection by automatically extracting TTPs from observational data, such as unstructured CTI reports and code fragments, and mapping them to the ATT&CK framework. Alam et al. proposed the LADDER framework, which automatically extracts attack patterns from CTI reports and maps them to ATT&CK techniques [11]. Ampel et al. proposed a transformer-based deep-learning approach that analyzes exploit code and maps it to ATT&CK tactics, techniques, and procedures in a multilabel manner [12]. Joy et al. proposed a DistilBERT-based threat-intelligence extraction framework (TIEF) that enables cyber-threat intelligence extraction through multilabel classification [13].
Research has also explored the structuring of TTPs into knowledge graphs. Liu and Zhan proposed a large language model (LLM)-based method for constructing cyber-threat intelligence knowledge graphs [14], and Cheng et al. developed CRUcialG, a critical knowledge graph framework for CTI [15].
Recent studies have increasingly extended this line of work toward automating scenario generation, ATT&CK–D3FEND linkage, and even output-quality assessment by interpreting ATT&CK-based information with LLMs. Roh et al. proposed an LLM-based framework for automated cyber-attack scenario generation and trimodal representation [17]. Shah and Parast presented an AI-driven cyber-threat intelligence automation using GPT-4o and demonstrated substantial improvements in the efficiency of CTI analysis processes [18]. Liu et al. developed CyLens, an LLM-based cyber-threat intelligence copilot system that supports the overall threat-management lifecycle [19].
Existing approaches generally rely on information collected after incidents and on manual interpretation. This causes delays from initial observation to operational deployment, making proactive defense difficult. In particular, although domain-specific ATT&CK–D3FEND modeling studies have demonstrated applicability in specific domains such as maritime and autonomous-vessel environments, they still lack automated workflows that continuously reflect emerging threats. TTP extraction studies are strong in rapid standardization but remain limited in their direct linkage to D3FEND defensive techniques. Similarly, although LLM-based scenario-generation studies have proposed methods for quality evaluation, their integration into end-to-end automated workflows remains limited.
To address these limitations, this study proposes an integrated framework that rapidly generates ATT&CK-based threat scenarios from up-to-date threat intelligence in OpenCTI, visualizes ATT&CK–D3FEND mappings to clearly present applicable defensive techniques, and validates the applicability of defensive techniques and proactive response strategies through case studies.

2.2. Background

MITRE ATT&CK is an open knowledge base that systematizes real-world adversarial behavior in terms of tactics and techniques and organizes observed TTPs in a structured manner. It is widely used in both the industrial and public sectors as a common reference for threat modeling, detection engineering, and incident response [22]. The framework defines adversarial objectives as tactics and classifies the specific actions used to achieve these objectives into techniques and subtechniques. In the ATT&CK matrix, the tactics are arranged in columns with the corresponding techniques listed beneath each tactic in rows. This structure enables the tracing of the relationships between specific actions and higher-level adversarial objectives. ATT&CK provides a hierarchical model that maps high-level attack goals to concrete behaviors, thereby helping analysts understand individual observed actions within the broader context of adversarial intent. The mitigation entries in the ATT&CK matrix describe security concepts or control measures that can prevent or constrain the successful execution of specific techniques or subtechniques. Rather than focusing on vendor-specific solutions, ATT&CK categorizes general security measures and defines relationships indicating which mitigation measures can defend against particular subtechniques. The group entries in the ATT&CK matrix represent specific threat-actor groups identified by the security community and track advanced persistent threat activity units observed in open-source threat-intelligence reports formatted based on ATT&CK. These interconnected group and mitigation catalogs enable analysts to trace the TTPs used by particular groups and the mitigation measures considered effective against them. Finally, the campaign entry is a complementary ATT&CK object that describes a single intrusion activity conducted over a defined period with shared targets and objectives. A campaign may not always be clearly attributable to a specific threat group and is distinguished from group entries by its explicit temporal scope [23].
MITRE D3FEND is an open framework designed to complement the adversary-centric MITRE ATT&CK by standardizing cybersecurity defensive techniques in the form of an ontology from the perspective of the defender. D3FEND organizes defensive objectives into tactical groups as presented in a web-based matrix. Its core tactics are Harden, Detect, Isolate, Deceive, and Evict, whereas the Model and Restore tactics are provided to support a systematic understanding of system analysis and recovery activities. The Model tactic defines analytical activities for building a shared understanding of defended systems, adversaries, and their interactions. In contrast, the Restore tactic includes recovery techniques, such as Restore Configuration, Restore File, and Restore Database. Each tactic provides definitions, operational considerations, digital artifact relationships, and related techniques [24]. The D3FEND website also supports bidirectional navigation between D3FEND and ATT&CK. In detailed views of attack techniques, it presents inferred relational graphs of related defensive tactics and techniques. In addition, it links ATT&CK mitigations to D3FEND technique groups, thereby serving as a guide between the two knowledge bases. Users can organize ontology classes and relationships as graph nodes and edges, respectively, to construct specific scenarios as implementable models.

3. Preliminary

3.1. Data Collection

To continuously reflect cyber-threat intelligence (CTI), this study collects CTI data centered on a self-operated OpenCTI platform (v6.5.3). OpenCTI is an open-source CTI platform that supports the storage, organization, and visualization of cybersecurity threat-intelligence knowledge and observations within an organization [25]. OpenCTI Connectors can automatically collect information from external CTI sources, convert it into the Structured Threat Information Expression (STIX) 2.1 Bundle format, and ingest it into the platform [26]. STIX 2.1 is a standard by the Organization for the Advancement of Structured Information Standards (OASIS) that enables the exchange and automated processing of threat intelligence across organizations and tools by standardizing core CTI objects, such as IoCs, malware, threat actors, campaigns, and vulnerabilities, as well as the relationships among them, in a JSON-based format [27].
In the experimental environment of this study, 13 OpenCTI connectors, including AbuseIPDB, AlienVault, MITRE ATT&CK, and TAXII-based feeds, were directly configured and operated. After collecting CTI from the external sources, the connectors deliver the event and object data to RabbitMQ queues (v4.0.7). RabbitMQ is a message broker that provides asynchronous messaging between components, thereby supporting a stable pipeline operation by decoupling the collection and processing stages [28]. OpenCTI workers then receive and process messages from RabbitMQ queues, normalize them into STIX 2.1 objects, and reflect them on the OpenCTI platform. In this process, OpenCTI stores and indexes CTI objects and relationship information in Elasticsearch (v8.17.2), a distributed search and analytics engine that supports the retrieval and analysis of document-based data in distributed environments [29]. OpenCTI also manages auxiliary processing information, such as caches, sessions, and job states, through Redis (v7.4.2), an in-memory key-value data store that supports caching and high-speed data processing [30]. In addition, OpenCTI stores unstructured files, including report originals, attachments, and artifacts, in MinIO (RELEASE.2025-02-28T09-55-16Z), an object-storage system compatible with the Amazon S3 API that is well suited for large-scale file storage [31]. Consequently, the external CTI continuously accumulates in the OpenCTI instance through an automated collection pipeline.
The current OpenCTI instance stores approximately 18 million CTI documents, of which 4322 Report objects serve as the units of analysis in this study. Furthermore, the platform maintains an operational environment in which current threat trends are continuously reflected, as evidenced by the addition of 118 new Report objects during the most recent 30-day period. These figures indicate that the proposed framework operates on a continuously updated intelligence source, rather than on a static benchmark-style dataset. In this study, data were collected to construct JSON documents centered on Report objects, and the collection snapshot period was defined as 1 March 2025 to 30 June 2025. This operational collection approach complements the limitations of static datasets and provides a foundation for incorporating recent threat trends into the subsequent scenario-generation stages. For framework validation, the continuously collected 2025 snapshot was used to represent an operational CTI environment, whereas case studies were drawn from both recent and representative publicly documented incidents to assess the applicability of the proposed framework across incidents reported in different periods.

3.2. Preprocessing

The objective of the preprocessing stage is to structure the OpenCTI and MITRE ATT&CK/D3FEND data collected in the previous stage, such that they can be directly utilized within the proposed framework, and refine them into input forms required for scenario generation, mapping, risk analysis, and embedding- and clustering-based evaluation.
In the STIX object-normalization stage, the OpenCTI instance ingests and stores all STIX 2.1 object types supported by its connector pipeline. Among these, the five object types directly required for ATT&CK technique chain construction, namely Report, Campaign, Intrusion Set, Attack Pattern, and Vulnerability, are extracted and normalized to a common schema, and the reference relationships among these objects are reconstructed in a consistent manner. For each Report, the related Attack Patterns, Threat Actors, Campaigns, Intrusion Sets, and Common Vulnerabilities and Exposures (CVEs) are linked to construct a Report–Campaign/Group–technique ID (TID)–CVE relationship graph, and duplicate TIDs and CVEs are merged. In this process, nonstandard names and missing fields within OpenCTI are corrected based on the TIDs and Tactic information defined in the official ATT&CK dataset, thereby minimizing the problem of the same technique being redundantly counted under different names.
The normalized graph and attribute information are serialized and stored in a JSON-based input format such that they can be reused through a common interface across subsequent modules. Report and campaign metadata include identifiers, sources, and timestamps. The technique-related information for each tactical stage includes the Tactic, Phase, TID, and Name. The Vulnerability information for each technique stores a list of CVEs corresponding to each TID. In addition, entity references are retained as STIX IDs or internally normalized IDs to ensure traceability, whereas text fields are stored after a cleaning process for embedding generation. Consequently, scenario generation, mapping, risk analysis, and embedding and clustering evaluation all use the same JSON schema as the input, thereby minimizing the scope of pipeline modifications, even when the data are updated or the underlying models are replaced.
In addition, a risk level is assigned to each TID by collecting a list of associated CVEs. CVE-specific Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS) scores are retrieved through OpenCTI and external vulnerability databases. EPSS scores are retrieved dynamically via the FIRST API, which returns predictions based on the most recent model version available at the time of query execution. Because the data collection for this study was conducted between March and June 2025, the active model at that time was EPSS v4, released on 17 March 2025. When multiple CVEs are linked to a single TID, the maximum value is used as the representative score. This study adopts a maximum-value-based representative score for conservative operational prioritization. However, this score should be understood as a simplified approximation of technique-level risk, and actual operational decisions should also consider the asset context and exploitability conditions. CVSS reflects the magnitude of the impact, and EPSS reflects the likelihood of real-world exploitation; therefore, the two indicators are jointly considered to calculate the risk ranking for each TID [32,33]. The formal definition of the composite risk score is presented in Section 4.3.
In the scenario seed-extraction stage, ATT&CK TIDs observed at the campaign or threat-group level are sorted in tactical or temporal order to generate tactic–technique sequences. Tactical labels are assigned to each TID using ATT&CK kill chain phase information and Tactic fields, and missing Tactics are supplemented by referring to the ATT&CK matrix. After reconstructing the tactical flow from Initial Access to Impact, excessively fine-grained subtechniques are simplified by grouping them into higher-level techniques when necessary. The resulting tactic sequences and TID lists serve as core inputs for natural-language threat-scenario generation using an LLM.

4. Methodology

As shown in Figure 1, this study proposes a framework that automatically constructs ATT&CK technique flows from up-to-date CTI and further expands them using an LLM. The framework generates new threat scenarios and maps them to D3FEND countermeasure techniques, thereby linking threat understanding with proactive defense. First, STIX-based CTI is collected from OpenCTI, and relevant TIDs are extracted from the MITRE ATT&CK knowledge base to form a candidate technique set. In the preprocessing stage, the technique information dispersed across tactics is reorganized into an attack sequence such that the input can be standardized.
In the generation module, a standardized sequence is used as the input to an API-based LLM to automatically produce various threat scenarios that enrich the observed CTI. The generated outputs are then passed to the mapping module, where ATT&CK–D3FEND relationships are established from a defense perspective. Next, an embedding-based validation step is performed to assess the consistency and plausibility of the newly generated scenarios. Finally, the security-countermeasure module prioritizes risks based on CVSS and EPSS and derives immediately applicable response items, which are then organized into a report format.

4.1. Threat-Scenario Generation

In this section, we present a procedure for structuring CTI continuously ingested into OpenCTI based on the MITRE ATT&CK framework and for deriving threat scenarios appropriate to a given group or campaign context. The scenario-generation pipeline was built on the open-source AttackGen framework but was extended and adapted to align with the objectives of this study [34]. AttackGen primarily focuses on ATT&CK-oriented scenario generation, whereas the present framework extends that baseline in three methodological respects: it replaces primarily static ATT&CK-aligned seeds with continuously ingested OpenCTI-derived CTI, expands the scope from scenario generation to tactic-chain-based ATT&CK–D3FEND defense mapping, and introduces CVSS- and EPSS-based prioritization of candidate countermeasures.
First, the latest official ATT&CK STIX dataset is used, and the scope of the analysis is constrained according to the domain and platform requirements of the target environment. This reduces the inclusion of irrelevant techniques for different operational environments, even within the same group or campaign, and helps ensure that the tactic–technique chains generated in subsequent stages remain consistent with the organizational context. In this study, the seed for scenario generation was shifted to CTI periodically ingested by OpenCTI. Specifically, ATT&CK techniques and subtechniques are extracted from CTI objects collected in OpenCTI, including reports, relationships, reference links, and timestamps, and these are used as seed units for scenario generation. The linkage among techniques is defined by leveraging both ATT&CK STIX relationships and the interobject link structure within OpenCTI, such that tactic–technique chains are constructed around CTI-based observations.
From the ATT&CK dataset filtered by the domain and platform, only those techniques and subtechniques that are directly associated with the CTI are selected to construct the candidate tactic–technique chains. Specifically, the phase_name values in the kill_chain_phases field of each technique object are read to reconstruct the corresponding tactics. If the tactic labels for a given technique are missing or incomplete, the ATT&CK matrix is referenced to supplement them, thereby minimizing the omissions during chain construction. The resulting tactic sequence is then organized in order from Initial Access to Impact. In addition, subtechniques are grouped under their parent techniques when necessary to simplify the representation and maintain a consistent structural backbone. This design choice is intended to suppress unnecessary branching and excessive granularity, thereby mitigating the tendency of the generated scenarios to overfit the mere enumeration of specific techniques.
Finally, the ordered tactic labels are linked to the representative techniques associated with each tactic to generate a kill_chain_string. The kill_chain_string is defined as the structural backbone of the scenario and serves as a consistent reference axis, even when diverse scenario variants are generated in the subsequent LLM stage. As a result, downstream analyses, such as tactic-flow comparisons across different natural-language scenarios and the stepwise mapping of response elements, become feasible.
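The normalization and chain-construction steps described in Section 3.2 and above (TID extraction from STIX objects, tactic supplementation, duplicate-TID merging, subtechnique grouping, and tactic ordering into a kill_chain_string) as an added example; this is not the authors' pipeline code. The STIX 2.1 bundle, the UUIDs, the CVE identifier, and the small tactic-fallback table are all constructed for the example; a real pipeline would load the official ATT&CK STIX dataset for the fallback.

```python
"""Normalize a STIX 2.1 bundle (as exported by OpenCTI) into a per-report
technique set and build an ATT&CK tactic-ordered kill_chain_string."""
import json
from collections import defaultdict

# ATT&CK Enterprise tactic order, using the phase_name values found in kill_chain_phases.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]
TACTIC_RANK = {t: i for i, t in enumerate(TACTIC_ORDER)}

# Constructed stand-in for the official ATT&CK dataset lookup used to fill missing tactics.
TACTIC_FALLBACK = {"T1059": ["execution"], "T1048": ["exfiltration"]}


def _ap(uid, tid, name, tactics=None):
    """Build a constructed attack-pattern object; tactics=None omits kill_chain_phases."""
    obj = {"type": "attack-pattern", "id": f"attack-pattern--{uid}", "name": name,
           "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}
    if tactics is not None:
        obj["kill_chain_phases"] = [{"kill_chain_name": "mitre-attack", "phase_name": t}
                                    for t in tactics]
    return obj


U = "00000000-0000-4000-8000-0000000000"  # prefix for constructed UUIDs
# Constructed sample bundle: one report, four attack patterns (one subtechnique, one
# duplicate under a nonstandard name, one with no tactic), one placeholder vulnerability.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": f"bundle--{U}01",
    "objects": [
        {"type": "report", "id": f"report--{U}10", "name": "constructed sample report",
         "published": "2025-04-01T00:00:00.000Z",
         "object_refs": [f"attack-pattern--{U}21", f"attack-pattern--{U}22",
                         f"attack-pattern--{U}23", f"attack-pattern--{U}24",
                         f"vulnerability--{U}30", f"relationship--{U}40"]},
        _ap(f"{U}21", "T1048", "Exfiltration Over Alternative Protocol"),  # tactic missing
        _ap(f"{U}22", "T1566.001", "Spearphishing Attachment", ["initial-access"]),
        _ap(f"{U}23", "T1059", "Command and Scripting Interpreter", ["execution"]),
        _ap(f"{U}24", "T1059", "Cmd/Script Interpreter (nonstandard name)", ["execution"]),
        {"type": "vulnerability", "id": f"vulnerability--{U}30", "name": "CVE-2025-00000",
         "external_references": [{"source_name": "cve", "external_id": "CVE-2025-00000"}]},
        {"type": "relationship", "id": f"relationship--{U}40", "relationship_type": "targets",
         "source_ref": f"attack-pattern--{U}22", "target_ref": f"vulnerability--{U}30"},
    ],
})


def _external_id(obj, source_name):
    """Return the external_id of the given source (e.g. 'mitre-attack', 'cve'), or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == source_name:
            return ref.get("external_id")
    return None


def tactics_of(obj, tid, fallback=TACTIC_FALLBACK):
    """phase_name values from kill_chain_phases, supplemented from the fallback when absent."""
    phases = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
              if p.get("kill_chain_name") == "mitre-attack"]
    return phases or fallback.get(tid.split(".")[0], [])


def normalize_report(bundle_json, fallback=TACTIC_FALLBACK):
    """Return {tid: {"name", "tactics", "cves"}} for the bundle's report.
    Objects are keyed by TID, so duplicates under nonstandard names merge into one entry
    (the first name seen is kept; correction against the official dataset is not shown)."""
    objs = {o["id"]: o for o in json.loads(bundle_json)["objects"]}
    report = next(o for o in objs.values() if o["type"] == "report")
    techniques, id_to_tid = {}, {}
    for ref in report["object_refs"]:
        o = objs.get(ref)
        if o is None or o["type"] != "attack-pattern":
            continue
        tid = _external_id(o, "mitre-attack")
        if tid is None:
            continue
        id_to_tid[o["id"]] = tid
        entry = techniques.setdefault(tid, {"name": None, "tactics": set(), "cves": set()})
        entry["name"] = entry["name"] or o["name"]
        entry["tactics"].update(tactics_of(o, tid, fallback))
    # Link CVEs through attack-pattern -> vulnerability relationships (TID–CVE edges).
    for o in objs.values():
        if o["type"] == "relationship" and o.get("source_ref") in id_to_tid:
            target = objs.get(o.get("target_ref"))
            cve = _external_id(target, "cve") if target and target["type"] == "vulnerability" else None
            if cve:
                techniques[id_to_tid[o["source_ref"]]]["cves"].add(cve)
    return techniques


def build_kill_chain(techniques, collapse_subtechniques=True):
    """Order techniques by ATT&CK tactic (Initial Access ... Impact) and render the
    kill_chain_string backbone, e.g. 'initial-access:T1566 -> execution:T1059'."""
    by_tactic = defaultdict(set)
    for tid, info in techniques.items():
        key = tid.split(".")[0] if collapse_subtechniques else tid
        for tactic in info["tactics"]:
            by_tactic[tactic].add(key)
    ordered = sorted(by_tactic.items(), key=lambda kv: TACTIC_RANK.get(kv[0], len(TACTIC_ORDER)))
    return " -> ".join(f"{tactic}:{','.join(sorted(tids))}" for tactic, tids in ordered)


if __name__ == "__main__":
    print(build_kill_chain(normalize_report(SAMPLE_BUNDLE)))
```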
The constructed tactic and technique chains are then expanded into natural-language scenarios using an LLM. In this study, OpenAI GPT-4.5 (released on 27 February 2025) was used via its API as the natural-language generation model. The temperature was set to 0.7, and all other generation parameters were kept at their default values. GPT-4.5 was selected primarily for its 128K-token context window, which can accommodate the full kill_chain_string together with ATT&CK descriptions and OpenCTI metadata in a single prompt, as well as its stable adherence to the structured Markdown output formats required by the downstream mapping and countermeasure modules. Although the prompt-level constraints described below reduce the likelihood of arbitrary or unsupported content, they do not constitute a formal fact-checking mechanism. Recent systematization work on automated TTP extraction has shown that generative LLM approaches still face inherent performance limitations and can be affected by ambiguities in TTP ontologies even under controlled settings [35]. In addition, reliance on a single model may introduce model-specific biases in scenario narration and technique-combination patterns. At the same time, the proposed framework is not tightly bound to one fixed LLM, because the scenario-generation component can be instantiated with alternative models as they become available. This modular design allows the framework to benefit from future improvements in model capability and reliability, although the extent of such improvements should be verified empirically. Accordingly, cross-model validation with alternative LLMs is identified as a necessary follow-up study in Section 6, where future work will compare how different models influence scenario generation, consistency, and downstream defense-mapping outcomes.
Four principles were incorporated into the prompt design to suppress unrealistic developments and encourage evidence-based descriptions. Specifically, the semantic scope of each technique was constrained by including the official ATT&CK description, thereby minimizing arbitrary interpretation, and the model was instructed to reference objects verified in OpenCTI, thereby strengthening the observation-based narration. In addition, while preserving the same kill_chain_string backbone, the model was required to generate realistic scenario variants such as alternative initial-access paths or data-exfiltration routes. Finally, evidential information, such as referenced reports and timestamps, was explicitly required at the sentence level to enhance the traceability and reproducibility of the generated scenarios.
The output is provided in the form of a markdown-formatted report centered on natural-language scenario text, and the report includes stepwise TIDs, the stage status, prerequisites, logs, events, and reference links. This ensures that the generated results are delivered not only as descriptive narratives but also as structured artifacts with evidential support and traceability.
To ensure that the generated threat scenarios can inform the actual response decision-making, this study further incorporates vulnerability information to prioritize response actions. First, CVEs mapped to each technique are collected and deduplicated. When multiple CVEs are linked to a single technique, the maximum CVSS score is used as the representative value to conservatively reflect the risk level of the technique [32]. EPSS is then incorporated to estimate exploitability, and the techniques are ranked by risk by jointly considering CVSS and EPSS [33]. This severity-exploitability combination approach complements the limitations of severity-only prioritization by providing a basis for preferentially allocating defensive capabilities to attack paths with higher real-world exploitability [36]. Through this procedure, observation-based evidence collected from OpenCTI for groups or campaigns is transformed into a consistent ATT&CK tactic chain and further expanded by the LLM into scenarios tailored to the organizational environment. The overall procedure for CTI-driven ATT&CK scenario generation is summarized in Algorithm 1.
Algorithm 1 CTI-Driven ATT&CK Scenario Generation.
Require: CTI corpus C, tactic order Π, ATT&CK STIX bundle D
Require: scope σ = (domain, platform), profile (industry, company_size)
Require: LLM config Θ
Ensure: Scenario text S
1: Parse CTI items in C and collect referenced TIDs T_id
2: Resolve each tid ∈ T_id to technique object t ← GetTechnique(D, tid) and extract (name(t), tid, phase(t))
3: Filter techniques by scope σ: keep t only if InScope(t; σ)
4: Normalize phase and deduplicate by (phase, tid); group by phase {T_p}_{p ∈ Π}
5: Initialize an empty Chain list K ← []
6: for all p ∈ Π do
7:     if T_p ≠ ∅ then
8:         Select representative t_p ← SelectRep(T_p)
9:         Append (p, name(t_p), tid(t_p)) to K
10:    end if
11: end for
12: Format K into a kill_chain_string K_str as "Phase: Technique (Txxxx)"
13: Build prompts: SysMsg (format/constraints), UserMsg (profile, scope σ, CTI summary, K_str)
14: Generate S ← LLMinvoke(SysMsg, UserMsg; Θ) and post-process S
15: return S
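The following block is an added illustration of steps 1 to 13 of Algorithm 1 in Python; it is not the authors' implementation. The technique catalogue standing in for the STIX bundle, the three CTI items, and the SelectRep heuristic (most-referenced technique, TID as tiebreak) are all assumptions made for the example, and each technique is collapsed to a single phase for brevity. Step 14 (the LLM call) is deliberately omitted so the block runs offline; it returns the assembled prompt instead.

```python
"""Kill-chain backbone construction in the style of Algorithm 1 (steps 1-13).
Added example, not the paper's code. The model invocation (step 14) is not
performed; the function returns the prompt pair that would be sent."""
from collections import Counter, defaultdict

# Assumed mini "STIX bundle": TID -> (name, kill-chain phase, platforms).
# Technique names/phases follow ATT&CK naming; the subset itself is constructed.
TECHNIQUE_CATALOG = {
    "T1190": ("Exploit Public-Facing Application", "initial-access", {"Linux", "Windows"}),
    "T1078": ("Valid Accounts", "persistence", {"Linux", "Windows"}),
    "T1036": ("Masquerading", "defense-evasion", {"Linux", "Windows"}),
    "T1021": ("Remote Services", "lateral-movement", {"Linux", "Windows"}),
    "T1041": ("Exfiltration Over C2 Channel", "exfiltration", {"Linux", "Windows"}),
    "T1547": ("Boot or Logon Autostart Execution", "persistence", {"Windows"}),
}

# Tactic order Pi, written as ATT&CK kill-chain phase names.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Constructed CTI corpus C: each item lists the TIDs it references.
CTI_ITEMS = [
    {"id": "report--1", "tids": ["T1190", "T1078", "T1036"]},
    {"id": "report--2", "tids": ["T1078", "T1021", "T1041"]},
    {"id": "report--3", "tids": ["T1547", "T1078", "T1041"]},
]


def collect_tids(cti_items):
    """Step 1: gather referenced TIDs together with how often each is cited."""
    counts = Counter()
    for item in cti_items:
        counts.update(item["tids"])
    return counts


def in_scope(tid, platform):
    """Step 3: InScope(t; sigma), here only the platform dimension of the scope."""
    return platform in TECHNIQUE_CATALOG[tid][2]


def group_by_phase(tid_counts, platform):
    """Steps 2-4: resolve, filter by scope, deduplicate on (phase, tid), group by phase."""
    groups = defaultdict(dict)
    for tid, n in tid_counts.items():
        if tid not in TECHNIQUE_CATALOG or not in_scope(tid, platform):
            continue
        name, phase, _ = TECHNIQUE_CATALOG[tid]
        groups[phase][tid] = (name, n)  # keyed by tid, so (phase, tid) is unique
    return groups


def select_rep(candidates):
    """SelectRep(T_p): assumed heuristic, most-referenced technique, TID as tiebreak."""
    return sorted(candidates.items(), key=lambda kv: (-kv[1][1], kv[0]))[0]


def build_chain(groups):
    """Steps 5-11: walk Pi in order and keep one representative per non-empty phase."""
    chain = []
    for phase in TACTIC_ORDER:
        if groups.get(phase):
            tid, (name, _) = select_rep(groups[phase])
            chain.append((phase, name, tid))
    return chain


def kill_chain_string(chain):
    """Step 12: 'Phase: Technique (Txxxx)' entries joined in tactic order."""
    return " -> ".join(f"{p}: {name} ({tid})" for p, name, tid in chain)


def build_prompts(profile, platform, cti_items, k_str):
    """Step 13: system/user messages. The model is not invoked here."""
    sys_msg = ("Return a Markdown report. Keep the given kill-chain order. "
               "Cite an OpenCTI object id and timestamp for every claim.")
    user_msg = (f"Profile: {profile}\nScope platform: {platform}\n"
                f"CTI summary: {len(cti_items)} reports\nKill chain: {k_str}")
    return sys_msg, user_msg


def generate_backbone(cti_items, platform="Linux"):
    """Steps 1-12 end to end: CTI items in, kill_chain_string out."""
    groups = group_by_phase(collect_tids(cti_items), platform)
    return kill_chain_string(build_chain(groups))


if __name__ == "__main__":
    k_str = generate_backbone(CTI_ITEMS)
    print(k_str)
    print(build_prompts({"industry": "telecom", "company_size": "large"},
                        "Linux", CTI_ITEMS, k_str)[1])
```

Because the backbone is fixed before the model is called, every scenario variant generated from the same prompt shares the same K_str, which is what makes the later tactic-flow comparisons in Section 5.1 possible.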

4.2. Mapping Module

In this section, we describe the mapping module that focuses on the high-risk ATT&CK techniques (TIDs) identified in the previous section and systematically maps them to the defensive techniques defined in MITRE D3FEND to derive immediately actionable response strategies. Using the matrix structures of ATT&CK and D3FEND as its organizing principle, the module arranges techniques at the tactic level and visually represents attack–defense relationships, thereby enabling security operators to rapidly comprehend the situation and respond according to priority. The interaction flow and layout overview of the module are shown in Figure 2.
The mapping logic follows a relationship-based algorithm between the ATT&CK Attack_technique and D3FEND Defensive_technique. This algorithm constructs attack–defense relationships while preserving the tactical context and outputs a graph composed of nodes and links to present the defensive techniques associated with the selected attack technique. In particular, because D3FEND exhibits a many-to-one structure in which multiple defensive techniques may be linked to a single TID, this study determines the priority of defensive techniques based on the risk level of the TID. In other words, for TIDs assessed as high-risk, the system preferentially exposes defensive options with greater immediate applicability and expected effectiveness among the mapped defense candidates, thereby supporting operational decision-making.
As illustrated in Figure 3, the D3FEND knowledge structure is established through expert curation based on diverse data sources, including patents, technical documents, and academic literature. Semantic technique naming integrates different implementations that address the same technical problem under a single and unambiguous name, whereas digital artifact ontology defines digital objects in cybersecurity as artifacts. Furthermore, digital artifact relationships specify how offensive and defensive techniques are associated with particular artifacts, thereby providing a conceptual foundation for linking ATT&CK and D3FEND techniques through shared artifacts [37].
The proposed visualization tool is designed to operate using either the generated scenarios or TIDs as inputs. When a user selects a scenario item or TID, a graph that connects the corresponding attack technique to its mapped D3FEND defensive techniques is displayed. Additionally, this study was designed with reference to the procedure-oriented visualization approach illustrated by the Bushwalk example graph in D3FEND CAD, thereby emphasizing the tactic-level structure and enabling a clear exploration of defensive strategies across multiple tactics along the scenario flow. Through this design, security operators can identify which attack techniques constitute the core risk while visually tracing which defensive techniques can be immediately associated with them and what roles they play.

4.3. Security-Countermeasure Module

This section describes the Security Countermeasure Module that transforms the results of ATT&CK–D3FEND mapping into security-response actions that can be immediately utilized in operational settings. The mapping module in Section 4.2 focuses on deriving candidate D3FEND defensive techniques corresponding to specific TIDs; however, this section uses quantitative risk indicators to explain why these techniques should be prioritized for response and strengthens decision-making and practical applicability by presenting the supporting rationale with the recommended actions. Therefore, CVSS, a vulnerability-based severity metric, and EPSS, which reflects the likelihood of near-term exploitation, are combined with high-risk TIDs, thereby providing priority-based response strategies while preserving the scenario context.
Because the number of candidate defensive techniques associated with each TID can be large, the TID-level risk score defined by the composite prioritization formula helps operators focus first on the highest-risk attack paths, thereby narrowing the actionable scope and mitigating the risk of recommendation overload. However, the D3FEND ontology does not natively provide implementation-cost or deployment-complexity metadata, and such attributes are highly dependent on the specific organizational environment, including infrastructure, staffing, and budget constraints. Accordingly, incorporating an implementation-complexity dimension, for example, through cross-referencing with NIST SP 800-53 control baselines or organizational maturity assessments, is identified as an important direction for future work.
To reduce ambiguity in the joint use of CVSS and EPSS, the prioritization score $R_i$ for each ATT&CK TID $i$ was defined as follows:
$$R_i = w_1 \cdot \frac{\mathrm{CVSS}_i^{\max}}{10} + w_2 \cdot \mathrm{EPSS}_i^{\max}$$
where $\mathrm{CVSS}_i^{\max}$ denotes the maximum CVSS score among the CVEs associated with TID $i$, and $\mathrm{EPSS}_i^{\max}$ denotes the maximum EPSS score among the corresponding CVEs. The CVSS term was normalized to the range $[0, 1]$ for compatibility with EPSS. In this study, equal weights were adopted, i.e., $w_1 = w_2 = 0.5$, as a simple and interpretable heuristic to reflect both technical severity and exploitation likelihood. Accordingly, cases with high CVSS but low EPSS were interpreted as technically severe but with relatively lower near-term exploitation likelihood, whereas cases with low CVSS but high EPSS were treated as operationally important because of their elevated exploitation likelihood. This score was used as a practical prioritization heuristic rather than as a formally calibrated risk model.
For high-risk TIDs, CVE identifiers observed in CTI reports and incident records are collected. For each CVE, impact and severity information derived from the CVSS v3.1 Base Score and Vector, together with exploitability information derived from the EPSS score, are assigned. In addition, the sources of the score retrieval and retrieval date are recorded together to ensure evidential traceability to support reproducibility and timely updates in operational environments. This design is intended to enumerate scores and preserve the risk-assessment process itself in an auditable form.
A single ATT&CK technique may be associated with multiple vulnerabilities; therefore, this module preserves vulnerability-level evidence while providing a TID-level risk summary that enables operators to make rapid judgments. For example, representative evidence is constructed by focusing on CVEs linked to the same TID that exhibit either high severity or exploitability, and the response priority of the TID is then determined based on this evidence. Rather than relying on a single threshold for uniform classification, the module is designed to support conservative decision-making through the explicit presentation of relative ranking and supporting evidence.
For high-risk TIDs whose priorities have been determined, the D3FEND mapping results derived in Section 4.2 are retrieved and presented in the form of immediately actionable countermeasures. Because D3FEND exhibits a many-to-one structure, in which multiple defensive techniques may be linked to a single TID, this module does not recommend only a single technique; instead, it presents a list of recommended defensive techniques together with the role of each technique, CVSS/EPSS-based rationale for its selection, and scenario context. In this manner, the module strengthens the linkage through which standardized attack-technique identification results can be directly translated into defensive actions.
The final output is generated as a Markdown-based report. For each TID, the report includes the technique identifier and name, related CVE evidence, CVSS, EPSS, recommended D3FEND defensive techniques, and their roles, selection rationale, references, and generation dates. This report structure clearly presents high-priority defensive options in a single document centered on high-risk techniques derived from up-to-date CTI, thereby enabling security operators to rapidly apply and adjust the recommended actions according to their organizational environment.
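As an added, self-contained example (not the authors' code), the following Python block carries the CVSS/EPSS procedure of Section 4.1, the many-to-one ATT&CK–D3FEND graph of Section 4.2, and the $R_i$ scoring and report of Section 4.3 through on constructed data. The CVE identifiers are placeholders, the CVSS/EPSS values and retrieval sources are constructed, and the ATT&CK-to-D3FEND candidate lists are an assumption for illustration rather than the official D3FEND mapping; the D3FEND technique names are those used later in Section 5.2.

```python
"""TID prioritization R_i = w1 * max(CVSS)/10 + w2 * max(EPSS), D3FEND candidate
graph, and a Markdown summary. Added example, not the paper's code. All CVE ids,
scores and ATT&CK->D3FEND associations below are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveEvidence:
    cve: str
    cvss: float      # CVSS v3.1 base score, 0..10
    epss: float      # EPSS probability, 0..1
    source: str      # where the score was retrieved (kept for traceability)
    retrieved: str   # retrieval date (ISO 8601)


# Constructed vulnerability evidence per TID; note the duplicate entry for T1190
# and the empty list for T1041 (no CVE association, cf. Section 6).
TID_CVES = {
    "T1190": [CveEvidence("CVE-0000-0001", 9.8, 0.94, "nvd-placeholder", "2025-06-01"),
              CveEvidence("CVE-0000-0002", 7.5, 0.12, "nvd-placeholder", "2025-06-01"),
              CveEvidence("CVE-0000-0001", 9.8, 0.94, "nvd-placeholder", "2025-06-01")],
    "T1078": [CveEvidence("CVE-0000-0003", 6.5, 0.71, "nvd-placeholder", "2025-06-01")],
    "T1036": [CveEvidence("CVE-0000-0004", 8.8, 0.03, "nvd-placeholder", "2025-06-01")],
    "T1041": [],
}

# Assumed many-to-one candidate lists (tid -> D3FEND techniques); not the official mapping.
TID_D3FEND = {
    "T1190": [("D3-CAA", "Connection Attempt Analysis", "Detect"),
              ("D3-NRAM", "Network Resource Access Mediation", "Isolate")],
    "T1078": [("D3-DAM", "Domain Account Monitoring", "Detect"),
              ("D3-UGLPA", "User Geolocation Logon Pattern Analysis", "Detect")],
    "T1036": [("D3-PMAD", "Protocol Metadata Anomaly Detection", "Detect")],
}


def dedup(evidence):
    """Collect-and-deduplicate step: keep the first record per CVE id."""
    seen, out = set(), []
    for e in evidence:
        if e.cve not in seen:
            seen.add(e.cve)
            out.append(e)
    return out


def risk_score(evidence, w1=0.5, w2=0.5):
    """R_i with equal default weights; None when the TID has no CVE association."""
    ev = dedup(evidence)
    if not ev:
        return None
    cvss_max = max(e.cvss for e in ev)
    epss_max = max(e.epss for e in ev)
    return round(w1 * cvss_max / 10 + w2 * epss_max, 4)


def representative_evidence(evidence):
    """CVEs that drive the score: those attaining the max CVSS or the max EPSS."""
    ev = dedup(evidence)
    cmax, emax = max(e.cvss for e in ev), max(e.epss for e in ev)
    return [e.cve for e in ev if e.cvss == cmax or e.epss == emax]


def rank_tids(tid_cves):
    """Descending R_i, TID as tiebreak; unscorable TIDs are left out, not ranked last."""
    scored = [(tid, risk_score(ev)) for tid, ev in tid_cves.items()]
    return sorted([(t, r) for t, r in scored if r is not None],
                  key=lambda x: (-x[1], x[0]))


def build_graph(tid_cves, tid_d3fend):
    """Section 4.2-style node/link graph: attack nodes carry R_i, defensive nodes hang
    off them, and links are emitted in priority order so high-risk paths come first."""
    nodes, links = [], []
    for tid, r in rank_tids(tid_cves):
        nodes.append({"id": tid, "type": "attack", "risk": r})
        for d3id, name, tactic in tid_d3fend.get(tid, []):
            if not any(n["id"] == d3id for n in nodes):
                nodes.append({"id": d3id, "type": "defend", "name": name, "tactic": tactic})
            links.append({"source": tid, "target": d3id})
    return nodes, links


def render_report(tid_cves, tid_d3fend, generated_on="2025-06-30"):
    """Markdown table in the spirit of the Section 4.3 report (one row per ranked TID)."""
    lines = ["| Rank | TID | R_i | CVSS_max | EPSS_max | Evidence | D3FEND candidates |",
             "|---|---|---|---|---|---|---|"]
    for rank, (tid, r) in enumerate(rank_tids(tid_cves), 1):
        ev = dedup(tid_cves[tid])
        cands = ", ".join(f"{d} {n} ({t})" for d, n, t in tid_d3fend.get(tid, []))
        lines.append(f"| {rank} | {tid} | {r:.3f} | {max(e.cvss for e in ev):.1f} | "
                     f"{max(e.epss for e in ev):.2f} | {', '.join(representative_evidence(ev))} | {cands} |")
    lines.append(f"\nGenerated: {generated_on}; sources: "
                 + ", ".join(sorted({e.source for ev in tid_cves.values() for e in ev})))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(TID_CVES, TID_D3FEND))
```

With these constructed values T1078 (CVSS 6.5, EPSS 0.71) outranks T1036 (CVSS 8.8, EPSS 0.03), which is exactly the low-severity, high-exploitability case the formula is meant to surface; a severity-only ranking would invert the two.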

5. Threat-Scenario Validation

5.1. Scenario-Similarity Validation

Threat scenarios generated by an LLM are produced in natural language. Because of the probabilistic nature of the generation process, the narrative style, detailed progression, and included information may vary even from the same seed [38]. In addition, because gold-standard labels for generated outputs are often unavailable or limited [39], their quality cannot be easily assessed using only traditional classification performance metrics [40,41]. Accordingly, this section performs supplementary validation based on visualization and clustering after projecting the generated scenario texts onto an embedding space to examine whether semantically similar scenarios tend to be naturally grouped together.
First, Sentence-BERT (SBERT) is applied to convert each scenario text into a sentence embedding, yielding the embeddings $\{z_i\}_{i=1}^{N}$ [42]. SBERT provides embeddings specifically designed for sentence-level semantic-similarity comparisons; therefore, it is well suited for subsequent analyses, such as visualization and clustering, in which semantic proximity among scenarios is handled in a distance-based manner [43,44,45].
Because scenario embeddings are difficult to interpret directly in a high-dimensional space [46], nonlinear dimensionality reduction is used to project them into two or three dimensions for a visual inspection of their distribution. In this study, uniform manifold approximation and projection (UMAP) or t-distributed stochastic neighbor embedding (t-SNE) is employed to map the embeddings into a low-dimensional space. UMAP offers advantages in terms of preserving global structure and computational efficiency [47], whereas t-SNE strongly preserves local similarity and is widely used to visually examine clustering tendencies [48]. Through these visualizations, the cluster structure and outliers in the scenario embeddings can be intuitively examined.
In the clustering stage, K-Means is applied to partition scenario embeddings into K clusters. The objective function of K-Means is defined as follows:
$$\min_{\{C_k\}_{k=1}^{K}} \sum_{k=1}^{K} \sum_{i \in C_k} \lVert z_i - \mu_k \rVert_2^2, \qquad \mu_k = \frac{1}{|C_k|} \sum_{i \in C_k} z_i,$$
where $C_k$ denotes the index set of the $k$th cluster and $\mu_k$ denotes the corresponding cluster centroid, that is, the mean vector. The goal of clustering is to ensure that the objects within the same cluster are closely grouped, whereas those belonging to different clusters remain sufficiently separated [49].
To evaluate the clustering quality quantitatively, the silhouette score, which jointly reflects cohesion and separation, is used [50,51]. The silhouette score can be computed at the individual-sample level and then summarized by the overall average; therefore, it is well suited for a supplementary assessment of how clearly the generated scenario embeddings form a cluster structure [52]. For an arbitrary sample $i$, let $a(i)$ denote the average distance to other samples within the same cluster, and let $b(i)$ denote the average distance to the nearest neighboring cluster. Then,
$$a(i) = \frac{1}{|C_{k(i)}| - 1} \sum_{j \in C_{k(i)},\, j \neq i} d(z_i, z_j), \qquad b(i) = \min_{k \neq k(i)} \frac{1}{|C_k|} \sum_{j \in C_k} d(z_i, z_j),$$
where $k(i)$ is the cluster index to which sample $i$ belongs, and $d(\cdot, \cdot)$ is a metric that defines the distance between a pair of embeddings.
In this study, the cosine distance $d_{\cos}(\cdot, \cdot)$ is used to reflect the semantic proximity of the sentence embeddings [42]. Because a cosine-based metric computes similarity based on the vector direction rather than the magnitude [53,54], it can mitigate the influence of scale variations caused by differences in sentence length and token count [55,56]. In addition, SBERT sentence embeddings are commonly compared using cosine similarity in semantic similarity tasks [42,57], making this metric appropriate for consistently measuring both intra- and inter-cluster distances. Accordingly, this study adopts the cosine distance as the distance function, and in the subsequent distance calculations, $d(z_i, z_j) = d_{\cos}(z_i, z_j)$. The cosine similarity is defined as follows:
$$\mathrm{cos\_sim}(x, y) = \frac{x \cdot y}{\lVert x \rVert \, \lVert y \rVert}.$$
The corresponding cosine distance is defined as follows:
$$d_{\cos}(x, y) = 1 - \mathrm{cos\_sim}(x, y).$$
The silhouette coefficient $s(i)$ is defined as follows:
$$s(i) = \frac{b(i) - a(i)}{\max\{a(i), b(i)\}}, \qquad -1 \le s(i) \le 1.$$
The overall mean silhouette score is then computed as
$$\bar{s} = \frac{1}{N} \sum_{i=1}^{N} s(i).$$
A value of $\bar{s}$ closer to one indicates better cluster cohesion and separation, whereas a larger proportion of negative values suggests a higher likelihood of the samples being assigned to inappropriate clusters.
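The following Python block is an added example (not the authors' code) that implements the K-Means objective and the cosine-distance silhouette formulas above from scratch, so the per-sample and mean values can be inspected without a library. The nine three-dimensional vectors are constructed stand-ins for SBERT embeddings (three directions with deliberately different magnitudes, plus one point placed in the wrong cluster), and the fixed initial centroids are an assumption that keeps the example deterministic.

```python
"""K-Means objective and cosine silhouette (Section 5.1) in plain Python.
Added example, not the paper's code. Embeddings are constructed toy vectors;
the mislabeled ninth point shows how a negative s(i) arises."""
import math


def cos_sim(x, y):
    """cos_sim(x, y) = x.y / (|x| |y|)."""
    dot = sum(a * b for a, b in zip(x, y))
    nx = math.sqrt(sum(a * a for a in x))
    ny = math.sqrt(sum(b * b for b in y))
    return dot / (nx * ny)


def d_cos(x, y):
    """d_cos(x, y) = 1 - cos_sim(x, y)."""
    return 1.0 - cos_sim(x, y)


def silhouette_samples(Z, labels, dist=d_cos):
    """s(i) = (b(i) - a(i)) / max(a(i), b(i)) for every sample."""
    clusters = {}
    for i, k in enumerate(labels):
        clusters.setdefault(k, []).append(i)
    s = []
    for i in range(len(Z)):
        k_i = labels[i]
        own = [j for j in clusters[k_i] if j != i]
        if not own:                 # singleton cluster: a(i) undefined, use 0 by convention
            s.append(0.0)
            continue
        a = sum(dist(Z[i], Z[j]) for j in own) / len(own)
        b = min(sum(dist(Z[i], Z[j]) for j in members) / len(members)
                for k, members in clusters.items() if k != k_i)
        s.append((b - a) / max(a, b))
    return s


def silhouette_mean(Z, labels):
    """s_bar = (1/N) * sum_i s(i)."""
    s = silhouette_samples(Z, labels)
    return sum(s) / len(s)


def negative_fraction(Z, labels):
    """Share of samples with s(i) < 0, the 'likely misassigned' indicator."""
    s = silhouette_samples(Z, labels)
    return sum(1 for v in s if v < 0) / len(s)


def normalize(v):
    n = math.sqrt(sum(a * a for a in v))
    return tuple(a / n for a in v)


def kmeans(Z, k, init_idx, iters=50):
    """Lloyd's iterations for the Section 5.1 objective, run on unit-normalized
    vectors so that squared Euclidean distance is monotone in cosine distance.
    init_idx fixes the initial centroids (assumption) to keep runs reproducible."""
    X = [normalize(v) for v in Z]
    mu = [X[i] for i in init_idx]
    labels = [-1] * len(X)
    for _ in range(iters):
        new = [min(range(k), key=lambda c: sum((a - b) ** 2 for a, b in zip(x, mu[c])))
               for x in X]
        if new == labels:
            break
        labels = new
        for c in range(k):
            members = [X[i] for i in range(len(X)) if labels[i] == c]
            if members:
                mu[c] = tuple(sum(col) / len(members) for col in zip(*members))
    return labels


# Constructed embeddings: three directions, varied magnitudes; index 8 points in
# the cluster-1 direction but is labelled 0 on purpose.
Z = [
    (1.0, 0.1, 0.0), (2.0, 0.0, 0.2), (0.9, 0.2, 0.1),   # cluster 0
    (0.1, 1.0, 0.0), (0.0, 3.0, 0.3), (0.2, 0.9, 0.1),   # cluster 1
    (0.0, 0.1, 1.0), (0.2, 0.0, 2.0),                    # cluster 2
    (0.0, 1.0, 0.05),                                    # mislabeled as cluster 0
]
LABELS = [0, 0, 0, 1, 1, 1, 2, 2, 0]

if __name__ == "__main__":
    print("given labels: mean", round(silhouette_mean(Z, LABELS), 3),
          "negative fraction", round(negative_fraction(Z, LABELS), 3))
    fixed = kmeans(Z, 3, init_idx=[0, 3, 6])
    print("k-means labels:", fixed, "mean", round(silhouette_mean(Z, fixed), 3))
```

Because d_cos ignores magnitude, scaling every embedding by a constant leaves every s(i) unchanged, which is the scale-invariance argument the section makes for preferring cosine distance over Euclidean distance on sentence embeddings of different lengths.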
The OpenCTI instance contains a substantially larger number of campaign-related cases. However, using all available campaigns would have resulted in an excessively large number of clusters, thereby reducing the interpretability of clustering-based comparison and low-dimensional visualization. Therefore, 20 campaigns were selected as a manageable subset for comparative validation. The selection was based on three inclusion criteria. Each campaign had to contain at least three distinct ATT&CK TIDs to ensure sufficient tactical diversity. The selected campaigns also had to collectively cover the ATT&CK kill chain from Initial Access through Impact. In addition, they had to represent a range of threat-actor types and target sectors to avoid overrepresentation of a single attack profile. Cases with insufficient ATT&CK linkage, overly fragmented procedural context, or highly redundant campaign characteristics were excluded.
In this study, 100 threat scenarios were generated using GPT-4.5, with five scenarios produced for each of the 20 campaigns. SBERT embeddings were then applied, followed by K-Means clustering with $K = 20$. The distribution of the generated scenarios was visualized in two dimensions using UMAP and t-SNE, and the cohesion and separation were evaluated using the cosine silhouette score. As shown in the visualization results (Figure 4a,b), UMAP reveals a tendency for mutually similar clusters to converge near the center and several groups to remain relatively well separated in specific regions. By contrast, t-SNE produces a more compact representation for many clusters owing to its ability to preserve the local structure, with only limited mixing observed along the cluster boundaries.
As shown in Figure 5, the cosine silhouette scores, used as a quantitative indicator, ranged from 0.33 to 0.75, with an average of approximately 0.52. However, the silhouette coefficient can vary depending on the data preprocessing, embedding model, dimensionality-reduction method, and clustering configuration; therefore, its ability to determine the realism or validity of the generated scenarios based on a single metric is limited. In particular, for the LLM-based generation of attack-scenario variants, an absolute threshold for the silhouette coefficient cannot be easily defined because ground-truth labels for actually observed event sets are frequently unavailable. Moreover, a high degree of similarity in the sentence-embedding space does not guarantee that a scenario has been well generated; rather, high similarity may arise from repeated narrative patterns or excessive generalizations.
However, given that sufficiently established quantitative-evaluation criteria for LLM-generated attack scenarios have remained limited in prior research, this study uses cluster-based metrics as supplementary and conservative sources of evidence. In other words, the result that the mean silhouette score is approximately 0.52 is interpreted as evidence that the generated scenarios form a cluster structure while preserving a certain level of semantic consistency. However, it is not used as direct evidence of real-world plausibility or factual validity. Instead, considering the possibility that some generated variants may not correspond to scenarios that actually exist, this study adopts such a metric not for making strong claims, but as a baseline for confirming minimal internal consistency.
Accordingly, the present clustering-based analysis should be interpreted only as a supplementary consistency check rather than as a validity benchmark for generated scenarios. In particular, it does not directly establish the technical accuracy, operational feasibility, or practical usefulness of the generated content for security analysts. More direct evaluation methods, such as expert review, red-team-based plausibility assessment, or structured analyst-centered scoring, are required for a more rigorous assessment of scenario quality.
Therefore, the silhouette score must be complemented with additional validity measures, and the stability of the results must be further examined using alternative clustering methods and cross-validation. In addition, because the scenarios in this study were generated using GPT-4.5, further experiments are required to assess the model dependence by comparing these results with scenarios regenerated by other LLMs.

5.2. Framework Validation via Case Study

While the SKT intrusion incident is presented as the primary case study in the main text, additional validation cases, including the 2022 Ukraine Electric Power Attack, Salt Typhoon, and Vicious Trap, are provided in Appendix A. On 18 April 2025, a Berkeley packet filter (BPF) backdoor was introduced through a wireless-charging data record system [58]. This backdoor exploited the kernel-level BPF to respond only to externally triggered packets, masquerading as a legitimate process in the user space and evading logs and command histories, thereby making early detection difficult. After establishing a foothold in the internal network through a covert channel, the attacker further penetrated the management and service networks. After compromising the home subscriber server (HSS), the attacker extended their scope of influence to the home-location register (HLR) and equipment-identity register (EIR) through trust relationships. Consequently, a large volume of sensitive identification and authentication information, including the international mobile subscriber identity (IMSI), international mobile equipment identity (IMEI), and subscriber long-term keys, was confirmed to have been exfiltrated. Table 2 presents the TTPs identified in the SK Telecom (SKT) incident, organized by ATT&CK TIDs.
Figure 6 shows an example of a generated variant scenario based on the TIDs identified in the SKT intrusion incident. Countermeasures for the identified TIDs were mapped using D3FEND tactics. According to the CVSS and EPSS analyses presented in Table 3, T1190, T1036, and T1078 were the highest-priority risk factors. The final report output includes a summary table of TIDs, CVSS, and EPSS together with a prioritized list of response actions, presenting the corresponding D3FEND techniques for each ATT&CK technique.

Framework-Based Additional Defense-Strategy Proposal

Table 4 summarizes the official follow-up response measures announced by SKT after the intrusion incident [58] and reorganizes them based on the corresponding MITRE D3FEND tactics and defensive techniques. Through this mapping, publicly disclosed countermeasures are systematically structured at both the tactical and technical levels, thereby providing a clearer view of how the post-incident actions of SKT can be interpreted within the D3FEND framework. However, this analysis was conducted based on the response measures and presentation materials officially disclosed by SKT; therefore, it does not fully reflect actual internal operational procedures or undisclosed measures. Accordingly, the mapping results presented in this study should be interpreted as an analytical assessment based on publicly available information and may differ in part from the full set of response mechanisms actually implemented in practice.
Because no widely standardized end-to-end benchmark currently exists for integrated CTI-driven scenario generation, ATT&CK–D3FEND mapping, and risk-based defense prioritization, the present study does not claim superiority over a common baseline. Instead, the official post-incident response measures announced by SKT, which were formulated by the company’s security team in conjunction with a joint public–private investigation, are used as a practical reference point for examining whether the proposed framework can derive additional structured defense options beyond the publicly disclosed response set.
Table 5 presents the results obtained after excluding all items that overlapped with the official follow-up response measures announced by SKT and selectively organizing only those D3FEND defensive techniques that, from the perspective of this study, were not included in the SKT response. Although SKT proposed several security enhancement plans as part of its recurrence-prevention measures, many remained at a relatively general level, such as strengthening account management, network segmentation, and access control, without providing sufficient specificity regarding which defensive technologies should be introduced in practice. In contrast, the application of the framework proposed in this study enables the reinterpretation of the same incident within the D3FEND tactic–technique structure and derivation of a refined list of additional measures not covered by SKT’s existing countermeasures. This demonstrates that defensive gap areas can be systematically supplemented. By comparing the framework’s output against this expert baseline, the analysis identified 15 additional D3FEND defensive techniques across five tactical categories that were not included in the officially disclosed measures.
First, from the perspective of the model tactic, although the environment involved highly complex structural and account dependencies among the HSS, management network, and customer network, no evidence was identified in the official materials that such dependencies had been systematically modeled and managed. Accordingly, the introduction of operational activity mapping (D3-OAM), which visualizes business functions in terms of their dependencies on servers, network segments, and accounts based on operational activities, and Access Modeling (D3-AM), which explicitly models the resources accessible to administrators, operators, and system accounts, is required. Although SKT mentioned strengthening account security and managing privileged accounts, such measures remain distant from a systematic privilege-structure design grounded in model-level tactics.
From the perspective of the Detect tactic, potential improvements were identified in both network- and command-and-control (C2)-level anomaly detection as well as account- and behavior-based detection. SKT allowed prolonged covert intrusion into the HSS and management network. However, earlier containment may have been possible if anomalous remote access, repeated connection attempts, and connection patterns similar to port scanning had been detected at an earlier stage. To this end, connection attempt analysis (D3-CAA), which analyzes repeated failed logins and exploratory connection attempts, and remote terminal session detection (D3-RTSD), which detects traffic between nodes that do not normally communicate, servers functioning as relay nodes, and unauthorized remote terminal sessions such as RDP or SSH after the formation of intermediate footholds and relay hosts using BPFDoor and web shells, are required. In addition, given the reported exfiltration of 9.82 GB of data and 26 million records, the upload pattern of a specific HSS server likely deviated substantially from normal behavior. Therefore, protocol metadata anomaly detection (D3-PMAD), which detects anomalies at the level of protocol metadata, and per-host download–upload ratio analysis (D3-PHDURA), which monitors changes in upload-to-download and download-to-upload ratios on a per-host basis, would be effective in preventing recurrence. 
Furthermore, considering that the joint public–private investigation team identified poor account-information management and the exploitation of long-unchanged accounts as key failures, the introduction of user and entity behavior analytics (UEBA)-type techniques is essential, including domain account monitoring (D3-DAM), which continuously monitors domain-account creation, privilege changes, and anomalous login events; local account monitoring (D3-LAM), which provides the same functionality for local accounts; user behavior analysis (D3-UBA); and user geolocation logon pattern analysis (D3-UGLPA), which detects login behavior that deviates from normal temporal, spatial, and behavioral patterns.
From the perspective of the Isolate tactic, SKT proposed follow-up measures, such as strengthened network segmentation and reinforced firewall policies; however, these remained at a relatively coarse level of isolation at the network-segment level. In the future, more fine-grained policies will be required to control which accounts or hosts access which services or files, at what times, from which locations, and through which access paths. This can be concretized through designs at the level of the network resource access mediation (D3-NRAM), which mediates access to network resources, and remote file access mediation (D3-RFAM), which precisely controls the access to remote files. These techniques move beyond merely separating networks by introducing an additional layer that finely mediates access rights down to the resource and file levels, thereby structurally constraining lateral movement and large-scale exfiltration by attackers.
For the Deceive tactic, the deployment of deceptive assets capable of immediately generating detection signals upon attacker access may be effective to compensate for the failure to detect signs of HSS compromise at an early stage when the initial indicators of compromise were first recognized in 2022. For example, fake HSS administrator account lists and forged Ki and IMSI lists can be deployed as decoy objects or files using the decoy file (D3-DF) technique. If any access, inspection, or copying attempts against them are elevated to high-risk events and immediately linked to alert and investigation processes, they may serve as effective early-detection triggers for future similar attacks.
From the perspective of the Restore tactic, SKT’s official materials describe post-incident actions, such as malware removal, strengthened firewall policies, and USIM replacement and reconfiguration, in relatively detailed terms; however, they do not provide information regarding the standards, procedures, or recovery points used to restore compromised servers, data, and configuration values from backup images. Accordingly, to prepare for similar incidents, procedures to systematically restore compromised servers, configurations, and data from integrity-verified baseline backups must be established. This can be concretized through policies and operational processes from the perspectives of the restore object (D3-RO), which defines restoration at the object level, and the restore file (D3-RF), which addresses restoration at the file level.
Overall, the additional D3FEND-based countermeasures proposed in this study are meaningful because they not only explain the causes of the SKT incident retrospectively but also provide concrete execution strategies regarding which defensive techniques should be reinforced at which tactical stages when an organization faces similar intrusion scenarios in the future. In particular, by decomposing the generally stated measures in the SKT follow-up plans, such as strengthening account management and reinforcing network segmentation, into specific D3FEND techniques, such as D3-OAM, D3-CAA, D3-NRAM, and D3-RO, the areas omitted from the existing defense framework may be clearly identified. Furthermore, these analytical results can provide a reusable reference model not only for telecommunications carriers but also for other infrastructure operators with similar network and account structures, thereby contributing to the post-incident response for a single case, the establishment of proactive defense strategies, and the improvement of security architecture.

6. Limitations

The limitations of this study are organized into three categories. First, regarding data limitations, the CTI collected through 13 OpenCTI connectors does not exhaustively cover all available threat-intelligence sources, and the resulting dataset may therefore reflect coverage biases toward the feeds and communities represented by those connectors. Although the proposed framework itself is not inherently restricted to a fixed temporal window and can be applied to broader or earlier CTI collections depending on deployment conditions, the empirical illustration and framework validation in this study were conducted on a March–June 2025 snapshot. Accordingly, the main limitation lies in the temporal scope of the present evaluation, and additional validation across longer collection periods would strengthen generalizability.
Second, regarding methodological limitations, the current framework relies solely on GPT-4.5, which may introduce model-specific biases in scenario narration and technique-combination patterns; cross-model validation with alternative LLMs is therefore required, as discussed in Section 4.1. In addition, the silhouette score used in Section 5.1 serves only as a supplementary consistency indicator and does not directly establish scenario realism, while the absence of ground-truth labels prevents the application of conventional classification metrics. To complement the clustering-based analysis, future work should incorporate direct quality assessment of the generated scenarios. This includes structured evaluation by domain experts who rate scenario outputs across dimensions such as technical accuracy, operational feasibility, and information completeness, as well as automated scoring using a separate LLM as an independent evaluator. In addition, runtime cross-checking strategies such as self-consistency verification, in which multiple scenario variants are generated from the same seed and checked for factual agreement, and iterative self-refinement approaches, in which the LLM evaluates and revises its own output against the source CTI, should be explored as built-in hallucination mitigation mechanisms. Comparing human and algorithmic judgments through agreement metrics would further clarify whether the semantic consistency observed in embedding space corresponds to practical utility in operational settings.
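As an added example of the self-consistency check proposed above (not the paper's code), the block below treats each LLM-generated scenario variant as an ordered list of (tactic, technique ID) steps and checks it against the technique IDs extracted from the seed CTI: malformed IDs and technique IDs that neither appear in the seed nor have their parent technique in the seed are flagged as ungrounded, a majority vote over variants yields the consensus technique set, and pairwise Jaccard agreement gives a single consistency figure. The seed set and the three variants are constructed for illustration.

```python
"""Self-consistency and grounding check for LLM-generated threat scenarios.

Added example, not the paper's implementation. A variant is an ordered list of
(tactic, technique ID) steps; the seed is the set of technique IDs actually
observed in the source CTI. All data below is constructed.
"""
import re
from collections import Counter

TID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed seed: technique IDs extracted from the source CTI for one case
SEED_TIDS = {"T1190", "T1059", "T1105", "T1090", "T1070.003", "T1571"}

# Constructed variants, as an LLM might return for the same seed
VARIANTS = [
    [("initial-access", "T1190"), ("execution", "T1059"),
     ("command-and-control", "T1105"), ("defense-evasion", "T1070.003")],
    [("initial-access", "T1190"), ("execution", "T1059"),
     ("command-and-control", "T1090"), ("command-and-control", "T1571")],
    [("initial-access", "T1190"), ("execution", "T1059"),
     ("persistence", "T1053"), ("command-and-control", "T1105")],  # T1053 not in seed
]


def parent_tid(tid):
    return tid.split(".")[0]


def is_grounded(tid, seed):
    """A sub-technique counts as grounded if its parent is in the seed."""
    return tid in seed or parent_tid(tid) in seed


def check_variant(steps, seed):
    """Return (well_formed, ungrounded_ids) for one variant."""
    well_formed = all(TID_RE.match(t) for _, t in steps)
    ungrounded = sorted({t for _, t in steps if not is_grounded(t, seed)})
    return well_formed, ungrounded


def consensus(variants, seed, min_support=0.5):
    """Majority-vote technique set across variants, dropping ungrounded IDs."""
    counts = Counter()
    flagged = {}
    for i, steps in enumerate(variants):
        ok, bad = check_variant(steps, seed)
        if not ok:
            flagged[i] = "malformed technique id"
        elif bad:
            flagged[i] = f"ungrounded: {','.join(bad)}"
        counts.update({t for _, t in steps if is_grounded(t, seed)})
    n = len(variants)
    agreed = sorted(t for t, c in counts.items() if c / n >= min_support)
    return {"agreed": agreed, "support": dict(counts), "flagged": flagged}


def pairwise_agreement(variants):
    """Mean Jaccard similarity of technique sets over all variant pairs."""
    sets = [{t for _, t in v} for v in variants]
    scores = []
    for i in range(len(sets)):
        for j in range(i + 1, len(sets)):
            union = sets[i] | sets[j]
            scores.append(len(sets[i] & sets[j]) / len(union) if union else 1.0)
    return sum(scores) / len(scores) if scores else 1.0


if __name__ == "__main__":
    print(consensus(VARIANTS, SEED_TIDS))
    print(round(pairwise_agreement(VARIANTS), 3))
```

A low agreement figure with no flagged variants means the model is sampling different but grounded technique combinations, which is the diversity the scenario generator wants; flagged variants are the hallucination cases that should be regenerated or routed to an analyst.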
Third, regarding framework limitations, MITRE D3FEND does not officially cover ICS and mobile domains, and extending the pipeline to OT environments requires integration with ATT&CK for ICS, as discussed in the Introduction. Moreover, the CVSS–EPSS risk-scoring mechanism is predicated on CVE associations; however, APT actors frequently exploit zero-day vulnerabilities or employ living-off-the-land techniques with no CVE association, rendering this scoring mechanism inapplicable in such cases. Addressing this gap requires complementary risk signals that do not depend on CVE-based scoring, such as threat-actor attribution confidence or technique prevalence in recent CTI. Finally, the current framework remains partially automated, and achieving full end-to-end automation, including Security Orchestration, Automation, and Response platform integration, remains a task for future research.
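To make the gap concrete, here is an added example (not the paper's scoring code) of a prioritizer that applies the CVSS–EPSS product when a technique has associated CVEs and falls back to the two CVE-independent signals named above, technique prevalence in recent CTI and threat-actor attribution confidence, when it does not. The CVSS/EPSS values are the ones reported for the SKT case in Table 3; the CVE identifier, the prevalence counts, the attribution confidences, and the fallback weights are constructed placeholders. The same logic covers the Salt Typhoon case in Appendix A.2, where no CVE association was available.

```python
"""Technique prioritization with CVE-based and CVE-less risk signals.

Added example, not the paper's implementation. A technique tied to CVEs is
scored as max over its CVEs of (CVSS/10) * EPSS; a technique with no CVE
(zero-day, living-off-the-land) falls back to recent-CTI prevalence and
attribution confidence. Weights and fallback inputs are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Technique:
    tid: str
    cves: dict = field(default_factory=dict)   # cve_id -> (cvss, epss)
    prevalence: int = 0        # recent CTI reports mentioning the technique
    attribution: float = 0.0   # 0..1 confidence the actor of interest uses it


def cve_score(t):
    """CVSS-EPSS product over associated CVEs, or None if there are none."""
    if not t.cves:
        return None
    return max(cvss / 10.0 * epss for cvss, epss in t.cves.values())


def fallback_score(t, max_prevalence, w_prev=0.6, w_attr=0.4):
    """CVE-independent score: normalized prevalence blended with attribution."""
    prev = t.prevalence / max_prevalence if max_prevalence else 0.0
    return w_prev * prev + w_attr * t.attribution


def prioritize(techniques):
    """Return (tid, score, basis) tuples sorted by descending score."""
    max_prev = max((t.prevalence for t in techniques), default=0)
    ranked = []
    for t in techniques:
        s = cve_score(t)
        if s is not None:
            ranked.append((t.tid, s, "cvss-epss"))
        else:
            ranked.append((t.tid, fallback_score(t, max_prev), "prevalence-attribution"))
    return sorted(ranked, key=lambda x: (-x[1], x[0]))


# Constructed input. CVSS/EPSS pairs follow Table 3 of the paper; the CVE ids,
# prevalence counts and attribution values are placeholders.
SAMPLE_TECHNIQUES = [
    Technique("T1190", cves={"CVE-XXXX-0001": (9.8, 0.73531)}),
    Technique("T1036", cves={"CVE-XXXX-0002": (10.0, 0.94381)}),
    Technique("T1078", cves={"CVE-XXXX-0003": (10.0, 0.94335)}),
    Technique("T1572", prevalence=8, attribution=0.7),   # tunneling, no CVE
    Technique("T1595", prevalence=4, attribution=0.5),   # scanning, no CVE
]


if __name__ == "__main__":
    for tid, score, basis in prioritize(SAMPLE_TECHNIQUES):
        print(f"{tid:10s} {score:.4f}  {basis}")
```

Because the two bases are on different scales, the `basis` field is carried through to the report so an analyst can see whether a rank came from exploit-likelihood data or from a heuristic; mixing them in one list is a deliberate choice that should be stated in the Defense Description rather than hidden.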
As a complementary future direction, this study will extend the current ATT&CK- and D3FEND-centered framework toward machine learning (ML) and deep learning (DL) attack scenarios by incorporating MITRE ATLAS as an independent extension path [59]. This extension will proceed in three steps. First, an ATLAS-STIX parser will be developed to extract and normalize ATLAS-specific technique objects, including those related to ML supply chains and model-centric attack procedures. Second, the extracted ATLAS techniques will be structurally aligned with the existing tactic–technique chain representation used in the current framework, so that ML-oriented tactical sequences, such as model theft, data poisoning, or malicious model manipulation, can be expressed in a form compatible with the current ATT&CK-based scenario-generation pipeline. Third, the extended framework will be validated against publicly documented AI supply chain attack cases, including malicious model distribution incidents, to assess whether the generated scenario chains and defense mappings remain coherent, traceable, and operationally meaningful in ML/DL contexts. Through this process, the ATLAS extension will follow a structured integration and validation pathway rather than remaining at a conceptual level, thereby ensuring that ML/DL scenario generation maintains the same degree of traceability and operational relevance as the current ATT&CK–D3FEND pipeline.
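The first step of the extension, an ATLAS-STIX parser feeding the tactic–technique chain representation, is illustrated below with an added example that is not the paper's parser. It assumes the convention used by the ATT&CK STIX data, and by ATLAS data published in the same shape, that each attack-pattern object carries an external_references entry whose source_name is "mitre-attack" or "mitre-atlas" with the technique ID in external_id, and kill_chain_phases naming the tactic; objects of other types, revoked or deprecated objects, and phases from other kill chains are ignored. The tactic ordering list is an assumption to be checked against the current ATLAS matrix, and the technique names and IDs in the sample bundle are placeholders shaped like ATLAS/ATT&CK entries rather than authoritative content.

```python
"""Parse a STIX 2.1 bundle of attack-pattern objects and normalize them into
the tactic -> technique chain used by the scenario pipeline.

Added example, not the paper's parser. Assumes ATT&CK/ATLAS-style STIX
(external_references source_name + external_id, kill_chain_phases).
The sample bundle is constructed; verify IDs against the real ATLAS data.
"""
import json
import re

TID_RE = re.compile(r"^(?:AML\.)?T\d{4}(?:\.\d{3})?$")
SOURCES = {"mitre-attack", "mitre-atlas"}

# Assumed tactic sequence (ATT&CK order with the ML-specific ATLAS tactics
# interleaved); adjust to the ATLAS matrix version in use.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "ml-model-access",
    "execution", "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "collection", "ml-attack-staging",
    "command-and-control", "exfiltration", "impact",
]


def external_id(obj):
    """Return (source_name, external_id) for the first ATT&CK/ATLAS reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in SOURCES and "external_id" in ref:
            return ref["source_name"], ref["external_id"]
    return None


def parse_bundle(text):
    """Extract live attack-pattern objects as {tid, name, source, tactics}."""
    out = []
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ref = external_id(obj)
        if ref is None:
            continue
        source, tid = ref
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") in SOURCES]
        out.append({"tid": tid, "name": obj.get("name", ""),
                    "source": source, "tactics": tactics})
    return out


def to_chain(techniques):
    """One (tactic, tid) step per kill-chain phase, ordered by tactic sequence."""
    steps = [(tac, t["tid"]) for t in techniques for tac in t["tactics"]]

    def key(step):
        tac, tid = step
        idx = TACTIC_ORDER.index(tac) if tac in TACTIC_ORDER else len(TACTIC_ORDER)
        return (idx, tid)

    return sorted(steps, key=key)


def validate_chain(chain):
    """Report malformed technique IDs and tactics outside the known sequence."""
    problems = []
    for tac, tid in chain:
        if not TID_RE.match(tid):
            problems.append(f"malformed id {tid}")
        if tac not in TACTIC_ORDER:
            problems.append(f"unknown tactic {tac} for {tid}")
    return problems


def _ap(tid, source, name, phases, **extra):
    """Build a constructed attack-pattern object for the sample bundle."""
    obj = {"type": "attack-pattern", "id": f"attack-pattern--{tid.lower()}",
           "name": name,
           "external_references": [{"source_name": source, "external_id": tid}],
           "kill_chain_phases": [{"kill_chain_name": source, "phase_name": p}
                                 for p in phases]}
    obj.update(extra)
    return obj


# Constructed sample: names/IDs are placeholders shaped like ATLAS/ATT&CK entries.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "relationship", "id": "relationship--sample", "relationship_type": "uses",
     "source_ref": "intrusion-set--sample", "target_ref": "attack-pattern--aml.t0043"},
    _ap("AML.T0043", "mitre-atlas", "Craft Adversarial Data", ["ml-attack-staging"]),
    {**_ap("T1195.002", "mitre-attack", "Compromise Software Supply Chain", ["initial-access"]),
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
                           {"kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "delivery"}]},
    _ap("AML.T0099", "mitre-atlas", "Retired Placeholder", ["impact"], revoked=True),
    _ap("AML.T0010", "mitre-atlas", "ML Supply Chain Compromise", ["initial-access"]),
    _ap("AML.T0020", "mitre-atlas", "Poison Training Data", ["resource-development", "persistence"]),
]})


if __name__ == "__main__":
    chain = to_chain(parse_bundle(SAMPLE_BUNDLE))
    print(chain, validate_chain(chain))
```

A technique that appears under two tactics (here the poisoning placeholder under resource-development and persistence) yields two chain steps, which is what the ATT&CK-based generator already expects; keeping the source_name on each record lets the D3FEND mapping stage skip ATLAS IDs that have no official D3FEND relationship instead of silently mapping nothing.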

7. Conclusions

A consistent pipeline that reflects up-to-date threat intelligence was proposed, encompassing CTI collection and preprocessing, threat-scenario generation, D3FEND-based defensive technique mapping, and the preparation of Defense Descriptions. By structuring the threat intelligence ingested into OpenCTI based on the MITRE ATT&CK kill chain and automatically generating diverse scenarios, the proposed framework rapidly reconstructed the tactical and technical flow of emerging attacks. Subsequently, by visualizing the mapping between ATT&CK and D3FEND and clearly presenting the defensive techniques corresponding to each attack technique, actionable defense strategies and proactive response measures for recent attacks could be derived in the context of a specific group or campaign. Consequently, this study provides a real-time CTI-driven framework for enterprise IT-oriented and other ATT&CK-mappable environments in which the current ATT&CK–D3FEND pipeline can be operationalized. At the same time, the present framework should not be interpreted as directly applicable to ICS/SCADA scenarios that depend on the specialized ATT&CK for ICS matrix unless future expansion of the D3FEND ontology enables such coverage. Within these scope boundaries, the proposed framework offers a reproducible operational foundation for transforming continuously collected CTI into structured attack scenarios, prioritized defense mappings, and decision-support artifacts for proactive cyber defense.

Author Contributions

Conceptualization, R.J., Y.K., B.I.K., M.L.H. and J.K.; Methodology, R.J., H.-B.L., J.H. and W.-K.J.; Software/Simulation, R.J., J.-Y.L. and T.-Y.K.; Data Curation, R.J. and H.-B.L.; Analysis/Validation, R.J. and J.H.; Visualization, R.J. and W.-K.J.; Writing—Original Draft, R.J.; Writing—Review and Editing, R.J., B.I.K., M.L.H. and J.K.; Supervision, Y.K., B.I.K., M.L.H. and J.K.; Corresponding Authors, M.L.H. and J.K. All authors have read and agreed to the published version of the manuscript.

Funding

This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (No. RS-2025-25411243). This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (No. RS-2025-25398603). This work was supported by the 2025 Industrial Technology Alchemist Project (RS-2025-02317769, Study on Adaptive and Self-Evolving IoT Security Orchestration) funded by the Ministry of Trade, Industry & Energy (MOTIE, Korea). This work was also partially supported by a Korea University Grant.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The data presented in this study are available on request from the corresponding author, as they were obtained from a self-operated OpenCTI environment that aggregates third-party CTI sources and includes security-sensitive report artifacts and derived records. Access may be provided by the corresponding author upon reasonable request, subject to applicable security and source-access restrictions.

Conflicts of Interest

The authors declare no conflicts of interest.

Appendix A

Appendix A.1. Case Study: 2022 Ukraine Electric Power Attack

The 2022 Ukraine Electric Power Attack was attributed to the Russia-aligned Sandworm team. The attackers penetrated the network of a Ukrainian power company by combining tunneling and proxy tools, such as GOGETTER and Neo-REGeorg, with living-off-the-land techniques that abuse built-in operating system functionality, and deployed the CaddyWiper wiper in the Impact stage [60]. Using this approach, the attackers aimed to disrupt power facility operations by transmitting unauthorized control commands to the SCADA system. Table A1 presents the TTPs identified in the 2022 Ukraine Electric Power Attack case, organized by ATT&CK TIDs. Figure A1 illustrates an example of a generated variant scenario based on the TIDs identified during the attack. The corresponding countermeasures were mapped based on D3FEND tactics for the identified TIDs. According to the CVSS and EPSS analyses shown in Table A2, T1059, T1053, T1484, T1036, and T1570 were identified as the highest-priority ATT&CK techniques from a risk perspective. The final report output includes a summary table of TIDs, CVSS, and EPSS together with a prioritized list of response actions, presenting the corresponding D3FEND techniques for each ATT&CK technique.
Table A1. Mapping of TTPs in the Case Studies to ATT&CK IDs.

Case | Tactic | Technique | ATT&CK ID
2022 Ukraine Electric Power Attack | Execution | Command and Scripting Interpreter | T1059
 | Persistence | Scheduled Task/Job | T1053
 | Persistence | Create or Modify System Process | T1543
 | Persistence | Server Software Component | T1505
 | Defense Evasion | Domain or Tenant Policy Modification | T1484
 | Defense Evasion | Masquerading | T1036
 | Lateral Movement | Lateral Tool Transfer | T1570
 | Command and Control | Non-Application Layer Protocol | T1095
 | Command and Control | Protocol Tunneling | T1572
 | Impact | Data Destruction | T1485
Salt Typhoon Attack | Initial Access | Exploit Public-Facing Application | T1190
 | Privilege Escalation | Exploitation for Privilege Escalation | T1068
 | Command and Control | Protocol Tunneling | T1572
 | Reconnaissance | Active Scanning | T1595
 | Reconnaissance | Gather Victim Network Information | T1590
Vicious Trap Attack | Initial Access | Exploit Public-Facing Application | T1190
 | Command and Control | Ingress Tool Transfer | T1105
 | Execution | Command and Scripting Interpreter | T1059
 | Command and Control | Proxy | T1090
 | Defense Evasion | Clear Linux or Mac System Logs | T1070.002
 | Defense Evasion | Clear Command History | T1070.003
 | Persistence | SSH Authorized Keys | T1098.004
 | Command and Control | Non-Standard Port | T1571
 | Persistence | System Firmware | T1542.001
 | Privilege Escalation | Boot or Logon Autostart Execution | T1547
Figure A1. ATT&CK–D3FEND Mapping-Based Framework for 2022 Ukraine Electric Power Attack.
Table A2. Risk Analysis of Techniques in the Case Studies Based on CVSS and EPSS.

Case | TID | CVSS (base score) | EPSS (probability)
2022 Ukraine Electric Power Attack | T1484 | 9.8 | 0.93992
 | T1570 | 9.9 | 0.94473
 | T1059 | 10 | 0.94445
 | T1053 | 10 | 0.94584
 | T1036 | 10 | 0.94381
Vicious Trap | T1571 | 10 | 0.94335
 | T1190 | 10 | 0.94122

Appendix A.2. Case Study: Salt Typhoon

Salt Typhoon is a threat actor supported by the government of the People’s Republic of China and has been active since at least 2019. It has conducted multiple intrusions targeting the network infrastructure of major U.S. telecommunications companies and internet service providers [61]. Table A1 presents the TTPs identified in the Salt Typhoon case, organized by ATT&CK TIDs. Figure A2 illustrates an example of a generated variant scenario based on the TIDs identified for the Salt Typhoon group. The corresponding countermeasures were mapped according to the D3FEND tactics associated with the identified TIDs. The final report output included a prioritized list of response actions for each TID together with the corresponding D3FEND techniques. However, because the CTI collected for this case did not associate the observed techniques with specific CVEs, the CVE-dependent CVSS–EPSS risk scoring could not be applied (see Section 6), and no CVSS- or EPSS-based prioritization is reported for Salt Typhoon.
Figure A2. ATT&CK–D3FEND Mapping-Based Framework for Salt Typhoon.

Appendix A.3. Case Study: Vicious Trap

This case study focuses on Vicious Trap, which was reported in May 2025. The attackers exploited a Cisco SMB router vulnerability (CVE-2023-20118) to build a large-scale honeypot-like infection network spanning 84 countries, with more than 5300 confirmed infected devices [62]. After the initial compromise, the attackers deployed and executed NetGhost-family shell scripts, redirected traffic on specific ports to external infrastructure, and deleted logs and other artifacts to hinder forensic analysis. Table A1 lists the TTPs identified in the Vicious Trap case, organized by ATT&CK TIDs. Figure A3 illustrates an example of a generated variant scenario based on the TIDs identified for Vicious Trap. The corresponding countermeasures were mapped according to D3FEND tactics for the identified TIDs. Table A2 shows that, according to the CVSS and EPSS analyses, T1190 and T1571 were identified as the highest-priority risk factors. The final report output includes a summary table of TIDs, CVSS, and EPSS together with a prioritized list of response actions, presenting the corresponding D3FEND techniques for each ATT&CK technique.
Figure A3. ATT&CK–D3FEND Mapping-Based Framework for Vicious Trap.

References

1. American Hospital Association. Change Healthcare Cyberattack Underscores Urgent Need to Strengthen Cyber Preparedness for Individual Health Care Organizations and as a Field. 2025. Available online: https://www.aha.org/change-healthcare-cyberattack-underscores-urgent-need-strengthen-cyber-preparedness-individual-health-care-organizations-and (accessed on 20 April 2026).
2. Hong Kong Information Services Department. LCQ9: Combating Frauds Involving Deepfake. 2024. Available online: https://www.info.gov.hk/gia/general/202406/26/P2024062600192.htm (accessed on 12 February 2026).
3. Su, C.; Wang, J.; Wang, X.; Li, Z. Robustness Analysis of Clustered Mine Cyber-Physical System Considering Node Overload and Underload under Cascading Failure. Proc. Inst. Mech. Eng. Part O J. Risk Reliab. 2026.
4. Insurance Business America. Supply Chain Cyber Attacks Surge Over 400%, Expected to Continue Rising. 2025. Available online: https://www.insurancebusinessmag.com/us/news/cyber/supply-chain-cyber-attacks-surge-over-400-expected-to-continue-rising--cowbell-report-525369.aspx (accessed on 2 September 2025).
5. Fortinet FortiGuard Labs. Key Findings from the 2H 2023 Threat Landscape Report. 2024. Available online: https://www.fortinet.com/blog/threat-research/key-findings-2h-2023-fortiguard-labs-threat-report (accessed on 2 September 2025).
6. CI-ISAC (Australia). Threat Intelligence Is Essential for Good Cyber Security. 2024. Available online: https://ci-isac.org.au/threat-intelligence-is-essential-for-good-cyber-security (accessed on 2 September 2025).
7. Yousaf, A.; Zhou, J. From sinking to saving: MITRE ATT&CK and D3FEND frameworks for maritime cybersecurity. Int. J. Inf. Secur. 2024, 23, 1603–1618.
8. Amro, A.; Gkioulos, V. Cyber risk management for autonomous passenger ships using threat-informed defense-in-depth. Int. J. Inf. Secur. 2023, 22, 249–288.
9. Jiang, Y.; Meng, Q.; Shang, F.; Oo, N.; Minh, L.T.H.; Lim, H.W.; Sikdar, B. MITRE ATT&CK Applications in Cybersecurity and The Way Forward. arXiv 2025, arXiv:2502.10825.
10. Yu, Z.; Miao, Q. Cybersecurity Survivability Testing Technology Based on ATT&CK and D3FEND. In Proceedings of the 2025 2nd International Conference on Generative Artificial Intelligence and Information Security (GAIIS ’25), New York, NY, USA, 21–23 February 2025; pp. 272–277.
11. Alam, M.T.; Bhusal, D.; Park, Y.; Rastogi, N. Looking beyond IoCs: Automatically extracting attack patterns from external CTI. In Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), Hong Kong, China, 16–18 October 2023.
12. Ampel, B.; Vahedi, T.; Samtani, S.; Chen, H. Mapping exploit code on paste sites to the MITRE ATT&CK framework: A multi-label transformer approach. In Proceedings of the 2023 IEEE International Conference on Intelligence and Security Informatics (ISI); IEEE: Piscataway, NJ, USA, 2023; pp. 94–99.
13. Joy, A.; Chandane, M.; Nagare, Y.; Kazi, F. Threat Intelligence Extraction Framework (TIEF) for TTP Extraction. J. Cybersecur. Priv. 2025, 5, 63.
14. Liu, J.; Zhan, J. Constructing Knowledge Graph from Cyber Threat Intelligence Using Large Language Model. In Proceedings of the 2023 IEEE International Conference on Big Data (BigData); IEEE: Piscataway, NJ, USA, 2023; pp. 516–521.
15. Cheng, W.; Zhu, T.; Chen, T.; Yuan, Q.; Ying, J.; Li, H.; Xiong, C.; Li, M.; Lv, M.; Chen, Y. CRUcialG: Reconstruct Integrated Attack Scenario Graphs by Cyber Threat Intelligence Reports. IEEE Trans. Dependable Secur. Comput. 2025, 22, 6345–6360.
16. Akbar, K.A.; Halim, S.M.; Hu, Y.; Singhal, A.; Khan, L.; Thuraisingham, B. Knowledge mining in cybersecurity: From attack to defense. In Proceedings of the IFIP Annual Conference on Data and Applications Security and Privacy, Cham, Switzerland, 18–20 July 2022; pp. 3–21.
17. Roh, S.; Kim, T.S. LLM-Based Automated Generation and Tri-Modal Representation of Cyber Attack Scenario. IEEE Access 2025, 13, 146150–146168.
18. Shah, S.; Khoda Parast, F. AI-Driven Cyber Threat Intelligence Automation. arXiv 2024, arXiv:2410.20287.
19. Liu, X.; Liang, J.; Yan, Q.; Ye, M.; Jia, J.; Xi, Z. Cyber Defense Reinvented: Large Language Models as Threat Intelligence Copilots. arXiv 2025, arXiv:2502.20791.
20. Afenu, D.S.; Asiri, M.; Saxena, N. Industrial Control Systems Security Validation Based on MITRE Adversarial Tactics, Techniques, and Common Knowledge Framework. Electronics 2024, 13, 917.
21. Sekonya, N.; Sithungu, S. An Analysis of Critical Cybersecurity Controls for Industrial Control Systems. In Proceedings of the 22nd European Conference on Cyber Warfare and Security (ECCWS); University of Johannesburg, Academic Conferences International Limited: Johannesburg, South Africa, 2023; pp. 459–467.
22. Roy, S.; Panaousis, E.; Noakes, C.; Laszka, A.; Panda, S.; Loukas, G. SoK: The MITRE ATT&CK framework in research and practice. arXiv 2023, arXiv:2304.07411.
23. MITRE. Updates—October 2022 (ATT&CK v12) Release Notes. 2022. Available online: https://attack.mitre.org/resources/updates/updates-october-2022/ (accessed on 2 September 2025).
24. MITRE D3FEND. Model Tactic (d3f:Model). 2025. Available online: https://d3fend.mitre.org/tactic/d3f:Model/ (accessed on 13 September 2025).
25. OpenCTI. OpenCTI Documentation. 2025. Available online: https://docs.opencti.io/latest/ (accessed on 2 September 2025).
26. OpenCTI. OpenCTI Connectors. 2025. Available online: https://docs.opencti.io/latest/deployment/connectors/ (accessed on 2 September 2025).
27. OASIS Open. STIX Version 2.1. 2021. Available online: https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html (accessed on 31 December 2025).
28. RabbitMQ. RabbitMQ Documentation. 2025. Available online: https://www.rabbitmq.com/ (accessed on 13 September 2025).
29. Elastic. Elasticsearch Documentation. 2026. Available online: https://www.elastic.co/docs/reference/elasticsearch (accessed on 13 September 2025).
30. Redis. Redis Documentation. 2026. Available online: https://redis.io/docs/latest/ (accessed on 13 September 2025).
31. MinIO. MinIO (Object Storage) Documentation. 2026. Available online: https://github.com/minio/minio (accessed on 13 September 2025).
32. FIRST. Common Vulnerability Scoring System (CVSS). 2025. Available online: https://www.first.org/cvss/ (accessed on 2 September 2025).
33. FIRST. Exploit Prediction Scoring System (EPSS). 2025. Available online: https://www.first.org/epss/ (accessed on 2 September 2025).
34. Adams, M. AttackGen. GitHub Repository. 2025. Available online: https://github.com/mrwadams/attackgen (accessed on 2 September 2025).
35. Büchel, M.; Paladini, T.; Longari, S.; Carminati, M.; Zanero, S.; Binyamini, H.; Engelberg, G.; Klein, D.; Guizzardi, G.; Caselli, M.; et al. SoK: Automated TTP Extraction from CTI Reports—Are We There Yet? In Proceedings of the 34th USENIX Security Symposium (USENIX Security 2025), Seattle, WA, USA, 13 August 2025; pp. 4621–4641.
36. Shimizu, N.; Hashimoto, M. Vulnerability Management Chaining: An Integrated Framework for Efficient Cybersecurity Risk Prioritization. arXiv 2025, arXiv:2506.01220.
37. Kaloroumakis, P.E.; Smith, M.J. Toward a Knowledge Graph of Cybersecurity Countermeasures. Technical Report, The MITRE Corporation, 2021. Available online: https://d3fend.mitre.org/resources/ (accessed on 13 September 2025).
38. Ouyang, S.; Zhang, J.; Harman, M.; Wang, M. An Empirical Study of the Non-Determinism of ChatGPT in Code Generation. ACM Trans. Softw. Eng. Methodol. 2025, 34, 42.
39. Deutsch, D.; Dror, R.; Roth, D. On the Limitations of Reference-Free Evaluations of Generated Text. arXiv 2022, arXiv:2210.12563.
40. Caglayan, O.; Madhyastha, P.; Specia, L. Curious Case of Language Generation Evaluation Metrics: A Cautionary Tale. In Proceedings of the 28th International Conference on Computational Linguistics, Online, 8–13 December 2020.
41. Laskar, M.T.R.; Alqahtani, S.; Bari, M.S.; Rahman, M.; Khan, M.A.M. A Systematic Survey and Critical Review on Evaluating Large Language Models: Challenges, Limitations, and Recommendations. In Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing, Miami, FL, USA, 12–16 November 2024.
42. Reimers, N.; Gurevych, I. Sentence-BERT: Sentence Embeddings Using Siamese BERT-Networks. arXiv 2019, arXiv:1908.10084.
43. Hadifar, A.; Sterckx, L.; Demeester, T.; Develder, C. A Self-Training Approach for Short Text Clustering. In Proceedings of the 4th Workshop on Representation Learning for NLP (RepL4NLP-2019), Florence, Italy, 2 August 2019; pp. 194–199.
44. Zhang, Z.; Fang, M.; Chen, L.; Namazi-Rad, M.R. Is Neural Topic Modelling Better than Clustering? An Empirical Study on Clustering with Contextual Embeddings for Topics. In Proceedings of the 2022 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Online, 10–15 July 2022.
45. George, L.; Sumathy, P. An integrated clustering and BERT framework for improved topic modeling. Int. J. Inf. Technol. 2023, 15, 2187–2195.
46. Liu, S.; Maljovec, D.; Wang, B.; Bremer, P.T.; Pascucci, V. Visualizing High-Dimensional Data: Advances in the Past Decade. IEEE Trans. Vis. Comput. Graph. 2017, 23, 1249–1268.
47. McInnes, L.; Healy, J.; Melville, J. UMAP: Uniform Manifold Approximation and Projection for Dimension Reduction. arXiv 2018, arXiv:1802.03426.
48. van der Maaten, L. Accelerating t-SNE using tree-based algorithms. J. Mach. Learn. Res. 2014, 15, 3221–3245.
49. Arbelaitz, O.; Gurrutxaga, I.; Muguerza, J.; Pérez, J.M.; Perona, I. An extensive comparative study of cluster validity indices. Pattern Recognit. 2013, 46, 243–256.
50. Rousseeuw, P.J. Silhouettes: A graphical aid to the interpretation and validation of cluster analysis. J. Comput. Appl. Math. 1987, 20, 53–65.
51. Shahapure, K.R.; Nicholas, C. Cluster Quality Analysis Using Silhouette Score. In Proceedings of the 2020 IEEE 7th International Conference on Data Science and Advanced Analytics (DSAA); IEEE: Piscataway, NJ, USA, 2020; pp. 747–748.
52. Shutaywi, M.; Nezamoddini-Kachouie, N. Silhouette Analysis for Performance Evaluation in Machine Learning with Applications to Clustering. Entropy 2021, 23, 759.
53. Kirişci, M. New cosine similarity and distance measures for Fermatean fuzzy sets and TOPSIS approach. Knowl. Inf. Syst. 2023, 65, 855–868.
54. Schubert, E. A triangle inequality for cosine similarity. In Proceedings of the Similarity Search and Applications; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2021; Volume 13058.
55. Wang, J.; Dong, Y. Measurement of Text Similarity: A Survey. Information 2020, 11, 421.
56. Han, S.; Zhao, C.; Meng, W.; Li, C. Cosine similarity based fingerprinting algorithm in WLAN indoor positioning against device diversity. In Proceedings of the 2015 IEEE International Conference on Communications (ICC), London, UK, 8–12 June 2015; pp. 3683–3687.
57. Artetxe, M.; Schwenk, H. Margin-based Parallel Corpus Mining with Multilingual Sentence Embeddings. In Proceedings of the 57th Annual Meeting of the Association for Computational Linguistics, Florence, Italy, 28 July–2 August 2019; pp. 3197–3203.
58. SK Telecom. Response Measures for the SK Telecom USIM Hacking Incident. 2025. Available online: https://skt-hack.wisoft.io/response (accessed on 12 December 2025).
59. MITRE. MITRE ATLAS™. 2026. Available online: https://atlas.mitre.org/ (accessed on 2 January 2026).
60. MITRE ATT&CK. C0034: 2022 Ukraine Attacks on Power Grid. Campaign ID C0034. 2022. Available online: https://attack.mitre.org/campaigns/C0034/ (accessed on 11 January 2026).
61. CISA. Countering Chinese State-Sponsored Actors Compromise of U.S. Telecommunications Infrastructure. Cybersecurity Advisory AA25-239A. 2025. Available online: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a (accessed on 12 January 2026).
62. Sekoia.io. ViciousTrap—Infiltrate, Control, Lure: Turning Edge Devices into Honeypots en Masse. 2025. Available online: https://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse/ (accessed on 12 January 2026).
Figure 1. Overview of the Proposed Framework.
Figure 2. Visualization of the Mapping between ATT&CK Attack Techniques and D3FEND Defensive Techniques.
Figure 3. Overview of the D3FEND Knowledge Structure.
Figure 4. (a) UMAP visualization of 100 GPT-4.5-generated Threat Scenarios. (b) t-SNE visualization of the same 100 Threat Scenarios.
Figure 5. Cosine Silhouette Scores of Clustered Threat Scenarios.
Figure 6. ATT&CK–D3FEND Mapping-Based Framework for SKT Intrusion Incident.
Table 1. Literature review of MITRE-based studies focusing on key characteristics and limitations.

Category | Key Idea | Limitation | Source
Domain-Specific Modeling and ATT&CK–D3FEND-Based Evaluation | Structures ATT&CK-based attack scenarios in the maritime domain and links them to a D3FEND-oriented defense framework | Limited in terms of continuously incorporating emerging threats and conducting broad generalization validation | [7]
 | Presents a cyber risk-management architecture for autonomous passenger ships by integrating the ATT&CK framework with a defense-in-depth strategy | Lacks broad applicability and operational-level quantitative validation owing to its reliance on limited use cases and domain-specific assumptions | [8]
 | Systematically surveys cybersecurity applications of the ATT&CK framework and synthesizes usage patterns and future research directions | Does not provide a concrete automated pipeline, operational validation, or domain-specific empirical comparisons | [9]
 | Proposes an ATT&CK–D3FEND-based survivability testing technique and presents a test-oriented methodology for evaluating system-response capabilities against cyber attacks | Remains limited in integrating CTI-driven up-to-date threat reflection, scenario generation, and defense mapping into an operational workflow | [10]
Unstructured CTI-Based TTP Extraction and Attack-Scenario Structuring | Extracts text-based attack patterns from unstructured CTI reports at scale and maps them to the ATT&CK framework to address the limitations of IoC-centric detection | Relatively limited in direct linkage to D3FEND defensive techniques and response design | [11]
 | Proposes a transformer-based approach that analyzes exploit code from public paste sites and maps it to ATT&CK TTPs in a multilabel manner | Limited in CTI narrative-based scenario construction and D3FEND-oriented defense linkage | [12]
 | Presents a DistilBERT-based TIEF framework that extracts TTPs from threat intelligence and structures them through multilabel classification | Requires further extension for direct mapping to defensive techniques and operational automation | [13]
 | Proposes a method for constructing a knowledge graph by extracting entities and relations from CTI text using LLMs | Requires additional design to ensure consistent alignment with standardized frameworks | [14]
 | Proposes a framework for reconstructing integrated attack-scenario graphs from CTI reports, representing attack stages and their relationships in graph form | Further validation is required regarding relation inference errors and generalization under domain expansion | [15]
LLM/NLP-Based Scenario Generation and ATT&CK–D3FEND Quality Evaluation | Reduces manual ATT&CK–D3FEND mapping efforts and automatically recommends defense candidates through RoBERTa-based semantic similarity and relation inference | Its scope remains limited with respect to integrated scenario-level operation | [16]
 | Proposes automated LLM-based cyber-attack scenario generation together with trimodal representations in text, graph, and mathematical forms | Limited in reflecting the latest CTI and emerging threats because it relies on publicly available cyber-incident reports | [17]
 | Presents an AI-driven direction for automating cyber-threat intelligence-analysis tasks using LLMs | Model dependence, reproducibility, and quantitative evaluation remain limited, and consistent framework-based alignment remains challenging | [18]
 | Presents an LLM-based threat-intelligence copilot framework that supports the overall threat-management lifecycle | Automation from CTI collection to scenario generation, mapping, and validation requires further refinement | [19]
Table 2. Mapping of TTPs in the SKT Intrusion Incident to ATT&CK IDs.

Case | Tactic | Technique | ATT&CK ID
SKT Intrusion Incident | Initial Access | Spearphishing Link | T1566.002
 | Initial Access | Valid Accounts | T1078
 | Initial Access | Exploit Public-Facing Application | T1190
 | Execution | Command and Scripting Interpreter | T1059.004
 | Command and Control | Multi-hop Proxy | T1090.003
 | Command and Control | Port Knocking | T1205.001
 | Defense Evasion | Masquerading | T1036
 | Defense Evasion | Clear Command History | T1070.003
 | Lateral Movement | Remote Services | T1021
Table 3. Risk Analysis of Techniques in the SKT Intrusion Incident Based on CVSS and EPSS.

Case | TID | CVSS (base score) | EPSS (probability)
SKT Intrusion Incident | T1190 | 9.8 | 0.73531
 | T1036 | 10 | 0.94381
 | T1078 | 10 | 0.94335
Table 4. D3FEND Mapping of Post-Incident Mitigation Measures of SKT.

D3FEND Tactic | D3FEND Technique Name | D3FEND TID
Harden | Credential Hardening | D3-CH
 | Strong Password Policy | D3-SPP
 | Multi-factor Authentication | D3-MFA
 | File Encryption | D3-FE
 | Local File Permissions | D3-LFP
 | Credential Rotation | D3-CRO
 | Disk Encryption | D3-DENCR
 | Software Update | D3-SU
 | Platform Hardening | D3-PH
Model | Asset Inventory | D3-AI
 | Asset Vulnerability Enumeration | D3-AVE
 | Network Vulnerability Assessment | D3-NVA
 | Network Traffic Policy Mapping | D3-NTPM
Detect | Network Traffic Analysis | D3-NTA
 | Administrative Network Activity Analysis | D3-ANAA
Isolate | Network Isolation | D3-NI
 | Network Traffic Filtering | D3-NTF
 | Encrypted Tunnels | D3-ET
 | Execution Isolation | D3-EI
 | Executable Allowlisting | D3-EAL
 | Executable Denylisting | D3-EDL
 | Access Mediation | D3-AMED
 | Access Policy Administration | D3-APA
Table 5. Additional D3FEND Tactics and Techniques Referenced in the SKT Case Study.
D3FEND Tactic | D3FEND Technique Name | D3FEND TID
Model | Operational Activity Mapping | D3-OAM
 | Access Modeling | D3-AM
Detect | Connection Attempt Analysis | D3-CAA
 | Remote Terminal Session Detection | D3-RTSD
 | Protocol Metadata Anomaly Detection | D3-PMAD
 | Per Host Download–Upload Ratio Analysis | D3-PHDURA
 | Domain Account Monitoring | D3-DAM
 | Local Account Monitoring | D3-LAM
 | User Behavior Analysis | D3-UBA
 | User Geolocation Logon Pattern Analysis | D3-UGLPA
Isolate | Network Resource Access Mediation | D3-NRAM
 | Remote File Access Mediation | D3-RFAM
Deceive | Decoy File | D3-DF
Restore | Restore Object | D3-RO
 | Restore File | D3-RF
Share and Cite
Jo, R.; Lee, H.-B.; Han, J.; Jung, W.-K.; Lee, J.-Y.; Kang, T.-Y.; Kim, Y.; Kwak, B.I.; Han, M.L.; Kang, J. Proactive Cyber Defense: A Real-Time CTI Framework with ATT&CK–D3FEND Mapping. Systems 2026, 14, 575. https://doi.org/10.3390/systems14050575