Leveraging LLMs to Generate Threat Profiles

Master Thesis (2026)
Author(s)

S.A. Lopulalan (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

H.J. Griffioen – Mentor (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Y. Song – Mentor (TU Delft - Electrical Engineering, Mathematics and Computer Science)

M.A. Migut – Graduation committee member (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Faculty
Electrical Engineering, Mathematics and Computer Science
Publication Year
2026
Language
English
Graduation Date
29-06-2026
Awarding Institution
Delft University of Technology
Programme
Computer Science
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract


The heavy reliance on digital infrastructure introduces many risks for organizations. Therefore, it is key to understand which threats are more relevant in a rapidly changing threat landscape. This is especially important for financial institutions, which are attractive targets for cyber attacks and operate under strict regulatory requirements. Threat profiles can help organizations understand who may attack them, why they may be targeted, how attacks may occur, and what the potential consequences could be. However, creating threat profiles is a labor-intensive process that requires collecting, analyzing, interpreting, and prioritizing threat information.

This thesis investigates how Large Language Models (LLMs) can support the development of threat profiles for a financial institution, and how the threat profiles can be validated. Existing research has explored threat profiling, threat intelligence, LLMs, and prompt engineering separately, and recent work has shown that threat intelligence can enrich threat modeling. However, less attention has been given to how structured threat intelligence can be used by LLMs to generate threat profiles for organizations.

To address this gap, a threat-centric profiling framework was developed based on existing threat modeling frameworks. The framework consists of four components: Threat Actor, \MI, Threat Events, and Consequences. This framework was used to guide an iterative prompt engineering process and to evaluate generated threat profiles using a structured evaluation rubric. A custom GPT was also developed and enriched with filtered and normalized threat intelligence from MISP. The generated profiles were validated through a technical validation using aggregated security monitoring data and an expert-based validation with three cybersecurity experts.

The results show that LLMs can support several steps in the threat profiling process, including analyzing information, mapping it to a framework, prioritizing threats, and generating coherent threat profiles. Prompt design had the strongest effect on the quality of the generated profiles, while threat intelligence made the profiles more concrete and actionable. The validation showed that technical monitoring data alone is not sufficient to validate all threat profile components, as claims about threat actors, motivations, and consequences often require additional evidence or expert interpretation. Overall, LLMs can reduce manual effort and make threat profiling more manageable, but the generated profiles must still be reviewed and validated by analysts before being used for decision-making.

Files

Thesis-7.pdf
(pdf | 3.7 Mb)
License info not available