LOCALINTEL: Generating Organizational Threat Intelligence from Global and Local Cyber Knowledge

TL;DR

This paper tackles the challenge of turning generic global threat intelligence into organization-specific, actionable CTI for Security Operations Centers. It introduces LocalIntel, a two-phase framework that retrieves global CTI and local organizational knowledge and uses a Large Language Model to contextualize the information into a final completion $\mathcal{C}$ tailored to an organization's environment. The architecture comprises a Global Threat Repository $\mathcal{G}$, a Local Knowledge Database $\mathcal{L}$, an Agent, Tools, and an LLM, with a retrieval phase to gather relevant knowledge and a generation phase to produce contextualized CTI that includes implications and mitigations. Experimental results across 58 scenarios show high alignment with SME ground truths (RAGAs similarity around $92\%$ and G-EVAL correctness around $78\%$) and substantial inter-rater agreement (Fleiss Kappa ≈ $0.65$), supporting the feasibility of automated, on-premises CTI generation. The framework reduces manual effort, enables real-time policy adaptation, and is modular for integration with varied data sources and future enhancements such as knowledge graphs and fine-tuned LLMs.

Abstract

Security Operations Center (SoC) analysts gather threat reports from openly accessible global threat repositories and tailor the information to their organization's needs, such as developing threat intelligence and security policies. They also depend on organizational internal repositories, which act as private local knowledge database. These local knowledge databases store credible cyber intelligence, critical operational and infrastructure details. SoCs undertake a manual labor-intensive task of utilizing these global threat repositories and local knowledge databases to create both organization-specific threat intelligence and mitigation policies. Recently, Large Language Models (LLMs) have shown the capability to process diverse knowledge sources efficiently. We leverage this ability to automate this organization-specific threat intelligence generation. We present LocalIntel, a novel automated threat intelligence contextualization framework that retrieves zero-day vulnerability reports from the global threat repositories and uses its local knowledge database to determine implications and mitigation strategies to alert and assist the SoC analyst. LocalIntel comprises two key phases: knowledge retrieval and contextualization. Quantitative and qualitative assessment has shown effectiveness in generating up to 93% accurate organizational threat intelligence with 64% inter-rater agreement.

Figures (4)

• Figure 1: Overview of our LocalIntel framework with an example use case.
• Figure 2: LocalIntel data-flow diagram. The zero-day vulnerability triggers the system to retrieve information from global $\mathcal{G}\xspace_i$ and local $\mathcal{L}\xspace_i$ knowledge sources and then contextualizes the results, producing a final output Completion $\mathcal{C}\xspace$.
• Figure 3: LocalIntel framework module interaction in the two phases: knowledge retrieval, and contextualized threat intelligence generation. Processes are numbered in ascending execution order following the data-flow diagram (Fig. \ref{['Fig:process_flow']}).
• Figure 4: Evaluation box-plot for Completion $\mathcal{C}\xspace$ with respect to ground truth.