Security Operations Center (SoC) analysts gather threat reports from openly accessible global threat repositories and tailor the information to their organization’s needs, such as developing threat intelligence and security policies. They also depend on organizational internal
repositories, which act as private local knowledge database. These local
knowledge databases store credible cyber intelligence, critical operational
and infrastructure details. SoCs undertake a manual labor-intensive task
of utilizing these global threat repositories and local knowledge databases
to create both organization-specific threat intelligence and mitigation
policies. Recently, Large Language Models (LLMs) have shown the capability to process diverse knowledge sources efficiently. We leverage this
ability to automate this organization-specific threat intelligence generation. We present LocalIntel, a novel automated threat intelligence
contextualization framework that retrieves zero-day vulnerability reports
from the global threat repositories and uses its local knowledge database
to determine implications and mitigation strategies to alert and assist
the SoC analyst. LocalIntel comprises two key phases: knowledge retrieval and contextualization. Quantitative and qualitative assessment
has shown effectiveness in generating up to 93% accurate organizational
threat intelligence with 64% inter-rater agreement.
