Context: Cybersecurity vendors often publish cyber threat intelligence (CTI) reports, that is, written artifacts presenting technical and forensic analysis of the techniques used by malware in APT attacks. Objective: The goal of this research is to inform cybersecurity practitioners about how adversaries form cyberattacks, through an analysis of the adversarial techniques documented in CTI reports. Dataset: We use the 594 adversarial techniques cataloged in MITRE ATT&CK. We systematically construct a set of 667 CTI reports that MITRE ATT&CK cites in the descriptions of the cataloged adversarial techniques. Methodology: We analyze the frequency and trend of adversarial techniques, followed by a qualitative analysis of how the techniques are implemented. Next, we perform association rule mining to identify pairs of techniques that recur in APT attacks. We then perform a qualitative analysis to identify the underlying relations among the techniques in the recurring pairs. Findings: The set of 667 CTI reports documents 10,370 techniques in total, and we identify 19 prevalent techniques accounting for 37.3% of the documented techniques. We also identify 425 statistically significant recurring pairs and seven types of relations among the techniques in these pairs. The top three of the seven relationships suggest that techniques used by malware inter-relate with one another in terms of (a) abusing or affecting the same system assets, (b) executing in sequence, and (c) overlapping in their implementations. Overall, the study quantifies how adversaries leverage techniques through malware in APT attacks, based on publicly reported documents. We advocate that organizations prioritize their defense against the identified prevalent techniques and actively hunt for potential malicious intrusions based on the identified pairs of techniques.
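The methodology above (frequency analysis of techniques, then association rule mining over reports to find recurring, statistically significant technique pairs) can be reproduced in miniature. The following is an added example written for this page; it is not the authors' code and does not use their 667-report dataset. The eight "reports" are constructed for illustration, each reduced to the set of ATT&CK technique IDs it documents (the IDs are real ATT&CK identifiers used only as labels). Support, confidence and lift are the standard association-rule measures; the chi-square test on a 2x2 contingency table is an assumed choice of significance test, since the abstract does not name the one the authors used.

```python
"""Added example: technique frequency and association-rule mining over a
constructed set of CTI reports (not the paper's data or code)."""
from collections import Counter
from itertools import combinations

# Constructed sample: report name -> set of ATT&CK technique IDs it documents.
REPORTS = {
    "report-A": {"T1566", "T1059", "T1027", "T1071", "T1105"},
    "report-B": {"T1566", "T1059", "T1027", "T1082"},
    "report-C": {"T1059", "T1027", "T1071", "T1547"},
    "report-D": {"T1105", "T1071", "T1082"},
    "report-E": {"T1566", "T1059", "T1027", "T1105"},
    "report-F": {"T1547", "T1082", "T1071"},
    "report-G": {"T1059", "T1027", "T1547", "T1071"},
    "report-H": {"T1566", "T1105", "T1082"},
}


def technique_frequency(reports):
    """Count how many reports document each technique (one count per report)."""
    return Counter(t for techs in reports.values() for t in techs)


def prevalent_techniques(reports, top_n):
    """Top-N techniques and the share of all documented techniques they cover."""
    freq = technique_frequency(reports)
    total = sum(freq.values())
    top = freq.most_common(top_n)
    return top, sum(c for _, c in top) / total


def pair_counts(reports):
    """Number of reports in which each unordered technique pair co-occurs."""
    pairs = Counter()
    for techs in reports.values():
        for a, b in combinations(sorted(techs), 2):
            pairs[(a, b)] += 1
    return pairs


def association_rules(reports, min_support=2, min_lift=1.0):
    """Directed rules A -> B with support, confidence and lift.

    support    = number of reports containing both A and B
    confidence = P(B | A) = support / count(A)
    lift       = confidence / P(B); lift > 1 means B appears with A more
                 often than its base rate across reports would predict.
    """
    n = len(reports)
    freq = technique_frequency(reports)
    rules = []
    for (a, b), both in pair_counts(reports).items():
        if both < min_support:
            continue
        for ante, cons in ((a, b), (b, a)):
            confidence = both / freq[ante]
            lift = confidence / (freq[cons] / n)
            if lift >= min_lift:
                rules.append({"antecedent": ante, "consequent": cons,
                              "support": both, "confidence": confidence,
                              "lift": lift})
    rules.sort(key=lambda r: (-r["lift"], -r["support"],
                              r["antecedent"], r["consequent"]))
    return rules


def chi_square(reports, a, b):
    """Chi-square statistic (1 d.o.f., no continuity correction) for the 2x2
    table of reports by presence/absence of techniques a and b.
    Values above 3.841 reject independence at the 5% level."""
    n = len(reports)
    both = sum(1 for t in reports.values() if a in t and b in t)
    a_only = sum(1 for t in reports.values() if a in t and b not in t)
    b_only = sum(1 for t in reports.values() if b in t and a not in t)
    neither = n - both - a_only - b_only
    denom = (both + a_only) * (b_only + neither) * (both + b_only) * (a_only + neither)
    if denom == 0:
        return 0.0
    return n * (both * neither - a_only * b_only) ** 2 / denom


def significant_pairs(reports, min_support=2, threshold=3.841):
    """Co-occurring pairs whose chi-square statistic exceeds the threshold."""
    out = []
    for (a, b), both in pair_counts(reports).items():
        if both >= min_support:
            stat = chi_square(reports, a, b)
            if stat > threshold:
                out.append((a, b, both, stat))
    return sorted(out, key=lambda x: -x[3])


if __name__ == "__main__":
    top, share = prevalent_techniques(REPORTS, 3)
    print("top techniques:", top, f"share={share:.1%}")
    for r in association_rules(REPORTS)[:5]:
        print(f"{r['antecedent']} -> {r['consequent']}: support={r['support']} "
              f"conf={r['confidence']:.2f} lift={r['lift']:.2f}")
    for a, b, both, stat in significant_pairs(REPORTS):
        print(f"significant pair {a},{b}: {both} reports, chi2={stat:.2f}")
```

On this constructed set the only pair that passes the 5% chi-square threshold is T1027/T1059 (obfuscation alongside a scripting interpreter), which co-occur in every report that mentions either; pairs such as T1566/T1105 co-occur often but not beyond what their individual base rates predict. A defender applying the same procedure to real reports would use the significant pairs as hunting hypotheses: evidence of one technique raises the prior for its partner.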