Advanced Persistent Threat (APT) attribution today relies mainly on time-consuming manual processes: mapping incident artifacts onto threat attribution frameworks and applying expert reasoning to identify the APT group most likely responsible. This research aims to assist the threat analyst in that process by presenting an attribution method named CAPTAIN (Comprehensive Advanced Persistent Threat AttrIbutioN). This novel APT attribution approach leverages the Tactics, Techniques, and Procedures (TTPs) that APT groups have employed in past attacks. CAPTAIN has two main development steps: baseline establishment and a similarity measure for attack-pattern matching. The method starts by maintaining a database of the TTPs each APT has used in past attacks as that group's baseline behaviour. Attribution exploits the contextual information carried by TTP sequences, which reflect the order in which a threat actor's behaviours appeared across kill-chain stages during an attack; it then compares the TTPs observed in a new incident with the established baseline to identify the most closely matching threat group. CAPTAIN introduces a novel similarity measure for APT attack-pattern matching that computes the similarity between TTP sequences, and it outperforms traditional similarity measures such as Cosine, Euclidean, and Longest Common Subsequence (LCS) at attribution. Overall, CAPTAIN attributes attacks with a precision of 61.36% (top-1) and 69.98% (top-2), surpassing existing state-of-the-art attribution methods.
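As an added illustration of the baseline-and-similarity scheme the abstract describes (example code written for this page, not CAPTAIN's own implementation; the abstract does not specify CAPTAIN's similarity measure, so the block uses two of the traditional measures it names, LCS over ordered TTP sequences and cosine over order-blind TTP counts), the following script keeps a per-group TTP baseline, ranks candidate groups for an observed incident sequence, and reports top-k precision over held-out cases. Group names, baseline sequences and incidents are constructed sample data; the identifiers follow the MITRE ATT&CK technique-ID format but describe no real intrusion. The permuted pair GroupC/GroupD shows why sequence order matters: cosine cannot separate them, LCS can.

```python
"""Added example: TTP-sequence attribution against a baseline (not CAPTAIN's code)."""
from collections import Counter
from math import sqrt

# Constructed baseline: for each hypothetical group, the TTP sequences seen in
# past incidents, ordered by the kill-chain stage at which each TTP appeared.
# GroupD is GroupC's TTP set in a different order, to show that order carries signal.
BASELINE = {
    "GroupA": [
        ["T1566.001", "T1204.002", "T1059.001", "T1547.001", "T1071.001", "T1041"],
        ["T1566.001", "T1204.002", "T1059.001", "T1053.005", "T1071.001"],
    ],
    "GroupB": [
        ["T1190", "T1505.003", "T1059.003", "T1003.001", "T1021.002", "T1486"],
        ["T1190", "T1505.003", "T1003.001", "T1021.002", "T1486"],
    ],
    "GroupC": [["T1078", "T1021.001", "T1059.001", "T1003.001", "T1041"]],
    "GroupD": [["T1078", "T1003.001", "T1059.001", "T1021.001", "T1041"]],
}


def lcs_length(a, b):
    """Classic dynamic-programming longest common subsequence over TTP IDs (order matters)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def lcs_similarity(a, b):
    """LCS normalised by the longer sequence, so short baselines cannot win by default."""
    if not a or not b:
        return 0.0
    return lcs_length(a, b) / max(len(a), len(b))


def cosine_similarity(a, b):
    """Order-blind measure: cosine between TTP count vectors."""
    ca, cb = Counter(a), Counter(b)
    dot = sum(ca[t] * cb[t] for t in ca.keys() & cb.keys())
    na = sqrt(sum(v * v for v in ca.values()))
    nb = sqrt(sum(v * v for v in cb.values()))
    return dot / (na * nb) if na and nb else 0.0


def attribute(observed, baseline=BASELINE, measure=lcs_similarity):
    """Score each group by its best-matching baseline sequence and rank high to low.

    Ties are broken alphabetically so the ranking is deterministic."""
    scores = {g: max(measure(observed, seq) for seq in seqs) for g, seqs in baseline.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def top_k_precision(cases, k, measure=lcs_similarity):
    """Fraction of labelled (true_group, observed_ttps) cases whose true group is in the top k."""
    hits = 0
    for truth, observed in cases:
        ranked = [g for g, _ in attribute(observed, measure=measure)[:k]]
        hits += truth in ranked
    return hits / len(cases)


# Constructed held-out incidents with known attribution (partial TTP observations,
# as an analyst would have mid-investigation).
TEST_CASES = [
    ("GroupA", ["T1566.001", "T1059.001", "T1547.001", "T1071.001"]),
    ("GroupB", ["T1190", "T1505.003", "T1003.001", "T1486"]),
    ("GroupC", ["T1078", "T1021.001", "T1003.001"]),
    ("GroupB", ["T1505.003", "T1059.003", "T1021.002"]),
    ("GroupC", ["T1078", "T1021.001", "T1059.001", "T1003.001"]),
]

if __name__ == "__main__":
    for truth, observed in TEST_CASES:
        print(truth, attribute(observed)[:2])
    for name, m in (("LCS", lcs_similarity), ("cosine", cosine_similarity)):
        print(name, "top-1:", top_k_precision(TEST_CASES, 1, m),
              "top-2:", top_k_precision(TEST_CASES, 2, m))
```

Scoring each group by its best-matching past sequence (rather than by an averaged profile) keeps a group with diverse campaigns from being diluted; the trade-off is that a single partial overlap can pull an unrelated group into the top-k, which is why the abstract's top-2 figure is worth reporting beside top-1.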