In recent years, the cyber threat intelligence (CTI) community has invested significant effort in building knowledge bases that catalog threat groups. These knowledge bases associate each threat group with its observed behaviors, including its Tactics, Techniques, and Procedures (TTPs) as well as the malware and tools it employs during attacks. However, the distinctiveness and completeness of such behavioral profiles remain largely unexplored, despite being critical for tasks such as threat group attribution. In this work, we systematically analyze threat group profiles built from two public CTI knowledge bases: MITRE ATT&CK and Malpedia. We first investigate what fraction of threat groups have group-specific behaviors, i.e., behaviors used exclusively by a single group. We find that only 34% of threat groups in ATT&CK have group-specific techniques, limiting the use of techniques as reliable behavioral signatures to identify the threat group behind an attack. The software used by a threat group proves to be more distinctive, with 73% of ATT&CK groups using group-specific software. However, this percentage drops to 24% in the broader Malpedia dataset. Next, we evaluate how group profiles improve when data from both sources are combined. While coverage improves modestly, the proportion of groups with group-specific behaviors remains under 30%. We then enhance profiles by adding exploited vulnerabilities and additional techniques extracted from threat reports. Despite the additional information, 64% of groups still lack any group-specific behavior. Our findings raise concerns about the specificity of existing behavioral profiles and highlight the need for caution, as well as further improvement, when using them for threat group attribution.
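The measurement the abstract describes, as an added example that is not the paper's own code: a behavior is group-specific when exactly one group uses it, the metric is the fraction of groups with at least one such behavior, and combining sources is a per-group union. The group names, technique IDs and tool names below are constructed sample data, not values from ATT&CK or Malpedia; the example also shows how merging a second source can raise coverage while lowering the fraction of groups with a distinctive profile.

```python
from collections import defaultdict

# Constructed sample profiles: group -> set of observed behaviors.
# Technique IDs and tool names are illustrative, not real catalog entries.
ATTACK_TECHNIQUES = {
    "GroupA": {"T1566", "T1059", "T1021"},
    "GroupB": {"T1566", "T1059"},
    "GroupC": {"T1566", "T1003", "T1059"},
}
ATTACK_SOFTWARE = {
    "GroupA": {"ToolX"},
    "GroupB": {"ToolX", "ToolY"},
    "GroupC": {"ToolZ"},
}
MALPEDIA_SOFTWARE = {
    "GroupA": {"ToolX", "ToolW"},
    "GroupC": {"ToolZ"},
    "GroupD": {"ToolZ"},
}


def group_specific(profiles):
    """Return {group: behaviors used by that group and by no other group}."""
    users = defaultdict(set)          # behavior -> set of groups using it
    for group, behaviors in profiles.items():
        for b in behaviors:
            users[b].add(group)
    return {g: {b for b in bs if len(users[b]) == 1} for g, bs in profiles.items()}


def fraction_with_specific(profiles):
    """Fraction of groups that have at least one group-specific behavior."""
    specific = group_specific(profiles)
    return sum(1 for s in specific.values() if s) / len(profiles)


def merge(*sources):
    """Combine profiles from several sources by per-group union of behaviors."""
    merged = defaultdict(set)
    for src in sources:
        for g, bs in src.items():
            merged[g] |= bs
    return dict(merged)


if __name__ == "__main__":
    for name, prof in [("ATT&CK techniques", ATTACK_TECHNIQUES),
                       ("ATT&CK software", ATTACK_SOFTWARE),
                       ("Malpedia software", MALPEDIA_SOFTWARE),
                       ("merged software", merge(ATTACK_SOFTWARE, MALPEDIA_SOFTWARE))]:
        print(f"{name}: {len(prof)} groups, "
              f"{fraction_with_specific(prof):.0%} with group-specific behavior")
```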