Kitten or Panda? Measuring the Specificity of Threat Group Behaviors in Public CTI Knowledge Bases

TL;DR

This study evaluates the uniqueness of threat group behaviors in public CTI knowledge bases, revealing limited group-specific signatures and highlighting challenges in threat attribution accuracy.

Contribution

It systematically analyzes threat group profiles from MITRE ATT&CK and Malpedia, assessing their specificity and proposing insights for improving threat attribution methods.

Findings

Only 34% of groups have group-specific techniques.

73% of groups use group-specific software in ATT&CK.

Over 60% of groups lack any group-specific behavior even after data enhancement.

Abstract

In recent years, the cyber threat intelligence (CTI) community has invested significant effort in building knowledge bases that catalog threat groups. These knowledge bases associate each threat group with its observed behaviors, including their Tactics, Techniques, and Procedures (TTPs) as well as the malware and tools they employ during attacks. However, the distinctiveness and completeness of such behavioral profiles remain largely unexplored, despite being critical for tasks such as threat group attribution. In this work, we systematically analyze threat group profiles built from two public CTI knowledge bases: MITRE ATT&CK and Malpedia. We first investigate what fraction of threat groups have group-specific behaviors, i.e., behaviors used exclusively by a single group. We find that only 34% of threat groups in ATT&CK have group-specific techniques, limiting the use of techniques as reliable behavioral signatures to identify the threat group behind an attack. The software used by a threat group proves to be more distinctive, with 73% of ATT&CK groups using group-specific software. However, this percentage drops to 24% in the broader Malpedia dataset. Next, we evaluate how group profiles improve when data from both sources are combined. While coverage improves modestly, the proportion of groups with group-specific behaviors remains under 30%. We then enhance profiles by adding exploited vulnerabilities and additional techniques extracted from threat reports. Despite the additional information, 64% of groups still lack any group-specific behavior. Our findings raise concerns about the specificity of existing behavioral profiles and highlight the need for caution, as well as further improvement, when using them for threat group attribution.