The Procedural Semantics Gap in Structured CTI: A Measurement-Driven STIX Analysis for APT Emulation

TL;DR

This paper investigates the limitations of current structured cyber threat intelligence standards, revealing a semantic gap that hampers automated adversary emulation, and proposes a methodology to bridge this gap using executable steps.

Contribution

It introduces a measurement-driven analysis of STIX and ATT&CK, identifying the semantic gap and demonstrating a methodology to enable multi-stage adversary emulation.

Findings

Only 35.6% of techniques appear in campaigns.

Structured CTI lacks procedural semantics like order and preconditions.

The methodology enables emulation in the MITRE Caldera framework.

Abstract

Cyber threat intelligence (CTI) encoded in STIX and structured according to the MITRE ATT&CK framework has become a global reference for describing adversary behavior. However, ATT&CK was designed as a descriptive knowledge base rather than a procedural model. We therefore ask whether its structured artifacts contain sufficient behavioral detail to support multi-stage adversary emulation. Through systematic measurements of the ATT&CK Enterprise bundle, we show that campaign objects encode just fragmented slices of behavior. Only 35.6% of techniques appear in at least one campaign, and neither clustering nor sequence analysis reveals any reusable behavioral structure under technique overlap or LCS-based analyses. Intrusion sets cover a broader portion of the technique space, yet omit the procedural semantics required to transform behavioral knowledge into executable chains, including ordering, preconditions, and environmental assumptions. These findings reveal a procedural semantic gap in current CTI standards: they describe what adversaries do, but not exactly how that behavior was operationalized. To assess how far this gap can be bridged in practice, we introduce a three-stage methodology that translates behavioral information from structured CTI into executable steps and makes the necessary environmental assumptions explicit. We demonstrate its viability by instantiating the resulting steps as operations in the MITRE Caldera framework. Case studies of ShadowRay and Soft Cell show that structured CTI can enable the emulation of multi-stage APT campaigns, but only when analyst-supplied parameters and assumptions are explicitly recorded. This, in turn, exposes the precise points at which current standards fail to support automation. Our results clarify the boundary between descriptive and machine-actionable CTI for adversary emulation.