Abstract

Given the perniciousness of the threats posed by state-sponsored advanced persistent threats (APTs), attributing attacks to the responsible cyber threat actors (CTAs) is of paramount importance for deterring APT cyber-attacks. As state-sponsored APT groups have been especially active in the past decade, recent studies have attempted to establish attribution from the limited information available about these groups. Various government agencies and SOC vendors have used Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) to collect intelligence on the adversaries, to no avail. Recently, MITRE's ATT&CK® framework has been widely adopted for collecting and documenting the TTPs of the various CTAs. This paper presents Automated Reclassification for Threat Actors (ART), which quantitatively compares the TTPs of different APT groups. ART crawls cyber threat reports and retrieves the ATT&CK matrix of each APT group. It then vectorizes the ATT&CK matrix and computes the cosine similarity between groups. By re-examining the various aliases of the CTAs against the ATT&CK framework, we believe that ART can help classify the indiscriminately established APT groups.
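The vectorize-and-compare step the abstract describes, as an added example that is not the paper's own code: each actor's set of ATT&CK technique IDs becomes a binary vector over the union of IDs, cosine similarity is computed pairwise, and pairs above a threshold are flagged as alias candidates. The actor names, their technique mappings, and the 0.8 threshold are constructed assumptions for illustration; only the technique IDs are real ATT&CK identifiers.

```python
from math import sqrt

# Constructed sample (not from the paper): ATT&CK technique IDs observed for
# several hypothetical actor names. "ActorA" and "ActorA-alias" are meant to be
# the same group reported under two vendor names, the situation ART looks for.
ACTOR_TECHNIQUES = {
    "ActorA":       {"T1566", "T1059", "T1027", "T1105", "T1071", "T1003"},
    "ActorA-alias": {"T1566", "T1059", "T1027", "T1105", "T1071", "T1021"},
    "ActorB":       {"T1078", "T1021", "T1003", "T1190", "T1048"},
    "ActorC":       {"T1566", "T1204", "T1059", "T1547", "T1071", "T1041"},
}

def vectorize(actors):
    """Map each actor's technique set to a 0/1 vector over the sorted union of
    all technique IDs, so every actor is described on the same axes."""
    axes = sorted(set().union(*actors.values()))
    vectors = {name: [1 if t in techs else 0 for t in axes]
               for name, techs in actors.items()}
    return axes, vectors

def cosine(u, v):
    """Cosine similarity of two equal-length vectors; 0.0 if either is empty."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = sqrt(sum(a * a for a in u)) * sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0

def similarity_matrix(actors):
    """Pairwise cosine similarity between all actors' TTP vectors."""
    _, vectors = vectorize(actors)
    names = list(vectors)
    return {a: {b: cosine(vectors[a], vectors[b]) for b in names} for a in names}

def likely_aliases(actors, threshold=0.8):
    """Actor pairs whose TTP vectors are at least `threshold` similar: candidates
    for being one group under different names. Threshold is an assumed value."""
    sim = similarity_matrix(actors)
    names = list(actors)
    return sorted((a, b, round(sim[a][b], 3))
                  for i, a in enumerate(names) for b in names[i + 1:]
                  if sim[a][b] >= threshold)

if __name__ == "__main__":
    for a, b, score in likely_aliases(ACTOR_TECHNIQUES):
        print(f"{a} ~ {b}: cosine similarity {score}")
```

A binary vector treats every technique as equally weighted; a practitioner comparing real groups would want to account for very common techniques (e.g. phishing), which inflate similarity between unrelated actors.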
