Advanced Persistent Threats (APTs) represent one of the most complex and persistent challenges in cybersecurity, posing significant risks to organizations, governments, and society at large. This dissertation investigates the evolving landscape of APTs by examining their behavioral patterns and the challenges associated with their attribution. First, through interviews with security practitioners, we identify a nuanced, three-layer approach to analyzing APT campaigns, emphasizing the importance of understanding attacker Tactics, Techniques, and Procedures (TTPs) over direct group attribution. We also highlight the operational and collaborative challenges analysts face in real-world environments. Second, we introduce ADAPT, a machine learning-based framework designed to automate APT attribution. ADAPT focuses on clustering heterogeneous file artifacts—documents and binaries—commonly used in APT campaigns. Third, given the limited research on document-based attack vectors, we conduct a large-scale measurement study of over 9,000 document malware samples from both targeted and widespread attacks. Our analysis identifies prevalent attacker tactics and exposes fundamental limitations in current document analysis techniques, informing both the design of ADAPT and broader malware detection research. Finally, we explore the complementary dimension of cyber threat intelligence and its role in APT attribution. We analyze threat group behavioral profiles (TTPs and tooling) derived from platforms such as MITRE ATT&CK and Malpedia, and find that most groups lack distinctive behavioral signatures, challenging the reliability of behavior-based attribution based solely on threat intelligence. Collectively, this work advances understanding of APT operations, delivers actionable tools for practitioners, and highlights the need for attribution approaches that are resilient to incomplete intelligence and aligned with real-world analyst workflows.
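The abstract's final finding, that most threat groups lack distinctive behavioral signatures and that behavior-only attribution is therefore unreliable, can be made concrete with a small distinctiveness check over TTP profiles. The following is an added example, not code from the dissertation or from ADAPT: the group names (GROUP-A to GROUP-D) and their technique assignments are constructed for illustration, the technique IDs follow the MITRE ATT&CK numbering scheme but the profiles are not taken from any real report, and Jaccard set similarity is assumed here as the profile-comparison measure (the abstract does not state which measure the study used).

```python
from collections import Counter

# Constructed TTP profiles: one set of ATT&CK technique IDs per hypothetical group.
# Group names and assignments are invented for this example (assumption), not
# derived from MITRE ATT&CK, Malpedia or the dissertation's data.
PROFILES = {
    "GROUP-A": {"T1566.001", "T1204.002", "T1059.001", "T1071.001", "T1027", "T1105"},
    "GROUP-B": {"T1566.001", "T1204.002", "T1059.001", "T1071.001", "T1027", "T1053.005"},
    "GROUP-C": {"T1566.002", "T1059.003", "T1071.001", "T1027", "T1105", "T1547.001"},
    "GROUP-D": {"T1190", "T1505.003", "T1003.001", "T1021.002", "T1486"},
}


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty profiles are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def unique_techniques(profiles):
    """Techniques that appear in exactly one group's profile."""
    counts = Counter(t for p in profiles.values() for t in p)
    return {g: {t for t in p if counts[t] == 1} for g, p in profiles.items()}


def distinctiveness(profiles):
    """Fraction of each group's profile that no other group shares.

    A score near 0 means the group's behavior is indistinguishable from its
    peers on TTPs alone; a score near 1 means the profile is a usable signature.
    """
    uniq = unique_techniques(profiles)
    return {g: len(uniq[g]) / len(p) for g, p in profiles.items()}


def attribute(observed, profiles, margin=0.1):
    """Rank groups by similarity to an observed TTP set.

    Returns (best_group, score, ambiguous). The result is flagged ambiguous when
    the runner-up is within `margin` of the best match, i.e. the behavioral
    evidence alone does not separate the candidates.
    """
    ranked = sorted(
        ((jaccard(observed, p), g) for g, p in profiles.items()),
        key=lambda x: (-x[0], x[1]),  # score descending, name ascending for ties
    )
    best_score, best = ranked[0]
    second_score = ranked[1][0] if len(ranked) > 1 else 0.0
    return best, round(best_score, 3), (best_score - second_score) < margin


if __name__ == "__main__":
    for group, score in distinctiveness(PROFILES).items():
        print(f"{group}: {score:.2f} of profile is unique")
    # Constructed incident observations (assumption): only a few TTPs are ever seen.
    for observed in ({"T1566.001", "T1059.001", "T1027"}, {"T1190", "T1505.003", "T1486"}):
        best, score, ambiguous = attribute(observed, PROFILES)
        print(f"observed {sorted(observed)} -> {best} ({score}), ambiguous={ambiguous}")
```

With these constructed profiles GROUP-A has no technique of its own, so an observation matching it ties with GROUP-B and the attribution is flagged ambiguous, while GROUP-D, whose profile shares nothing with the others, is attributed with a clear margin. The margin check is the practical takeaway: an analyst should treat a behavior-based match as a lead only when the runner-up is well separated, and otherwise corroborate with artifact-level evidence such as the file clustering the abstract describes.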
Additional information:
Thesis not yet received at the library - data not verified