From IOCs to Group Profiles: On the Specificity of Threat Group Behaviors in CTI Knowledge Bases

📅 2025-06-12
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work investigates whether threat actor behavioral profiling—specifically ATT&CK Tactics, Techniques, and Procedures (TTPs) and Malpedia malware—can robustly replace short-lived Indicators of Compromise (IOCs) for detection and attribution. Method: We construct a cross-source knowledge graph integrating heterogeneous cyber threat intelligence (CTI) and quantitatively assess the uniqueness and coverage of threat group behavior across multiple CTI repositories, employing statistical significance testing, extraction of exploited vulnerabilities and additional techniques from threat reports, and a joint specificity-coverage metric. Results: Only 34% of ATT&CK groups possess exclusive TTPs; 73% use group-specific software in ATT&CK, but this drops to 24% in Malpedia; even after multi-source fusion and profile enrichment, 64% of groups lack any exclusive behavioral signature. These findings challenge the prevailing assumption that behavioral profiles can fully supplant IOCs, exposing fundamental limits on their persistence and discriminability for long-term attribution. The study establishes an empirical benchmark and methodological framework for CTI modeling and knowledge base integration.

📝 Abstract
Indicators of Compromise (IOCs) such as IP addresses, file hashes, and domain names are commonly used for threat detection and attribution. However, IOCs tend to be short-lived as they are easy to change. As a result, the cybersecurity community is shifting focus towards more persistent behavioral profiles, such as the Tactics, Techniques, and Procedures (TTPs) and the software used by a threat group. However, the distinctiveness and completeness of such behavioral profiles remain largely unexplored. In this work, we systematically analyze threat group profiles built from two open cyber threat intelligence (CTI) knowledge bases: MITRE ATT&CK and Malpedia. We first investigate what fraction of threat groups have group-specific behaviors, i.e., behaviors used exclusively by a single group. We find that only 34% of threat groups in ATT&CK have group-specific techniques. The software used by a threat group proves to be more distinctive, with 73% of ATT&CK groups using group-specific software. However, this percentage drops to 24% in the broader Malpedia dataset. Next, we evaluate how group profiles improve when data from both sources are combined. While coverage improves modestly, the proportion of groups with group-specific behaviors remains under 30%. We then enhance profiles by adding exploited vulnerabilities and additional techniques extracted from more threat reports. Despite the additional information, 64% of groups still lack any group-specific behavior. Our findings raise concerns about the belief that behavioral profiles can replace IOCs in threat group attribution.
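The abstract's central measurement is whether a group has at least one behavior (technique or software) that no other group in the knowledge base uses, and how that changes when two sources are merged. The following Python is an added illustration, not code or data from the paper: the group-to-behavior mappings are constructed toy data (the ATT&CK-style IDs are used only as labels), and "specificity" and "coverage" are assumed definitions chosen to mirror the abstract's two measures (fraction of groups with an exclusive behavior; fraction of groups with any profile in a source). The toy data is arranged so that merging sources raises coverage while lowering specificity, the effect the abstract reports.

```python
from collections import defaultdict

# Constructed toy profiles (not the paper's data). Keys are group names,
# values are sets of behavior identifiers. ATT&CK-style technique IDs and
# tool names here are illustrative labels only; the mappings are invented.
ATTACK_TECHNIQUES = {
    "GroupA": {"T1566", "T1059", "T1105"},
    "GroupB": {"T1566", "T1059"},
    "GroupC": {"T1566", "T1003"},
    "GroupD": {"T1059", "T1105"},
}
ATTACK_SOFTWARE = {
    "GroupA": {"ToolX"},
    "GroupB": {"ToolY", "ToolZ"},
    "GroupC": {"ToolZ"},
    # GroupD has no software entry in this toy source
}
MALPEDIA_SOFTWARE = {
    "GroupA": {"ToolX", "ToolY"},
    "GroupC": {"ToolZ"},
    "GroupD": {"ToolY"},
    "GroupE": {"ToolW"},  # group known only to the second toy source
}


def behavior_users(profiles):
    """Invert a group->behaviors mapping into behavior->groups."""
    users = defaultdict(set)
    for group, behaviors in profiles.items():
        for behavior in behaviors:
            users[behavior].add(group)
    return users


def group_specific_behaviors(profiles):
    """For each group, the behaviors used by that group and by no other group."""
    users = behavior_users(profiles)
    return {
        group: {b for b in behaviors if users[b] == {group}}
        for group, behaviors in profiles.items()
    }


def specificity(profiles):
    """Assumed definition: fraction of groups with >= 1 group-specific behavior."""
    if not profiles:
        return 0.0
    exclusive = group_specific_behaviors(profiles)
    return sum(1 for s in exclusive.values() if s) / len(profiles)


def coverage(profiles, universe):
    """Assumed definition: fraction of groups in `universe` with a non-empty profile."""
    return sum(1 for g in universe if profiles.get(g)) / len(universe)


def merge_profiles(*sources):
    """Union the behavior sets of the same group across several sources."""
    merged = defaultdict(set)
    for source in sources:
        for group, behaviors in source.items():
            merged[group] |= behaviors
    return dict(merged)


def compare_sources(source_a, source_b):
    """Specificity and coverage of each source and of their union."""
    universe = set(source_a) | set(source_b)
    merged = merge_profiles(source_a, source_b)
    return {
        "a": (specificity(source_a), coverage(source_a, universe)),
        "b": (specificity(source_b), coverage(source_b, universe)),
        "merged": (specificity(merged), coverage(merged, universe)),
    }


if __name__ == "__main__":
    print("ATT&CK technique exclusives:", group_specific_behaviors(ATTACK_TECHNIQUES))
    for name, (spec, cov) in compare_sources(ATTACK_SOFTWARE, MALPEDIA_SOFTWARE).items():
        print(f"{name:>7}: specificity={spec:.2f} coverage={cov:.2f}")
```

In the toy data only GroupC has an exclusive technique (T1003), so technique specificity is 0.25; merging the two software sources pushes coverage to 1.0 but drops specificity from 0.67 and 0.75 to 0.40, because a tool that was exclusive in one source (ToolY) turns out to be shared once the second source is consulted. That is the mechanism behind the abstract's observation that combining sources improves coverage more than distinctiveness.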
Problem

Research questions and friction points this paper is trying to address.

Assessing distinctiveness of threat group behavioral profiles
Evaluating group-specific behaviors in CTI knowledge bases
Challenges in replacing IOCs with behavioral profiles
Innovation

Methods, ideas, or system contributions that make the work stand out.

Analyzing group-specific behaviors in CTI knowledge bases
Combining MITRE ATT&CK and Malpedia data for profiles
Enhancing profiles with vulnerabilities and additional techniques
🔎 Similar Papers
No similar papers found.