Search papers, labs, and topics across Lattice.
This study evaluates the limitations of Structured Cyber Threat Intelligence (CTI) in accurately defining the environment for adversary emulation, revealing that while ATT&CK-style structured CTI can help narrow down candidate environments, it falls short of providing a complete replay-ready System Under Test (SUT). The analysis of datasets from MITRE ATT&CK shows that a staggering 97.6% of software objects lack crucial version and vulnerability data, indicating a significant gap in the information available for effective emulation. Ultimately, the findings underscore the necessity for integrating external data sources to supplement structured CTI in order to achieve comprehensive and accurate adversary emulation setups.
ATT&CK-style structured CTI narrows down candidate environments but fails to provide the detailed version and vulnerability information needed for effective adversary emulation.
Structured Cyber Threat Intelligence (CTI) is increasingly used for adversary emulation, detection evaluation, and cyber range design. However, these workflows still require a target System Under Test (SUT) whose environment is not fully described by public CTI. We measure how much of that environment can be derived from MITRE ATT&CK Structured Threat Information Expression (STIX) bundles. Using the ATT&CK Enterprise, Mobile, and Industrial Control Systems datasets, with CAPEC and FiGHT as comparison datasets, we evaluate platform coverage, software specificity, vulnerability evidence, and deployment compatibility. Platform annotations are common, but software references rarely include versions or Common Platform Enumeration (CPE) identifiers. In Enterprise, 97.6% of software objects lack both, and campaign-level Common Vulnerabilities and Exposures (CVEs) remain sparse. Our results show that ATT&CK-style structured CTI can narrow candidate environments and support lower-bound backend-family assignment, but structured fields alone are insufficient to derive a replay-ready SUT. Profile confusion decreases from 1.3% when one software item is linked to 0% when two are linked. The results identify a boundary between environment details supported by the corpus and the version, vulnerability, and deployment information that must come from external sources. Keeping corpus-supported elements fixed while varying only analyst-authored details yields multiple distinct, campaign-compatible SUTs, including an executable witness exploiting the same real vulnerability. Structured CTI, therefore, constrains but does not uniquely determine the environment, highlighting the need to separate corpus-supported commitments from analyst-authored assumptions in replay-ready emulation.