Abstract: Network attacks are becoming increasingly organized, and effectively tracing attacks back to the threat organizations behind them is an important part of network security defense. A threat behavior pattern is the manifestation of how an attacker attacks the victim's system; it is difficult to change, which makes it an advanced feature of the attacker. If threat behavior patterns can be extracted effectively, the success rate and accuracy of organization traceability will be greatly improved. This paper therefore proposes a threat behavior Technique Association Algorithm from the perspective of organizational behavior patterns. The algorithm extends Ward-linkage agglomerative hierarchical clustering: it extracts an organization's threat behavior patterns by clustering the attack techniques the organization uses, and verifies the technical correlation between the threat behaviors with 95% confidence. The threat behavior Technique Association model generated by the algorithm includes 97 types of threat behavior Technique Association clusters. Each cluster directly shows the corresponding threat behavior patterns of different organizations, which can provide strong support for organization traceability.