Is your feature request related to a problem? Please describe.
For some actors, references may be impure because they have common tools (mimikatz, cobalt strike, meterpreter, ...) attributed to them. if malware families are easily identified as non-exclusive (reuse among several actors), they should be listed below the "core" references imported from MISP or inferred from signature tools.

Describe the solution you'd like
Split the references into "core" references and "related" references depending on the exclusiveness of families.