Here are a few comments as I couldn’t make today’s mini call:
- It is often helpful to associate a specific campaign with other campaigns, but not duplicate ones. Campaigns, especially by nation states, often reoccur on a periodic basis and are not one-time instances. A re-occurring campaign is NOT a duplicate, and the fact that it re-occurs is a key aspect of intelligence about a campaign.
- Campaigns generally leverage TTPs, since the TTP characterizes how the campaign evolves/is played out, who it targets, what types of exploits it utilizes, identifies patterns or sequences of attack steps, etc. So a campaign needs to have a reference to TTPs that are leveraged or related to the campaign. Remember it may not be possible to identify the threat actor(s) to which the campaign can be attributed, and yet the characterization of how the campaign ‘functions’ is identifiable, so you can’t rely upon getting to the TTPs of the campaign via attribution to a threat actor(s).
- Characterizing a campaign requires relationships from the campaign to the indicators used to detect the campaign, not observations, and from the campaign to incidents that were reportedly a result of the campaign. Clearly the inverse relationship between campaign, indicator, and incident is also true. But having only a relationship from those items to the campaign makes it very difficult to describe a characterization of the campaign in a straightforward manner.
- There is only an indirect relationship between a Campaign and one or more corresponding Courses of Action. It’s indirect because you cannot directly mediate a campaign, only the exploits that are leveraged by a campaign. The exploits that are targeted by a campaign are defined through the use of TTPs, thus the relationship is Campaign -> TTP -> Exploit Target. I believe there is confusion about the purpose of the Activity property and the use of Courses of Action, as COAs are meant to represent corrective actions and preventative steps (remediation or countermeasures). The activity property is used to capture just generic actions and is meant to be extended.
Understand that campaigns must be planned out; they don’t just happen. Therefore a campaign has a lifecycle, in some way similar to the concept of a kill chain. So to effectively mediate a campaign requires one to disrupt the threat actor’s planning lifecycle, often referred to as the Threat Actor OODA (Observe, Orient, Decide, Act). By understanding the TTPs of a campaign, you can begin to take defensive actions to make it harder for the threat actor to achieve their objectives, because you are able to force them to change their ‘modus operandi’ as illustrated through the TTPs that are used as part of a campaign. That is why understanding the attack pattern and target TTPs is so critical.
I hope this helps add some clarity to this discussion. In general, I believe that the definition of Campaign in STIX 1.2.* is actually correct. I would also assert, as was stated on the #campaign slack channel, that the concept of intended effects is actually best represented by an assertion.
FireEye Intelligence Business Unit
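To make the relationship argument in the message above concrete, here is a small added illustration in Python; it is not STIX code and not the author's, and every type name, field and sample value is constructed for the example. It walks Campaign -> TTP -> Exploit Target to reach Courses of Action (no direct Campaign -> COA edge) and distinguishes a recurring campaign wave from a duplicate record.

```python
from dataclasses import dataclass

@dataclass
class TTP:
    """How the campaign is played out; carries the weaknesses it goes after."""
    name: str
    exploit_targets: frozenset = frozenset()

@dataclass
class Campaign:
    name: str
    ttps: tuple = ()                      # Campaign -> TTP
    indicators: frozenset = frozenset()   # Campaign -> Indicator (used to detect it)
    incidents: frozenset = frozenset()    # Campaign -> Incident (reported results)
    related: tuple = ()                   # earlier waves of the campaign, not duplicates

# Constructed sample data (hypothetical names, not real intelligence).
MACRO_PHISH = TTP("spearphish with macro lure",
                  frozenset({"office macro execution", "weak mail filtering"}))
# Courses of Action are indexed by Exploit Target, never by Campaign.
COA_INDEX = {
    "office macro execution": ("block macros from the internet zone",),
    "weak mail filtering": ("enable attachment sandboxing",),
}
WAVE_1 = Campaign("op-sample wave 1", ttps=(MACRO_PHISH,),
                  indicators=frozenset({"lure-doc-hash-1"}),
                  incidents=frozenset({"INC-0001"}))
WAVE_2 = Campaign("op-sample wave 2", ttps=(MACRO_PHISH,),
                  indicators=frozenset({"lure-doc-hash-2"}),
                  incidents=frozenset({"INC-0007"}), related=(WAVE_1,))

def applicable_coas(campaign, coa_index=COA_INDEX):
    """Walk Campaign -> TTP -> Exploit Target -> COA; there is no direct edge."""
    targets = {tgt for ttp in campaign.ttps for tgt in ttp.exploit_targets}
    return sorted({coa for tgt in targets for coa in coa_index.get(tgt, ())})

def is_recurrence(new, old):
    """Same modus operandi (TTPs) but fresh indicators and incidents:
    a recurring campaign, not a duplicate of the earlier record."""
    same_ttps = {t.name for t in new.ttps} == {t.name for t in old.ttps}
    fresh = (new.indicators.isdisjoint(old.indicators)
             and new.incidents.isdisjoint(old.incidents))
    return same_ttps and fresh

def characterization(campaign):
    """Describe a campaign purely from its outbound relationships."""
    return {
        "ttps": [t.name for t in campaign.ttps],
        "indicators": sorted(campaign.indicators),
        "incidents": sorted(campaign.incidents),
        "recurrence_of": [c.name for c in campaign.related if is_recurrence(campaign, c)],
        "coas_via_ttps": applicable_coas(campaign),
    }
```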
I should be on the call, but if not, here are some additional relationships to think about:
- Campaign targets a Victim (organization or vertical)
- If ThreatActor and ThreatGroup are not identical, Campaigns may be attributed to the latter
- Campaign uses a TTP
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."