OASIS Mailing List Archives

cti message

Subject: Definitions for Campaigns, Intrusion Sets and Threat Actors

During some of the previous discussions, individuals had asked for definitions on Campaigns, Intrusion Sets and Threat Actors.  The below definitions were put together to help with the discussions.  I put together these definitions/examples and ran them by Paul Patrick to get some concurrence, but if individuals do not agree, I would be interested in understanding where there is disagreement.

Hope it helps the discussion,

Campaign: A campaign is a set of incidents that occur over a specific time period and relate to each other by shared indicators, tools, infrastructure or TTPs, which indicate that they were performed by the same Intrusion Set/Threat Actor and/or have a shared objective.  Some SOCs will associate incidents to a campaign if a new incident shares observables that are relatively unique and difficult to change, from 2 or more phases of the kill chain, with observables from incidents already associated with that campaign.

Intrusion Set: An Intrusion Set relates a set of incidents, indicators, tools, infrastructure or TTPs that are grouped together to show a believed attribution back to an entity.  For example, a set of Incidents may share a set of TTPs.  The Threat Actors behind the attack may not be known, but the activity can be grouped together and new activity can be attributed to that Intrusion Set.  Threat actors could move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.  An Intrusion Set is usually tracked over a long period of time.  While sometimes an Intrusion Set goes silent or changes focus, it is usually difficult to know if it has truly disappeared or ended.  Analysts may have varying levels of fidelity in attributing an Intrusion Set back to Threat Actors.  The analysts may only be able to attribute it back to a nation-state, perhaps back to an organization within that nation-state, or perhaps back to the individuals within that organization.

Threat Actor: Threat Actors are the individuals or organizations related to a set of incidents, indicators, tools, infrastructure or TTPs.  There can be multiple Threat Actors associated with the same thing.  For example, Threat Actor 1, a malware author, may provide malware to an attack which is used by Threat Actor 2 to perform the attack.  Both Threat Actors work for the same organization, which would also be represented using the Threat Actor object.  An analyst may wish to map out the organization and the individual members, how they interact and any overlaps they have supporting multiple organizations.  The analyst may want to capture the infrastructure used by those threat actors, their tools, their motivations, etc.

 // Campaign Example
 {
   "type": "campaign",
   "title": "Jets4Christmas",
   "description": "shared TTP of malicious Christmas messages",
   "motive": "Political",
   "objective": "Access documents pertaining to jet engine designs",
   "id": "campaign--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
   "created_time": "2015-12-06T20:07:09Z",
   "created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff"
 }

 // Intrusion Set Example (id separator written as "--" to match the campaign example)
 {
   "type": "intrusion-set",
   "id": "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
   "title": "Bobcat Breakin",
   "description": "Incidents usually feature a shared TTP of a bobcat being released within the building containing network access, scaring users to leave their computers without locking them first.  Still determining where the threat actors are getting the bobcats.",
   "sophistication": "Unique"
 }

 // Threat Actor Example (id separator as above; note the UUID repeats the intrusion-set one, a real object would get its own)
 {
   "type": "threat-actor",
   "id": "threat-actor--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
   "title": "Norway Nasjonal Sikkerhetsmyndighet",
   "description": "Norway National Security Authority",
   "motivation": "Usually focused on capturing intelligence about meatball recipes devised by their neighboring country",
   "sophistication": "High, perfect meatballs are of utmost importance"
 }
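The campaign-association rule given above (a new incident joins a campaign when it shares relatively unique, hard-to-change observables from two or more kill-chain phases with incidents already in the campaign) is easy to state and easy to get wrong, so here is an added worked example in Python. It is not code from the original post or from the CTI TC; the kill-chain phase names, the lists of hard-to-change observable types and common values, the "JetDropper" family name, the domain and the hash-like strings are all constructed for the example, and only the Jets4Christmas campaign id is taken from the message.

```python
"""Campaign association by shared hard-to-change observables (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# An observable is (kill-chain phase, observable type, value).
Observable = Tuple[str, str, str]

# Observable types an analyst treats as costly for the adversary to change between
# incidents (assumed list; each SOC tunes its own).
HARD_TO_CHANGE = {"file-sha256", "malware-family", "c2-domain", "code-signing-cert"}

# Values too widespread to count as "relatively unique", e.g. a commodity tool build
# seen in unrelated intrusions (constructed placeholder value).
COMMON_VALUES = {"sha256:commodity-rat-build"}


@dataclass
class Incident:
    id: str
    observables: Set[Observable]


@dataclass
class Campaign:
    id: str
    title: str
    incidents: List[Incident] = field(default_factory=list)

    def known_observables(self) -> Set[Observable]:
        """Union of everything already attributed to this campaign."""
        return set().union(*(i.observables for i in self.incidents))


def is_pivotable(obs: Observable) -> bool:
    """True when the observable is both hard to change and not a common value."""
    _phase, otype, value = obs
    return otype in HARD_TO_CHANGE and value not in COMMON_VALUES


def shared_pivots(campaign: Campaign, incident: Incident) -> Dict[str, Set[Observable]]:
    """Pivotable observables the incident shares with the campaign, grouped by phase."""
    known = campaign.known_observables()
    by_phase: Dict[str, Set[Observable]] = {}
    for obs in incident.observables:
        if obs in known and is_pivotable(obs):
            by_phase.setdefault(obs[0], set()).add(obs)
    return by_phase


def should_associate(campaign: Campaign, incident: Incident, min_phases: int = 2) -> bool:
    """The rule: shared pivots from at least `min_phases` distinct kill-chain phases."""
    return len(shared_pivots(campaign, incident)) >= min_phases


def triage(campaign: Campaign, candidates: List[Incident]) -> List[str]:
    """Walk candidates in order; each accepted incident widens the pivot set for later ones."""
    added: List[str] = []
    for inc in candidates:
        if should_associate(campaign, inc):
            campaign.incidents.append(inc)
            added.append(inc.id)
    return added


def build_sample() -> Tuple[Campaign, List[Incident]]:
    """Constructed incidents: one seed already in the campaign, three candidates."""
    seed = Incident("incident-001", {
        ("delivery", "email-subject", "Merry Christmas from the jets team"),
        ("delivery", "file-sha256", "sha256:constructed-dropper-1"),
        ("exploitation", "malware-family", "JetDropper"),
        ("installation", "file-sha256", "sha256:commodity-rat-build"),
        ("command-and-control", "c2-domain", "xmas-greetings.example"),
    })
    campaign = Campaign("campaign--31b940d4-6f7f-459a-80ea-9c1f17b5891b", "Jets4Christmas", [seed])
    candidates = [
        # shares the dropper hash (delivery) and the C2 domain: two phases -> associate
        Incident("incident-002", {
            ("delivery", "file-sha256", "sha256:constructed-dropper-1"),
            ("delivery", "email-subject", "Season's greetings"),
            ("installation", "code-signing-cert", "cert:constructed-signer-a"),
            ("command-and-control", "c2-domain", "xmas-greetings.example"),
        }),
        # shares a subject line (easy to change), a commodity hash (not unique) and
        # the malware family: only one qualifying phase -> do not associate
        Incident("incident-003", {
            ("delivery", "email-subject", "Merry Christmas from the jets team"),
            ("installation", "file-sha256", "sha256:commodity-rat-build"),
            ("exploitation", "malware-family", "JetDropper"),
        }),
        # the signing cert is only known once incident-002 is in, so this one
        # qualifies after 002 is accepted and not before
        Incident("incident-004", {
            ("installation", "code-signing-cert", "cert:constructed-signer-a"),
            ("command-and-control", "c2-domain", "xmas-greetings.example"),
        }),
    ]
    return campaign, candidates


def demo() -> List[str]:
    campaign, candidates = build_sample()
    return triage(campaign, candidates)


if __name__ == "__main__":
    campaign, candidates = build_sample()
    for inc in candidates:
        print(inc.id, sorted(shared_pivots(campaign, inc)), should_associate(campaign, inc))
    print("associated:", triage(campaign, candidates))
```

Two points the code makes explicit that the prose leaves implicit: the "relatively unique" test has to exclude shared observables that are common across unrelated intrusions, otherwise a commodity tool hash links everything together; and because each accepted incident widens the set of known pivots, the order in which incidents are reviewed changes the outcome (incident-004 only qualifies after incident-002 is in), so an analyst re-running the rule over a queue should expect results to differ from a one-shot pass.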
