Subject: Re: [cti] Definitions for Campaigns, Intrusion Sets and Threat Actors


Gary - first of all thank you for this and the work you put into it, and thanks to Paul as well. This is amazing stuff and coming to baseline consensus on the base concepts is critical in order to get STIX right.

Given the description of campaign, it seems critical that a campaign is a grouping of one or more intrusion sets or threat actors, and it should not be a grouping of bare TTPs or Indicators (those TTPs/Indicators should be assigned to an intrusion set, and a campaign created that references that intrusion set). Is that how you see it?


-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: "Katz, Gary CTR DC3/DCCI" <Gary.Katz.ctr@dc3.mil>
To: "'cti@lists.oasis-open.org'" <cti@lists.oasis-open.org>
Date: 05/23/2016 02:27 PM
Subject: [cti] Definitions for Campaigns, Intrusion Sets and Threat Actors
Sent by: <cti@lists.oasis-open.org>





During some of the previous discussions, individuals had asked for definitions on Campaigns, Intrusion Sets and Threat Actors.  The below definitions were put together to help with the discussions.  I put together these definitions/examples and ran them by Paul Patrick to get some concurrence, but if individuals do not agree, I would be interested in understanding where there is disagreement.

Hope it helps the discussion,
   -Gary


Campaign: A campaign is a set of incidents that occur over a specific time period and relate to each other by shared indicators, tools, infrastructure or TTPs which indicate that they were performed by the same Intrusion Set/Threat Actor and/or have a shared objective.  Some SOCs will associate incidents with a campaign if a new incident shares observables that are relatively unique and difficult to change from 2 or more phases of the kill chain with observables from incidents already associated with that campaign.

Intrusion Set: An Intrusion Set relates a set of incidents, indicators, tools, infrastructure or TTPs that are grouped together to show a believed attribution back to an entity.  For example, a set of Incidents may share a set of TTPs.  The Threat Actors behind the attack may not be known, but the activity can be grouped together and new activity can be attributed to that Intrusion Set.  Threat actors could move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.  An Intrusion Set is usually tracked over a long period of time.  While sometimes an Intrusion Set goes silent or changes focus, it is usually difficult to know if it has truly disappeared or ended.  Analysts may have varying levels of fidelity on attributing an Intrusion Set back to Threat Actors.  The analysts may only be able to attribute it back to a nation-state, perhaps back to an organization within that nation-state, or perhaps back to the individuals within that organization.

Threat Actor: Threat Actors are the individuals or organizations related to a set of incidents, indicators, tools, infrastructure or TTPs.  There can be multiple Threat Actors associated with the same thing.  For example, Threat Actor 1, a malware author, may provide malware to an attack which is used by Threat Actor 2 to perform the attack.  Both Threat Actors work for the same organization, which would also be represented using the Threat Actor object.  An analyst may wish to map out the organization and the individual members, how they interact and any overlaps they have in supporting multiple organizations.  The analyst may want to capture the infrastructure used by those threat actors, their tools, or motivations, etc.

Examples:
// Campaign Example
{
    "type": "campaign",
    "title": "Jets4Christmas",
    "description": "shared TTP of malicious Christmas messages",
    "motive": "Political",
    "objective": "Access documents pertaining to jet engine designs",
    "id": "campaign--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
    "created_time": "2015-12-06T20:07:09Z",
    "created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff"
}

// Intrusion Set Example
{
    "type": "intrusion-set",
    "id": "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
    "title": "Bobcat Breakin",
    "description": "Incidents usually feature a shared TTP of a bobcat being released within the building containing network access, scaring users to leave their computers without locking them first.  Still determining where the threat actors are getting the bobcats.",
    "sophistication": "Unique"
}

// Threat Actor Example
{
    "type": "threat-actor",
    "id": "threat-actor--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
    "title": "Norway Nasjonal Sikkerhetsmyndighet",
    "description": "Norway National Security Authority",
    "motivation": "Usually focused on capturing intelligence about meatball recipes devised by their neighboring country",
    "sophistication": "High, perfect meatballs are of utmost importance"
}

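The following is an added example and is not code from either message's author, the CTI TC, or any STIX specification. It turns two points of the thread into checks a practitioner can run over a set of objects: Gary's examples imply an id of the form "<type>--<uuid>" whose prefix matches the object's "type", and Jason's reply proposes that a campaign should reference intrusion sets or threat actors rather than bare TTPs or indicators. The field names "type", "id" and "title" are taken from the examples in the message; the "attributed_to_refs" field on a campaign, the "ttp" object type, and all sample objects below are assumptions constructed for the demonstration.

```python
"""Consistency checks for campaign, intrusion-set and threat-actor objects.

Added example; not code from the CTI TC, the message's authors, or any STIX
specification. "type", "id", "title" and the "<type>--<uuid>" id form follow
the examples in the message; "attributed_to_refs" on a campaign is an assumed
placeholder for expressing that a campaign references intrusion sets or
threat actors rather than bare TTPs or indicators.
"""
import uuid

# Under the proposed rule, a campaign may only reference these object types.
CAMPAIGN_TARGET_TYPES = {"intrusion-set", "threat-actor"}


def check_id(obj):
    """Return problems with obj["id"] relative to obj["type"]; [] if clean."""
    obj_type = obj.get("type")
    obj_id = obj.get("id", "")
    prefix, sep, tail = obj_id.partition("--")
    if not sep:
        return ["%r: id must have the form '<type>--<uuid>'" % obj_id]
    problems = []
    if prefix != obj_type:
        problems.append("%r: id prefix %r does not match type %r"
                        % (obj_id, prefix, obj_type))
    try:
        uuid.UUID(tail)
    except ValueError:
        problems.append("%r: %r is not a valid UUID" % (obj_id, tail))
    return problems


def check_campaign_refs(campaign, bundle):
    """Return problems for campaign references that do not resolve to an
    intrusion set or threat actor present in the bundle."""
    by_id = {o.get("id"): o for o in bundle}
    problems = []
    for ref in campaign.get("attributed_to_refs", []):
        target = by_id.get(ref)
        if target is None:
            problems.append("%s: reference %r not found in bundle"
                            % (campaign["id"], ref))
        elif target.get("type") not in CAMPAIGN_TARGET_TYPES:
            problems.append("%s: references %s %r directly; assign it to an "
                            "intrusion set instead"
                            % (campaign["id"], target.get("type"), ref))
    return problems


def validate_bundle(bundle):
    """Run every check over a list of objects and return all problems found."""
    problems = []
    for obj in bundle:
        problems.extend(check_id(obj))
        if obj.get("type") == "campaign":
            problems.extend(check_campaign_refs(obj, bundle))
    return problems


# Constructed sample objects, adapted from the examples in the message.
INTRUSION_SET = {
    "type": "intrusion-set",
    "id": "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
    "title": "Bobcat Breakin",
}
THREAT_ACTOR = {
    "type": "threat-actor",
    "id": "threat-actor--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
    "title": "Norway Nasjonal Sikkerhetsmyndighet",
}
GOOD_CAMPAIGN = {
    "type": "campaign",
    "id": "campaign--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
    "title": "Jets4Christmas",
    "attributed_to_refs": [INTRUSION_SET["id"]],
}
# A bare TTP object (constructed) and a campaign that references it directly,
# which is the modelling the reply argues against.
TTP = {"type": "ttp", "id": "ttp--0b6a7c1e-2d3f-4a5b-8c9d-0e1f2a3b4c5d",
       "title": "Malicious Christmas messages"}
TTP_CAMPAIGN = {
    "type": "campaign",
    "id": "campaign--9d8c7b6a-5f4e-4d3c-b2a1-0f9e8d7c6b5a",
    "title": "Jets4Christmas (mis-modelled)",
    "attributed_to_refs": [TTP["id"]],
}
# The threat-actor id as originally posted, with a single '-' after the type.
SINGLE_DASH_ACTOR = {"type": "threat-actor",
                     "id": "threat-actor-4e78f46f-a023-4e5f-bc24-71b3ca22ec29"}

if __name__ == "__main__":
    for problem in validate_bundle([INTRUSION_SET, THREAT_ACTOR, GOOD_CAMPAIGN,
                                    TTP, TTP_CAMPAIGN, SINGLE_DASH_ACTOR]):
        print(problem)
```

Run as a script, it reports two problems: the campaign that points straight at a TTP, and the single-dash id. The first check is the one a SOC would want when ingesting shared objects, since the same UUID reused under different type prefixes (as in the sample above) is only distinguishable by that prefix; the second encodes the grouping rule from the reply so that TTPs and indicators end up under an intrusion set that the campaign then references.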





