OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [cti] Definitions for Campaigns, Intrusion Sets and Threat Actors

I'm still trying to wrap my head around how these concepts relate, based on my limited experience in operational government environments. 

I (believe I) understand the difference, particularly in (U.S.) government circles, between one or more "campaigns" and the encompassing intrusion set(s). From a data modeling perspective, though, I wonder if it makes sense to consider intrusion sets to just be a "meta-campaign", and allow a STIX Campaign to be made up of "subcampaigns". From my perspective, both campaigns and intrusion sets can be loosely defined as "collections of activity determined by an analyst to be related based on shared TTPs (tools, infrastructure, targets, themes, etc.)". The exact method of that determination can vary wildly based on the source (and we can and probably should support the representation of those assertions in STIX), but I'm hesitant to encode the distinction between the more general term "campaign" and the more specific term "intrusion set" directly into the STIX data model. As a concrete example, if one STIX producer considers a set of activity to be a "campaign" and another (likely US gov't) producer considers it to be an "intrusion set", it's simpler and easier to reconcile in STIX if you can assert a relationship between the two campaigns than saying "campaign X is the same as intrusion set Y".

On top of that is the idea that some organizations consider "Threat Actors" to be individuals who can move between groups/campaigns/intrusion sets, while others consider the group itself to be the Threat Actor. It's likely that STIX will need to support both models. In some ways, it's similar to Intrusion Set/Campaign in that you can have "meta threat actors" (groups) which are made up of "sub threat actors" (individuals).  

Gary, do you think it would be possible for government users to use the existing "Campaign" construct (perhaps with modifications) to handle intrusion sets (where an Intrusion Set is just a special type of Campaign)? I realize the terminology itself may cause confusion, but if you get past that, are the data types at least compatible?

Just my 2 cents.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]