
Subject: RE: [cti] Threat Actor items

Hi Phil,


First, yes these are public and can be used as needed.  They are derived from public works we have published previously.  (Attached)


These characters are a subset of our Threat Agent Library and were developed over a period of several years of analysis by my threat intelligence team in response to a lack of standards in this field.  We wanted a set of universal actors that were distinct and identifiable, and that comprehended all the harmful roles that could be encountered by any organization, public or private.  Since then a number of organizations have utilized or adopted the Library and the underlying taxonomy, either whole or in part.  Several such papers by CERT and the U.S. Dept. of Homeland Security are attached as examples.


Feel free to contact me if you would like more information.





From: Phillip Cutforth [mailto:Phillip.Cutforth@dia.govt.nz]
Sent: Sunday, July 17, 2016 10:27 PM
To: Casey, Timothy P <timothy.p.casey@intel.com>
Cc: Jordan, Bret <bret.jordan@bluecoat.com>; cti@lists.oasis-open.org
Subject: Re: [cti] Threat Actor items


Hi Tim,

Are these aligned with any other 'standard' categories or definitions?


I do like them and am checking / asking whether I can socialise these with my govt agencies, with the potential for them becoming the basis of our govt TA profiles? Though our NCSC would have to sanction them, obviously!


Many Thanks,

Phil Cutforth

NZ Govt Enterprise and Cyber Architect


Sent from my iPhone - excuse brevity

+64 21 901 752

On 18/07/2016, at 5:03 PM, Jordan, Bret <bret.jordan@bluecoat.com> wrote:

Tim these are fantastic!!!   I have copied them as is.  Thank you so much for these.  








Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 


On Jul 17, 2016, at 17:57, Casey, Timothy P <timothy.p.casey@intel.com> wrote:


Here are the drafted descriptors for each of the Threat Actor Labels.  A few items: 


-        I left a question in the last sentence of the Cyber Warrior descriptor as I did not know the proper mechanism here to reference when linking a CW to an associated Spy organization.  This must be addressed before publication.

-        I may not have been consistent in capitalization of the label within the text, as I could not determine the protocol from other documents.  This may need to be addressed before publication.


The attached doc is the same as text below and is included for convenience.


Please let me know if there is anything I can help with.







Highly motivated, potentially destructive supporter of a social or political cause.


Activist actions directed towards an organization are often intended to protest and influence the organization’s decisions pertaining to issues such as facility placement, trade and business dealings, or labor or environmental impacts. Their attacks are usually intended either to disrupt the ability to produce products or services or to damage the company’s image. The activist may act entirely online, or may extend their operations into the cyber realm in addition to physical attacks. Activists are primarily motivated by ideology, which can drive extensive and persistent attacks.


This category includes actors sometimes referred to as anarchists, cyber vandals, extremists, and hacktivists in addition to what are traditionally known as activists. It does not include terrorists, as activist attacks can be severe but generally do not intend the personal injury and loss of life sought by terrorists.






An organization which rivals another in the economic marketplace and competes for the same market share.


The goal of a competitor is to gain an advantage in business with respect to the rival organization it targets. It usually does this by copying intellectual property, trade secrets, acquisition strategies, or other technical or business data from a rival organization with the intention of using the data to bolster its own assets and market position. Highly aggressive competitors may also use disruptive or damaging attacks to slow or block a rival’s progress.


“Competitor” can include vendors and partners, but in this context does not include military adversaries (see the Cyber-Warrior and Spy descriptors). The primary motivation for a competitor taking hostile actions is organizational gain.






An enterprise organized to conduct significant, large-scale criminal activity for profit.


Crime syndicates, also known as organized crime, are generally large, well-resourced groups that operate to create profit from all types of crime. Their activities can be seriously harmful and even extreme in impact, and they may use any combination of physical and cyber techniques to both execute attacks and protect their organization. They are almost entirely motivated by organizational gain to create profit, including cases where they have hired out to political or nationalistic interests to attack on their clients’ behalf. However, they can also act from dominance in establishing local political or social power or in opposing rival syndicates.


As the name implies, a crime syndicate is generally a larger, formal organization. Those with similar criminal objectives but working independently or in very small groups generally belong in the Thief category.






Member of an organization that engages in cyber activities to support active military objectives.


Cyber warriors usually work for organizations affiliated with the military forces of a nation state and work at the direction of that state’s government and military leadership, but may work for a private organization. A cyberwarrior typically has access to significant support, resources, training, and tools and is capable of designing and executing very sophisticated and effective campaigns. Using these capabilities, the cyberwarrior’s role is to support the organization in active conflicts, either physical or political. Their motivation is primarily dominance, but other motivations such as ideology may come into play.


As in all military organizations, intelligence gathered through espionage is essential to their conflict success and that espionage is often carried out by the same organization. Although affiliated with the cyberwarrior, the espionage role is properly called “Spy,” even though the individual may actually work in a cyber-war unit and may even take on the cyberwarrior role during conflicts. “Cyberwarrior” refers only to individuals engaged in active conflicts, including conflicts of the “cold war” type. In cases where the espionage and cyber-war organization are the same, that relationship should be noted in the [affiliation construct???].






A non-hostile employee who unintentionally exposes the organization to harm.


“Employee” in this context includes any worker extended internal trust, such as regular employees, contractors, consultants, and temporary workers.


Every employee occasionally makes mistakes, sometimes serious ones. Some risk factors that increase the likelihood of a security-relevant mistake include poor or incomplete training, fatigue, overwork, and distraction. For instance, a new hire may not yet have the knowledge to precisely follow confidentiality protocols, or an experienced worker may be distressed about a relative's illness and forget an important step in a sandbox configuration procedure. In any case, the employee is well-intentioned, and the mistakes are unintentional and possibly even unnoticed by the employee.







Current or former employee with intent to harm the organization in retaliation for perceived wrongs.


“Employee” in this context includes any worker extended internal trust, such as regular employees, contractors, consultants, and temporary workers.


When the grievances of a disgruntled employee (real or perceived) are severe and the situation escalates, he or she can seek vengeful and harmful retaliation. Disgruntled threat actors can include both employees and former employees, who may have extensive knowledge that can be leveraged when conducting attacks. Often a disgruntled employee acts alone but may join an organization, whether a group of similar individuals, a competitor, or a criminal organization, if the individual believes that doing so will enable greater harm to the source of his or her anger. A disgruntled person can use cyber or physical means to take any number of actions including sabotage, violence, theft, fraud, espionage, or embarrassing individuals or the organization.






Seeks to cause embarrassment and brand damage by exposing sensitive information in a manner designed to cause a public relations crisis.


A Sensationalist may be an individual or small group of people motivated primarily by a need for notoriety. Unlike the Activist, the Sensationalist generally has no political goal, and is not using bad PR to influence the target to change its behavior or business practices. The embarrassment of the target is the end in itself, along with the “15 minutes of fame” that the scandal may bring to the Sensationalists themselves. Any disruption or damage to the target's infrastructure is only important insofar as it adds to negative public perception.







Secretly collects the sensitive information of another for use, dissemination, or sale.


While in the broad sense spying, i.e., espionage, is a form of theft, it is recognized as a special case and is usually treated far more severely than simple thievery. Many spies are part of a well-resourced intelligence organization and are capable of very sophisticated clandestine operations. However, insiders such as employees or consultants can be just as effective and damaging, even when their activities are largely opportunistic and not part of an overall campaign. This includes employees who leak information they believe is evidence of wrongdoing, or who opportunistically take information when they leave the organization.


In this context, a Spy is one who collects sensitive information for the benefit of any economic, industrial, or military espionage objective; in other words, the domain or end user is not considered in defining the Spy. There can be any number of motivations for spying depending on the individuals or organizations involved.






Uses extreme violence to advance a social or political agenda as well as monetary crimes to support its activities.


“Terrorist” does not have a universally accepted definition and usually depends on regional and situational aspects for identification. In this context it refers to individuals who target noncombatants with extreme violence to send a message of fear far beyond the actual events. They may act independently or as part of a terrorist organization. While terrorist violence requires physical action, that action can be generated through cyber means, such as by sabotaging critical infrastructure or facility safety systems via cyber manipulation. Terrorist organizations must typically raise much of their operating budget through criminal activity, which is increasingly occurring online. Terrorists are also often adept at using and covertly manipulating social media for both recruitment and impact.


The primary motivation for terrorist activity, both violent and monetary, is ideology, which can drive extensive and persistent attacks. Dominance, disgruntlement, and organizational gain are often also present as motivators.






Individual who steals items of value for personal financial gain.


A Thief opportunistically attacks wherever it looks like there is easy profit to be made, whether from a large company or from another individual. Many kinds of resources can be stolen, especially money or other financial assets such as credit card numbers, but also valuables, hardware, business or personal data, intellectual property, or anything else that can be easily sold. Also considered theft are various avenues of extortion, such as ransomware. Theft can be as simple as pocketing an unattended smartphone, and as sophisticated as hacking into a large organization to steal thousands of identities to sell on the black market.


Unlike a Spy, who also steals and sells information but for organizational gain, the Thief's goal is simple personal financial gain. As defined here, “Thief” refers to those acting individually or in very small or informal groups. For sophisticated, organized criminal activity, see the Crime Syndicate descriptor.




From: Patrick Maroney [mailto:Pmaroney@Specere.org] 
Sent: Friday, July 15, 2016 12:43 PM
To: cti@lists.oasis-open.org; Casey, Timothy P <timothy.p.casey@intel.com>
Subject: Re: [cti] Threat Actor items


Just a comment:  In 'our' context "Operational" indicates that an entity has the ability to effectively establish infrastructure and use attack packages developed by others.  An analogy might be a group of actors with malicious intent who purchase pre-built exploitation packages, compromised hosts/credentials, etc. from the "black market".  They have enough sophistication to configure and run these pre-built packages but not to develop or customize them.

Patrick Maroney
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org


On Fri, Jul 15, 2016 at 2:16 PM -0400, "Casey, Timothy P" <timothy.p.casey@intel.com> wrote:

Here is a suggested re-wording of the “Contest” vocabulary item for Attack Resource Level for Threat Actor:


“A short-lived and perhaps anonymous interaction that concludes when an ad-hoc group of participants have achieved a single goal. For example, people who break into systems just for thrills or prestige may hold a contest to see who can break into a specific target first. It also includes announced "operations" to achieve a specific goal, such as the original "OpIsrael" call for volunteers to disrupt all Israel internet functions for a day. Minimum Sophistication level: ???.”


There were some changes suggested to Sophistication Level that will need to be reflected in the other Attack Resource Level descriptions.  This one was formerly “Operational,” indicating a moderate level of sophistication but little long-term planning or development capabilities.


If there are other items for updating please let me know.





<STIX Threat Actor Descriptors.doc>


Attachment: Intel Corp_Threat Agent Library_Sep2007.pdf
Description: Intel Corp_Threat Agent Library_Sep2007.pdf

Attachment: Intel Corp_Threat Agent Motivations_Feb2015.pdf
Description: Intel Corp_Threat Agent Motivations_Feb2015.pdf

Attachment: A Field Guide to Insider Threat_Intel Corp_Oct 2015.pdf
Description: A Field Guide to Insider Threat_Intel Corp_Oct 2015.pdf

Attachment: pdfrKabwTkIrR.pdf
Description: Analytic_Approaches_To_Detect_Insider_Threats_Whitepaper (2015-12-09).pdf

Attachment: IT Sector Risk Assessment Baseline.pdf
Description: IT Sector Risk Assessment Baseline.pdf
